wallabag/src/Wallabag/CoreBundle/Controller/ExportController.php

<?php

namespace Wallabag\CoreBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Wallabag\CoreBundle\Helper\EntriesExport;
use Wallabag\CoreBundle\Repository\EntryRepository;
use Wallabag\CoreBundle\Repository\TagRepository;

/**
 * The try/catch can be removed once all formats will be implemented.
 * Still need implementation: txt.
 */
class ExportController extends AbstractController
{
    /**
     * Gets one entry content.
     *
     * @Route("/export/{id}.{format}", name="export_entry", requirements={
     *     "format": "epub|mobi|pdf|json|xml|txt|csv",
     *     "id": "\d+"
     * })
     *
     * @return Response
     */
    public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, int $id)
    {
        try {
            $entry = $entryRepository->find($id);

            /*
             * We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
             *
             * This should be eventually rewritten
             */
            if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
                throw new NotFoundHttpException();
            }

            return $entriesExport
                ->setEntries($entry)
                ->updateTitle('entry')
                ->updateAuthor('entry')
                ->exportAs($format);
        } catch (\InvalidArgumentException $e) {
            throw new NotFoundHttpException($e->getMessage());
        }
    }

    /**
     * Export all entries for current user.
     *
     * @Route("/export/{category}.{format}", name="export_entries", requirements={
     *     "format": "epub|mobi|pdf|json|xml|txt|csv",
     *     "category": "all|unread|starred|archive|tag_entries|untagged|search|annotated|same_domain"
     * })
     *
     * @return Response
     */
    public function downloadEntriesAction(Request $request, EntryRepository $entryRepository, TagRepository $tagRepository, EntriesExport $entriesExport, string $format, string $category)
    {
        $method = ucfirst($category);
        $methodBuilder = 'getBuilderFor' . $method . 'ByUser';
        $title = $method;

        if ('tag_entries' === $category) {
            $tag = $tagRepository->findOneBySlug($request->query->get('tag'));

            $entries = $entryRepository->findAllByTagId(
                $this->getUser()->getId(),
                $tag->getId()
            );

            $title = 'Tag ' . $tag->getLabel();
        } elseif ('search' === $category) {
            $searchTerm = (isset($request->get('search_entry')['term']) ? $request->get('search_entry')['term'] : '');
            $currentRoute = (null !== $request->query->get('currentRoute') ? $request->query->get('currentRoute') : '');

            $entries = $entryRepository->getBuilderForSearchByUser(
                    $this->getUser()->getId(),
                    $searchTerm,
                    $currentRoute
            )->getQuery()
             ->getResult();

            $title = 'Search ' . $searchTerm;
        } elseif ('annotated' === $category) {
            $entries = $entryRepository->getBuilderForAnnotationsByUser(
                $this->getUser()->getId()
            )->getQuery()
             ->getResult();

            $title = 'With annotations';
        } else {
            $entries = $entryRepository
                ->$methodBuilder($this->getUser()->getId())
                ->getQuery()
                ->getResult();
        }

        try {
            return $entriesExport
                ->setEntries($entries)
                ->updateTitle($title)
                ->updateAuthor($method)
                ->exportAs($format);
        } catch (\InvalidArgumentException $e) {
            throw new NotFoundHttpException($e->getMessage());
        }
    }
}
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`<?php`

