From 84ac41ad7e8aff7df91a4d806823d3fa6984d308 Mon Sep 17 00:00:00 2001
From: Echo
Date: Tue, 26 Aug 2025 07:03:48 -0400
Subject: [PATCH] fix broken validation

---
 app/controllers/api/admin/v1/admin_controller.rb | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/app/controllers/api/admin/v1/admin_controller.rb b/app/controllers/api/admin/v1/admin_controller.rb
index 69ef1c9..d0d8de0 100644
--- a/app/controllers/api/admin/v1/admin_controller.rb
+++ b/app/controllers/api/admin/v1/admin_controller.rb
@@ -248,8 +248,11 @@ module Api
 return render json: { error: "whatcha doin'?" }, status: :unprocessable_entity
 end
 
+ cool = %w[created_at deleted_at]
 not_cool = %w[INSERT UPDATE DELETE DROP CREATE ALTER TRUNCATE EXEC EXECUTE]
- if not_cool.any? { |keyword| query.upcase.include?(keyword) }
+
+ if not_cool.any? { |keyword| query.upcase.include?(keyword) } &&
+ cool.none? { |field| query.upcase.include?(field.upcase) }
 return render json: { error: "no perms lmaooo" }, status: :forbidden
 end
 
@@ -257,11 +260,6 @@ module Api
 return render json: { error: "no perms lmaooo" }, status: :forbidden
 end
 
- cool = %w[created_at deleted_at]
- if query.upcase.match?(/\b(#{not_cool.join('|')})\b/) && !query.upcase.match?(/\b(#{cool.join('|')})\b/)
- return render json: { error: "no perms lmaooo" }, status: :forbidden
- end
-
 begin
 limited_query = query.strip
 unless limited_query.upcase.include?("LIMIT")
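Review bot: The added `cool.none?` clause on the new `if` switches the keyword denylist off for any query that mentions `created_at` or `deleted_at`, so such a statement is never compared against `not_cool` at all, which is a wider exemption than the false positive it works around. The false positive comes from substring matching: `include?("CREATE")` also matches `CREATED_AT`, so whole-word matching fixes it without an exemption, `if query.match?(/\b(#{not_cool.join('|')})\b/i)`; the second hunk deletes exactly such a word-boundary check, so it could replace the `include?` loop instead of being removed. Either way a keyword denylist over free-form SQL is an incomplete control, so the intent is better enforced by running the statement on a read-only connection or inside a read-only transaction, with the denylist kept only as a fast-fail. As a minor point, `query.upcase` is recomputed on every iteration of both blocks; hoist it once above the `if`. The enclosing action starts and ends outside this hunk.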