
Enforce model aliases when generating order by clauses.

Sorting on a field that exists on the model, but qualified with an alias that does not, could produce invalid SQL.

Backport c327bdc from 2.3 to 2.2.
markstory committed Apr 27, 2013
1 parent 6a4160f commit b4efeb48b8554aba316d80eb89424a20b3be0b27
@@ -339,6 +339,7 @@ public function validateSort($object, $options, $whitelist = array()) {
$field = key($options['order']);
if (!in_array($field, $whitelist)) {
$options['order'] = null;
return $options;
}
}
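Review bot: The whitelist gate `if (!in_array($field, $whitelist)) {` compares loosely: PHP stores a numeric-string array key such as `'0'` as the integer 0, and before PHP 8 `in_array(0, array('title'))` evaluates true, so a sort key of `0` would slip past this check even though it is not in the whitelist. Nothing else in this hunk re-validates it, so the comparison should be strict: `if (!in_array($field, $whitelist, true)) {`. Note also that only `key($options['order'])` — the first key — is checked; whether later keys can carry caller-controlled values depends on how `order` is assembled, which is outside this hunk. validateSort() begins before and continues after this hunk.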
@@ -352,7 +353,7 @@ public function validateSort($object, $options, $whitelist = array()) {
}
if ($object->hasField($field)) {
$order[$alias . '.' . $field] = $value;
$order[$object->alias . '.' . $field] = $value;
} elseif ($object->hasField($key, true)) {
$order[$field] = $value;
} elseif (isset($object->{$alias}) && $object->{$alias}->hasField($field, true)) {
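Review bot: The new line `$order[$object->alias . '.' . $field] = $value;` runs whenever the primary model has `$field`, whatever alias the caller supplied, so a sort on an associated model's column that shares a name with a primary-model column (say `Author.id` when the model itself has `id`) is now silently rewritten to `Model.id` instead of reaching the `isset($object->{$alias})` branch below. If the goal is only to neutralise bogus aliases, test the alias first — e.g. `$correctAlias = ($alias === $object->alias);` after the explode, then `if ($correctAlias && $object->hasField($field))` — and drop unknown aliases rather than rewriting them; the added `Derp.id` test would then expect an empty order instead of `Model.id`. Separately, the third branch calls `->hasField()` on whatever public property `$alias` names; if the model exposes public properties that are not Model instances, a crafted alias could trigger a fatal method call on a non-object, so adding `$object->{$alias} instanceof Model` to that condition would be prudent. The enclosing foreach and validateSort() begin outside this hunk.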
@@ -884,10 +884,12 @@ public function testValidateSortMultiple() {
$model->alias = 'model';
$model->expects($this->any())->method('hasField')->will($this->returnValue(true));
$options = array('order' => array(
'author_id' => 'asc',
'title' => 'asc'
));
$options = array(
'order' => array(
'author_id' => 'asc',
'title' => 'asc'
)
);
$result = $this->Paginator->validateSort($model, $options);
$expected = array(
'model.author_id' => 'asc',
@@ -917,6 +919,21 @@ public function testValidateSortNoSort() {
$this->assertEquals($options['order'], $result['order']);
}
/**
* Test sorting with incorrect aliases on valid fields.
*
* @return void
*/
public function testValidateSortInvalidAlias() {
$model = $this->getMock('Model');
$model->alias = 'Model';
$model->expects($this->any())->method('hasField')->will($this->returnValue(true));
$options = array('sort' => 'Derp.id');
$result = $this->Paginator->validateSort($model, $options);
$this->assertEquals(array('Model.id' => 'asc'), $result['order']);
}
/**
* test that maxLimit is respected
*
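Review bot: The stub `$model->expects($this->any())->method('hasField')->will($this->returnValue(true));` answers true for every argument, so this test pins `Model.id` only because the primary-model branch in validateSort() happens to run first; had the virtual-field probe `hasField('Derp.id', true)` been reached it would also have returned true and the test could not tell the two outcomes apart. A field-specific stub would make the expectation reflect real model fields, e.g. `->will($this->returnValueMap(array(array('id', true), array('Derp.id', true, false))))`, if the project's PHPUnit version supports it. A companion case with a field the model does not have (for example `Derp.nope`) would also document what the component does with a wholly invalid sort.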
