mirror of
https://github.com/wallabag/wallabag.git
synced 2025-01-18 12:55:26 +00:00
Merge remote-tracking branch 'origin/2.5.x'
This commit is contained in:
commit
66b7bdd07c
18 changed files with 614 additions and 472 deletions
21
CHANGELOG.md
21
CHANGELOG.md
|
@ -1,5 +1,26 @@
|
|||
# Changelog
|
||||
|
||||
## [2.5.4](https://github.com/wallabag/wallabag/tree/2.5.4)
|
||||
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.3...2.5.4)
|
||||
|
||||
### Security fixes
|
||||
* Fix adding tag to entries from other people by @j0k3r in https://github.com/wallabag/wallabag/pull/6290
|
||||
* Fix XSS on username on share page by @j0k3r in https://github.com/wallabag/wallabag/pull/6288
|
||||
* Fix CSRF on user deletion by @j0k3r in https://github.com/wallabag/wallabag/pull/6289
|
||||
|
||||
### Meta
|
||||
* Fix release script by @j0k3r in https://github.com/wallabag/wallabag/pull/6275
|
||||
|
||||
## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3)
|
||||
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3)
|
||||
|
||||
### Security fixes
|
||||
* Fix GHSA-qwx8-mxxx-mg96 https://github.com/wallabag/wallabag/commit/0f7460dbab9e29f4f7d2944aca20210f828b6abb by @Kdecherf, thanks to @bAuh0lz
|
||||
* Fix GHSA-mrqx-mjc4-vfh3 https://github.com/wallabag/wallabag/commit/5ac6b6bff9e2e3a87fd88c2904ff3c6aac40722e by @Kdecherf, thanks to @bAuh0lz
|
||||
|
||||
### Meta
|
||||
* Update deps before 2.5.3 by @j0k3r in https://github.com/wallabag/wallabag/pull/6241
|
||||
|
||||
## [2.5.2](https://github.com/wallabag/wallabag/tree/2.5.2)
|
||||
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.1...2.5.2)
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
wallabag_core:
|
||||
version: 2.5.2
|
||||
version: 2.5.4
|
||||
paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
|
||||
languages:
|
||||
en: 'English'
|
||||
|
|
|
@ -9,7 +9,7 @@ ENV=$4
|
|||
|
||||
rm -rf "${TMP_FOLDER:?}"/"$RELEASE_FOLDER"
|
||||
mkdir "$TMP_FOLDER"/"$RELEASE_FOLDER"
|
||||
git clone https://github.com/wallabag/wallabag.git "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION"
|
||||
git clone https://github.com/wallabag/wallabag.git --single-branch --depth 1 --branch $1 "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION"
|
||||
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && SYMFONY_ENV="$ENV" COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev
|
||||
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console wallabag:install --env="$ENV" -n
|
||||
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console assets:install --env="$ENV" --symlink --relative
|
||||
|
|
|
@ -5,10 +5,10 @@ namespace Wallabag\AnnotationBundle\Controller;
|
|||
use Doctrine\ORM\EntityManagerInterface;
|
||||
use FOS\RestBundle\Controller\AbstractFOSRestController;
|
||||
use JMS\Serializer\SerializerInterface;
|
||||
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
|
||||
use Symfony\Component\Form\FormFactoryInterface;
|
||||
use Symfony\Component\HttpFoundation\JsonResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\Routing\Annotation\Route;
|
||||
use Wallabag\AnnotationBundle\Entity\Annotation;
|
||||
use Wallabag\AnnotationBundle\Form\EditAnnotationType;
|
||||
|
@ -40,7 +40,7 @@ class WallabagAnnotationController extends AbstractFOSRestController
|
|||
*/
|
||||
public function getAnnotationsAction(Entry $entry, AnnotationRepository $annotationRepository)
|
||||
{
|
||||
$annotationRows = $annotationRepository->findAnnotationsByPageId($entry->getId(), $this->getUser()->getId());
|
||||
$annotationRows = $annotationRepository->findByEntryIdAndUserId($entry->getId(), $this->getUser()->getId());
|
||||
|
||||
$total = \count($annotationRows);
|
||||
$annotations = ['total' => $total, 'rows' => $annotationRows];
|
||||
|
@ -90,30 +90,35 @@ class WallabagAnnotationController extends AbstractFOSRestController
|
|||
* @see Wallabag\ApiBundle\Controller\WallabagRestController
|
||||
*
|
||||
* @Route("/annotations/{annotation}.{_format}", methods={"PUT"}, name="annotations_put_annotation", defaults={"_format": "json"})
