From d0fcf2b0b2ff3eaf19934a765763d3846155101c Mon Sep 17 00:00:00 2001
From: Kazhnuz
Date: Sat, 29 Mar 2025 09:39:08 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Add=20a=20check=20to=20?= =?UTF-8?q?avoid=20going=20to=20wrong=20functions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 kernel/router.php | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/kernel/router.php b/kernel/router.php
index 8d449df..19f13e3 100644
--- a/kernel/router.php
+++ b/kernel/router.php
@@ -16,6 +16,9 @@ class Router {
 private $namespaces = [];
 private $currentNamespaceHandler;
+ // List of forbidden route, to avoid calling private or other REST verbs
+ private $forbiddenRoutes = [ '__', '_post', '_delete', '_put', '_patch'];
+
 public function registerNamespace($name, $authLevel, $haveCharacterId) {
 $this->namespaces[$name] = new NamespaceHandler($name, $authLevel, $haveCharacterId);
@@ -61,6 +64,12 @@ class Router {
 $this->controller = $this->getFromUrl($requestParts, 1, "pages");
 $this->func = $this->getFromUrl($requestParts, 2, "index");
 }
+
+ foreach ($this->forbiddenRoutes as $forbiddenRoute) {
+ if (str_contains($this->func, $forbiddenRoute)) {
+ $renderer->error(500);
+ }
+ }
 }
 private function getControllerPath() {
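Review bot: The `str_contains($this->func, $forbiddenRoute)` check added in the second hunk is case-sensitive, but PHP resolves method names case-insensitively, so a URL segment that differs only in letter case from an entry in `$forbiddenRoutes` is not matched. If `$this->func` is later used as a method name (the dispatch is outside the hunk), compare case-insensitively, e.g. `if (stripos($this->func, $forbiddenRoute) !== false) {`. The hunk also does not show whether `$renderer->error(500)` ends the request; unless it exits, routing continues with the rejected name, so add `return;` after it or confirm that `error()` terminates. A 404 would describe a client-supplied bad route better than 500. `$renderer` is not defined in the visible lines, so confirm it is in scope in this method, whose start is outside the hunk.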