			`namespace Wallabag\CoreBundle\Controller;`

Add `RabbitMQConsumerTotalProxy` to lazy RabbitMQ services for messages This is just a simple proxy because we can't lazy load RabbitMQ service just to count number of messages in the queue. As they are automatically injected in the controller now, we can't lazy load them. Also forgot to use `AbstractController` in previous PR about _controller as a service_. 2022-12-19 13:23:56 +01:00			`use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;`
Fixed entries export filtered with a tag Fix #2505 2016-10-27 09:41:19 +02:00			`use Symfony\Component\HttpFoundation\Request;`
Import used classes 2022-08-28 16:59:43 +02:00			`use Symfony\Component\HttpFoundation\Response;`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;`
Jump to Symfony 3.4 Thanks to the BC compatibility, almost nothing have to be changed. All changes are related to new bundle version of: - SensioFrameworkExtraBundle - DoctrineFixturesBundle 2018-10-04 14:07:20 +02:00			`use Symfony\Component\Routing\Annotation\Route;`
Use FQCN as service name for helper services 2022-04-24 17:48:59 +02:00			`use Wallabag\CoreBundle\Helper\EntriesExport;`
Use FQCN as service name for repositories 2022-04-24 17:58:57 +02:00			`use Wallabag\CoreBundle\Repository\EntryRepository;`
			`use Wallabag\CoreBundle\Repository\TagRepository;`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00
Fix route parameters Improve export tests Improve CSV export 2015-10-30 20:57:10 +01:00			`/**`
			`* The try/catch can be removed once all formats will be implemented.`
			`* Still need implementation: txt.`
			`*/`
Add `RabbitMQConsumerTotalProxy` to lazy RabbitMQ services for messages This is just a simple proxy because we can't lazy load RabbitMQ service just to count number of messages in the queue. As they are automatically injected in the controller now, we can't lazy load them. Also forgot to use `AbstractController` in previous PR about _controller as a service_. 2022-12-19 13:23:56 +01:00			`class ExportController extends AbstractController`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`{`
			`/**`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`* Gets one entry content.`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`*`
Fix route parameters Improve export tests Improve CSV export 2015-10-30 20:57:10 +01:00			`* @Route("/export/{id}.{format}", name="export_entry", requirements={`
			`* "format": "epub\|mobi\|pdf\|json\|xml\|txt\|csv",`
			`* "id": "\d+"`
			`* })`
Convert array + phpDoc Thanks for https://github.com/thomasbachem/php-short-array-syntax-converter 2016-04-12 11:36:01 +02:00			`*`
Import used classes 2022-08-28 16:59:43 +02:00			`* @return Response`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`*/`
Merge remote-tracking branch 'origin/2.5.x' 2023-04-24 14:36:32 +02:00			`public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, int $id)`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`{`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`try {`
Merge remote-tracking branch 'origin/2.5.x' 2023-04-24 14:36:32 +02:00			`$entry = $entryRepository->find($id);`
ExportController: fix improper authorization vulnerability We fix the improper authorization by duplicating the check done by the private method EntryController::checkUserAction(). We also replace the ParamConverter used to get the requested Entry with an explicit call to EntryRepository in order to prevent a resource enumeration through response discrepancy. Thus, we get the same exception whether the requested resource does not exist or is not owned by the requester. Fixes GHSA-qwx8-mxxx-mg96 Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2023-01-12 23:40:16 +01:00
Prepare 2.5.3 2023-02-01 09:51:02 +01:00			`/*`
ExportController: fix improper authorization vulnerability We fix the improper authorization by duplicating the check done by the private method EntryController::checkUserAction(). We also replace the ParamConverter used to get the requested Entry with an explicit call to EntryRepository in order to prevent a resource enumeration through response discrepancy. Thus, we get the same exception whether the requested resource does not exist or is not owned by the requester. Fixes GHSA-qwx8-mxxx-mg96 Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2023-01-12 23:40:16 +01:00			`* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability`
			`*`
			`* This should be eventually rewritten`
Prepare 2.5.3 2023-02-01 09:51:02 +01:00			`*/`
ExportController: fix improper authorization vulnerability We fix the improper authorization by duplicating the check done by the private method EntryController::checkUserAction(). We also replace the ParamConverter used to get the requested Entry with an explicit call to EntryRepository in order to prevent a resource enumeration through response discrepancy. Thus, we get the same exception whether the requested resource does not exist or is not owned by the requester. Fixes GHSA-qwx8-mxxx-mg96 Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2023-01-12 23:40:16 +01:00			`if (null === $entry \|\| null === $this->getUser() \|\| $this->getUser()->getId() !== $entry->getUser()->getId()) {`
			`throw new NotFoundHttpException();`
			`}`

Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`return $entriesExport`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`->setEntries($entry)`
			`->updateTitle('entry')`
Use the article domain as author for export files When exporting an entry, use the domain name as author name for epub, mobi and pdf formats, instead of 'wallabag'. Change the author from array to string, because for now, there is always only one author. 2017-07-08 17:55:58 +02:00			`->updateAuthor('entry')`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`->exportAs($format);`
			`} catch (\InvalidArgumentException $e) {`
			`throw new NotFoundHttpException($e->getMessage());`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`}`
			`}`

