#fix 279 check params for controllers

2025-10-10 19:43:16 +00:00 · 2012-01-27 17:17:52 +01:00
parent 694f943d23
commit 09f3ea4cfb
18 changed files with 1318 additions and 1313 deletions
--- a/lib/Alchemy/Phrasea/Application/OAuth2.php
+++ b/lib/Alchemy/Phrasea/Application/OAuth2.php
@@ -321,7 +321,7 @@ return call_user_func(function()
                            $var = array("app" => $client, "user" => $app['user'], "token" => $token);

                            return $app['response']('api/auth/application_dev_show.twig', $var);
-        });
+                          })->assert('id', '\d+');

                  /**
                   * revoke access from a user to the app
@@ -384,7 +384,7 @@ return call_user_func(function()
                                            , 200
                                            , array("content-type" => "application/json")
                            );
-        });
+                          })->assert('id', '\d+');

                  $route = "/applications/oauth_callback";
                  $app->post($route, function() use ($app)
@@ -434,7 +434,7 @@ return call_user_func(function()
                                            , 200
                                            , array("content-type" => "application/json")
                            );
-        });
+                          })->assert('id', '\d+');
                  /**
                   * *******************************************************************
                   *
--- a/lib/Alchemy/Phrasea/Controller/Prod/Basket.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/Basket.php
@@ -149,7 +149,7 @@ class Basket implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('basket_id', '\d+');

    /**
     * Removes a BasketElement
@@ -190,7 +190,7 @@ class Basket implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('basket_id', '\d+')->assert('basket_element_id', '\d+');

    /**
     * Update name and description of a basket
@@ -229,7 +229,7 @@ class Basket implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('basket_id', '\d+');

    /**
     * Get the form to update the Basket attributes (name and description)
@@ -251,7 +251,7 @@ class Basket implements ControllerProviderInterface
                                      , array('basket' => $basket)
                              )
              );
-            });
+            })->assert('basket_id', '\d+');


    /**
@@ -276,7 +276,7 @@ class Basket implements ControllerProviderInterface
                                      , array('basket' => $basket)
                              )
              );
-            });
+            })->assert('basket_id', '\d+');

    /**
     * Toggle the status of a Basket
@@ -325,7 +325,7 @@ class Basket implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('basket_id', '\d+');

    /**
     * Add a BasketElement to a basket
@@ -393,7 +393,7 @@ class Basket implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('basket_id', '\d+');



@@ -456,7 +456,7 @@ class Basket implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('basket_id', '\d+');

    /**
     * Get basket creation form
--- a/lib/Alchemy/Phrasea/Controller/Prod/Bridge.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/Bridge.php
@@ -130,7 +130,7 @@ class Bridge implements ControllerProviderInterface
              $account->get_api()->get_connector()->disconnect();

              return $app->redirect('/prod/bridge/adapter/' . $account_id . '/load-elements/' . $account->get_api()->get_connector()->get_default_element_type() . '/');
-            });
+            })->assert('account_id', '\d+');


    $controllers->get('/adapter/{account_id}/load-records/'
--- a/lib/Alchemy/Phrasea/Controller/Prod/Feed.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/Feed.php
@@ -109,7 +109,7 @@ class Feed implements ControllerProviderInterface
              $datas = $twig->render('prod/actions/publish/publish_edit.html', array('entry' => $entry, 'feeds' => $feeds));

              return new Response($datas);
-            });
+            })->assert('id', '\d+');


    $controllers->post('/entry/{id}/update/', function(Application $app, Request $request, $id) use ($appbox, $twig)
@@ -176,7 +176,7 @@ class Feed implements ControllerProviderInterface
                              , 200
                              , array('Content-Type' => 'application/json')
              );
-            });
+            })->assert('id', '\d+');


    $controllers->post('/entry/{id}/delete/', function(Application $app, Request $request, $id) use ($appbox, $twig)
@@ -219,7 +219,7 @@ class Feed implements ControllerProviderInterface
                              , 200
                              , array('Content-Type' => 'application/json')
              );
-            });
+            })->assert('id', '\d+');

 //$app->post('/entry/{id}/addelement/', function($id) use ($app, $appbox, $twig)
 //        {
@@ -275,7 +275,7 @@ class Feed implements ControllerProviderInterface
              $datas = $twig->render('prod/feeds/feeds.html', array('feed' => $feed, 'feeds' => $feeds, 'page' => $page));

              return new Response($datas);
-            });
+            })->assert('id', '\d+');


    $controllers->get('/subscribe/aggregated/', function(Application $app, Request $request) use ( $appbox, $twig)
@@ -326,7 +326,7 @@ class Feed implements ControllerProviderInterface
                              , 200
                              , array('Content-Type' => 'application/json')
              );
-            });
+            })->assert('id', '\d+');

    return $controllers;
  }
--- a/lib/Alchemy/Phrasea/Controller/Prod/Story.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/Story.php
@@ -186,7 +186,7 @@ class Story implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('sbas_id', '\d+')->assert('record_id', '\d+');

    $controllers->post(
                    '/{sbas_id}/{record_id}/delete/{child_sbas_id}/{child_record_id}/'
@@ -220,7 +220,12 @@ class Story implements ControllerProviderInterface
                      {
                        return new RedirectResponse('/');
                      }
-            });
+                    })
+            ->assert('sbas_id', '\d+')
+            ->assert('record_id', '\d+')
+            ->assert('child_sbas_id', '\d+')
+            ->assert('child_record_id', '\d+');
+                    
 //    $controllers->post('/{basket_id}/delete/', function(Application $app, Request $request, $basket_id)
 //            {
 //              $em = $app['Core']->getEntityManager();
--- a/lib/Alchemy/Phrasea/Controller/Prod/Tooltip.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/Tooltip.php
@@ -73,7 +73,7 @@ class Tooltip implements ControllerProviderInterface
                                      , array('user' => $user)
                              )
              );
-            })->assert('sbas_id', '\d+')->assert('record_id', '\d+');
+            })->assert('usr_id', '\d+');


    $controllers->post('/preview/{sbas_id}/{record_id}/'
--- a/lib/Alchemy/Phrasea/Controller/Prod/UsrLists.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/UsrLists.php
@@ -202,7 +202,7 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+');

    /**
     * Update a list
@@ -254,7 +254,7 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+');

    /**
     * Delete a list
@@ -292,7 +292,7 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+');


    /**
@@ -336,7 +336,7 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+')->assert('entry_id', '\d+');

    /**
     * Adds a usr_id to a list
@@ -383,7 +383,7 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+')->assert('usr_id', '\d+');

    /**
     * Share a list to a user with an optionnal role
@@ -459,7 +459,8 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+')->assert('usr_id', '\d+');
+
    /**
     * UnShare a list to a user
     */
@@ -504,7 +505,7 @@ class UsrLists implements ControllerProviderInterface

              return new Response($Json, 200, array('Content-Type' => 'application/json'));
            }
-    );
+    )->assert('list_id', '\d+')->assert('usr_id', '\d+');


    return $controllers;
--- a/lib/Alchemy/Phrasea/Controller/Prod/WorkZone.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/WorkZone.php
@@ -65,7 +65,6 @@ class WorkZone implements ControllerProviderInterface

    $controllers->get('/Browse/Search/', function(Application $app)
            {
-
              $user = $app['Core']->getAuthenticatedUser();

              $request = $app['request'];
@@ -99,9 +98,9 @@ class WorkZone implements ControllerProviderInterface
                  , 'Page' => $page
                  , 'MaxPage' => $maxPage
                  , 'Total' => $Baskets['count']
-                  , 'Query' =>$request->get('Query')
-                  , 'Year' =>$request->get('Year')
-                  , 'Type' =>$request->get('Type')
+                  , 'Query' => $request->get('Query')
+                  , 'Year' => $request->get('Year')
+                  , 'Type' => $request->get('Type')
              );

              return new Response($app['Core']->getTwig()->render('prod/WorkZone/Browser/Results.html.twig', $params));
@@ -116,18 +115,18 @@ class WorkZone implements ControllerProviderInterface
                      ->findUserBasket($basket_id, $app['Core']->getAuthenticatedUser());

              $params = array(
-                  'Basket'=>$basket
+                  'Basket' => $basket
              );

              return new Response($app['Core']->getTwig()->render('prod/WorkZone/Browser/Basket.html.twig', $params));
-            });
+            })->assert('basket_id', '\d+');


    $controllers->post(
            '/attachStories/'
            , function(Application $app, Request $request)
            {
-              if(!$request->get('stories'))
+              if (!$request->get('stories'))
                throw new \Exception_BadRequest();

              $user = $app['Core']->getAuthenticatedUser();
@@ -261,7 +260,7 @@ class WorkZone implements ControllerProviderInterface
              {
                return new RedirectResponse('/');
              }
-            });
+            })->assert('sbas_id', '\d+')->assert('record_id', '\d+');


    return $controllers;
--- a/lib/Alchemy/Phrasea/Controller/Root/RSSFeeds.php
+++ b/lib/Alchemy/Phrasea/Controller/Root/RSSFeeds.php
@@ -154,7 +154,7 @@ class RSSFeeds implements ControllerProviderInterface
              $page = $page < 1 ? 1 : $page;

              return $display_feed($feed, $format, $page, $token->get_user());
-            })->assert('id', '\d+')->assert('format', '(rss|atom)');
+            })->assert('format', '(rss|atom)');