|
||||
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function putAnnotationAction(Annotation $annotation, Request $request)
|
||||
public function putAnnotationAction(Request $request, AnnotationRepository $annotationRepository, int $annotation)
|
||||
{
|
||||
$data = json_decode($request->getContent(), true);
|
||||
try {
|
||||
$annotation = $this->validateAnnotation($annotationRepository, $annotation, $this->getUser()->getId());
|
||||
|
||||
$form = $this->formFactory->createNamed('', EditAnnotationType::class, $annotation, [
|
||||
'csrf_protection' => false,
|
||||
'allow_extra_fields' => true,
|
||||
]);
|
||||
$form->submit($data);
|
||||
$data = json_decode($request->getContent(), true, 512, \JSON_THROW_ON_ERROR);
|
||||
|
||||
if ($form->isValid()) {
|
||||
$this->entityManager->persist($annotation);
|
||||
$this->entityManager->flush();
|
||||
$form = $this->formFactory->createNamed('', EditAnnotationType::class, $annotation, [
|
||||
'csrf_protection' => false,
|
||||
'allow_extra_fields' => true,
|
||||
]);
|
||||
$form->submit($data);
|
||||
|
||||
$json = $this->serializer->serialize($annotation, 'json');
|
||||
if ($form->isValid()) {
|
||||
$this->entityManager->persist($annotation);
|
||||
$this->entityManager->flush();
|
||||
|
||||
return JsonResponse::fromJsonString($json);
|
||||
$json = $this->serializer->serialize($annotation, 'json');
|
||||
|
||||
return JsonResponse::fromJsonString($json);
|
||||
}
|
||||
|
||||
return $form;
|
||||
} catch (\InvalidArgumentException $e) {
|
||||
throw new NotFoundHttpException($e);
|
||||
}
|
||||
|
||||
return $form;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -122,17 +127,33 @@ class WallabagAnnotationController extends AbstractFOSRestController
|
|||
* @see Wallabag\ApiBundle\Controller\WallabagRestController
|
||||
*
|
||||
* @Route("/annotations/{annotation}.{_format}", methods={"DELETE"}, name="annotations_delete_annotation", defaults={"_format": "json"})
|
||||
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function deleteAnnotationAction(Annotation $annotation)
|
||||
public function deleteAnnotationAction(AnnotationRepository $annotationRepository, int $annotation)
|
||||
{
|
||||
$this->entityManager->remove($annotation);
|
||||
$this->entityManager->flush();
|
||||
try {
|
||||
$annotation = $this->validateAnnotation($annotationRepository, $annotation, $this->getUser()->getId());
|
||||
|
||||
$json = $this->serializer->serialize($annotation, 'json');
|
||||
$this->entityManager->remove($annotation);
|
||||
$this->entityManager->flush();
|
||||
|
||||
return (new JsonResponse())->setJson($json);
|
||||
$json = $this->serializer->serialize($annotation, 'json');
|
||||
|
||||
return (new JsonResponse())->setJson($json);
|
||||
} catch (\InvalidArgumentException $e) {
|
||||
throw new NotFoundHttpException($e);
|
||||
}
|
||||
}
|
||||
|
||||
private function validateAnnotation(AnnotationRepository $annotationRepository, int $annotationId, int $userId)
|
||||
{
|
||||
$annotation = $annotationRepository->findOneByIdAndUserId($annotationId, $userId);
|
||||
|
||||
if (null === $annotation) {
|
||||
throw new NotFoundHttpException();
|
||||
}
|
||||
|
||||
return $annotation;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,6 +34,15 @@ class AnnotationFixtures extends Fixture implements DependentFixtureInterface
|
|||
|
||||
$this->addReference('annotation2', $annotation2);
|
||||
|
||||
$annotation3 = new Annotation($this->getReference('bob-user'));
|
||||
$annotation3->setEntry($this->getReference('entry3'));
|
||||
$annotation3->setText('This is my first annotation !');
|
||||
$annotation3->setQuote('content');
|
||||
|
||||
$manager->persist($annotation3);
|
||||
|
||||
$this->addReference('annotation3', $annotation3);
|
||||
|
||||
$manager->flush();
|
||||
}
|
||||
|
||||
|
|
|
@ -49,6 +49,24 @@ class AnnotationRepository extends ServiceEntityRepository
|
|||
;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find annotation by id and user.