			`/**`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`* Export all entries for current user.`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`*`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`* @Route("/export/{category}.{format}", name="export_entries", requirements={`
Fix route parameters Improve export tests Improve CSV export 2015-10-30 20:57:10 +01:00			`* "format": "epub\|mobi\|pdf\|json\|xml\|txt\|csv",`
Enhanced tests and changed route 2020-04-26 14:09:16 +02:00			`* "category": "all\|unread\|starred\|archive\|tag_entries\|untagged\|search\|annotated\|same_domain"`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`* })`
Convert array + phpDoc Thanks for https://github.com/thomasbachem/php-short-array-syntax-converter 2016-04-12 11:36:01 +02:00			`*`
Import used classes 2022-08-28 16:59:43 +02:00			`* @return Response`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`*/`
Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`public function downloadEntriesAction(Request $request, EntryRepository $entryRepository, TagRepository $tagRepository, EntriesExport $entriesExport, string $format, string $category)`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`{`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`$method = ucfirst($category);`
Add a real configuration for CS-Fixer 2017-07-01 09:52:38 +02:00			`$methodBuilder = 'getBuilderFor' . $method . 'ByUser';`
EntriesExport: change authors and title when not single entry export Change '{method} authors' (which gives 'Tag_entries authors' when exporting a tag) to 'Various authors'. When exporting a tag (tag_entries), change the title from 'Tag_entries articles' to 'Tag {tag} articles'. Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2019-01-06 20:17:35 +01:00			`$title = $method;`
Fixed entries export filtered with a tag Fix #2505 2016-10-27 09:41:19 +02:00
CS 2017-10-09 16:47:15 +02:00			`if ('tag_entries' === $category) {`
Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`$tag = $tagRepository->findOneBySlug($request->query->get('tag'));`
Fixed entries export filtered with a tag Fix #2505 2016-10-27 09:41:19 +02:00
Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`$entries = $entryRepository->findAllByTagId(`
User existing service instead of getDoctrine 2017-06-10 12:33:58 +02:00			`$this->getUser()->getId(),`
			`$tag->getId()`
			`);`
EntriesExport: change authors and title when not single entry export Change '{method} authors' (which gives 'Tag_entries authors' when exporting a tag) to 'Various authors'. When exporting a tag (tag_entries), change the title from 'Tag_entries articles' to 'Tag {tag} articles'. Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2019-01-06 20:17:35 +01:00
			`$title = 'Tag ' . $tag->getLabel();`
ExportController: fix entries export from search view Fixes #4240 Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2020-02-04 22:19:45 +01:00			`} elseif ('search' === $category) {`
			`$searchTerm = (isset($request->get('search_entry')['term']) ? $request->get('search_entry')['term'] : '');`
			`$currentRoute = (null !== $request->query->get('currentRoute') ? $request->query->get('currentRoute') : '');`

Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`$entries = $entryRepository->getBuilderForSearchByUser(`
ExportController: fix entries export from search view Fixes #4240 Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2020-02-04 22:19:45 +01:00			`$this->getUser()->getId(),`
			`$searchTerm,`
			`$currentRoute`
			`)->getQuery()`
			`->getResult();`

			`$title = 'Search ' . $searchTerm;`
Enhanced tests and changed route 2020-04-26 14:09:16 +02:00			`} elseif ('annotated' === $category) {`
Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`$entries = $entryRepository->getBuilderForAnnotationsByUser(`
Added route to list entries with annotations 2020-04-20 19:00:58 +02:00			`$this->getUser()->getId()`
			`)->getQuery()`
			`->getResult();`

			`$title = 'With annotations';`
Fixed entries export filtered with a tag Fix #2505 2016-10-27 09:41:19 +02:00			`} else {`
Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`$entries = $entryRepository`
Fixed entries export filtered with a tag Fix #2505 2016-10-27 09:41:19 +02:00			`->$methodBuilder($this->getUser()->getId())`
			`->getQuery()`
			`->getResult();`
			`}`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00
			`try {`
Move to controller as a service Mostly using autowiring to inject deps. The only tricky part was for import because all producer use the same class and have a different alias. So we must write them down in the service definition, autowiring doesn't work in that case. Usually: - if a controller has a constructor, it means injected services are at least re-used once in actions - otherwise, service are injected per action 2022-12-19 10:37:22 +01:00			`return $entriesExport`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`->setEntries($entries)`
EntriesExport: change authors and title when not single entry export Change '{method} authors' (which gives 'Tag_entries authors' when exporting a tag) to 'Various authors'. When exporting a tag (tag_entries), change the title from 'Tag_entries articles' to 'Tag {tag} articles'. Signed-off-by: Kevin Decherf <kevin@kdecherf.com> 2019-01-06 20:17:35 +01:00			`->updateTitle($title)`
Use the article domain as author for export files When exporting an entry, use the domain name as author name for epub, mobi and pdf formats, instead of 'wallabag'. Change the author from array to string, because for now, there is always only one author. 2017-07-08 17:55:58 +02:00			`->updateAuthor($method)`
Rework on export - all export now return a `HttpFoundation\Response` - return a 404 on unsupported format - add tests 2015-10-16 10:51:53 +02:00			`->exportAs($format);`
			`} catch (\InvalidArgumentException $e) {`
			`throw new NotFoundHttpException($e->getMessage());`
			`}`
Start work on export For now: - ebook - mobi - pdf - csv 2015-10-15 20:06:59 +02:00			`}`
			`}`