fix: retrieve request array with all() instead of get()

williarin · williarin · commit 0d2629e69bb4 · 2022-10-08T21:15:56.000+08:00
diff --git a/.env b/.env
@@ -1,3 +1,3 @@
 APP_ENV=dev
-APP_SECRET=nSw!OiGdwCk1VYSL1zUo@F3l%$NtJW$saFU8i%6uy5waoI4!vs
+APP_SECRET=nSw!OiGdwCk1VYSL1zUo@F3l%$$NtJW$$saFU8i%6uy5waoI4!vs
 DATABASE_URL=mysql://dev:dev@mysql:3306/numbernine_dev?serverVersion=5.7
diff --git a/composer.json b/composer.json
@@ -37,7 +37,7 @@
         "imagine/imagine": "^1.2",
         "mpratt/relativetime": "^1.5",
         "nette/php-generator": "^4.0",
-        "numberninecms/common": "^0.1.11",
+        "numberninecms/common": "^0.1.12",
         "psr/cache": ">=1.0",
         "psr/log": ">=1.1",
         "scienta/doctrine-json-functions": "^4.1",
diff --git a/src/Controller/Admin/Api/ContentEntity/ContentEntitiesDeleteAction.php b/src/Controller/Admin/Api/ContentEntity/ContentEntitiesDeleteAction.php
@@ -38,8 +38,7 @@ public function __invoke(
 
         $this->denyAccessUnlessGranted($contentType->getMappedCapability(Capabilities::DELETE_POSTS));
 
-        /** @var array $ids */
-        $ids = $request->request->get('ids');
+        $ids = $request->request->all('ids');
 
         try {
             if (empty($ids)) {
diff --git a/src/Controller/Admin/Api/ContentEntity/ContentEntitiesRestoreAction.php b/src/Controller/Admin/Api/ContentEntity/ContentEntitiesRestoreAction.php
@@ -31,8 +31,7 @@ public function __invoke(
         ResponseFactory $responseFactory,
         string $type
     ): JsonResponse {
-        /** @var array $ids */
-        $ids = $request->request->get('ids');
+        $ids = $request->request->all('ids');
 
         try {
             $contentService->restoreEntitiesOfType($type, $ids);
diff --git a/src/Controller/Admin/Api/Menu/MenuUpdateAction.php b/src/Controller/Admin/Api/Menu/MenuUpdateAction.php
@@ -30,8 +30,7 @@ public function __invoke(
         ResponseFactory $responseFactory,
         Menu $menu
     ): JsonResponse {
-        /** @var array $menuItems */
-        $menuItems = $request->request->get('menuItems') ?: [];
+        $menuItems = $request->request->all('menuItems');
 
         $menu->setMenuItems($menuItems);
 
diff --git a/src/Controller/Admin/Api/PageBuilder/PageBuilderAreaComponentsUpdateAction.php b/src/Controller/Admin/Api/PageBuilder/PageBuilderAreaComponentsUpdateAction.php
@@ -34,8 +34,7 @@ public function __invoke(
         ThemeOptionsReadWriter $themeOptionsReadWriter,
         string $area
     ): JsonResponse {
-        /** @var array $components */
-        $components = $request->request->get('components');
+        $components = $request->request->all('components');
         $text = $arrayToShortcodeConverter->convertMany($components);
 
         $areas = $themeOptionsReadWriter->read($themeStore->getCurrentTheme(), 'areas', []);
diff --git a/src/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateAction.php b/src/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateAction.php
@@ -13,26 +13,31 @@
 
 use Doctrine\ORM\EntityManagerInterface;
 use NumberNine\Content\ArrayToShortcodeConverter;
+use NumberNine\Controller\Admin\CanEditPostsTrait;
 use NumberNine\Entity\ContentEntity;
 use NumberNine\Http\ResponseFactory;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Annotation\Route;
 
 #[Route(path: 'page_builder/{id<\d+>}/components', name: 'numbernine_admin_pagebuilder_post_entity_components', options: ['expose' => true], methods: [
     'POST',
 ])]
-final class PageBuilderEntityComponentsUpdateAction
+final class PageBuilderEntityComponentsUpdateAction extends AbstractController
 {
+    use CanEditPostsTrait;
+
     public function __invoke(
         Request $request,
         EntityManagerInterface $entityManager,
         ResponseFactory $responseFactory,
         ArrayToShortcodeConverter $arrayToShortcodeConverter,
         ContentEntity $contentEntity
     ): JsonResponse {
-        /** @var array $components */
-        $components = $request->request->get('components');
+        $this->assertCanEditPosts($this->getUser(), $contentEntity);
+
+        $components = $request->request->all('components');
         $text = $arrayToShortcodeConverter->convertMany($components);
 
