fix: added missing check on integers, simplified code

thorsten · Mar 20, 2024 · 81387ee · 81387ee
1 parent 80c5d9a
commit 81387ee
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 19 deletions.
diff --git a/phpmyfaq/src/admin-routes.php b/phpmyfaq/src/admin-routes.php
@@ -79,7 +79,6 @@
     )
 );
 
-
 $routes->add(
     'admin.api.category.permissions',
     new Route('/category/permissions/{categories}', ['_controller' => [CategoryController::class, 'permissions']])

diff --git a/phpmyfaq/src/phpMyFAQ/Controller/Administration/CategoryController.php b/phpmyfaq/src/phpMyFAQ/Controller/Administration/CategoryController.php
@@ -26,6 +26,7 @@
 use phpMyFAQ\Controller\AbstractController;
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Enums\PermissionType;
+use phpMyFAQ\Filter;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
 use phpMyFAQ\User\CurrentUser;
@@ -44,10 +45,8 @@ public function delete(Request $request): JsonResponse
     {
         $this->userHasPermission(PermissionType::CATEGORY_DELETE);
 
-        $configuration = Configuration::getConfigurationInstance();
-        $currentUser = CurrentUser::getCurrentUser($configuration);
+        $currentUser = CurrentUser::getCurrentUser($this->configuration);
 
-        $jsonResponse = new JsonResponse();
         $data = json_decode($request->getContent());
 
         if (!Token::getInstance()->verifyToken('category', $data->csrfToken)) {
@@ -56,19 +55,19 @@ public function delete(Request $request): JsonResponse
 
         [ $currentAdminUser, $currentAdminGroups ] = CurrentUser::getCurrentUserGroupId($currentUser);
 
-        $category = new Category($configuration, [], false);
+        $category = new Category($this->configuration, [], false);
         $category->setUser($currentAdminUser);
         $category->setGroups($currentAdminGroups);
 
-        $categoryRelation = new CategoryRelation($configuration, $category);
+        $categoryRelation = new CategoryRelation($this->configuration, $category);
 
-        $categoryImage = new CategoryImage($configuration);
+        $categoryImage = new CategoryImage($this->configuration);
         $categoryImage->setFileName($category->getCategoryData($data->categoryId)->getImage());
 
-        $categoryOrder = new CategoryOrder($configuration);
+        $categoryOrder = new CategoryOrder($this->configuration);
         $categoryOrder->remove($data->categoryId);
 
-        $categoryPermission = new CategoryPermission($configuration);
+        $categoryPermission = new CategoryPermission($this->configuration);
 
         if (
             (
@@ -88,7 +87,7 @@ public function delete(Request $request): JsonResponse
             return $this->json(['success' => Translation::get('ad_categ_deleted')], Response::HTTP_OK);
         } else {
             return $this->json(
-                ['error' => Translation::get('ad_adus_dberr') . $configuration->getDb()->error()],
+                ['error' => Translation::get('ad_adus_dberr') . $this->configuration->getDb()->error()],
                 Response::HTTP_INTERNAL_SERVER_ERROR
             );
         }
@@ -97,12 +96,12 @@ public function delete(Request $request): JsonResponse
     /**
      * @throws Exception
      */
-    #[Route('admin/api/category/permissions')]
+    #[Route('admin/api/category/permissions', methods: ['GET'])]
     public function permissions(Request $request): JsonResponse
     {
         $this->userIsAuthenticated();
 
-        $categoryPermission = new CategoryPermission(Configuration::getConfigurationInstance());
+        $categoryPermission = new CategoryPermission($this->configuration);
 
         $categoryData = $request->get('categories');
 
@@ -112,6 +111,10 @@ public function permissions(Request $request): JsonResponse
             $categories = explode(',', (string) $categoryData);
         }
 
+        if (!in_array(true, filter_var_array($categories, FILTER_VALIDATE_INT))) {
+            return $this->json(['error' => 'Only integer values are valid.'], Response::HTTP_BAD_REQUEST);
+        }
+
         return $this->json(
             [
                 'user' => $categoryPermission->get(CategoryPermission::USER, $categories),
@@ -129,10 +132,11 @@ public function translations(Request $request): JsonResponse
     {
         $this->userIsAuthenticated();
 
-        $configuration = Configuration::getConfigurationInstance();
-        $category = new Category($configuration, [], false);
+        $category = new Category($this->configuration, [], false);
+
+        $categoryId = Filter::filterVar($request->get('categoryId'), FILTER_VALIDATE_INT);
 
-        $translations = $category->getCategoryLanguagesTranslated($request->get('categoryId'));
+        $translations = $category->getCategoryLanguagesTranslated($categoryId);
 
         return $this->json($translations, Response::HTTP_OK);
     }
@@ -151,17 +155,16 @@ public function updateOrder(Request $request): JsonResponse
             return $this->json(['error' => Translation::get('err_NotAuth')], Response::HTTP_UNAUTHORIZED);
         }
 
-        $configuration = Configuration::getConfigurationInstance();
-        $user = CurrentUser::getCurrentUser($configuration);
+        $user = CurrentUser::getCurrentUser($this->configuration);
 
         [ $currentAdminUser, $currentAdminGroups ] = CurrentUser::getCurrentUserGroupId($user);
 
-        $categoryOrder = new CategoryOrder($configuration);
+        $categoryOrder = new CategoryOrder($this->configuration);
         $categoryOrder->setCategoryTree($data->categoryTree);
 
         $parentId = $categoryOrder->getParentId($data->categoryTree, (int)$data->categoryId);
 
-        $category = new Category($configuration, [], false);
+        $category = new Category($this->configuration, [], false);
         $category->setUser($currentAdminUser);
         $category->setGroups($currentAdminGroups);
         $category->updateParentCategory($data->categoryId, $parentId);