Avoid user to see other entries
hehe :)
This commit is contained in:
Jeremy
parent
eb3bd7efb7
commit
3d2b2d62be
@ -12,8 +12,10 @@ use Wallabag\CoreBundle\Helper\Url;
|
|||||||
class EntryController extends Controller
|
class EntryController extends Controller
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* @param Request $request
|
* @param Request $request
|
||||||
|
*
|
||||||
* @Route("/new", name="new_entry")
|
* @Route("/new", name="new_entry")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\Response
|
* @return \Symfony\Component\HttpFoundation\Response
|
||||||
*/
|
*/
|
||||||
public function addEntryAction(Request $request)
|
public function addEntryAction(Request $request)
|
||||||
@ -54,6 +56,7 @@ class EntryController extends Controller
|
|||||||
* Shows unread entries for current user
|
* Shows unread entries for current user
|
||||||
*
|
*
|
||||||
* @Route("/unread", name="unread")
|
* @Route("/unread", name="unread")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\Response
|
* @return \Symfony\Component\HttpFoundation\Response
|
||||||
*/
|
*/
|
||||||
public function showUnreadAction()
|
public function showUnreadAction()
|
||||||
@ -73,6 +76,7 @@ class EntryController extends Controller
|
|||||||
* Shows read entries for current user
|
* Shows read entries for current user
|
||||||
*
|
*
|
||||||
* @Route("/archive", name="archive")
|
* @Route("/archive", name="archive")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\Response
|
* @return \Symfony\Component\HttpFoundation\Response
|
||||||
*/
|
*/
|
||||||
public function showArchiveAction()
|
public function showArchiveAction()
|
||||||
@ -92,6 +96,7 @@ class EntryController extends Controller
|
|||||||
* Shows starred entries for current user
|
* Shows starred entries for current user
|
||||||
*
|
*
|
||||||
* @Route("/starred", name="starred")
|
* @Route("/starred", name="starred")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\Response
|
* @return \Symfony\Component\HttpFoundation\Response
|
||||||
*/
|
*/
|
||||||
public function showStarredAction()
|
public function showStarredAction()
|
||||||
@ -110,12 +115,16 @@ class EntryController extends Controller
|
|||||||
/**
|
/**
|
||||||
* Shows entry content
|
* Shows entry content
|
||||||
*
|
*
|
||||||
* @param Entry $entry
|
* @param Entry $entry
|
||||||
|
*
|
||||||
* @Route("/view/{id}", requirements={"id" = "\d+"}, name="view")
|
* @Route("/view/{id}", requirements={"id" = "\d+"}, name="view")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\Response
|
* @return \Symfony\Component\HttpFoundation\Response
|
||||||
*/
|
*/
|
||||||
public function viewAction(Entry $entry)
|
public function viewAction(Entry $entry)
|
||||||
{
|
{
|
||||||
|
$this->checkUserAction($entry);
|
||||||
|
|
||||||
return $this->render(
|
return $this->render(
|
||||||
'WallabagCoreBundle:Entry:entry.html.twig',
|
'WallabagCoreBundle:Entry:entry.html.twig',
|
||||||
array('entry' => $entry)
|
array('entry' => $entry)
|
||||||
@ -125,13 +134,17 @@ class EntryController extends Controller
|
|||||||
/**
|
/**
|
||||||
* Changes read status for an entry
|
* Changes read status for an entry
|
||||||
*
|
*
|
||||||
* @param Request $request
|
* @param Request $request
|
||||||
* @param Entry $entry
|
* @param Entry $entry
|
||||||
|
*
|
||||||
* @Route("/archive/{id}", requirements={"id" = "\d+"}, name="archive_entry")
|
* @Route("/archive/{id}", requirements={"id" = "\d+"}, name="archive_entry")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\RedirectResponse
|
* @return \Symfony\Component\HttpFoundation\RedirectResponse
|
||||||
*/
|
*/
|
||||||
public function toggleArchiveAction(Request $request, Entry $entry)
|
public function toggleArchiveAction(Request $request, Entry $entry)
|
||||||
{
|
{
|
||||||
|
$this->checkUserAction($entry);
|
||||||
|
|
||||||
$entry->toggleArchive();
|
$entry->toggleArchive();
|
||||||
