From d7a9e4dfbe30fc72a162aa0eb60bef59b57ac57c Mon Sep 17 00:00:00 2001
From: Kovah
Date: Wed, 13 Jul 2022 11:02:57 +0200
Subject: [PATCH] Only allow ordering of entities by predefined columns and directions

---
 .../Controllers/Models/LinkController.php | 25 +++++++++++++------
 .../Controllers/Models/ListController.php | 25 +++++++++++++------
 app/Http/Controllers/Models/TagController.php | 25 +++++++++++++------
 .../Controllers/Traits/ChecksOrdering.php | 16 ++++++++++++
 app/Http/Controllers/Traits/SearchesLinks.php | 6 +++--
 5 files changed, 74 insertions(+), 23 deletions(-)
 create mode 100644 app/Http/Controllers/Traits/ChecksOrdering.php

diff --git a/app/Http/Controllers/Models/LinkController.php b/app/Http/Controllers/Models/LinkController.php
index 487fc7eb..1c9a4b82 100644
--- a/app/Http/Controllers/Models/LinkController.php
+++ b/app/Http/Controllers/Models/LinkController.php
@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Models;
 use App\Http\Controllers\Controller;
+use App\Http\Controllers\Traits\ChecksOrdering;
 use App\Http\Requests\Models\LinkMarkWorkingRequest;
 use App\Http\Requests\Models\LinkStoreRequest;
 use App\Http\Requests\Models\LinkToggleCheckRequest;
@@ -16,6 +17,14 @@ use Illuminate\Http\Request;
 class LinkController extends Controller
 {
+ use ChecksOrdering;
+
+ protected array $allowedOrders = [
+ 'created_at',
+ 'url',
+ 'title',
+ ];
+
 public function __construct()
 {
 $this->authorizeResource(Link::class, 'link');
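Review bot: `protected array $allowedOrders` in the LinkController hunk (and the matching declarations in the ListController and TagController hunks) carries no documentation of its contract, even though `checkOrdering()` silently replaces any request value not listed in it. Add a docblock above it, e.g. `/** @var list<string> Columns accepted for orderBy; any other request value falls back in ChecksOrdering::checkOrdering(). */`, so a maintainer adding a sortable column knows this list is the gate. The bare `array` type alone also does not tell static analysis that the elements are strings.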
@@ -29,23 +38,25 @@ class LinkController extends Controller
 */
 public function index(Request $request): View
 {
- $orderBy = $request->input('orderBy', session()->get('links.index.orderBy', 'created_at'));
- $orderDir = $request->input('orderDir', session()->get('links.index.orderDir', 'desc'));
+ $this->orderBy = $request->input('orderBy', session()->get('links.index.orderBy', 'created_at'));
+ $this->orderDir = $request->input('orderDir', session()->get('links.index.orderDir', 'desc'));
- session()->put('links.index.orderBy', $orderBy);
- session()->put('links.index.orderDir', $orderDir);
+ $this->checkOrdering();
+
+ session()->put('links.index.orderBy', $this->orderBy);
+ session()->put('links.index.orderDir', $this->orderDir);
 $links = Link::query()
 ->visibleForUser()
 ->with('tags')
- ->orderBy($orderBy, $orderDir)
+ ->orderBy($this->orderBy, $this->orderDir)
 ->paginate(getPaginationLimit());
 return view('models.links.index', [
 'links' => $links,
 'route' => $request->getBaseUrl(),
- 'orderBy' => $orderBy,
- 'orderDir' => $orderDir,
+ 'orderBy' => $this->orderBy,
+ 'orderDir' => $this->orderDir,
 ]);
 }
diff --git a/app/Http/Controllers/Models/ListController.php b/app/Http/Controllers/Models/ListController.php
index ac3c2889..18593261 100644
--- a/app/Http/Controllers/Models/ListController.php
+++ b/app/Http/Controllers/Models/ListController.php
@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Models;
 use App\Http\Controllers\Controller;
+use App\Http\Controllers\Traits\ChecksOrdering;
 use App\Http\Requests\Models\ListStoreRequest;
 use App\Http\Requests\Models\ListUpdateRequest;
 use App\Models\LinkList;
@@ -14,6 +15,14 @@ use Illuminate\Http\Request;
 class ListController extends Controller
 {
+ use ChecksOrdering;
+
+ protected array $allowedOrders = [
+ 'created_at',
+ 'name',
+ 'links_count',
+ ];
+
 /**
 * Display a listing of the resource.
 *
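Review bot: The resolve-validate-persist sequence in `index()` (`$this->orderBy = $request->input(...)`, `$this->checkOrdering()`, the two `session()->put()` calls) is repeated verbatim in the ListController and TagController `index()` hunks, with only the session key prefix and the defaults differing. Consider one trait method such as `$this->resolveOrdering($request, 'links.index', 'created_at', 'desc');` that reads, validates and stores both values, so the validation step cannot be forgotten on the next list page. Note also that `$request->input('orderBy')` returns whatever the query carries, including an array for `orderBy[]=...`; if the trait declares `$orderBy`/`$orderDir` with a `string` type (those declarations are not visible here), the assignment fails before `checkOrdering()` ever runs, so validating the raw value as a method parameter would be more robust than going through a typed property.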
@@ -22,15 +31,17 @@ class ListController extends Controller
 */
 public function index(Request $request): View
 {
- $orderBy = $request->input('orderBy', session()->get('lists.index.orderBy', 'name'));
- $orderDir = $request->input('orderDir', session()->get('lists.index.orderDir', 'asc'));
+ $this->orderBy = $request->input('orderBy', session()->get('lists.index.orderBy', 'name'));
+ $this->orderDir = $request->input('orderDir', session()->get('lists.index.orderDir', 'asc'));
- session()->put('lists.index.orderBy', $orderBy);
- session()->put('lists.index.orderDir', $orderDir);
+ $this->checkOrdering();
+
+ session()->put('lists.index.orderBy', $this->orderBy);
+ session()->put('lists.index.orderDir', $this->orderDir);
 $lists = LinkList::byUser()
 ->withCount('links')
- ->orderBy($orderBy, $orderDir);
+ ->orderBy($this->orderBy, $this->orderDir);
 if ($request->input('filter')) {
 $lists = $lists->where('name', 'like', '%' . $request->input('filter') . '%');
@@ -41,8 +52,8 @@ class ListController extends Controller
 return view('models.lists.index', [
 'lists' => $lists,
 'route' => $request->getBaseUrl(),
- 'orderBy' => $orderBy,
- 'orderDir' => $orderDir,
+ 'orderBy' => $this->orderBy,
+ 'orderDir' => $this->orderDir,
 ]);
 }
diff --git a/app/Http/Controllers/Models/TagController.php b/app/Http/Controllers/Models/TagController.php
index 2a66bb27..732a3597 100644
--- a/app/Http/Controllers/Models/TagController.php
+++ b/app/Http/Controllers/Models/TagController.php
@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Models;
 use App\Http\Controllers\Controller;
+use App\Http\Controllers\Traits\ChecksOrdering;
 use App\Http\Requests\Models\TagStoreRequest;
 use App\Http\Requests\Models\TagUpdateRequest;
 use App\Models\Tag;
@@ -14,6 +15,14 @@ use Illuminate\Http\Request;
 class TagController extends Controller
 {
+ use ChecksOrdering;
+
+ protected array $allowedOrders = [
+ 'created_at',
+ 'name',
+ 'links_count',
+ ];
+
 /**
 * Display a listing of the resource.
 *
@@ -22,15 +31,17 @@ class TagController extends Controller
 */
 public function index(Request $request): View
 {
- $orderBy = $request->input('orderBy', session()->get('tags.index.orderBy', 'name'));
- $orderDir = $request->input('orderDir', session()->get('tags.index.orderDir', 'asc'));
+ $this->orderBy = $request->input('orderBy', session()->get('tags.index.orderBy', 'name'));
+ $this->orderDir = $request->input('orderDir', session()->get('tags.index.orderDir', 'asc'));
- session()->put('tags.index.orderBy', $orderBy);
- session()->put('tags.index.orderDir', $orderDir);
+ $this->checkOrdering();
+
+ session()->put('tags.index.orderBy', $this->orderBy);
+ session()->put('tags.index.orderDir', $this->orderDir);
 $tags = Tag::byUser()
 ->withCount('links')
- ->orderBy($orderBy, $orderDir);
+ ->orderBy($this->orderBy, $this->orderDir);
 if ($request->input('filter')) {
 $tags = $tags->where('name', 'like', '%' . $request->input('filter') . '%');
@@ -41,8 +52,8 @@ class TagController extends Controller
 return view('models.tags.index', [
 'tags' => $tags,
 'route' => $request->getBaseUrl(),
- 'orderBy' => $orderBy,
- 'orderDir' => $orderDir,
+ 'orderBy' => $this->orderBy,
+ 'orderDir' => $this->orderDir,
 'filter' => $request->input('filter'),
 ]);
 }
diff --git a/app/Http/Controllers/Traits/ChecksOrdering.php b/app/Http/Controllers/Traits/ChecksOrdering.php
new file mode 100644
index 00000000..3414a81f
--- /dev/null
+++ b/app/Http/Controllers/Traits/ChecksOrdering.php
@@ -0,0 +1,16 @@
+orderBy = in_array($this->orderBy, $this->allowedOrders, true) ? $this->orderBy : 'created_at';
+ $this->orderDir = in_array($this->orderDir, ['asc', 'desc']) ? $this->orderDir : 'asc';
+ }
+}
diff --git a/app/Http/Controllers/Traits/SearchesLinks.php b/app/Http/Controllers/Traits/SearchesLinks.php
index df7b66d9..0c79ef84 100644
--- a/app/Http/Controllers/Traits/SearchesLinks.php
+++ b/app/Http/Controllers/Traits/SearchesLinks.php
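Review bot: In the new `ChecksOrdering` trait the direction check is non-strict while the column check right above it is strict; make it `in_array($this->orderDir, ['asc', 'desc'], true)` so both gates compare the same way and the value handed to `orderBy()` is guaranteed to be one of the two literal strings. The fallbacks `'created_at'` and `'asc'` are hardcoded in the trait, whereas ListController and TagController default the column to `'name'` and LinkController defaults the direction to `'desc'`, so a rejected value lands on a different ordering than the page's own default; `$this->allowedOrders[0]` would at least keep the column fallback with the controller that owns the list. The start of this hunk (the trait declaration, the `$orderBy`/`$orderDir` properties and the `checkOrdering()` signature) is not readable as extracted, so the property types cannot be checked here; a short docblock on the method stating that it normalises both properties in place and never throws would make the contract clear to the controllers using it.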
@@ -88,8 +88,10 @@ trait SearchesLinks
 });
 }
- // Order the results if applicable
- if ($this->searchOrderBy = $request->input('order_by', $this->orderByOptions[0])) {
+ // Order the results if applicable and only allow predefined ordering
+ if ($this->searchOrderBy = $request->input('order_by')) {
+ $this->searchOrderBy = in_array($this->searchOrderBy, $this->orderByOptions)
+ ? $this->searchOrderBy : $this->orderByOptions[0];
 $search->orderBy(...explode(':', $this->searchOrderBy));
 }
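Review bot: The new `in_array($this->searchOrderBy, $this->orderByOptions)` on the second added line is non-strict; pass `true` as the third argument so the value spread into `$search->orderBy(...explode(':', ...))` is exactly one of the predefined strings and a non-string request value is rejected rather than loosely matched. The condition also changed from `$request->input('order_by', $this->orderByOptions[0])` to `$request->input('order_by')`, so when the parameter is absent no ordering is applied at all, whereas before the first option was used; if that was not intended, keep the default in the `input()` call. The enclosing method starts and ends outside this hunk.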