From ccab9611cb49534cde075f88930f32db70373fbc Mon Sep 17 00:00:00 2001
From: idafurjes <36131195+idafurjes@users.noreply.github.com>
Date: Tue, 24 Aug 2021 08:41:15 +0200
Subject: [PATCH] API: Add theme validation (#38432)

* Add theme validation

* Fix lint for const
---
 pkg/api/preferences.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/api/preferences.go b/pkg/api/preferences.go
index fc4e41aefe9..4fafb37e7b0 100644
--- a/pkg/api/preferences.go
+++ b/pkg/api/preferences.go
@@ -7,6 +7,12 @@ import (
 "github.com/grafana/grafana/pkg/models"
 )
 
+const (
+ defaultTheme string = ""
+ darkTheme string = "dark"
+ lightTheme string = "light"
+)
+
 // POST /api/preferences/set-home-dash
 func SetHomeDashboard(c *models.ReqContext, cmd models.SavePreferencesCommand) response.Response {
 cmd.UserId = c.UserId
@@ -46,6 +52,9 @@ func UpdateUserPreferences(c *models.ReqContext, dtoCmd dtos.UpdatePrefsCmd) res
 }
 
 func updatePreferencesFor(orgID, userID, teamId int64, dtoCmd *dtos.UpdatePrefsCmd) response.Response {
+ if dtoCmd.Theme != lightTheme && dtoCmd.Theme != darkTheme && dtoCmd.Theme != defaultTheme {
+ return response.Error(400, "Invalid theme", nil)
+ }
 saveCmd := models.SavePreferencesCommand{
 UserId: userID,
 OrgId: orgID,
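Review bot: The new const block in the first hunk has no comment stating that these three values are the complete allowlist for the theme preference, or that the empty string is accepted on purpose (presumably meaning "use the default theme"). A line above it such as `// Accepted values for the theme preference; "" presumably selects the default theme.` would tell whoever adds a theme later that the check in updatePreferencesFor has to be extended as well. The explicit `string` type on each constant is also redundant, since untyped string constants compare against the field in the same way.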
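Review bot: The allowlist check in the second hunk sits only in updatePreferencesFor, so it covers just the callers of that helper. SetHomeDashboard, visible as context in the first hunk, takes a `models.SavePreferencesCommand` that appears to be bound from the request, the same type this function builds; if that struct carries a theme field and the handler dispatches it as received (its body lies outside the hunk), an unvalidated theme string could still be stored through POST /api/preferences/set-home-dash. Moving the comparison into a small helper such as `func isValidTheme(theme string) bool` and calling it on every path that fills a SavePreferencesCommand, or validating where the command is handled, would close that gap. If net/http is imported in this file, `http.StatusBadRequest` would read better than the literal `400`.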