oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-08-06 17:41:01 +00:00
Code Wiki Activity

Merge remote-tracking branch 'origin/2.5.x'

Browse source
This commit is contained in:
Jeremy Benoist 2023-04-24 14:36:32 +02:00
commit 66b7bdd07c
No known key found for this signature in database
GPG key ID: 7168D5DD29F38552
18 changed files with 614 additions and 472 deletions
Download patch file Download diff file Expand all files Collapse all files

67
src/Wallabag/AnnotationBundle/Controller/WallabagAnnotationController.php
View file

@ -5,10 +5,10 @@ namespace Wallabag\AnnotationBundle\Controller;
use Doctrine\ORM\EntityManagerInterface;
use FOS\RestBundle\Controller\AbstractFOSRestController;
use JMS\Serializer\SerializerInterface;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Wallabag\AnnotationBundle\Entity\Annotation;
use Wallabag\AnnotationBundle\Form\EditAnnotationType;
@ -40,7 +40,7 @@ class WallabagAnnotationController extends AbstractFOSRestController
*/
public function getAnnotationsAction(Entry $entry, AnnotationRepository $annotationRepository)
{
$annotationRows = $annotationRepository->findAnnotationsByPageId($entry->getId(), $this->getUser()->getId());
$annotationRows = $annotationRepository->findByEntryIdAndUserId($entry->getId(), $this->getUser()->getId());
$total = \count($annotationRows);
$annotations = ['total' => $total, 'rows' => $annotationRows];
@ -90,30 +90,35 @@ class WallabagAnnotationController extends AbstractFOSRestController
* @see Wallabag\ApiBundle\Controller\WallabagRestController
*
* @Route("/annotations/{annotation}.{_format}", methods={"PUT"}, name="annotations_put_annotation", defaults={"_format": "json"})
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
*
* @return JsonResponse
*/
public function putAnnotationAction(Annotation $annotation, Request $request)
public function putAnnotationAction(Request $request, AnnotationRepository $annotationRepository, int $annotation)
{
$data = json_decode($request->getContent(), true);
try {
$annotation = $this->validateAnnotation($annotationRepository, $annotation, $this->getUser()->getId());
$form = $this->formFactory->createNamed('', EditAnnotationType::class, $annotation, [
'csrf_protection' => false,
'allow_extra_fields' => true,
]);
$form->submit($data);
$data = json_decode($request->getContent(), true, 512, \JSON_THROW_ON_ERROR);
if ($form->isValid()) {
$this->entityManager->persist($annotation);
$this->entityManager->flush();
$form = $this->formFactory->createNamed('', EditAnnotationType::class, $annotation, [
'csrf_protection' => false,
'allow_extra_fields' => true,
]);
$form->submit($data);
$json = $this->serializer->serialize($annotation, 'json');
if ($form->isValid()) {
$this->entityManager->persist($annotation);
$this->entityManager->flush();
return JsonResponse::fromJsonString($json);
$json = $this->serializer->serialize($annotation, 'json');
return JsonResponse::fromJsonString($json);
}
return $form;
} catch (\InvalidArgumentException $e) {
throw new NotFoundHttpException($e);
}
return $form;
}
/**
@ -122,17 +127,33 @@ class WallabagAnnotationController extends AbstractFOSRestController
* @see Wallabag\ApiBundle\Controller\WallabagRestController
*
* @Route("/annotations/{annotation}.{_format}", methods={"DELETE"}, name="annotations_delete_annotation", defaults={"_format": "json"})
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
*
* @return JsonResponse
*/
public function deleteAnnotationAction(Annotation $annotation)
public function deleteAnnotationAction(AnnotationRepository $annotationRepository, int $annotation)
{
$this->entityManager->remove($annotation);
$this->entityManager->flush();
try {
$annotation = $this->validateAnnotation($annotationRepository, $annotation, $this->getUser()->getId());
$json = $this->serializer->serialize($annotation, 'json');
$this->entityManager->remove($annotation);
$this->entityManager->flush();
return (new JsonResponse())->setJson($json);
$json = $this->serializer->serialize($annotation, 'json');
return (new JsonResponse())->setJson($json);
} catch (\InvalidArgumentException $e) {
throw new NotFoundHttpException($e);
}
}
private function validateAnnotation(AnnotationRepository $annotationRepository, int $annotationId, int $userId)
{
$annotation = $annotationRepository->findOneByIdAndUserId($annotationId, $userId);
if (null === $annotation) {
throw new NotFoundHttpException();
}
return $annotation;
}
}

