class EntryController extends Controller
{
/**
- * @param Request $request
+ * @param Request $request
+ *
* @Route("/new", name="new_entry")
+ *
* @return \Symfony\Component\HttpFoundation\Response
*/
public function addEntryAction(Request $request)
* Shows unread entries for current user
*
* @Route("/unread", name="unread")
+ *
* @return \Symfony\Component\HttpFoundation\Response
*/
public function showUnreadAction()
* Shows read entries for current user
*
* @Route("/archive", name="archive")
+ *
* @return \Symfony\Component\HttpFoundation\Response
*/
public function showArchiveAction()
* Shows starred entries for current user
*
* @Route("/starred", name="starred")
+ *
* @return \Symfony\Component\HttpFoundation\Response
*/
public function showStarredAction()
/**
* Shows entry content
*
- * @param Entry $entry
+ * @param Entry $entry
+ *
* @Route("/view/{id}", requirements={"id" = "\d+"}, name="view")
+ *
* @return \Symfony\Component\HttpFoundation\Response
*/
public function viewAction(Entry $entry)
{
+ $this->checkUserAction($entry);
+
return $this->render(
'WallabagCoreBundle:Entry:entry.html.twig',
array('entry' => $entry)
/**
* Changes read status for an entry
*
- * @param Request $request
- * @param Entry $entry
+ * @param Request $request
+ * @param Entry $entry
+ *
* @Route("/archive/{id}", requirements={"id" = "\d+"}, name="archive_entry")
+ *
* @return \Symfony\Component\HttpFoundation\RedirectResponse
*/
public function toggleArchiveAction(Request $request, Entry $entry)
{
+ $this->checkUserAction($entry);
+
$entry->toggleArchive();
$this->getDoctrine()->getManager()->flush();
/**
* Changes favorite status for an entry
*
- * @param Request $request
- * @param Entry $entry
+ * @param Request $request
+ * @param Entry $entry
+ *
* @Route("/star/{id}", requirements={"id" = "\d+"}, name="star_entry")
+ *
* @return \Symfony\Component\HttpFoundation\RedirectResponse
*/
public function toggleStarAction(Request $request, Entry $entry)
{
+ $this->checkUserAction($entry);
+
$entry->toggleStar();
$this->getDoctrine()->getManager()->flush();
/**
* Deletes entry
*
- * @param Request $request
- * @param Entry $entry
+ * @param Request $request
+ * @param Entry $entry
+ *
* @Route("/delete/{id}", requirements={"id" = "\d+"}, name="delete_entry")
+ *
* @return \Symfony\Component\HttpFoundation\RedirectResponse
*/
public function deleteEntryAction(Request $request, Entry $entry)
{
- $em = $this->getDoctrine()->getManager();
+ $this->checkUserAction($entry);
+
$entry->setDeleted(1);
- $em->persist($entry);
- $em->flush();
+ $this->getDoctrine()->getManager()->flush();
$this->get('session')->getFlashBag()->add(
'notice',
return $this->redirect($request->headers->get('referer'));
}
+
+ /**
+ * Check if the logged user can manage the given entry
+ *
+ * @param Entry $entry
+ */
+ private function checkUserAction(Entry $entry)
+ {
+ if ($this->getUser()->getId() != $entry->getUser()->getId()) {
+ throw $this->createAccessDeniedException('You can not use this entry.');
+ }
+ }
}
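Review bot: The ownership check in `checkUserAction` uses loose `!=` on the two ids; since `getId()` normally returns an int on both sides, a strict comparison is the safer form and avoids surprises if one side is ever a string: `if ($this->getUser()->getId() !== $entry->getUser()->getId()) {`. `$this->getUser()` returns null when the request is anonymous, and whether these routes are behind an authenticated firewall or an access_control rule is not visible in this hunk, so either confirm that or guard explicitly, e.g. `$user = $this->getUser(); if (null === $user || $user->getId() !== $entry->getUser()->getId()) {`, so an unauthenticated caller gets a 403 rather than a fatal call on null. The same check is wired into viewAction, toggleArchiveAction, toggleStarAction and deleteEntryAction, which covers every entry-scoped action shown here; the list actions (unread/archive/starred) are not in scope of this check and presumably filter by user in their queries, which should be confirmed outside this hunk.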
$this->assertEquals($res->isDeleted(), true);
}
+
+ public function testViewOtherUserEntry()
+ {
+ $this->logInAs('bob');
+ $client = $this->getClient();
+
+ $content = $client->getContainer()
+ ->get('doctrine.orm.entity_manager')
+ ->getRepository('WallabagCoreBundle:Entry')
+ ->createQueryBuilder('e')
+ ->select('e.id')
+ ->leftJoin('e.user', 'u')
+ ->where('u.username != :username')->setParameter('username', 'bob')
+ ->setMaxResults(1)
+ ->getQuery()
+ ->getSingleResult(AbstractQuery::HYDRATE_ARRAY);
+
+ $client->request('GET', '/view/'.$content['id']);
+
+ $this->assertEquals(403, $client->getResponse()->getStatusCode());
+ }
}
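Review bot: `testViewOtherUserEntry` references `AbstractQuery::HYDRATE_ARRAY` but no `use Doctrine\ORM\AbstractQuery;` is visible in this hunk; unless the test file's `use` block (outside the hunk) already imports it, the name resolves inside the test's namespace and the test errors before reaching the assertion. The query also assumes the fixtures contain at least one entry owned by a user other than `bob` — `getSingleResult()` throws otherwise — which is worth a one-line comment such as `// relies on fixtures providing an entry not owned by bob`. Only the 403 path is pinned; a companion test logging in as the entry's owner and asserting 200 on `/view/{id}` would also protect the positive side of `checkUserAction`. The enclosing test class starts outside the hunk.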