Validate sort field

Just to avoid people to sort on crazy unexistant field

diff --git a/src/Wallabag/CoreBundle/Controller/EntryController.php b/src/Wallabag/CoreBundle/Controller/EntryController.php
index cef299900d0636970c4e8e3c3a6477893446b3ec..ff90957b9917661f879472a5186d28dea6ab26a1 100644 (file)
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -532,8 +532,12 @@ class EntryController extends Controller
         $searchTerm = (isset($request->get('search_entry')['term']) ? $request->get('search_entry')['term'] : '');
         $currentRoute = (null !== $request->query->get('currentRoute') ? $request->query->get('currentRoute') : '');
 
-        $sortBy = $request->get('sort', 'id');
-        $direction = $request->get('direction', 'DESC');
+        $sortBy = 'id';
+        if (in_array($request->get('sort', 'id'), ['id', 'created_at', 'title', 'updated_at'], true)) {
+            $sortBy = $request->get('sort', 'id');
+        }
+
+        $direction = 'DESC' === $request->get('direction') ? 'DESC' : 'ASC';
 
         switch ($type) {
             case 'search':

diff --git a/src/Wallabag/CoreBundle/Repository/EntryRepository.php b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
index 92d1867bf7532e924185b54862b6710d86330249..cf1cdb8a5e0a77c8fbb349458099d90baa8a9e40 100644 (file)
--- a/src/Wallabag/CoreBundle/Repository/EntryRepository.php
+++ b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
@@ -16,7 +16,9 @@ class EntryRepository extends EntityRepository
     /**
      * Retrieves all entries for a user.
      *
-     * @param int $userId
+     * @param int    $userId
+     * @param string $sortBy    Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
@@ -30,48 +32,51 @@ class EntryRepository extends EntityRepository
     /**
      * Retrieves unread entries for a user.
      *
-     * @param int $userId
+     * @param int    $userId
+     * @param string $sortBy    Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
     public function getBuilderForUnreadByUser($userId, $sortBy = 'id', $direction = 'DESC')
     {
         return $this
-            ->getSortedQueryBuilderByUser($userId)
+            ->getSortedQueryBuilderByUser($userId, $sortBy, $direction)
             ->andWhere('e.isArchived = false')
-            ->orderBy('e.'.$sortBy, $direction)
         ;
     }
 
     /**
      * Retrieves read entries for a user.
      *
-     * @param int $userId
+     * @param int    $userId
+     * @param string $sortBy    Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
-    public function getBuilderForArchiveByUser($userId, $sortBy = 'id', $direction = 'DESC')
+    public function getBuilderForArchiveByUser($userId, $sortBy = 'archivedAt', $direction = 'DESC')
     {
         return $this
-            ->getSortedQueryBuilderByUser($userId, 'archivedAt', 'desc')
+            ->getSortedQueryBuilderByUser($userId, $sortBy, $direction)
             ->andWhere('e.isArchived = true')
-            ->orderBy('e.'.$sortBy, $direction)
         ;
     }
 
     /**
      * Retrieves starred entries for a user.
      *
-     * @param int $userId
+     * @param int    $userId
+     * @param string $sortBy    Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
-    public function getBuilderForStarredByUser($userId, $sortBy = 'id', $direction = 'DESC')
+    public function getBuilderForStarredByUser($userId, $sortBy = 'starredAt', $direction = 'DESC')
     {
         return $this
-            ->getSortedQueryBuilderByUser($userId, 'starredAt', 'desc')
+            ->getSortedQueryBuilderByUser($userId, $sortBy, $direction)
             ->andWhere('e.isStarred = true')
-            ->orderBy('e.'.$sortBy, $direction)
         ;
     }