fix(api): enforce import_enabled flag for local storage (#8844)

Ankit-Jaipuriar · Ankit-Jaipuriar · commit 3504a8f101ac · 2025-08-14T00:08:34.000+05:30
diff --git a/pkg/api/controller.go b/pkg/api/controller.go
@@ -3129,7 +3129,20 @@ func (c *Controller) ImportStart(w http.ResponseWriter, r *http.Request, body ap
 	if !c.authorize(w, r, perm) {
 		return
 	}
-
+	repo, err := c.Catalog.GetRepository(r.Context(), repository)
+	if err != nil {
+		_ = c.handleAPIError(r.Context(), w, r, err)
+		return
+	}
+	storageInfo := c.BlockAdapter.GetStorageNamespaceInfo(repo.StorageNamespace)
+	if storageInfo == nil {
+		_ = c.handleAPIError(r.Context(), w, r, graveler.ErrNotFound)
+		return
+	}
+	if !storageInfo.ImportSupport {
+		writeError(w, r, http.StatusForbidden, "import is not supported for this storage namespace")
+		return
+	}
 	ctx := r.Context()
 	c.LogAction(ctx, "import", r, repository, branch, "")
 
diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go
@@ -6628,3 +6628,43 @@ func TestController_GetLicense(t *testing.T) {
 		require.NotNil(t, resp.JSON501, "expected HTTP-501 response, got %v", resp.StatusCode())
 	})
 }
+
+func TestController_ImportStart_Disabled(t *testing.T) {
+	// set up a server with local imports disabled
+	storageLocation := t.TempDir()
+	viper.Set(config.BlockstoreTypeKey, block.BlockstoreTypeLocal)
+	viper.Set("blockstore.local.path", storageLocation)
+	viper.Set("blockstore.local.import_enabled", false)
+
+	clt, deps := setupClientWithAdmin(t)
+	ctx := t.Context()
+
+	// Create a repository with a unique name for the test
+	repo := testUniqueRepoName()
+	createRepoResp, err := clt.CreateRepositoryWithResponse(ctx, &apigen.CreateRepositoryParams{}, apigen.CreateRepositoryJSONRequestBody{
+		Name:             repo,
+		StorageNamespace: onBlock(deps, "bucket/prefix"),
+	})
+	require.NoError(t, err)
+	require.NotNil(t, createRepoResp.JSON201, "expected status 201 Created when creating repo")
+
+	// attempt to start an import
+	resp, err := clt.ImportStartWithResponse(ctx, repo, "main", apigen.ImportStartJSONRequestBody{
+		Commit: apigen.CommitCreation{
+			Message: "test import",
+		},
+		Paths: []apigen.ImportLocation{
+			{
+				Path:        "some/local/path",
+				Type:        "common_prefix",
+				Destination: "/",
+			},
+		},
+	})
+
+	// verify the request is forbidden
+	require.NoError(t, err)
+	require.NotNil(t, resp, "response should not be nil")
+	require.NotNil(t, resp.JSON403, "expected a 403 forbidden response, but got none")
+	require.Contains(t, resp.JSON403.Message, "import is not supported for this storage namespace")
+}
