authorJeremy <jeremy.benoist@gmail.com>2015-02-10 22:33:18 +0100
committerJeremy <jeremy.benoist@gmail.com>2015-02-10 22:56:44 +0100
commit3d2b2d62be287075ca402f1d59a880687f18dfcd (patch)
tree3c99ab6fc3a396541b4aa26802f881b18252109c /src/Wallabag/CoreBundle
parenteb3bd7efb73f2e8500b6415e16438cea77aa4e9a (diff)
Avoid user to see other entries
hehe :)
Diffstat (limited to 'src/Wallabag/CoreBundle')
-rw-r--r--src/Wallabag/CoreBundle/Controller/EntryController.php53
-rw-r--r--src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php21
2 files changed, 63 insertions, 11 deletions
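--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -12,8 +12,10 @@ use Wallabag\CoreBundle\Helper\Url;
 class EntryController extends Controller
 {
     /**
      * @param Request $request
+     *
      * @Route("/new", name="new_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function addEntryAction(Request $request)
@@ -54,6 +56,7 @@ class EntryController extends Controller
      * Shows unread entries for current user
      *
      * @Route("/unread", name="unread")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function showUnreadAction()
@@ -73,6 +76,7 @@ class EntryController extends Controller
      * Shows read entries for current user
      *
      * @Route("/archive", name="archive")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function showArchiveAction()
@@ -92,6 +96,7 @@ class EntryController extends Controller
      * Shows starred entries for current user
      *
      * @Route("/starred", name="starred")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function showStarredAction()
@@ -110,12 +115,16 @@ class EntryController extends Controller
     /**
      * Shows entry content
      *
      * @param Entry $entry
+     *
      * @Route("/view/{id}", requirements={"id" = "\d+"}, name="view")
+     *
      * @return \Symfony\Component\HttpFoundation\Response
      */
     public function viewAction(Entry $entry)
     {
+        $this->checkUserAction($entry);
+
         return $this->render(
             'WallabagCoreBundle:Entry:entry.html.twig',
             array('entry' => $entry)
@@ -125,13 +134,17 @@ class EntryController extends Controller
     /**
      * Changes read status for an entry
      *
      * @param Request $request
      * @param Entry $entry
+     *
      * @Route("/archive/{id}", requirements={"id" = "\d+"}, name="archive_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
     public function toggleArchiveAction(Request $request, Entry $entry)
     {
+        $this->checkUserAction($entry);
+
         $entry->toggleArchive();
         $this->getDoctrine()->getManager()->flush();
 
@@ -146,13 +159,17 @@ class EntryController extends Controller
     /**
      * Changes favorite status for an entry
      *
      * @param Request $request
      * @param Entry $entry
+     *
      * @Route("/star/{id}", requirements={"id" = "\d+"}, name="star_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
     public function toggleStarAction(Request $request, Entry $entry)
     {
+        $this->checkUserAction($entry);
+
         $entry->toggleStar();
         $this->getDoctrine()->getManager()->flush();
 
@@ -167,17 +184,19 @@ class EntryController extends Controller
     /**
      * Deletes entry
      *
      * @param Request $request
      * @param Entry $entry
+     *
      * @Route("/delete/{id}", requirements={"id" = "\d+"}, name="delete_entry")
+     *
      * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
     public function deleteEntryAction(Request $request, Entry $entry)
     {
-        $em = $this->getDoctrine()->getManager();
+        $this->checkUserAction($entry);
+
         $entry->setDeleted(1);
-        $em->persist($entry);
-        $em->flush();
+        $this->getDoctrine()->getManager()->flush();
 
         $this->get('session')->getFlashBag()->add(
             'notice',
@@ -186,4 +205,16 @@ class EntryController extends Controller
 
         return $this->redirect($request->headers->get('referer'));
     }
+
+    /**
+     * Check if the logged user can manage the given entry
+     *
+     * @param Entry $entry
+     */
+    private function checkUserAction(Entry $entry)
+    {
+        if ($this->getUser()->getId() != $entry->getUser()->getId()) {
+            throw $this->createAccessDeniedException('You can not use this entry.');
+        }
+    }
 }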
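Review bot: checkUserAction (new lines 214-219) compares owner ids with loose `!=` and dereferences `$this->getUser()` without a null check, so a request that reaches these routes unauthenticated would die on `null->getId()` instead of getting the intended 403 — unless the firewall already guarantees a logged-in user here, which this diff does not show. A stricter guard is `$user = $this->getUser(); if (null === $user || $user->getId() !== $entry->getUser()->getId()) {`, which keeps the 403 path and avoids `==`-style coercion between the two ids. Because the guard is opt-in per action (it is called in viewAction, toggleArchiveAction, toggleStarAction and deleteEntryAction in this diff), any action added later that takes an Entry ships unprotected until someone remembers the call; a Symfony security voter for Entry ownership would make the check default-deny in one place. The list actions showUnreadAction, showArchiveAction and showStarredAction have their bodies outside these hunks, so whether they filter by owner cannot be confirmed from this page.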
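--- a/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
+++ b/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
@@ -174,4 +174,25 @@ class EntryControllerTest extends WallabagTestCase
 
         $this->assertEquals($res->isDeleted(), true);
     }
+
+    public function testViewOtherUserEntry()
+    {
+        $this->logInAs('bob');
+        $client = $this->getClient();
+
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->createQueryBuilder('e')
+            ->select('e.id')
+            ->leftJoin('e.user', 'u')
+            ->where('u.username != :username')->setParameter('username', 'bob')
+            ->setMaxResults(1)
+            ->getQuery()
+            ->getSingleResult(AbstractQuery::HYDRATE_ARRAY);
+
+        $client->request('GET', '/view/'.$content['id']);
+
+        $this->assertEquals(403, $client->getResponse()->getStatusCode());
+    }
 }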
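Review bot: testViewOtherUserEntry exercises only the /view/{id} route, while the same ownership guard was added to /archive/{id}, /star/{id} and /delete/{id} in EntryController, so a regression on any of those three would go unnoticed. A data provider yielding the four paths and asserting 403 against the same foreign entry id would cover them with no extra fixtures. The query's getSingleResult() also throws NoResultException when the fixtures contain no entry owned by someone other than bob, which PHPUnit reports as an error rather than a failed assertion; switching to `->getOneOrNullResult(AbstractQuery::HYDRATE_ARRAY)` followed by `$this->assertNotEmpty($content, 'fixtures need an entry owned by another user');` makes that precondition explicit. The file's use block is outside this hunk, so `use Doctrine\ORM\AbstractQuery;` is needed if it is not already imported.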