Fix adding tag to entries from other people

I've also limited tag length to 20 chars (and limit adding more than 5 tags at once)
2024-11-23 01:21:03 +00:00 · 2023-02-07 21:18:06 +01:00 · 2023-02-07 21:18:06 +01:00 · 242e3feac9
commit 242e3feac9
parent 784bc1393c
2 changed files with 26 additions and 1 deletions
--- a/src/Wallabag/CoreBundle/Controller/TagController.php
+++ b/src/Wallabag/CoreBundle/Controller/TagController.php
@ -17,7 +17,7 @@ use Wallabag\CoreBundle\Form\Type\RenameTagType;
 class TagController extends Controller
 {
    /**
-     * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
+     * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
     *
     * @return \Symfony\Component\HttpFoundation\Response
     */
@ -26,7 +26,17 @@ class TagController extends Controller
        $form = $this->createForm(NewTagType::class, new Tag());
        $form->handleRequest($request);

+        $tags = $form->get('label')->getData();
+        $tagsExploded = explode(',', $tags);
+
+        // avoid too much tag to be added
+        if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
+            return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
+        }
+
        if ($form->isSubmitted() && $form->isValid()) {
+            $this->checkUserAction($entry);
+
            $this->get('wallabag_core.tags_assigner')->assignTagsToEntry(
                $entry,
                $form->get('label')->getData()
@ -59,6 +69,8 @@ class TagController extends Controller
     */
    public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
    {
+        $this->checkUserAction($entry);
+
        $entry->removeTag($tag);
        $em = $this->getDoctrine()->getManager();
        $em->flush();
@ -222,4 +234,14 @@ class TagController extends Controller

        return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true));
    }
+
+    /**
+     * Check if the logged user can manage the given entry.
+     */
+    private function checkUserAction(Entry $entry)
+    {
+        if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
+            throw $this->createAccessDeniedException('You can not access this entry.');
+        }
+    }
 }
--- a/src/Wallabag/CoreBundle/Form/Type/NewTagType.php
+++ b/src/Wallabag/CoreBundle/Form/Type/NewTagType.php
@ -10,6 +10,8 @@ use Symfony\Component\OptionsResolver\OptionsResolver;

 class NewTagType extends AbstractType
 {
+    public const MAX_LENGTH = 40;
+
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder
@ -17,6 +19,7 @@ class NewTagType extends AbstractType
                'required' => true,
                'attr' => [
                    'placeholder' => 'tag.new.placeholder',
+                    'max_length' => self::MAX_LENGTH,
                ],
            ])
            ->add('add', SubmitType::class, [