From b746c3ead1fca9e30624cdcc65c42532a7a6566b Mon Sep 17 00:00:00 2001
From: Devonte W
Date: Thu, 23 Feb 2023 19:23:12 +0000
Subject: [PATCH] fix(api/client): add validation for backup request body (#4704)
---
 .../Api/Client/Servers/BackupController.php | 7 ++-----
 .../Servers/Backups/RestoreBackupRequest.php | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 app/Http/Requests/Api/Client/Servers/Backups/RestoreBackupRequest.php
diff --git a/app/Http/Controllers/Api/Client/Servers/BackupController.php b/app/Http/Controllers/Api/Client/Servers/BackupController.php
index 7a35341c1..11907c5b3 100644
--- a/app/Http/Controllers/Api/Client/Servers/BackupController.php
+++ b/app/Http/Controllers/Api/Client/Servers/BackupController.php
@@ -18,6 +18,7 @@ use Pterodactyl\Transformers\Api\Client\BackupTransformer;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\StoreBackupRequest;
+use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\RestoreBackupRequest;
 class BackupController extends ClientApiController
 {
@@ -188,12 +189,8 @@ class BackupController extends ClientApiController
 *
 * @throws \Throwable
 */
- public function restore(Request $request, Server $server, Backup $backup): JsonResponse
+ public function restore(RestoreBackupRequest $request, Server $server, Backup $backup): JsonResponse
 {
- if (!$request->user()->can(Permission::ACTION_BACKUP_RESTORE, $server)) {
- throw new AuthorizationException();
- }
-
 // Cannot restore a backup unless a server is fully installed and not currently
 // processing a different backup restoration request.
 if (!is_null($server->status)) {
diff --git a/app/Http/Requests/Api/Client/Servers/Backups/RestoreBackupRequest.php b/app/Http/Requests/Api/Client/Servers/Backups/RestoreBackupRequest.php
new file mode 100644
index 000000000..d2d427f99
--- /dev/null
+++ b/app/Http/Requests/Api/Client/Servers/Backups/RestoreBackupRequest.php
@@ -0,0 +1,19 @@
+ 'required|boolean'];
+ }
+}
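Review bot: Nothing visible on this page shows the new request class enforcing `Permission::ACTION_BACKUP_RESTORE`, and the `restore()` hunk in BackupController.php deletes the only inline check for it, so authorization for a destructive restore now rests entirely on this class. Only the tail of the rules array, `'required|boolean'];`, survives in this rendering of the 19-line file, so the permission declaration should be confirmed against the actual source before relying on it. I would record the dependency in the `restore()` docblock with a line such as `* Authorization for Permission::ACTION_BACKUP_RESTORE is enforced by RestoreBackupRequest.`, and add a feature test asserting that a subuser without that permission is rejected by the restore endpoint. The body of `restore()` continues outside the hunk, so how the validated value is consumed there is not reviewable from this page.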