         $contentEntity->setContent($text);
diff --git a/src/Controller/Admin/Api/PageBuilder/PageBuilderShortcodePresetCreateUpdateAction.php b/src/Controller/Admin/Api/PageBuilder/PageBuilderShortcodePresetCreateUpdateAction.php
@@ -34,7 +34,6 @@ public function __invoke(
         PresetRepository $templateRepository,
         string $name
     ): JsonResponse {
-        /** @var array $component */
         $component = $request->request->all();
 
         if (empty($component)) {
diff --git a/src/Controller/Admin/Api/Taxonomy/TermDeleteAction.php b/src/Controller/Admin/Api/Taxonomy/TermDeleteAction.php
@@ -32,8 +32,7 @@ public function __invoke(
         ResponseFactory $responseFactory,
         string $taxonomy
     ): JsonResponse {
-        /** @var array $ids */
-        $ids = $request->request->get('ids');
+        $ids = $request->request->all('ids');
 
         try {
             $termRepository->removeCollection($ids);
diff --git a/src/Controller/Admin/Api/User/UsersDeleteAction.php b/src/Controller/Admin/Api/User/UsersDeleteAction.php
@@ -35,8 +35,7 @@ public function __invoke(
     ): JsonResponse {
         $this->denyAccessUnlessGranted(Capabilities::DELETE_USERS);
 
-        /** @var array $ids */
-        $ids = $request->request->get('ids');
+        $ids = $request->request->all('ids');
         /** @var string $associatedContent */
         $associatedContent = $request->request->get('associatedContent', 'reassign');
 