|
||||
*
|
||||
* @param int $annotationId
|
||||
* @param int $userId
|
||||
*
|
||||
* @return Annotation
|
||||
*/
|
||||
public function findOneByIdAndUserId($annotationId, $userId)
|
||||
{
|
||||
return $this->createQueryBuilder('a')
|
||||
->where('a.id = :annotationId')->setParameter('annotationId', $annotationId)
|
||||
->andWhere('a.user = :userId')->setParameter('userId', $userId)
|
||||
->setMaxResults(1)
|
||||
->getQuery()
|
||||
->getOneOrNullResult();
|
||||
}
|
||||
|
||||
/**
|
||||
* Find annotations for entry id.
|
||||
*
|
||||
|
@ -57,7 +75,7 @@ class AnnotationRepository extends ServiceEntityRepository
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function findAnnotationsByPageId($entryId, $userId)
|
||||
public function findByEntryIdAndUserId($entryId, $userId)
|
||||
{
|
||||
return $this->createQueryBuilder('a')
|
||||
->where('a.entry = :entryId')->setParameter('entryId', $entryId)
|
||||
|
@ -74,7 +92,7 @@ class AnnotationRepository extends ServiceEntityRepository
|
|||
*
|
||||
* @return array
|
||||
*/
|
||||
public function findLastAnnotationByPageId($entryId, $userId)
|
||||
public function findLastAnnotationByUserId($entryId, $userId)
|
||||
{
|
||||
return $this->createQueryBuilder('a')
|
||||
->where('a.entry = :entryId')->setParameter('entryId', $entryId)
|
||||
|
|
|
@ -4,7 +4,6 @@ namespace Wallabag\ApiBundle\Controller;
|
|||
|
||||
use Nelmio\ApiDocBundle\Annotation\Operation;
|
||||
use OpenApi\Annotations as OA;
|
||||
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
|
||||
use Symfony\Component\HttpFoundation\JsonResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\Routing\Annotation\Route;
|
||||
|
@ -138,11 +137,10 @@ class AnnotationRestController extends WallabagRestController
|
|||
* )
|
||||
*
|
||||
* @Route("/api/annotations/{annotation}.{_format}", methods={"PUT"}, name="api_put_annotation", defaults={"_format": "json"})
|
||||
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function putAnnotationAction(Annotation $annotation, Request $request)
|
||||
public function putAnnotationAction(int $annotation, Request $request)
|
||||
{
|
||||
$this->validateAuthentication();
|
||||
|
||||
|
@ -175,11 +173,10 @@ class AnnotationRestController extends WallabagRestController
|
|||
* )
|
||||
*
|
||||
* @Route("/api/annotations/{annotation}.{_format}", methods={"DELETE"}, name="api_delete_annotation", defaults={"_format": "json"})
|
||||
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
|
||||
*
|
||||
* @return JsonResponse
|
||||
*/
|
||||
public function deleteAnnotationAction(Annotation $annotation)
|
||||
public function deleteAnnotationAction(int $annotation)
|
||||
{
|
||||
$this->validateAuthentication();
|
||||
|
||||
|
|
|
@ -592,7 +592,7 @@ class ConfigController extends AbstractController
|
|||
/**
|
||||
* Delete account for current user.
