Added 404 response for non-existing setting categories
index 7f7f4c9caddd791d8b67a7d7f825edab50665667..3d1c184cdcebe0acac5ac0ad441b8ef9c00aeb0d 100644 (file)
@@ -11,6 +11,8 @@ class SettingController extends Controller
 {
     protected ImageRepo $imageRepo;
 
+    protected array $settingCategories = ['features', 'customization', 'registration'];
+
     public function __construct(ImageRepo $imageRepo)
     {
         $this->imageRepo = $imageRepo;
@@ -21,6 +23,7 @@ class SettingController extends Controller
      */
     public function index(string $category)
     {
+        $this->ensureCategoryExists($category);
         $this->checkPermission('settings-manage');
         $this->setPageTitle(trans('settings.settings'));
 
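Review bot: The new `ensureCategoryExists` call runs before `checkPermission('settings-manage')` on the following line, so a caller without the settings permission gets a 404 for unknown categories but the permission failure for known ones, and the response alone distinguishes valid category names. Moving `$this->ensureCategoryExists($category);` to just after the `checkPermission` line keeps the permission failure as the first answer for anyone lacking the right, which is the ordering the rest of the controller follows. The same ordering appears in the `update()` hunk below, where the call should likewise follow `preventAccessInDemoMode()` and `checkPermission()`. The category list is hard-coded, so the exposure is small, but the check order is worth keeping consistent. `index()` continues past the end of this hunk.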
@@ -39,6 +42,7 @@ class SettingController extends Controller
      */
     public function update(Request $request, string $category)
     {
+        $this->ensureCategoryExists($category);
         $this->preventAccessInDemoMode();
         $this->checkPermission('settings-manage');
         $this->validate($request, [
@@ -73,4 +77,11 @@ class SettingController extends Controller
 
         return redirect("/settings/${category}");
     }
+
+    protected function ensureCategoryExists(string $category): void
+    {
+        if (!in_array($category, $this->settingCategories)) {
+            abort(404);
+        }
+    }
 }
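Review bot: `in_array($category, $this->settingCategories)` in `ensureCategoryExists` uses loose comparison; with `$category` typed as string and a list of plain strings it behaves as intended today, but `in_array($category, $this->settingCategories, true)` is the conventional form and keeps the check from changing meaning if a numeric-looking category were ever added. A one-line docblock above the method, such as `/** Abort with a 404 if the given settings category is not one this controller knows about. */`, would document the contract for callers in `index()` and `update()`.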