-rw-r--r--src/args.rs5
-rw-r--r--src/config.rs2
-rw-r--r--src/file_upload.rs11
-rw-r--r--src/renderer.rs23
4 files changed, 26 insertions, 15 deletions
diff --git a/src/args.rs b/src/args.rs
index c7c988b..6c6d6e0 100644
--- a/src/args.rs
+++ b/src/args.rs
@@ -112,9 +112,8 @@ pub struct CliArgs {
pub file_upload: bool,
/// Restrict upload directories
- #[clap(long = "restrict-upload-dir", requires = "file-upload")]
-
- pub restrict_upload_dir: Vec<String>,
+ #[clap(long = "restrict-upload-dir", requires = "file-upload", value_hint = ValueHint::FilePath)]
+ pub restrict_upload_dir: Vec<PathBuf>,
/// Enable creating directories
#[clap(short = 'U', long = "mkdir", requires = "file-upload")]
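Review bot: `value_hint = ValueHint::FilePath` on `restrict_upload_dir` describes a file, but the option names directories; `ValueHint::DirPath` would make shell completion offer directories only. The doc comment `/// Restrict upload directories` does not say what form the values must take, so I would extend it to something like `/// Restrict uploads to these directories (relative to the served root)`, adjusted to whatever `upload_file` actually compares against. The `CliArgs` struct starts and ends outside the hunk.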
diff --git a/src/config.rs b/src/config.rs
index 380cf5a..3b5c1d7 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -88,7 +88,7 @@ pub struct MiniserveConfig {
pub file_upload: bool,
/// Restrict file upload dirs
- pub restrict_upload_dir: Vec<String>,
+ pub restrict_upload_dir: Vec<PathBuf>,
/// HTML accept attribute value
pub uploadable_media_type: Option<String>,
diff --git a/src/file_upload.rs b/src/file_upload.rs
index 747d0de..56112f3 100644
--- a/src/file_upload.rs
+++ b/src/file_upload.rs
@@ -175,10 +175,15 @@ pub async fn upload_file(
// Disallow paths outside of restricted directories
// TODO: Probably not the most rust-ic style...
if !conf.restrict_upload_dir.is_empty() {
- let upl_path = upload_path.clone().into_os_string().into_string().unwrap();
+ let mut upload_allowed = false;
+ for restricted_dir in conf.restrict_upload_dir.iter() {
+ if upload_path.starts_with(restricted_dir) {
+ upload_allowed = true;
+ break;
+ }
+ }
- if !(conf.restrict_upload_dir.contains(&upl_path)){
- // not good
+ if !upload_allowed {
return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
}
}
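Review bot: `upload_path.starts_with(restricted_dir)` in the added loop is a lexical, component-wise comparison, so on its own it does not stop an `upload_path` that still contains `..` components from resolving outside a restricted directory. Whether `upload_path` is normalised earlier in `upload_file` is not visible, since the function starts and ends outside the hunk; if it is not, reject `Component::ParentDir` or compare canonicalised paths before this check. The configured entries are also used as typed, so a value with a leading `./` or in absolute form may never match, and normalising them once at startup would make the restriction predictable. The flag-and-loop can be written as `let upload_allowed = conf.restrict_upload_dir.iter().any(|dir| upload_path.starts_with(dir));`, which also settles the TODO.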
diff --git a/src/renderer.rs b/src/renderer.rs
index cae09df..2b3d1fa 100644
--- a/src/renderer.rs
+++ b/src/renderer.rs
@@ -39,15 +39,22 @@ pub fn page(
let mkdir_action = build_mkdir_action(&upload_route, encoded_dir);
let title_path = breadcrumbs_to_path_string(breadcrumbs);
- let upload_allowed = conf.restrict_upload_dir.is_empty() ||
- conf.restrict_upload_dir.contains(&encoded_dir[1..].to_string());
-
- let title_path = breadcrumbs
- .iter()
- .map(|el| el.name.clone())
- .collect::<Vec<_>>()
- .join("/");
+ // TODO: Probably not very idiomatic
+ let mut upload_allowed = false;
+
+ if conf.restrict_upload_dir.is_empty() {
+ upload_allowed = true;
+ } else {
+ for restricted_dir in conf.restrict_upload_dir.iter() {
+ let full_restricted_path = &format!("/{}", restricted_dir.display());
+ if encoded_dir.starts_with(full_restricted_path) {
+ upload_allowed = true;
+ break;
+ }
+ }
+ }
+
html! {
(DOCTYPE)
html {
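Review bot: `encoded_dir.starts_with(full_restricted_path)` is a plain string-prefix test, unlike the component-wise `Path::starts_with` used in src/file_upload.rs, so a restricted entry `uploads` would also match a sibling directory such as `/uploads-old`. Enforcement still happens in `upload_file`, so the effect is an upload form shown where the server then rejects the request, but the two checks should agree. The name `encoded_dir` suggests a percent-encoded value; if so, entries containing spaces or non-ASCII characters would not match either and the value should be decoded before comparing. A component-wise version would be `let upload_allowed = conf.restrict_upload_dir.is_empty() || conf.restrict_upload_dir.iter().any(|dir| Path::new(encoded_dir.trim_start_matches('/')).starts_with(dir));`. The body of `page` continues outside the hunk.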