|
||||
*
|
||||
* @Route("/account/delete", name="delete_account")
|
||||
* @Route("/account/delete", name="delete_account", methods={"POST"})
|
||||
*
|
||||
* @throws AccessDeniedHttpException
|
||||
*
|
||||
|
@ -600,6 +600,10 @@ class ConfigController extends AbstractController
|
|||
*/
|
||||
public function deleteAccountAction(Request $request, UserRepository $userRepository, TokenStorageInterface $tokenStorage)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$enabledUsers = $userRepository->getSumEnabledUsers();
|
||||
|
||||
if ($enabledUsers <= 1) {
|
||||
|
|
|
@ -7,7 +7,6 @@ use Symfony\Component\HttpFoundation\Request;
|
|||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\Routing\Annotation\Route;
|
||||
use Wallabag\CoreBundle\Entity\Entry;
|
||||
use Wallabag\CoreBundle\Helper\EntriesExport;
|
||||
use Wallabag\CoreBundle\Repository\EntryRepository;
|
||||
use Wallabag\CoreBundle\Repository\TagRepository;
|
||||
|
@ -28,9 +27,20 @@ class ExportController extends AbstractController
|
|||
*
|
||||
* @return Response
|
||||
*/
|
||||
public function downloadEntryAction(Entry $entry, EntriesExport $entriesExport, string $format)
|
||||
public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, int $id)
|
||||
{
|
||||
try {
|
||||
$entry = $entryRepository->find($id);
|
||||
|
||||
/*
|
||||
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
|
||||
*
|
||||
* This should be eventually rewritten
|
||||
*/
|
||||
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
|
||||
throw new NotFoundHttpException();
|
||||
}
|
||||
|
||||
return $entriesExport
|
||||
->setEntries($entry)
|
||||
->updateTitle('entry')
|
||||
|
|
|
@ -35,7 +35,7 @@ class TagController extends AbstractController
|
|||
}
|
||||
|
||||
/**
|
||||
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
|
||||
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
|
||||
*
|
||||
* @return Response
|
||||
*/
|
||||
|
@ -44,7 +44,17 @@ class TagController extends AbstractController
|
|||
$form = $this->createForm(NewTagType::class, new Tag());
|
||||
$form->handleRequest($request);
|
||||
|
||||
$tags = $form->get('label')->getData();
|
||||
$tagsExploded = explode(',', $tags);
|
||||
|
||||
// avoid too much tag to be added
|
||||
if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
|
||||
return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
|
||||
}
|
||||
|
||||
if ($form->isSubmitted() && $form->isValid()) {
|
||||
$this->checkUserAction($entry);
|
||||
|
||||
$this->tagsAssigner->assignTagsToEntry(
|
||||
$entry,
|
||||
$form->get('label')->getData()
|
||||
|
@ -76,6 +86,8 @@ class TagController extends AbstractController
|
|||
*/
|
||||
public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
|
||||
{
|
||||
$this->checkUserAction($entry);
|
||||
|
||||
$entry->removeTag($tag);
|
||||
$this->entityManager->flush();
|
||||
|
||||
|
@ -260,4 +272,14 @@ class TagController extends AbstractController
|
|||
|
||||
return $this->redirect($redirectUrl);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the logged user can manage the given entry.
