From 242e3feac9270b17caf9f186eba2e2f986d30c41 Mon Sep 17 00:00:00 2001
From: Jeremy Benoist
Date: Tue, 7 Feb 2023 21:18:06 +0100
Subject: [PATCH] Fix adding tag to entries from other people
I've also limited tag length to 20 chars (and limit adding more than 5 tags at once)
---
 .../CoreBundle/Controller/TagController.php | 24 ++++++++++++++++++-
 .../CoreBundle/Form/Type/NewTagType.php | 3 +++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/Wallabag/CoreBundle/Controller/TagController.php b/src/Wallabag/CoreBundle/Controller/TagController.php
index 7df73e8c7..a18c9f39a 100644
--- a/src/Wallabag/CoreBundle/Controller/TagController.php
+++ b/src/Wallabag/CoreBundle/Controller/TagController.php
@@ -17,7 +17,7 @@ use Wallabag\CoreBundle\Form\Type\RenameTagType;
 class TagController extends Controller
 {
 /**
- * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
+ * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
 *
 * @return \Symfony\Component\HttpFoundation\Response
 */
@@ -26,7 +26,17 @@ class TagController extends Controller
 $form = $this->createForm(NewTagType::class, new Tag());
 $form->handleRequest($request);
 
+ $tags = $form->get('label')->getData();
+ $tagsExploded = explode(',', $tags);
+
+ // avoid too much tag to be added
+ if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
+ return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
+ }
+
 if ($form->isSubmitted() && $form->isValid()) {
+ $this->checkUserAction($entry);
+
 $this->get('wallabag_core.tags_assigner')->assignTagsToEntry(
 $entry,
 $form->get('label')->getData()
@@ -59,6 +69,8 @@ class TagController extends Controller
 */
 public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
 {
+ $this->checkUserAction($entry);
+
 $entry->removeTag($tag);
 $em = $this->getDoctrine()->getManager();
 $em->flush();
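Review bot: The new guard in the @@ -26 hunk runs before `$form->isSubmitted()` and reads `$form->get('label')->getData()`, which is null on a POST that does not carry the field, so `explode(',', $tags)` and `\strlen($tags)` receive null (deprecated on PHP 8.1+) and the guard passes trivially; the check belongs inside the submitted-and-valid branch, or should start from `$tags = (string) $form->get('label')->getData();`. Both comparisons are off by one relative to the stated intent: `>= 5` rejects exactly five tags and `>= NewTagType::MAX_LENGTH` rejects a label of exactly MAX_LENGTH characters, which the form field is meant to allow, so `> 5` and `> NewTagType::MAX_LENGTH` are what the commit message describes. `\strlen` counts bytes, so a multibyte label hits the limit earlier than a per-character limit implies; `mb_strlen` keeps the two consistent. The rejected request is redirected silently with no flash message, so the user gets no indication that the tags were dropped. The signature of the enclosing action and the rest of its body lie outside the hunk.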
@@ -222,4 +234,14 @@ class TagController extends Controller
 
 return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true));
 }
+
+ /**
+ * Check if the logged user can manage the given entry.
+ */
+ private function checkUserAction(Entry $entry)
+ {
+ if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
+ throw $this->createAccessDeniedException('You can not access this entry.');
+ }
+ }
 }
diff --git a/src/Wallabag/CoreBundle/Form/Type/NewTagType.php b/src/Wallabag/CoreBundle/Form/Type/NewTagType.php
index e830ade48..01caa75d9 100644
--- a/src/Wallabag/CoreBundle/Form/Type/NewTagType.php
+++ b/src/Wallabag/CoreBundle/Form/Type/NewTagType.php
@@ -10,6 +10,8 @@ use Symfony\Component\OptionsResolver\OptionsResolver;
 
 class NewTagType extends AbstractType
 {
+ public const MAX_LENGTH = 40;
+
 public function buildForm(FormBuilderInterface $builder, array $options)
 {
 $builder
@@ -17,6 +19,7 @@ class NewTagType extends AbstractType
 'required' => true,
 'attr' => [
 'placeholder' => 'tag.new.placeholder',
+ 'max_length' => self::MAX_LENGTH,
 ],
 ])
 ->add('add', SubmitType::class, [
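Review bot: The docblock on checkUserAction describes it as a check, but the method returns nothing and signals denial by throwing, so the docblock should state the contract, e.g. `Throws an AccessDeniedException unless the logged user owns the given entry.` with `@throws \Symfony\Component\Security\Core\Exception\AccessDeniedException`, and a `: void` return type if the file's style permits it. The comparison dereferences `$entry->getUser()` without a null check; if an Entry can exist without an owner this path would raise an Error rather than a clean denial, which is worth confirming against the entity definition.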
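Review bot: In the NewTagType hunk, `'max_length'` is not an HTML attribute and Symfony renders `attr` keys verbatim, so the field will carry `max_length="40"`, which browsers ignore; the client-side hint needs `'maxlength' => self::MAX_LENGTH,`. The server-side limit currently lives only in the controller guard, so a `'constraints' => [new Length(['max' => self::MAX_LENGTH])],` on this field would enforce it through normal form validation and surface an error message instead of a silent redirect. The constant is 40 while the commit message says tag length was limited to 20 chars; one of the two should be corrected so the documented limit matches the code.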