9
src/Wallabag/AnnotationBundle/DataFixtures/AnnotationFixtures.php
View file

@ -34,6 +34,15 @@ class AnnotationFixtures extends Fixture implements DependentFixtureInterface
$this->addReference('annotation2', $annotation2);
$annotation3 = new Annotation($this->getReference('bob-user'));
$annotation3->setEntry($this->getReference('entry3'));
$annotation3->setText('This is my first annotation !');
$annotation3->setQuote('content');
$manager->persist($annotation3);
$this->addReference('annotation3', $annotation3);
$manager->flush();
}

22
src/Wallabag/AnnotationBundle/Repository/AnnotationRepository.php
View file

@ -49,6 +49,24 @@ class AnnotationRepository extends ServiceEntityRepository
;
}
/**
* Find annotation by id and user.
*
* @param int $annotationId
* @param int $userId
*
* @return Annotation
*/
public function findOneByIdAndUserId($annotationId, $userId)
{
return $this->createQueryBuilder('a')
->where('a.id = :annotationId')->setParameter('annotationId', $annotationId)
->andWhere('a.user = :userId')->setParameter('userId', $userId)
->setMaxResults(1)
->getQuery()
->getOneOrNullResult();
}
/**
* Find annotations for entry id.
*
@ -57,7 +75,7 @@ class AnnotationRepository extends ServiceEntityRepository
*
* @return array
*/
public function findAnnotationsByPageId($entryId, $userId)
public function findByEntryIdAndUserId($entryId, $userId)
{
return $this->createQueryBuilder('a')
->where('a.entry = :entryId')->setParameter('entryId', $entryId)
@ -74,7 +92,7 @@ class AnnotationRepository extends ServiceEntityRepository
*
* @return array
*/
public function findLastAnnotationByPageId($entryId, $userId)
public function findLastAnnotationByUserId($entryId, $userId)
{
return $this->createQueryBuilder('a')
->where('a.entry = :entryId')->setParameter('entryId', $entryId)

7
src/Wallabag/ApiBundle/Controller/AnnotationRestController.php
View file

@ -4,7 +4,6 @@ namespace Wallabag\ApiBundle\Controller;
use Nelmio\ApiDocBundle\Annotation\Operation;
use OpenApi\Annotations as OA;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\ParamConverter;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
@ -138,11 +137,10 @@ class AnnotationRestController extends WallabagRestController
* )
*
* @Route("/api/annotations/{annotation}.{_format}", methods={"PUT"}, name="api_put_annotation", defaults={"_format": "json"})
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
*
* @return JsonResponse
*/
public function putAnnotationAction(Annotation $annotation, Request $request)
public function putAnnotationAction(int $annotation, Request $request)
{
$this->validateAuthentication();
@ -175,11 +173,10 @@ class AnnotationRestController extends WallabagRestController
* )
*
* @Route("/api/annotations/{annotation}.{_format}", methods={"DELETE"}, name="api_delete_annotation", defaults={"_format": "json"})
* @ParamConverter("annotation", class="Wallabag\AnnotationBundle\Entity\Annotation")
*
* @return JsonResponse
*/
public function deleteAnnotationAction(Annotation $annotation)
public function deleteAnnotationAction(int $annotation)
{
$this->validateAuthentication();

6
src/Wallabag/CoreBundle/Controller/ConfigController.php
View file

@ -592,7 +592,7 @@ class ConfigController extends AbstractController
/**
* Delete account for current user.
*
* @Route("/account/delete", name="delete_account")
* @Route("/account/delete", name="delete_account", methods={"POST"})
*
* @throws AccessDeniedHttpException
*
@ -600,6 +600,10 @@ class ConfigController extends AbstractController
*/
public function deleteAccountAction(Request $request, UserRepository $userRepository, TokenStorageInterface $tokenStorage)
{
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.');
}
$enabledUsers = $userRepository->getSumEnabledUsers();
if ($enabledUsers <= 1) {

