This PR is based on 2.5.x branch.
We fix the improper authorization by retrieving the annotation using id
and user id.
We also replace the ParamConverter used to get the requested Annotation
on put and delete actions with an explicit call to AnnotationRepository
in order to prevent a resource enumeration through response discrepancy.
Fixes GHSA-mrqx-mjc4-vfh3
Co-authored-by: Jeremy Benoist <jeremy.benoist@gmail.com>
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
We rename getBuilderByUser to getSortedQueryBuilderByUser as long as the
method currently returns a QueryBuilder with an orderBy()
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
Since we still support fucking SQLite, we need to retrieve all tags & annotations for archived entries before deleting them.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Fix controller forward in WallabagRestController.
Update PHPDoc so it is sorted the same way as others one
Duplicate all annotations test to use both api & normal way
Also, make annotation tests independent to each other