From e375e24a6df35a85101d79588ee5e5da7f2410aa Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Mon, 20 Feb 2023 10:17:20 +0100
Subject: [PATCH] chg: [component:CRUD] Added validation of order fields

---
 src/Controller/Component/CRUDComponent.php | 36 +++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index fa98a42..5edb80d 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -73,7 +73,11 @@ class CRUDComponent extends Component
             $query->select($options['fields']);
         }
         if (!empty($options['order'])) {
-            $query->order($options['order']);
+            $orderFields = array_keys($options['order']);
+            if ($this->_validOrderFields($orderFields)) {
+                $query->order($options['order']);
+                $this->Controller->paginate['order'] = $options['order'];
+            }
         }
         if ($this->Controller->ParamHandler->isRest()) {
             if ($this->metaFieldsSupported()) {
@@ -1581,4 +1585,34 @@ class CRUDComponent extends Component
         }
         return $typeMap;
     }
+
+    protected function _validOrderFields($fields): bool
+    {
+        if (!is_array($fields)) {
+            $fields = [$fields];
+        }
+        foreach ($fields as $field) {
+            $exploded = explode('.', $field);
+            if (count($exploded) > 1) {
+                $model = $exploded[0];
+                $subField = $exploded[1];
+                if ($model == $this->Table->getAlias()) {
+                    if (empty($this->Table->getSchema()->typeMap()[$subField])) {
+                        return false;
+                    }
+                } else {
+                    $association = $this->Table->associations()->get($model);
+                    $associatedTable = $association->getTarget();
+                    if (empty($associatedTable->getSchema()->typeMap()[$subField])) {
+                        return false;
+                    }
+                }
+            } else {
+                if (empty($this->Table->getSchema()->typeMap()[$field])) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
 }
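Review bot: The new check validates only the keys of `$options['order']`; the values (the sort directions) still reach `$query->order()` on the line after the `_validOrderFields` call exactly as supplied, and the ORM passes them into the ORDER BY clause as given. Whether `$options['order']` can be request-derived is not visible in this hunk, but if it can, each direction should be restricted as well, e.g. `if (!in_array(strtolower($direction), ['asc', 'desc'], true)) { return false; }` in the validator or a sibling helper that receives the values. When validation fails the ordering is dropped silently, which hides both misconfigured callers and malformed input; a log line or an exception at that branch would make the rejection observable. The enclosing method starts and ends outside the hunk.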
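Review bot: `$this->Table->associations()->get($model)` returns null when no association with that alias exists, so an order key such as `Unknown.field` makes the next line's `->getTarget()` fail with a fatal error instead of the validator returning false; add a guard between the two lines: `if ($association === null) { return false; }`. The dotted branch also accepts keys with more than one dot, because only `$exploded[0]` and `$exploded[1]` are tested while the full string is what later reaches `order()`; limiting the split with `explode('.', $field, 2)` makes the remainder land in `$subField` and fail the `typeMap()` lookup. `$model == $this->Table->getAlias()` should be a strict `===`, and the untyped `$fields` parameter deserves a native or docblock type plus a one-line docblock stating that each entry must be a column of the component's table or `AssociationAlias.column`.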