14
src/Wallabag/CoreBundle/Controller/ExportController.php
View file

@ -7,7 +7,6 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Wallabag\CoreBundle\Entity\Entry;
use Wallabag\CoreBundle\Helper\EntriesExport;
use Wallabag\CoreBundle\Repository\EntryRepository;
use Wallabag\CoreBundle\Repository\TagRepository;
@ -28,9 +27,20 @@ class ExportController extends AbstractController
*
* @return Response
*/
public function downloadEntryAction(Entry $entry, EntriesExport $entriesExport, string $format)
public function downloadEntryAction(Request $request, EntryRepository $entryRepository, EntriesExport $entriesExport, string $format, int $id)
{
try {
$entry = $entryRepository->find($id);
/*
* We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability
*
* This should be eventually rewritten
*/
if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw new NotFoundHttpException();
}
return $entriesExport
->setEntries($entry)
->updateTitle('entry')

24
src/Wallabag/CoreBundle/Controller/TagController.php
View file

@ -35,7 +35,7 @@ class TagController extends AbstractController
}
/**
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
*
* @return Response
*/
@ -44,7 +44,17 @@ class TagController extends AbstractController
$form = $this->createForm(NewTagType::class, new Tag());
$form->handleRequest($request);
$tags = $form->get('label')->getData();
$tagsExploded = explode(',', $tags);
// avoid too much tag to be added
if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
}
if ($form->isSubmitted() && $form->isValid()) {
$this->checkUserAction($entry);
$this->tagsAssigner->assignTagsToEntry(
$entry,
$form->get('label')->getData()
@ -76,6 +86,8 @@ class TagController extends AbstractController
*/
public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
{
$this->checkUserAction($entry);
$entry->removeTag($tag);
$this->entityManager->flush();
@ -260,4 +272,14 @@ class TagController extends AbstractController
return $this->redirect($redirectUrl);
}
/**
* Check if the logged user can manage the given entry.
*/
private function checkUserAction(Entry $entry)
{
if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw $this->createAccessDeniedException('You can not access this entry.');
}
}
}

3
src/Wallabag/CoreBundle/Form/Type/NewTagType.php
View file

@ -11,6 +11,8 @@ use Wallabag\CoreBundle\Entity\Tag;
class NewTagType extends AbstractType
{
public const MAX_LENGTH = 40;
public function buildForm(FormBuilderInterface $builder, array $options)
{
$builder
@ -18,6 +20,7 @@ class NewTagType extends AbstractType
'required' => true,
'attr' => [
'placeholder' => 'tag.new.placeholder',
'max_length' => self::MAX_LENGTH,
],
])
->add('add', SubmitType::class, [

8
src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
View file

@ -561,9 +561,11 @@
<div class="row">
<h5>{{ 'config.form_user.delete.title'|trans }}</h5>
<p>{{ 'config.form_user.delete.description'|trans }}</p>
<a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account">
{{ 'config.form_user.delete.button'|trans }}
</a>
<form action="{{ path('delete_account') }}" method="post" onsubmit="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" name="delete-account">
<input type="hidden" name="token" value="{{ csrf_token('delete-account') }}" />
<button class="waves-effect waves-light btn red" type="submit">{{ 'config.form_user.delete.button'|trans }}</button>
</form>
</div>
{% endif %}
</div>

2
src/Wallabag/CoreBundle/Resources/views/Entry/share.html.twig
View file

@ -28,7 +28,7 @@
<header class="block">
<h1>{{ entry.title|e|raw }}</h1>
<a href="{{ entry.url|e }}" target="_blank" rel="noopener" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a>
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username})|raw }}.</p>
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username|escape})|raw }}.</p>
</header>
<article class="block">
{{ entry.content|raw }}