Avoid error when a bad order parameter is given

Only allowed parameter are asc & desc
This commit is contained in:
Jeremy Benoist 2019-01-14 17:01:21 +01:00
parent a5e9a98aa3
commit 78e3fafa3f
No known key found for this signature in database
GPG key ID: BCA73962457ACC3C
3 changed files with 32 additions and 14 deletions

View file

@ -9,6 +9,7 @@ use Nelmio\ApiDocBundle\Annotation\ApiDoc;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Wallabag\CoreBundle\Entity\Entry;
@ -98,13 +99,14 @@ class EntryRestController extends WallabagRestController
$isArchived = (null === $request->query->get('archive')) ? null : (bool) $request->query->get('archive');
$isStarred = (null === $request->query->get('starred')) ? null : (bool) $request->query->get('starred');
$isPublic = (null === $request->query->get('public')) ? null : (bool) $request->query->get('public');
$sort = $request->query->get('sort', 'created');
$order = $request->query->get('order', 'desc');
$sort = strtolower($request->query->get('sort', 'created'));
$order = strtolower($request->query->get('order', 'desc'));
$page = (int) $request->query->get('page', 1);
$perPage = (int) $request->query->get('perPage', 30);
$tags = \is_array($request->query->get('tags')) ? '' : (string) $request->query->get('tags', '');
$since = $request->query->get('since', 0);
try {
/** @var \Pagerfanta\Pagerfanta $pager */
$pager = $this->get('wallabag_core.entry_repository')->findEntries(
$this->getUser()->getId(),
@ -116,6 +118,9 @@ class EntryRestController extends WallabagRestController
$since,
$tags
);
} catch (\Exception $e) {
throw new BadRequestHttpException($e->getMessage());
}
$pager->setMaxPerPage($perPage);
$pager->setCurrentPage($page);

View file

@ -142,7 +142,7 @@ class EntryRepository extends EntityRepository
*
* @return Pagerfanta
*/
public function findEntries($userId, $isArchived = null, $isStarred = null, $isPublic = null, $sort = 'created', $order = 'ASC', $since = 0, $tags = '')
public function findEntries($userId, $isArchived = null, $isStarred = null, $isPublic = null, $sort = 'created', $order = 'asc', $since = 0, $tags = '')
{
$qb = $this->createQueryBuilder('e')
->leftJoin('e.tags', 't')
@ -185,6 +185,10 @@ class EntryRepository extends EntityRepository
}
}
if (!\in_array(strtolower($order), ['asc', 'desc'], true)) {
throw new \Exception('Order "' . $order . '" parameter is wrong, allowed: asc or desc');
}
if ('created' === $sort) {
$qb->orderBy('e.id', $order);
} elseif ('updated' === $sort) {

View file

@ -242,6 +242,15 @@ class EntryRestControllerTest extends WallabagApiTestCase
$this->assertSame(2, $content['limit']);
}
public function testGetStarredEntriesWithBadSort()
{
$this->client->request('GET', '/api/entries', ['starred' => 1, 'sort' => 'updated', 'order' => 'unknown']);
$this->assertSame(400, $this->client->getResponse()->getStatusCode());
$this->assertSame('application/json', $this->client->getResponse()->headers->get('Content-Type'));
}
public function testGetStarredEntries()
{
$this->client->request('GET', '/api/entries', ['starred' => 1, 'sort' => 'updated']);