We fix the improper authorization by duplicating the check done by
the private method EntryController::checkUserAction().
We also replace the ParamConverter used to get the requested Entry with
an explicit call to EntryRepository in order to prevent a resource
enumeration through response discrepancy. Thus, we get the same
exception whether the requested resource does not exist or is not owned
by the requester.
Fixes GHSA-qwx8-mxxx-mg96
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
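The response discrepancy described in the commit message above, shown as an added example that is not part of the commit or of wallabag's code. The class names, function names and the in-memory entry table are hypothetical stand-ins for the controller and EntryRepository.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins: none of these names are wallabag classes.
final class NotFound extends RuntimeException {}
final class Forbidden extends RuntimeException {}

// Constructed sample data: entry id => owning user id.
const ENTRIES = [1 => 10, 2 => 20];

// Leaky lookup: resolve the entry first, then check ownership.
// Missing ids and foreign ids fail differently, so a requester can
// learn which ids exist by comparing responses.
function findEntryLeaky(int $entryId, int $userId): int
{
    if (!array_key_exists($entryId, ENTRIES)) {
        throw new NotFound('Entry not found');
    }
    if (ENTRIES[$entryId] !== $userId) {
        throw new Forbidden('Not your entry');
    }
    return $entryId;
}

// Uniform lookup: existence and ownership are decided together and
// both failures raise the same exception with the same message.
function findEntryUniform(int $entryId, int $userId): int
{
    $owner = ENTRIES[$entryId] ?? null;
    if ($owner !== $userId) {
        throw new NotFound('Entry not found');
    }
    return $entryId;
}

// User 10 requests its own entry, another user's entry and a missing id.
foreach (['findEntryLeaky', 'findEntryUniform'] as $lookup) {
    foreach ([1, 2, 99] as $id) {
        try {
            $lookup($id, 10);
            $result = 'ok';
        } catch (RuntimeException $e) {
            $result = get_class($e);
        }
        printf("%-16s entry %2d -> %s\n", $lookup, $id, $result);
    }
}
```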
This is just a simple proxy because we can't lazy load RabbitMQ service just to count the number of messages in the queue.
As they are automatically injected in the controller now, we can't lazy load them.
Also forgot to use `AbstractController` in previous PR about _controller as a service_.
Mostly using autowiring to inject deps.
The only tricky part was for import because all producers use the same class and have a different alias. So we must write them down in the service definition; autowiring doesn't work in that case.
Usually:
- if a controller has a constructor, it means injected services are at least re-used once in actions
- otherwise, services are injected per action
Change '{method} authors' (which gives 'Tag_entries authors' when
exporting a tag) to 'Various authors'.
When exporting a tag (tag_entries), change the title from 'Tag_entries
articles' to 'Tag {tag} articles'.
Signed-off-by: Kevin Decherf <kevin@kdecherf.com>
Thanks to the BC compatibility, almost nothing has to be changed.
All changes are related to new bundle versions of:
- SensioFrameworkExtraBundle
- DoctrineFixturesBundle
When exporting an entry, use the domain name as author name for epub,
mobi and pdf formats, instead of 'wallabag'.
Change the author from array to string, because for now, there is always
only one author.