Fix bug allowing you to delete your own site directory

2025-07-03 01:23:22 +02:00 · 2015-06-07 21:54:25 -07:00 · 2015-06-07 21:54:25 -07:00 · 397f34a014
commit 397f34a014
parent 092eb4536f
3 changed files with 26 additions and 0 deletions
--- a/app/api.rb
+++ b/app/api.rb
@ -48,6 +48,10 @@ post '/api/delete' do
      api_error 400, 'bad_filename', "#{path} is not a valid filename, canceled deleting"
    end

+    if current_site.files_path(path) == current_site.files_path
+      api_error 400, 'cannot_delete_site_directory', 'cannot delete the root directory of the site'
+    end
+
    if !current_site.file_exists?(path)
      api_error 400, 'missing_files', "#{path} was not found on your site, canceled deleting"
    end