Merge pull request #51 from brenoroosevelt/master

Respond with Bad Request if include is unavailable
FriendsOfCake · Apr 28, 2018 · 447760f · 447760f
2 parents 99f4a5a + 7138d74
commit 447760f
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 5 deletions.
diff --git a/src/Listener/JsonApiListener.php b/src/Listener/JsonApiListener.php
@@ -292,10 +292,14 @@ protected function _includeParameter($includes, Subject $subject, $options)
         }
         $includes = Hash::filter((array)$includes);
 
-        if (empty($includes) || $options['blacklist'] === true || $options['whitelist'] === false) {
+        if (empty($includes)) {
             return;
         }
 
+        if ($options['blacklist'] === true || $options['whitelist'] === false) {
+            throw new BadRequestException("The include parameter is not supported");
+        }
+
         $this->config('include', []);
         $includes = Hash::expand(Hash::normalize($includes));
         $blacklist = is_array($options['blacklist']) ? Hash::expand(Hash::normalize(array_fill_keys($options['blacklist'], true))) : $options['blacklist'];

diff --git a/tests/TestCase/Listener/JsonApiListenerTest.php b/tests/TestCase/Listener/JsonApiListenerTest.php
@@ -1421,6 +1421,40 @@ public function includeQueryProvider()
                 ],
                 ['cultures', 'currency']
             ],
+        ];
+    }
+
+    /**
+     * Make sure that the include query correct splits include string into a containable format
+     *
+     * @return void
+     * @dataProvider includeQueryProvider
+     */
+    public function testIncludeQuery($include, $options, $expectedContain, $expectedInclude)
+    {
+        $listener = new JsonApiListener(new Controller());
+        $this->setReflectionClassInstance($listener);
+
+        $subject = new Subject();
+
+        $query = $this
+            ->getMockBuilder(Query::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $subject->query = $query;
+        $subject->query
+            ->expects($this->any())
+            ->method('repository')
+            ->willReturn(TableRegistry::get('Countries'));
+
+        $this->callProtectedMethod('_includeParameter', [$include, $subject, $options], $listener);
+        $this->assertSame($expectedInclude, $listener->config('include'));
+    }
+
+    public function includeQueryBadRequestProvider()
+    {
+        return [
             'blacklist everything' => [
                 'cultures,currencies.countries',
                 ['blacklist' => true, 'whitelist' => ['cultures', 'currencies.countries']],
@@ -1437,12 +1471,14 @@ public function includeQueryProvider()
     }
 
     /**
-     * Make sure that the include query correct splits include string into a containable format
+     * Ensure that the whiteList nothing or blackList everything do not accept any include parameter, and responds with
+     * BadRequestException
      *
      * @return void
-     * @dataProvider includeQueryProvider
+     * @dataProvider includeQueryBadRequestProvider
+     * @expectedException \Cake\Network\Exception\BadRequestException
      */
-    public function testIncludeQuery($include, $options, $expectedContain, $expectedInclude)
+    public function testIncludeQueryBadRequest($include, $options, $expectedContain, $expectedInclude)
     {
         $listener = new JsonApiListener(new Controller());
         $this->setReflectionClassInstance($listener);
@@ -1465,7 +1501,6 @@ public function testIncludeQuery($include, $options, $expectedContain, $expected
             ->willReturn(TableRegistry::get('Countries'));
 
         $this->callProtectedMethod('_includeParameter', [$include, $subject, $options], $listener);
-        $this->assertSame($expectedInclude, $listener->config('include'));
     }
 
     /**