|
||||
*/
|
||||
private function checkUserAction(Entry $entry)
|
||||
{
|
||||
if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
|
||||
throw $this->createAccessDeniedException('You can not access this entry.');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,6 +11,8 @@ use Wallabag\CoreBundle\Entity\Tag;
|
|||
|
||||
class NewTagType extends AbstractType
|
||||
{
|
||||
public const MAX_LENGTH = 40;
|
||||
|
||||
public function buildForm(FormBuilderInterface $builder, array $options)
|
||||
{
|
||||
$builder
|
||||
|
@ -18,6 +20,7 @@ class NewTagType extends AbstractType
|
|||
'required' => true,
|
||||
'attr' => [
|
||||
'placeholder' => 'tag.new.placeholder',
|
||||
'max_length' => self::MAX_LENGTH,
|
||||
],
|
||||
])
|
||||
->add('add', SubmitType::class, [
|
||||
|
|
|
@ -561,9 +561,11 @@
|
|||
<div class="row">
|
||||
<h5>{{ 'config.form_user.delete.title'|trans }}</h5>
|
||||
<p>{{ 'config.form_user.delete.description'|trans }}</p>
|
||||
<a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account">
|
||||
{{ 'config.form_user.delete.button'|trans }}
|
||||
</a>
|
||||
<form action="{{ path('delete_account') }}" method="post" onsubmit="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" name="delete-account">
|
||||
<input type="hidden" name="token" value="{{ csrf_token('delete-account') }}" />
|
||||
|
||||
<button class="waves-effect waves-light btn red" type="submit">{{ 'config.form_user.delete.button'|trans }}</button>
|
||||
</form>
|
||||
</div>
|
||||
{% endif %}
|
||||
</div>
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
<header class="block">
|
||||
<h1>{{ entry.title|e|raw }}</h1>
|
||||
<a href="{{ entry.url|e }}" target="_blank" rel="noopener" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a>
|
||||
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username})|raw }}.</p>
|
||||
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username|escape})|raw }}.</p>
|
||||
</header>
|
||||
<article class="block">
|
||||
{{ entry.content|raw }}
|
||||
|
|
|
@ -24,8 +24,6 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
}
|
||||
|
||||
/**
|
||||
* Test fetching annotations for an entry.
|
||||
*
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testGetAnnotations($prefixUrl)
|
||||
|
@ -37,15 +35,7 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
->findOneByUserName('admin');
|
||||
$entry = $em
|
||||
->getRepository(Entry::class)
|
||||
->findOneByUsernameAndNotArchived('admin');
|
||||
|
||||
$annotation = new Annotation($user);
|
||||
$annotation->setEntry($entry);
|
||||
$annotation->setText('This is my annotation /o/');
|
||||
$annotation->setQuote('content');
|
||||
|
||||
$em->persist($annotation);
|
||||
$em->flush();
|
||||
->findByUrlAndUserId('http://0.0.0.0/entry1', $user->getId());
|
||||
|
||||
if ('annotations' === $prefixUrl) {
|
||||
$this->logInAs('admin');
|
||||
|
@ -56,23 +46,44 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
|
||||
$content = json_decode($this->client->getResponse()->getContent(), true);
|
||||
$this->assertGreaterThanOrEqual(1, $content['total']);
|
||||
$this->assertSame($annotation->getText(), $content['rows'][0]['text']);
|
||||
|
||||
// we need to re-fetch the annotation becase after the flush, it has been "detached" from the entity manager
|
||||
$annotation = $em->getRepository(Annotation::class)->findAnnotationById($annotation->getId());
|
||||
$em->remove($annotation);
|
||||
$em->flush();
|
||||
}
|
||||
|
||||
/**
|
||||
* Test creating an annotation for an entry.
