fix: filter values are not validated #3795
Conversation
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
/** | ||
* @throws FlarumValidationException | ||
*/ | ||
protected function asArray($filterValue, $multidimensional = false): array |
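Review bot: `$multidimensional` in this signature is untyped; give it a native `bool` (`bool $multidimensional = false`), and since `$filterValue` cannot carry a native `string|array` type here, document it as `@param string|array $filterValue` in the docblock above the `@throws` line so static analysis still sees the union.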
Should these require `string`? / why not add type annotations?
`filterValue` is either a string or an array, we can't use `mixed` and we can't use `string|array` yet.
The second parameter does need to be typed though.
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
Another question, sorry. If we're removing the `string` type annotation for `$filterValue`, would it be possible to specify a union type in the doc block so we still get some kind of typechecking?
$filterState->getQuery() | ||
->join('discussion_tag', 'discussion_tag.discussion_id', '=', 'posts.discussion_id') | ||
->where('discussion_tag.tag_id', $negate ? '!=' : '=', $filterValue); | ||
->where('discussion_tag.tag_id', $negate ? '!=' : '=', $ids); |
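Review bot: `->where('discussion_tag.tag_id', $negate ? '!=' : '=', $ids)` compares a single column against an array; if `$ids` comes from an int-array filter this should be `whereIn` / `whereNotIn`, e.g. `$negate ? $query->whereNotIn('discussion_tag.tag_id', $ids) : $query->whereIn('discussion_tag.tag_id', $ids)`, otherwise an array value reaches the binding layer unvalidated, which is the kind of server error this PR sets out to fix.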
If this is an intArray, shouldn't it be `whereIn`?
nice catch! technically I should have kept it an `int` rather than an `array<int>`. But nothing wrong with allowing filtering per many tags.
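The validation pattern this thread discusses (a filter value that may arrive as a string or an array, rejected before it reaches the query builder, and an int-array filter applied with `whereIn` rather than `where`), as an added example that is not Flarum's code or the diff of this PR. The names `FilterValidationException`, `asArray`, `asIntArray` and `applyTagFilter`, and the Laravel-style `$query` builder, are assumptions for illustration.

```php
<?php
// Added example, not Flarum's own code. The names below (FilterValidationException,
// asArray, asIntArray, applyTagFilter) are assumed for illustration.

class FilterValidationException extends \InvalidArgumentException {}

/**
 * Accept a string or a flat array of strings and return it as an array;
 * anything else is rejected before it reaches the query builder.
 * $filterValue has no native type because string|array needs PHP 8.
 * @param string|array $filterValue
 * @throws FilterValidationException
 */
function asArray($filterValue, bool $multidimensional = false): array
{
    if (is_string($filterValue)) {
        return [$filterValue];
    }
    if (!is_array($filterValue)) {
        throw new FilterValidationException('Filter value must be a string or an array.');
    }
    foreach ($filterValue as $item) {
        if (is_array($item) && $multidimensional) {
            asArray($item, false); // validate one level of nesting
        } elseif (!is_string($item)) {
            throw new FilterValidationException('Filter items must be strings.');
        }
    }
    return $filterValue;
}

/** Same check, but every item must parse as an integer (e.g. tag ids). */
function asIntArray($filterValue): array
{
    return array_map(function (string $item): int {
        $id = filter_var($item, FILTER_VALIDATE_INT);
        if ($id === false) {
            throw new FilterValidationException("Expected an integer id, got '$item'.");
        }
        return $id;
    }, asArray($filterValue));
}

/** An array of ids belongs in whereIn/whereNotIn, not where('=', $ids). */
function applyTagFilter($query, $filterValue, bool $negate)
{
    $ids = asIntArray($filterValue);
    return $negate
        ? $query->whereNotIn('discussion_tag.tag_id', $ids)
        : $query->whereIn('discussion_tag.tag_id', $ids);
}
```

A caller catches `FilterValidationException` and turns it into a 4xx response, so a malformed `filter[...]` parameter no longer surfaces as a server error.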
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
We can't add a more open type than the code type
Fixes #3627
Changes proposed in this pull request:
This PR along with a tag `v0.5.2` in SychO9/json-api-php@728047e fixes a lack of validation for query parameters that would lead to multiple server errors.
Reviewers should focus on:
I'm surprised we never noticed the lack of validation for filters. That said, the interface forces a string type, whereas a filter can be an array; unfortunately, we can only change that in 2.0, but at least implementations of the interface can do without the string type.
Necessity
Confirmed: tests pass (`composer test`).
Required changes: