Only allow sort fields that match the current object alias.
Backport 37ce6df to 1.3

Fixes #3803
markstory committed May 1, 2013
1 parent 2eab53d commit f2c9639
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions cake/libs/controller/controller.php
@@ -1134,10 +1134,11 @@ function paginate($object = null, $scope = array(), $whitelist = array()) {
}
$value = $options['order'][$key];
unset($options['order'][$key]);
$correctAlias = ($alias == $object->alias);

if ($object->hasField($field)) {
if ($correctAlias && $object->hasField($field)) {
$options['order'][$object->alias . '.' . $field] = $value;
} elseif ($object->hasField($key, true)) {
} elseif ($correctAlias && $object->hasField($key, true)) {
$options['order'][$field] = $value;
} elseif (isset($object->{$alias}) && $object->{$alias}->hasField($field)) {
$options['order'][$alias . '.' . $field] = $value;
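Review bot: The alias check added as `$correctAlias = ($alias == $object->alias);` uses loose comparison, so PHP compares two numeric-looking strings as numbers rather than byte for byte; because this flag now decides which sort keys are kept in `$options['order']`, `$correctAlias = ($alias === $object->alias);` is the safer form. How `$alias` is derived from the sort key is outside the hunk, so this assumes both operands are always strings. The commit changes only controller.php, so a regression test that paginates with a sort key carrying a non-matching alias and asserts the key is dropped would keep this filter from silently regressing. paginate() starts and ends outside the hunk.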