fix: filter values are not validated #3795
Conversation
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
| /** | ||
| * @throws FlarumValidationException | ||
| */ | ||
| protected function asArray($filterValue, $multidimensional = false): array |
There was a problem hiding this comment.
Should these require string? / why not add type annotations?
There was a problem hiding this comment.
filterValue is either a string or an array, w can't use mixed and we can't use sting|array yet.
The second parameter does need to be typed though.
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
| $filterState->getQuery() | ||
| ->join('discussion_tag', 'discussion_tag.discussion_id', '=', 'posts.discussion_id') | ||
| ->where('discussion_tag.tag_id', $negate ? '!=' : '=', $filterValue); | ||
| ->where('discussion_tag.tag_id', $negate ? '!=' : '=', $ids); |
There was a problem hiding this comment.
If this is an intArray, shouldn't it be whereIn?
There was a problem hiding this comment.
nice catch! technically I should have kept it an int rather than an array<int>. But nothing wrong with allowing filtering per many tags.
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
We can't add a more open type than the code type |
Fixes #3627
Changes proposed in this pull request:
This PR along with a tag
v0.5.2in SychO9/json-api-php@728047e fixes a lack of validation for query parameters that would lead to multiple server errors.Reviewers should focus on:
I'm surprised we never noticed the lack of validation for filters, that said the interface forces a string type, whereas a filter can be an array, unfortunately, we can only change that in 2.0, but at least, implementations of the interface can do without the string type.
Necessity
Confirmed
composer test).Required changes: