
Commit 81387ee

committed
fix: added missing check on integers, simplified code
1 parent 80c5d9a commit 81387ee

2 files changed

+21
-19
lines changed


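--- a/phpmyfaq/src/admin-routes.php
+++ b/phpmyfaq/src/admin-routes.php
@@ -79,7 +79,6 @@
 )
 );
 
-
 $routes->add(
 'admin.api.category.permissions',
 new Route('/category/permissions/{categories}', ['_controller' => [CategoryController::class, 'permissions']])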

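--- a/phpmyfaq/src/phpMyFAQ/Controller/Administration/CategoryController.php
+++ b/phpmyfaq/src/phpMyFAQ/Controller/Administration/CategoryController.php
@@ -26,6 +26,7 @@
 use phpMyFAQ\Controller\AbstractController;
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Enums\PermissionType;
+use phpMyFAQ\Filter;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
 use phpMyFAQ\User\CurrentUser;
@@ -44,10 +45,8 @@ public function delete(Request $request): JsonResponse
 {
 $this->userHasPermission(PermissionType::CATEGORY_DELETE);
 
-$configuration = Configuration::getConfigurationInstance();
-$currentUser = CurrentUser::getCurrentUser($configuration);
+$currentUser = CurrentUser::getCurrentUser($this->configuration);
 
-$jsonResponse = new JsonResponse();
 $data = json_decode($request->getContent());
 
 if (!Token::getInstance()->verifyToken('category', $data->csrfToken)) {
@@ -56,19 +55,19 @@ public function delete(Request $request): JsonResponse
 
 [ $currentAdminUser, $currentAdminGroups ] = CurrentUser::getCurrentUserGroupId($currentUser);
 
-$category = new Category($configuration, [], false);
+$category = new Category($this->configuration, [], false);
 $category->setUser($currentAdminUser);
 $category->setGroups($currentAdminGroups);
 
-$categoryRelation = new CategoryRelation($configuration, $category);
+$categoryRelation = new CategoryRelation($this->configuration, $category);
 
-$categoryImage = new CategoryImage($configuration);
+$categoryImage = new CategoryImage($this->configuration);
 $categoryImage->setFileName($category->getCategoryData($data->categoryId)->getImage());
 
-$categoryOrder = new CategoryOrder($configuration);
+$categoryOrder = new CategoryOrder($this->configuration);
 $categoryOrder->remove($data->categoryId);
 
-$categoryPermission = new CategoryPermission($configuration);
+$categoryPermission = new CategoryPermission($this->configuration);
 
 if (
 (
@@ -88,7 +87,7 @@ public function delete(Request $request): JsonResponse
 return $this->json(['success' => Translation::get('ad_categ_deleted')], Response::HTTP_OK);
 } else {
 return $this->json(
-['error' => Translation::get('ad_adus_dberr') . $configuration->getDb()->error()],
+['error' => Translation::get('ad_adus_dberr') . $this->configuration->getDb()->error()],
 Response::HTTP_INTERNAL_SERVER_ERROR
 );
 }
@@ -97,12 +96,12 @@ public function delete(Request $request): JsonResponse
 /**
 * @throws Exception
 */
-#[Route('admin/api/category/permissions')]
+#[Route('admin/api/category/permissions', methods: ['GET'])]
 public function permissions(Request $request): JsonResponse
 {
 $this->userIsAuthenticated();
 
-$categoryPermission = new CategoryPermission(Configuration::getConfigurationInstance());
+$categoryPermission = new CategoryPermission($this->configuration);
 
 $categoryData = $request->get('categories');
 
@@ -112,6 +111,10 @@ public function permissions(Request $request): JsonResponse
 $categories = explode(',', (string) $categoryData);
 }
 
+if (!in_array(true, filter_var_array($categories, FILTER_VALIDATE_INT))) {
+return $this->json(['error' => 'Only integer values are valid.'], Response::HTTP_BAD_REQUEST);
+}
+
 return $this->json(
 [
 'user' => $categoryPermission->get(CategoryPermission::USER, $categories),
@@ -129,10 +132,11 @@ public function translations(Request $request): JsonResponse
 {
 $this->userIsAuthenticated();
 
-$configuration = Configuration::getConfigurationInstance();
-$category = new Category($configuration, [], false);
+$category = new Category($this->configuration, [], false);
+
+$categoryId = Filter::filterVar($request->get('categoryId'), FILTER_VALIDATE_INT);
 
-$translations = $category->getCategoryLanguagesTranslated($request->get('categoryId'));
+$translations = $category->getCategoryLanguagesTranslated($categoryId);
 
 return $this->json($translations, Response::HTTP_OK);
 }
@@ -151,17 +155,16 @@ public function updateOrder(Request $request): JsonResponse
 return $this->json(['error' => Translation::get('err_NotAuth')], Response::HTTP_UNAUTHORIZED);
 }
 
-$configuration = Configuration::getConfigurationInstance();
-$user = CurrentUser::getCurrentUser($configuration);
+$user = CurrentUser::getCurrentUser($this->configuration);
 
 [ $currentAdminUser, $currentAdminGroups ] = CurrentUser::getCurrentUserGroupId($user);
 
-$categoryOrder = new CategoryOrder($configuration);
+$categoryOrder = new CategoryOrder($this->configuration);
 $categoryOrder->setCategoryTree($data->categoryTree);
 
 $parentId = $categoryOrder->getParentId($data->categoryTree, (int)$data->categoryId);
 
-$category = new Category($configuration, [], false);
+$category = new Category($this->configuration, [], false);
 $category->setUser($currentAdminUser);
 $category->setGroups($currentAdminGroups);
 $category->updateParentCategory($data->categoryId, $parentId);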
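Review bot: The new integer check in permissions() (hunk `@@ -112,6 +111,10 @@`) does not reject mixed input: `filter_var_array(..., FILTER_VALIDATE_INT)` yields an int or `false` per element, and the loose `in_array(true, …)` is satisfied as soon as any single element validates to a non-zero int, so a list such as `1,abc` passes while a lone `0` is refused. The validated array is also discarded, and the raw `$categories` strings are still what reaches `$categoryPermission->get(...)` on the next lines. Invert the test and keep the result: `$validated = filter_var_array($categories, FILTER_VALIDATE_INT);`, `if (in_array(false, $validated, true)) { return $this->json(['error' => 'Only integer values are valid.'], Response::HTTP_BAD_REQUEST); }`, then `$categories = $validated;` before the response is built. The same pattern would help translations(), where `Filter::filterVar(..., FILTER_VALIDATE_INT)` is passed straight to `getCategoryLanguagesTranslated()` without handling a failed validation; the bodies of permissions() and translations() both extend outside their hunks, so the early-return wording should be checked against the branch that populates `$categories` from an array.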
