
D527.id1673.diff

D527.id1673.diff

diff --git a/bin/controllers/setting.php b/bin/controllers/setting.php
--- a/bin/controllers/setting.php
+++ b/bin/controllers/setting.php
@@ -47,7 +47,7 @@
* @param SettingModel $setting This variable is only used in get scenarios
* @throws HTTPMethodException
*/
- public function set(SettingModel$setting = null) {
+ public function set(SettingModel $setting = null) {
try {
if (!$this->request->isPost()) { throw new HTTPMethodException(); }
diff --git a/bin/models/setting.php b/bin/models/setting.php
--- a/bin/models/setting.php
+++ b/bin/models/setting.php
@@ -3,6 +3,7 @@
use definitions\SettingModel as ParentModel;
use spitfire\Model;
use spitfire\storage\database\Schema;
+use spitfire\exceptions\PublicException;
/*
* The MIT License
@@ -59,6 +60,48 @@
$schema->index($schema->user, $schema->setting)->unique(true);
}
+ /**
+ * Magic set method. This is used to validate input to the value whenever
+ * it is modified.
+ *
+ * @todo This should be refactored into a proper validation mechanism, but it
+ * does the trick for now.
+ * @param type $field
+ * @param type $value
+ * @return type
+ * @throws PublicException
+ */
+ public function __set($field, $value)
+ {
+ #If the application is trying to write the value, we need to verify it's
+ #a valid value
+ if ($field === 'value') {
+ switch ($this->setting->type) {
+ case 'enum':
+ $options = json_decode($this->setting->additional, true);
+ if (array_search($value, array_keys($options)) === false) { throw new PublicException('Validation failed', 400); }
+ break;
+ case 'boolean':
+ $value = !!$value;
+ break;
+ case 'media':
+ #TODO: Claim the upload
+ break;
+ /*
+ * External data can only be set in the exact same manner as a string.
+ * Also note that the external should NOT be considered a safe location
+ * to place data into, the user may be able to manipulate this.
+ */
+ case 'external':
+ case 'string':
+ if (!is_string($value)) { throw new PublicException('Validation failed. Onlly strings are allowed', 400); }
+ break;
+ }
+ }
+
+ return parent::__set($field, $value);
+ }
+
public function onbeforesave(): void {
parent::onbeforesave();
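Review bot: The enum check in `__set` uses a non-strict `array_search`, so a value that merely compares loosely equal to an option key (e.g. `0` against a non-numeric key on PHP < 8, or `true` against any key) passes validation and is written as-is; and if `$this->setting->additional` is not valid JSON, `json_decode` returns null and `array_keys(null)` fails before the exception is ever reached. Replace the two lines with `$options = json_decode($this->setting->additional, true);` and `if (!is_array($options) || !is_scalar($value) || !array_key_exists((string) $value, $options)) { throw new PublicException('Validation failed', 400); }` so only an exact key of the decoded option map is accepted and a malformed option list is rejected rather than crashing. The `switch` has no `default:` branch, so a setting type not listed here (or a typo in `type`) is stored without any validation — consider throwing on an unknown type, or at least documenting that pass-through as intended. The docblock's `@param type $field` / `@return type` are IDE placeholders; `@param string $field`, `@param mixed $value`, `@return mixed` would match what the method actually receives and forwards to `parent::__set`, and 'Onlly' in the string-case message is a typo. `onbeforesave` begins at the end of this hunk and continues outside it.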
