author | Jeremy Benoist <jeremy.benoist@gmail.com> | 2019-01-14 17:01:21 +0100 |
---|---|---|
committer | Jeremy Benoist <jeremy.benoist@gmail.com> | 2019-01-14 17:01:21 +0100 |
commit | 78e3fafa3fab86638295fe1ee2a05a559bf56ab1 (patch) | |
tree | 904be517d033438c36b29d2b5c3227f630455b0a | |
parent | a5e9a98aa3c67ac1ad1aff1a250ef8fdc3c24def (diff) | |
Avoid error when a bad `order` parameter is given
Only allowed parameters are asc & desc
3 files changed, 32 insertions, 14 deletions
diff --git a/src/Wallabag/ApiBundle/Controller/EntryRestController.php b/src/Wallabag/ApiBundle/Controller/EntryRestController.php index 0b4e74a0..b2bad406 100644 --- a/src/Wallabag/ApiBundle/Controller/EntryRestController.php +++ b/src/Wallabag/ApiBundle/Controller/EntryRestController.php | |||
@@ -9,6 +9,7 @@ use Nelmio\ApiDocBundle\Annotation\ApiDoc; | |||
9 | use Symfony\Component\HttpFoundation\JsonResponse; | 9 | use Symfony\Component\HttpFoundation\JsonResponse; |
10 | use Symfony\Component\HttpFoundation\Request; | 10 | use Symfony\Component\HttpFoundation\Request; |
11 | use Symfony\Component\HttpFoundation\Response; | 11 | use Symfony\Component\HttpFoundation\Response; |
12 | use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; | ||
12 | use Symfony\Component\HttpKernel\Exception\HttpException; | 13 | use Symfony\Component\HttpKernel\Exception\HttpException; |
13 | use Symfony\Component\Routing\Generator\UrlGeneratorInterface; | 14 | use Symfony\Component\Routing\Generator\UrlGeneratorInterface; |
14 | use Wallabag\CoreBundle\Entity\Entry; | 15 | use Wallabag\CoreBundle\Entity\Entry; |
@@ -98,24 +99,28 @@ class EntryRestController extends WallabagRestController | |||
98 | $isArchived = (null === $request->query->get('archive')) ? null : (bool) $request->query->get('archive'); | 99 | $isArchived = (null === $request->query->get('archive')) ? null : (bool) $request->query->get('archive'); |
99 | $isStarred = (null === $request->query->get('starred')) ? null : (bool) $request->query->get('starred'); | 100 | $isStarred = (null === $request->query->get('starred')) ? null : (bool) $request->query->get('starred'); |
100 | $isPublic = (null === $request->query->get('public')) ? null : (bool) $request->query->get('public'); | 101 | $isPublic = (null === $request->query->get('public')) ? null : (bool) $request->query->get('public'); |
101 | $sort = $request->query->get('sort', 'created'); | 102 | $sort = strtolower($request->query->get('sort', 'created')); |
102 | $order = $request->query->get('order', 'desc'); | 103 | $order = strtolower($request->query->get('order', 'desc')); |
103 | $page = (int) $request->query->get('page', 1); | 104 | $page = (int) $request->query->get('page', 1); |
104 | $perPage = (int) $request->query->get('perPage', 30); | 105 | $perPage = (int) $request->query->get('perPage', 30); |
105 | $tags = \is_array($request->query->get('tags')) ? '' : (string) $request->query->get('tags', ''); | 106 | $tags = \is_array($request->query->get('tags')) ? '' : (string) $request->query->get('tags', ''); |
106 | $since = $request->query->get('since', 0); | 107 | $since = $request->query->get('since', 0); |
107 | 108 | ||
108 | /** @var \Pagerfanta\Pagerfanta $pager */ | 109 | try { |
109 | $pager = $this->get('wallabag_core.entry_repository')->findEntries( | 110 | /** @var \Pagerfanta\Pagerfanta $pager */ |
110 | $this->getUser()->getId(), | 111 | $pager = $this->get('wallabag_core.entry_repository')->findEntries( |
111 | $isArchived, | 112 | $this->getUser()->getId(), |
112 | $isStarred, | 113 | $isArchived, |
113 | $isPublic, | 114 | $isStarred, |
114 | $sort, | 115 | $isPublic, |
115 | $order, | 116 | $sort, |
116 | $since, | 117 | $order, |
117 | $tags | 118 | $since, |
118 | ); | 119 | $tags |
120 | ); | ||
121 | } catch (\Exception $e) { | ||
122 | throw new BadRequestHttpException($e->getMessage()); | ||
123 | } | ||
119 | 124 | ||
120 | $pager->setMaxPerPage($perPage); | 125 | $pager->setMaxPerPage($perPage); |
121 | $pager->setCurrentPage($page); | 126 | $pager->setCurrentPage($page); |
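Review bot: The `catch (\Exception $e)` at new lines 121-123 turns every failure inside findEntries — including database or mapping errors that have nothing to do with the request — into a 400 whose body carries the internal exception message, so server faults are mislabelled as client errors and implementation detail is returned to API consumers. Catch only the type the repository throws for bad input, `} catch (\InvalidArgumentException $e) {`, and let everything else propagate as a 500; the throw in EntryRepository::findEntries (second file of this commit) would use that type. Separately, the new `strtolower($request->query->get('sort', 'created'))` and the matching `order` line at 102-103 have no array guard, unlike the `tags` line at 106, so a request such as `?order[]=x` presumably reaches strtolower() with an array; casting with `(string)` first, as `tags` does, closes that. The enclosing action method starts before this hunk.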
diff --git a/src/Wallabag/CoreBundle/Repository/EntryRepository.php b/src/Wallabag/CoreBundle/Repository/EntryRepository.php index 83379998..cebce714 100644 --- a/src/Wallabag/CoreBundle/Repository/EntryRepository.php +++ b/src/Wallabag/CoreBundle/Repository/EntryRepository.php | |||
@@ -142,7 +142,7 @@ class EntryRepository extends EntityRepository | |||
142 | * | 142 | * |
143 | * @return Pagerfanta | 143 | * @return Pagerfanta |
144 | */ | 144 | */ |
145 | public function findEntries($userId, $isArchived = null, $isStarred = null, $isPublic = null, $sort = 'created', $order = 'ASC', $since = 0, $tags = '') | 145 | public function findEntries($userId, $isArchived = null, $isStarred = null, $isPublic = null, $sort = 'created', $order = 'asc', $since = 0, $tags = '') |
146 | { | 146 | { |
147 | $qb = $this->createQueryBuilder('e') | 147 | $qb = $this->createQueryBuilder('e') |
148 | ->leftJoin('e.tags', 't') | 148 | ->leftJoin('e.tags', 't') |
@@ -185,6 +185,10 @@ class EntryRepository extends EntityRepository | |||
185 | } | 185 | } |
186 | } | 186 | } |
187 | 187 | ||
188 | if (!\in_array(strtolower($order), ['asc', 'desc'], true)) { | ||
189 | throw new \Exception('Order "' . $order . '" parameter is wrong, allowed: asc or desc'); | ||
190 | } | ||
191 | |||
188 | if ('created' === $sort) { | 192 | if ('created' === $sort) { |
189 | $qb->orderBy('e.id', $order); | 193 | $qb->orderBy('e.id', $order); |
190 | } elseif ('updated' === $sort) { | 194 | } elseif ('updated' === $sort) { |
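Review bot: The new check at lines 188-190 whitelists `$order` but `$sort`, consumed by the `if ('created' === $sort)` chain that continues past this hunk, gets no equivalent validation, so an unrecognised sort value appears to fall through silently rather than being rejected the same way. Applying the same pattern, `if (!\in_array($sort, ['created', 'updated'], true)) { throw ... }` with whatever the chain actually accepts, keeps the two parameters consistent. Note also that the message interpolates the raw `$order` value and the controller surfaces that message to the client; that is harmless in a JSON body but worth keeping in mind if the exception is ever rendered elsewhere. findEntries continues outside the hunk.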
diff --git a/tests/Wallabag/ApiBundle/Controller/EntryRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/EntryRestControllerTest.php index 58b617f3..2a1d2e15 100644 --- a/tests/Wallabag/ApiBundle/Controller/EntryRestControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/EntryRestControllerTest.php | |||
@@ -242,6 +242,15 @@ class EntryRestControllerTest extends WallabagApiTestCase | |||
242 | $this->assertSame(2, $content['limit']); | 242 | $this->assertSame(2, $content['limit']); |
243 | } | 243 | } |
244 | 244 | ||
245 | public function testGetStarredEntriesWithBadSort() | ||
246 | { | ||
247 | $this->client->request('GET', '/api/entries', ['starred' => 1, 'sort' => 'updated', 'order' => 'unknown']); | ||
248 | |||
249 | $this->assertSame(400, $this->client->getResponse()->getStatusCode()); | ||
250 | |||
251 | $this->assertSame('application/json', $this->client->getResponse()->headers->get('Content-Type')); | ||
252 | } | ||
253 | |||
245 | public function testGetStarredEntries() | 254 | public function testGetStarredEntries() |
246 | { | 255 | { |
247 | $this->client->request('GET', '/api/entries', ['starred' => 1, 'sort' => 'updated']); | 256 | $this->client->request('GET', '/api/entries', ['starred' => 1, 'sort' => 'updated']); |
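Review bot: testGetStarredEntriesWithBadSort asserts only the status code and content type, so the case-insensitivity the commit adds via strtolower() in the controller is not exercised, and a regression that returned 400 for every request would still pass. Add a positive case, `$this->client->request('GET', '/api/entries', ['starred' => 1, 'sort' => 'updated', 'order' => 'DESC']);` followed by `$this->assertSame(200, $this->client->getResponse()->getStatusCode());`, and in the bad-order test assert on the decoded body that the error text names the rejected parameter. testGetStarredEntries continues past the end of this hunk.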