From 0b871ff1f298d84c7b3c12444ee923bcfb1ac02a Mon Sep 17 00:00:00 2001
From: Lain Soykaf <lain@lain.com>
Date: Sat, 17 Jan 2026 12:32:10 +0400
Subject: [PATCH] ConfigController: Don't allow updating the whitelist

---
 .../controllers/config_controller_test.exs    | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/test/pleroma/web/admin_api/controllers/config_controller_test.exs b/test/pleroma/web/admin_api/controllers/config_controller_test.exs
index 7cb4ec938..e62d95fad 100644
--- a/test/pleroma/web/admin_api/controllers/config_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/config_controller_test.exs
@@ -1220,6 +1220,31 @@ defmodule Pleroma.Web.AdminAPI.ConfigControllerTest do
       assert Application.get_env(:not_real, :anything) == "value6"
     end
 
+    test "doesn't allow updating the database_config_whitelist itself", %{conn: conn} do
+      original_whitelist = Pleroma.Config.get(:database_config_whitelist)
+
+      refute ConfigDB.get_by_group_and_key(:pleroma, :database_config_whitelist)
+
+      conn =
+        conn
+        |> put_req_header("content-type", "application/json")
+        |> post("/api/pleroma/admin/config", %{
+          configs: [
+            %{
+              group: ":pleroma",
+              key: ":database_config_whitelist",
+              value: [%{"tuple" => [":pleroma", ":key1"]}]
+            }
+          ]
+        })
+
+      %{"configs" => configs} = json_response_and_validate_schema(conn, 200)
+
+      assert configs == []
+      assert Pleroma.Config.get(:database_config_whitelist) == original_whitelist
+      refute ConfigDB.get_by_group_and_key(:pleroma, :database_config_whitelist)
+    end
+
     test "args for Pleroma.Upload.Filter.Mogrify with custom tuples", %{conn: conn} do
       assert conn
              |> put_req_header("content-type", "application/json")