$this->getDoctrine()->getManager()->flush();
|
$this->getDoctrine()->getManager()->flush();
|
||||||
|
|
||||||
@ -146,13 +159,17 @@ class EntryController extends Controller
|
|||||||
/**
|
/**
|
||||||
* Changes favorite status for an entry
|
* Changes favorite status for an entry
|
||||||
*
|
*
|
||||||
* @param Request $request
|
* @param Request $request
|
||||||
* @param Entry $entry
|
* @param Entry $entry
|
||||||
|
*
|
||||||
* @Route("/star/{id}", requirements={"id" = "\d+"}, name="star_entry")
|
* @Route("/star/{id}", requirements={"id" = "\d+"}, name="star_entry")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\RedirectResponse
|
* @return \Symfony\Component\HttpFoundation\RedirectResponse
|
||||||
*/
|
*/
|
||||||
public function toggleStarAction(Request $request, Entry $entry)
|
public function toggleStarAction(Request $request, Entry $entry)
|
||||||
{
|
{
|
||||||
|
$this->checkUserAction($entry);
|
||||||
|
|
||||||
$entry->toggleStar();
|
$entry->toggleStar();
|
||||||
$this->getDoctrine()->getManager()->flush();
|
$this->getDoctrine()->getManager()->flush();
|
||||||
|
|
||||||
@ -167,17 +184,19 @@ class EntryController extends Controller
|
|||||||
/**
|
/**
|
||||||
* Deletes entry
|
* Deletes entry
|
||||||
*
|
*
|
||||||
* @param Request $request
|
* @param Request $request
|
||||||
* @param Entry $entry
|
* @param Entry $entry
|
||||||
|
*
|
||||||
* @Route("/delete/{id}", requirements={"id" = "\d+"}, name="delete_entry")
|
* @Route("/delete/{id}", requirements={"id" = "\d+"}, name="delete_entry")
|
||||||
|
*
|
||||||
* @return \Symfony\Component\HttpFoundation\RedirectResponse
|
* @return \Symfony\Component\HttpFoundation\RedirectResponse
|
||||||
*/
|
*/
|
||||||
public function deleteEntryAction(Request $request, Entry $entry)
|
public function deleteEntryAction(Request $request, Entry $entry)
|
||||||
{
|
{
|
||||||
$em = $this->getDoctrine()->getManager();
|
$this->checkUserAction($entry);
|
||||||
|
|
||||||
$entry->setDeleted(1);
|
$entry->setDeleted(1);
|
||||||
$em->persist($entry);
|
$this->getDoctrine()->getManager()->flush();
|
||||||
$em->flush();
|
|
||||||
|
|
||||||
$this->get('session')->getFlashBag()->add(
|
$this->get('session')->getFlashBag()->add(
|
||||||
'notice',
|
'notice',
|
||||||
@ -186,4 +205,16 @@ class EntryController extends Controller
|
|||||||
|
|
||||||
return $this->redirect($request->headers->get('referer'));
|
return $this->redirect($request->headers->get('referer'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the logged user can manage the given entry
|
||||||
|
*
|
||||||
|
* @param Entry $entry
|
||||||
|
*/
|
||||||
|
private function checkUserAction(Entry $entry)
|
||||||
|
{
|
||||||
|
if ($this->getUser()->getId() != $entry->getUser()->getId()) {
|
||||||
|
throw $this->createAccessDeniedException('You can not use this entry.');
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -174,4 +174,25 @@ class EntryControllerTest extends WallabagTestCase
|
|||||||
|
|
||||||
$this->assertEquals($res->isDeleted(), true);
|
$this->assertEquals($res->isDeleted(), true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testViewOtherUserEntry()
|
||||||
|
{
|
||||||
|
$this->logInAs('bob');
|
||||||
|
$client = $this->getClient();
|
||||||
|
|
||||||
|
$content = $client->getContainer()
|
||||||
|
->get('doctrine.orm.entity_manager')
|
||||||
|
->getRepository('WallabagCoreBundle:Entry')
|
||||||
|
->createQueryBuilder('e')
|
||||||
|
->select('e.id')
|
||||||
|
->leftJoin('e.user', 'u')
|
||||||
|
->where('u.username != :username')->setParameter('username', 'bob')
|
||||||
|
->setMaxResults(1)
|
||||||
|
->getQuery()
|
||||||
|
->getSingleResult(AbstractQuery::HYDRATE_ARRAY);
|
||||||
|
|
||||||
|
$client->request('GET', '/view/'.$content['id']);
|
||||||
|
|
||||||
|
$this->assertEquals(403, $client->getResponse()->getStatusCode());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user