|
||||
*
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testGetAnnotationsFromAnOtherUser($prefixUrl)
|
||||
{
|
||||
$em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
|
||||
|
||||
$otherUser = $em
|
||||
->getRepository(User::class)
|
||||
->findOneByUserName('bob');
|
||||
$entry = $em
|
||||
->getRepository(Entry::class)
|
||||
->findByUrlAndUserId('http://0.0.0.0/entry3', $otherUser->getId());
|
||||
|
||||
if ('annotations' === $prefixUrl) {
|
||||
$this->logInAs('admin');
|
||||
}
|
||||
|
||||
$this->client->request('GET', $prefixUrl . '/' . $entry->getId() . '.json');
|
||||
$this->assertSame(200, $this->client->getResponse()->getStatusCode());
|
||||
|
||||
$content = json_decode($this->client->getResponse()->getContent(), true);
|
||||
$this->assertGreaterThanOrEqual(0, $content['total']);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testSetAnnotation($prefixUrl)
|
||||
{
|
||||
$em = $this->client->getContainer()->get(EntityManagerInterface::class);
|
||||
|
||||
$user = $em
|
||||
->getRepository(User::class)
|
||||
->findOneByUserName('admin');
|
||||
|
||||
if ('annotations' === $prefixUrl) {
|
||||
$this->logInAs('admin');
|
||||
}
|
||||
|
@ -104,7 +115,7 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
/** @var Annotation $annotation */
|
||||
$annotation = $em
|
||||
->getRepository(Annotation::class)
|
||||
->findLastAnnotationByPageId($entry->getId(), 1);
|
||||
->findLastAnnotationByUserId($entry->getId(), $user->getId());
|
||||
|
||||
$this->assertSame('my annotation', $annotation->getText());
|
||||
}
|
||||
|
@ -197,8 +208,6 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
}
|
||||
|
||||
/**
|
||||
* Test editing an existing annotation.
|
||||
*
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testEditAnnotation($prefixUrl)
|
||||
|
@ -245,8 +254,31 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
}
|
||||
|
||||
/**
|
||||
* Test deleting an annotation.
|
||||
*
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testEditAnnotationFromAnOtherUser($prefixUrl)
|
||||
{
|
||||
$em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
|
||||
|
||||
$otherUser = $em
|
||||
->getRepository(User::class)
|
||||
->findOneByUserName('bob');
|
||||
$entry = $em
|
||||
->getRepository(Entry::class)
|
||||
->findByUrlAndUserId('http://0.0.0.0/entry3', $otherUser->getId());
|
||||
$annotation = $em
|
||||
->getRepository(Annotation::class)
|
||||
->findLastAnnotationByUserId($entry->getId(), $otherUser->getId());
|
||||
|
||||
$headers = ['CONTENT_TYPE' => 'application/json'];
|
||||
$content = json_encode([
|
||||
'text' => 'a modified annotation',
|
||||
]);
|
||||
$this->client->request('PUT', $prefixUrl . '/' . $annotation->getId() . '.json', [], [], $headers, $content);
|
||||
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testDeleteAnnotation($prefixUrl)
|
||||
|
@ -289,4 +321,40 @@ class AnnotationControllerTest extends WallabagAnnotationTestCase
|
|||
|
||||
$this->assertNull($annotationDeleted);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider dataForEachAnnotations
|
||||
*/
|
||||
public function testDeleteAnnotationFromAnOtherUser($prefixUrl)
|
||||
{
|
||||
$em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
|
||||
|
||||
$otherUser = $em
|
||||
->getRepository(User::class)
|
||||
->findOneByUserName('bob');
|
||||
$entry = $em
|
||||
->getRepository(Entry::class)
|
||||
->findByUrlAndUserId('http://0.0.0.0/entry3', $otherUser->getId());
|
||||
$annotation = $em
|
||||
->getRepository(Annotation::class)
|
||||
->findLastAnnotationByUserId($entry->getId(), $otherUser->getId());
|
||||
|
||||
$user = $em
|
||||
->getRepository(User::class)
|
||||
->findOneByUserName('admin');
|
||||
$entry = $em
|
||||
->getRepository(Entry::class)
|
||||
->findOneByUsernameAndNotArchived('admin');
|
||||
|
||||
if ('annotations' === $prefixUrl) {
|
||||
$this->logInAs('admin');
|
||||
}
|
||||
|
||||
