From 9512e3a8dfdcaf6e3ff129db65f79f94dece55b1 Mon Sep 17 00:00:00 2001
From: morgane <enagore@gmail.com>
Date: Wed, 17 Jun 2026 13:14:46 +0000
Subject: [PATCH] Actualiser api/index.php

---
 api/index.php | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/api/index.php b/api/index.php
index 987302f..e17b52b 100644
--- a/api/index.php
+++ b/api/index.php
@@ -11,6 +11,16 @@
 // ── Core bootstrap (env, security, database, logger) ─────────────────────────
 require_once __DIR__ . '/bootstrap.php';
 
+/** True if $location is a known location key (builtin or custom). */
+function isValidLocation(PDO $db, string $location): bool {
+    static $cache = null;
+    if ($cache === null) {
+        $rows = $db->query("SELECT key FROM locations")->fetchAll(PDO::FETCH_COLUMN);
+        $cache = array_flip($rows);
+    }
+    return isset($cache[$location]);
+}
+
 const RECIPE_PANTRY_MIN_MATCH_SCORE = 80;
 const RECENTLY_EXHAUSTED_DAYS = 30;
 /** How long to suppress auto-re-add after user bought an item (ms, synced with client blocklist). */
@@ -3039,8 +3049,7 @@ function addToInventory(PDO $db): void {
     }
 
     // Validate location
-    $validLocations = ['dispensa', 'frigo', 'freezer', 'altro'];
-    if (!in_array($location, $validLocations)) {
+    if (!isValidLocation($db, $location)) {
         EverLog::warn('addToInventory: invalid location (400)');
         http_response_code(400);
         echo json_encode(['error' => 'Invalid location']);
@@ -11874,9 +11883,8 @@ function familySiblingSuggest(PDO $db): void {
         return;
     }
 
-    $validLocations = ['dispensa', 'frigo', 'freezer', 'altro'];
     $location = $input['location'] ?? 'dispensa';
-    if (!in_array($location, $validLocations, true)) {
+    if (!isValidLocation($db, $location)) {
         $location = 'dispensa';
     }