From c1f1959aa12e32bfee6a4197ca011677093797e9 Mon Sep 17 00:00:00 2001
From: Simon Gardling <titaniumtown@proton.me>
Date: Tue, 5 May 2026 02:21:31 -0400
Subject: [PATCH] firefly-iii-data-importer: fix allowlist

---
 services/firefly-iii-data-importer.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/services/firefly-iii-data-importer.nix b/services/firefly-iii-data-importer.nix
index 25dcec4..4c2a6d6 100644
--- a/services/firefly-iii-data-importer.nix
+++ b/services/firefly-iii-data-importer.nix
@@ -46,6 +46,10 @@ in
       # don't see the noise.
       IGNORE_DUPLICATE_ERRORS = true;
 
+      # `artisan importer:import <path>` rejects any config path whose parent
+      # directory is not in this allow-list. Same dir we hand to the CLI below.
+      IMPORT_DIR_ALLOWLIST = "${fidi.dataDir}/storage/configurations";
+
       # CLI-driven imports only. Leave the /autoimport HTTP endpoint disabled
       # (default) — the systemd timer below uses `artisan importer:import`
       # against a static config file, which avoids exposing another web-