$headers = ['CONTENT_TYPE' => 'application/json'];
|
||||
$content = json_encode([
|
||||
'text' => 'a modified annotation',
|
||||
]);
|
||||
$this->client->request('DELETE', $prefixUrl . '/' . $annotation->getId() . '.json', [], [], $headers, $content);
|
||||
$this->assertSame(404, $this->client->getResponse()->getStatusCode());
|
||||
}
|
||||
}
|
||||
|
|
|
@ -797,7 +797,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
|||
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
|
||||
$this->assertStringNotContainsString('config.form_user.delete.button', $body[0]);
|
||||
|
||||
$client->request('GET', '/account/delete');
|
||||
$client->request('POST', '/account/delete');
|
||||
$this->assertSame(403, $client->getResponse()->getStatusCode());
|
||||
|
||||
$user = $em
|
||||
|
@ -862,9 +862,9 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
|||
|
||||
$crawler = $client->request('GET', '/config');
|
||||
|
||||
$deleteLink = $crawler->filter('.delete-account')->last()->link();
|
||||
$deleteForm = $crawler->filter('form[name=delete-account]')->form();
|
||||
|
||||
$client->click($deleteLink);
|
||||
$client->submit($deleteForm);
|
||||
$this->assertSame(302, $client->getResponse()->getStatusCode());
|
||||
|
||||
$em = $client->getContainer()->get(EntityManagerInterface::class);
|
||||
|
@ -936,7 +936,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
|||
|
||||
$annotationsReset = $em
|
||||
->getRepository(Annotation::class)
|
||||
->findAnnotationsByPageId($entry->getId(), $user->getId());
|
||||
->findByEntryIdAndUserId($entry->getId(), $user->getId());
|
||||
|
||||
$this->assertEmpty($annotationsReset, 'Annotations were reset');
|
||||
|
||||
|
@ -1046,7 +1046,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
|||
|
||||
$annotationsReset = $em
|
||||
->getRepository(Annotation::class)
|
||||
->findAnnotationsByPageId($annotationArchived->getId(), $user->getId());
|
||||
->findByEntryIdAndUserId($annotationArchived->getId(), $user->getId());
|
||||
|
||||
$this->assertEmpty($annotationsReset, 'Annotations were reset');
|
||||
}
|
||||
|
@ -1105,7 +1105,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
|
|||
|
||||
$annotationsReset = $em
|
||||
->getRepository(Annotation::class)
|
||||
->findAnnotationsByPageId($entry->getId(), $user->getId());
|
||||
->findByEntryIdAndUserId($entry->getId(), $user->getId());
|
||||
|
||||
$this->assertEmpty($annotationsReset, 'Annotations were reset');
|
||||
}
|
||||
|
|
|
@ -1502,7 +1502,7 @@ class EntryControllerTest extends WallabagCoreTestCase
|
|||
'pt_BR',
|
||||
],
|
||||
'es-ES' => [
|
||||
'https://elpais.com/internacional/2022-10-09/ultima-hora-de-la-guerra-en-ucrania-hoy-en-directo.html',
|
||||
'https://elpais.com/internacional/2022-11-03/ultima-hora-de-la-guerra-entre-rusia-y-ucrania-hoy-en-directo.html',
|
||||
'es',
|
||||
],
|
||||
];
|
||||
|
|
|
@ -58,7 +58,7 @@ class ExportControllerTest extends WallabagCoreTestCase
|
|||
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
||||
}
|
||||
|
||||
public function testBadEntryId()
|
||||
public function testNonExistingEntryId()
|
||||
{
|
||||
$this->logInAs('admin');
|
||||
$client = $this->getTestClient();
|
||||
|
@ -68,6 +68,21 @@ class ExportControllerTest extends WallabagCoreTestCase
|
|||
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
||||
}
|
||||
|
||||
public function testForbiddenEntryId()
|
||||
{
|
||||
$this->logInAs('admin');
|
||||
$client = $this->getTestClient();
|
||||
|
||||
$content = $client->getContainer()
|
||||
->get('doctrine.orm.entity_manager')
|
||||
->getRepository(Entry::class)
|
||||
->findOneByUsernameAndNotArchived('bob');
|
||||
|
||||
$client->request('GET', '/export/' . $content->getId() . '.mobi');
|
||||
|
||||
$this->assertSame(404, $client->getResponse()->getStatusCode());
|
||||
}
|
||||
|
||||
public function testEpubExport()
|
||||
{
|
||||
$this->logInAs('admin');
|
||||
|
|
Loading…
Reference in a new issue