From 96295ec84796551590d24a3516ccbba43469b6f6 Mon Sep 17 00:00:00 2001
From: Jeremy Benoist
Date: Sun, 4 Sep 2016 13:47:07 +0200
Subject: Validate sort field

Just to avoid people to sort on crazy unexistant field
---
 .../CoreBundle/Controller/EntryController.php | 8 ++++--
 .../CoreBundle/Repository/EntryRepository.php | 29 +++++++++++++---------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/Wallabag/CoreBundle/Controller/EntryController.php b/src/Wallabag/CoreBundle/Controller/EntryController.php
index cef29990..ff90957b 100644
--- a/src/Wallabag/CoreBundle/Controller/EntryController.php
+++ b/src/Wallabag/CoreBundle/Controller/EntryController.php
@@ -532,8 +532,12 @@ class EntryController extends Controller
         $searchTerm = (isset($request->get('search_entry')['term']) ? $request->get('search_entry')['term'] : '');
         $currentRoute = (null !== $request->query->get('currentRoute') ? $request->query->get('currentRoute') : '');
 
-        $sortBy = $request->get('sort', 'id');
-        $direction = $request->get('direction', 'DESC');
+        $sortBy = 'id';
+        if (in_array($request->get('sort', 'id'), ['id', 'created_at', 'title', 'updated_at'], true)) {
+            $sortBy = $request->get('sort', 'id');
+        }
+
+        $direction = 'DESC' === $request->get('direction') ? 'DESC' : 'ASC';
 
         switch ($type) {
             case 'search':
diff --git a/src/Wallabag/CoreBundle/Repository/EntryRepository.php b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
index 92d1867b..cf1cdb8a 100644
--- a/src/Wallabag/CoreBundle/Repository/EntryRepository.php
+++ b/src/Wallabag/CoreBundle/Repository/EntryRepository.php
@@ -16,7 +16,9 @@ class EntryRepository extends EntityRepository
     /**
      * Retrieves all entries for a user.
      *
-     * @param int $userId
+     * @param int $userId
+     * @param string $sortBy Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
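Review bot: The new direction line changes the default when no `direction` parameter is sent: `$request->get('direction', 'DESC')` previously fell back to DESC, whereas `'DESC' === $request->get('direction') ? 'DESC' : 'ASC'` now yields ASC for a missing or unrecognised value. If newest-first is still the intended default, invert the test: `$direction = 'ASC' === $request->get('direction') ? 'ASC' : 'DESC';`. The whitelist entries `created_at` and `updated_at` are snake_case, while the repository hunk below passes camelCase field names (`archivedAt`, `starredAt`) to the same builder, so these two values probably do not resolve to Entry properties and should be checked against the entity (likely `createdAt`/`updatedAt`). Reading the parameter once into a local, `$requestedSort = $request->get('sort', 'id');`, would avoid calling `$request->get('sort', 'id')` twice. The enclosing action continues outside the hunk.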
@@ -30,48 +32,51 @@ class EntryRepository extends EntityRepository
     /**
      * Retrieves unread entries for a user.
      *
-     * @param int $userId
+     * @param int $userId
+     * @param string $sortBy Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
     public function getBuilderForUnreadByUser($userId, $sortBy = 'id', $direction = 'DESC')
     {
         return $this
-            ->getSortedQueryBuilderByUser($userId)
+            ->getSortedQueryBuilderByUser($userId, $sortBy, $direction)
             ->andWhere('e.isArchived = false')
-            ->orderBy('e.'.$sortBy, $direction)
         ;
     }
 
     /**
      * Retrieves read entries for a user.
      *
-     * @param int $userId
+     * @param int $userId
+     * @param string $sortBy Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
-    public function getBuilderForArchiveByUser($userId, $sortBy = 'id', $direction = 'DESC')
+    public function getBuilderForArchiveByUser($userId, $sortBy = 'archivedAt', $direction = 'DESC')
     {
         return $this
-            ->getSortedQueryBuilderByUser($userId, 'archivedAt', 'desc')
+            ->getSortedQueryBuilderByUser($userId, $sortBy, $direction)
             ->andWhere('e.isArchived = true')
-            ->orderBy('e.'.$sortBy, $direction)
         ;
     }
 
     /**
      * Retrieves starred entries for a user.
      *
-     * @param int $userId
+     * @param int $userId
+     * @param string $sortBy Field to sort
+     * @param string $direction Direction of the order
      *
      * @return QueryBuilder
      */
-    public function getBuilderForStarredByUser($userId, $sortBy = 'id', $direction = 'DESC')
+    public function getBuilderForStarredByUser($userId, $sortBy = 'starredAt', $direction = 'DESC')
     {
         return $this
-            ->getSortedQueryBuilderByUser($userId, 'starredAt', 'desc')
+            ->getSortedQueryBuilderByUser($userId, $sortBy, $direction)
             ->andWhere('e.isStarred = true')
-            ->orderBy('e.'.$sortBy, $direction)
         ;
     }
 
--
cgit v1.2.3
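Review bot: Every `$sortBy` and `$direction` passed to getBuilderForUnreadByUser, getBuilderForArchiveByUser and getBuilderForStarredByUser is now forwarded verbatim to getSortedQueryBuilderByUser, whose body lies outside this hunk, so nothing visible in the repository rejects an unknown field and the controller whitelist is the only guard on what ends up in the ORDER BY clause. Since other callers of these public methods may not apply the same filter, consider validating once inside the repository against a class constant listing the allowed Entry properties and throwing `\InvalidArgumentException` otherwise, and likewise normalising `$direction` to `ASC`/`DESC`. The new docblocks should state that contract rather than "Field to sort", e.g. `@param string $sortBy Entry property name used for ORDER BY (must be a known entity field such as 'archivedAt')` and `@param string $direction 'ASC' or 'DESC'`. The two previously hard-coded orderings ('archivedAt'/'desc', 'starredAt'/'desc') now depend on whether the caller supplies its own `$sortBy`, which is a behaviour change worth a sentence in the commit description.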