diff --git a/src/Controller/Admin/CanEditPostsTrait.php b/src/Controller/Admin/CanEditPostsTrait.php
@@ -0,0 +1,46 @@
+<?php
+/*
+ * This file is part of the NumberNine package.
+ *
+ * (c) William Arin <williamarin.dev@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace NumberNine\Controller\Admin;
+
+use NumberNine\Content\ContentService;
+use NumberNine\Entity\ContentEntity;
+use NumberNine\Entity\User;
+use NumberNine\Security\Capabilities;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Contracts\Service\Attribute\Required;
+
+/**
+ * @property ContentService $contentService
+ *
+ * @method UserInterface getUser()
+ * @method void          denyAccessUnlessGranted(string $attribute)
+ */
+trait CanEditPostsTrait
+{
+    #[Required]
+    public ContentService $contentService;
+
+    private function assertCanEditPosts(UserInterface $user, ContentEntity $entity): void
+    {
+        $contentType = $this->contentService->getContentType($entity->getType());
+        $this->denyAccessUnlessGranted($contentType->getMappedCapability(Capabilities::EDIT_POSTS));
+
+        if (
+            $user instanceof User
+            && $entity->getAuthor() instanceof User
+            && $user->getId() !== $entity->getAuthor()->getId()
+        ) {
+            $this->denyAccessUnlessGranted($contentType->getMappedCapability(Capabilities::EDIT_OTHERS_POSTS));
+        }
+    }
+}
diff --git a/tests/Fixtures/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateActionTest/content.json b/tests/Fixtures/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateActionTest/content.json
@@ -0,0 +1 @@
+{"components":[{"id":"1670c881-3da2-4b8d-b96d-ae9dc5f641f8","name":"text","parameters":{"content":"Add a new component to this page..."},"computed":{},"position":0,"label":"Text","children":[],"siblingsPosition":["top","bottom"],"siblingsShortcodes":[],"icon":"file-alt","editable":true,"container":false,"responsive":[],"collapsed":false},{"type":"NumberNine\\Shortcode\\ButtonShortcode","name":"button","parameters":{"content":"","text":"View more...","case":"normal","color":"primary","style":"default","size":"normal","expand":false,"link":"","custom_class":""},"responsive":[],"computed":[],"editable":true,"container":false,"leaf":true,"id":"0dc6f0ce-d80c-41eb-af7c-b28ba799a9a0","position":0,"label":"Button","siblingsPosition":["top","bottom"],"siblingsShortcodes":[],"icon":"mdi-gesture-tap-button"}]}
diff --git a/tests/Functional/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateActionTest.php b/tests/Functional/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateActionTest.php
@@ -0,0 +1,99 @@
+<?php
+/*
+ * This file is part of the NumberNine package.
+ *
+ * (c) William Arin <williamarin.dev@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace NumberNine\Tests\Functional\Controller\Admin\Api\PageBuilder;
+
+use NumberNine\Bundle\Test\UserAwareTestCase;
+use NumberNine\Entity\Post;
+use NumberNine\Model\Content\PublishingStatusInterface;
+use NumberNine\Security\Capabilities;
+
+/**
+ * @internal
+ * @coversNothing
+ */
+final class PageBuilderEntityComponentsUpdateActionTest extends UserAwareTestCase
+{
+    public function testNotLoggedInUserCantAccessUrl(): void
+    {
+        $post = $this->getPost();
+
+        $this->client->request('POST', $this->urlGenerator->generate(
+            'numbernine_admin_pagebuilder_post_entity_components',
+            ['id' => $post->getId()],
+        ));
+        self::assertResponseRedirects($this->urlGenerator->generate('numbernine_login'));
+    }
+
+    public function testNonAllowedUserCantAccessUrl(): void
+    {
+        $this->setCapabilitiesThenLogin([Capabilities::ACCESS_ADMIN]);
+        $post = $this->getPost();
+
+        $this->client->request('POST', $this->urlGenerator->generate(
+            'numbernine_admin_pagebuilder_post_entity_components',
+            ['id' => $post->getId()],
+        ));
+        self::assertResponseRedirects($this->urlGenerator->generate('numbernine_login'));
+    }
+
+    public function testUpdatePostComponents(): void
+    {
+        $this->setCapabilitiesThenLogin([
+            Capabilities::ACCESS_ADMIN,
+            Capabilities::EDIT_POSTS,
+            Capabilities::EDIT_OTHERS_POSTS,
+        ]);
+        $post = $this->getPost();
+
+        $this->client->request(
+            'POST',
+            $this->urlGenerator->generate(
+                'numbernine_admin_pagebuilder_post_entity_components',
+                ['id' => $post->getId()],
+            ),
+            [],
+            [],
+            ['CONTENT_TYPE' => 'application/json'],
+            file_get_contents(
+                __DIR__ . '/../../../../../Fixtures/Controller/Admin/Api/PageBuilder/PageBuilderEntityComponentsUpdateActionTest/content.json'
+            ),
+        );
+
+        self::assertResponseIsSuccessful();
+
+        $post = $this->entityManager->getRepository(Post::class)->find($post->getId());
+        static::assertSame(<<<'CONTENT'
+        Add a new component to this page...
+        [button text="View more..." case="normal" color="primary" style="default" size="normal"]
+        CONTENT, $post->getContent());
+    }
+
+    private function getPost(): Post
+    {
+        $author = $this->createUser('Contributor');
+
+        $post = (new Post())
+            ->setTitle('My blog post')
+            ->setCustomType('post')
+            ->setAuthor($author)
+            ->setStatus(PublishingStatusInterface::STATUS_PUBLISH)
+            ->setCreatedAt(new \DateTime('2013/12/18'))
+            ->setPublishedAt(new \DateTime('2015/05/13'))
+        ;
+
+        $this->entityManager->persist($post);
+        $this->entityManager->flush();
+
+        return $post;
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"components":[{"id":"1670c881-3da2-4b8d-b96d-ae9dc5f641f8","name":"text","parameters":{"content":"Add a new component to this page..."},"computed":{},"position":0,"label":"Text","children":[],"siblingsPosition":["top","bottom"],"siblingsShortcodes":[],"icon":"file-alt","editable":true,"container":false,"responsive":[],"collapsed":false},{"type":"NumberNine\\Shortcode\\ButtonShortcode","name":"button","parameters":{"content":"","text":"View more...","case":"normal","color":"primary","style":"default","size":"normal","expand":false,"link":"","custom_class":""},"responsive":[],"computed":[],"editable":true,"container":false,"leaf":true,"id":"0dc6f0ce-d80c-41eb-af7c-b28ba799a9a0","position":0,"label":"Button","siblingsPosition":["top","bottom"],"siblingsShortcodes":[],"icon":"mdi-gesture-tap-button"}]}