diff --git a/lib/BadRequestException.php b/lib/BadRequestException.php
index 894721a35..b3ffb98c1 100644
--- a/lib/BadRequestException.php
+++ b/lib/BadRequestException.php
@@ -24,7 +24,7 @@ namespace OCA\Deck;
 use OCP\AppFramework\Http;
-class BadRequestException extends \Exception {
+class BadRequestException extends StatusException {
 public function __construct($message) {
 parent::__construct($message);
diff --git a/lib/Middleware/SharingMiddleware.php b/lib/Middleware/SharingMiddleware.php
index 5e53a69df..0bbdb7058 100644
--- a/lib/Middleware/SharingMiddleware.php
+++ b/lib/Middleware/SharingMiddleware.php
@@ -60,7 +60,7 @@ class SharingMiddleware extends Middleware {
 * @throws \Exception
 */
 public function afterException($controller, $methodName, \Exception $exception) {
- if ($exception instanceof StatusException || $exception instanceof BadRequestException) {
+ if ($exception instanceof StatusException) {
 if ($this->config->getSystemValue('loglevel', Util::WARN) === Util::DEBUG) {
 $this->logger->logException($exception);
 }
diff --git a/lib/Service/LabelService.php b/lib/Service/LabelService.php
index 2b0a640be..48ccb89e1 100644
--- a/lib/Service/LabelService.php
+++ b/lib/Service/LabelService.php
@@ -27,6 +27,7 @@ use OCA\Deck\Db\Label;
 use OCA\Deck\Db\Acl;
 use OCA\Deck\Db\LabelMapper;
 use OCA\Deck\StatusException;
+use OCA\Deck\BadRequestException;
 class LabelService {
@@ -50,8 +51,12 @@ class LabelService {
 * @throws \OCA\Deck\NoPermissionException
 * @throws \OCP\AppFramework\Db\DoesNotExistException
 * @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException
+ * @throws BadRequestException
 */
 public function find($labelId) {
+ if (is_numeric($labelId) === false) {
+ throw new BadRequestException('label id must be a number');
+ }
 $this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
 return $this->labelMapper->find($labelId);
 }
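Review bot: The constructor on the new side, `public function __construct($message)`, keeps an untyped parameter and the class still has no doc comment saying when it is thrown or how it is reported; the class body continues outside the hunk. I would type it as `public function __construct(string $message)` and add a docblock along the lines of `/** Thrown when client-supplied input is malformed; handled like any StatusException by SharingMiddleware::afterException(). */`. Since the parent is now StatusException rather than \Exception, please confirm that its constructor accepts a single message argument and that this class still reports HTTP 400 — the `use OCP\AppFramework\Http;` import suggests a status override exists below the hunk, but it is not visible here.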
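Review bot: With the `instanceof BadRequestException` branch dropped on the changed line, any `use OCA\Deck\BadRequestException;` import still present at the top of SharingMiddleware.php becomes dead and should be removed in the same commit; the import block is outside this hunk, so I cannot confirm it is there. afterException() starts before the hunk and continues after it. The logging behaviour is preserved only because the first hunk of this commit makes BadRequestException a StatusException, so the two changes must land together.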
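Review bot: `is_numeric($labelId) === false` on the added line still lets `'1.5'`, `'1e3'` and strings with leading whitespace through to `$this->labelMapper->find($labelId)`, so the guard does not actually establish that the id is an integer. A stricter check is `if (filter_var($labelId, FILTER_VALIDATE_INT) === false) {` with the same exception; the same applies to the `is_numeric` checks on `$boardId` in create() and on `$id` in delete() and update() in the later hunks. Placing the check before `checkPermission()` is the right order, since it rejects malformed input before any lookup is attempted on it.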
@@ -67,6 +72,19 @@ class LabelService {
 * @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException
 */
 public function create($title, $color, $boardId) {
+
+ if ($title === false || $title === null) {
+ throw new BadRequestException('title must be provided');
+ }
+
+ if ($color === false || $color === null) {
+ throw new BadRequestException('color must be provided');
+ }
+
+ if (is_numeric($boardId) === false) {
+ throw new BadRequestException('board id must be a number');
+ }
+
 $this->permissionService->checkPermission(null, $boardId, Acl::PERMISSION_MANAGE);
 if ($this->boardService->isArchived(null, $boardId)) {
 throw new StatusException('Operation not allowed. This board is archived.');
@@ -87,6 +105,11 @@ class LabelService {
 * @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException
 */
 public function delete($id) {
+
+ if (is_numeric($id) === false) {
+ throw new BadRequestException('label id must be a number');
+ }
+
 $this->permissionService->checkPermission($this->labelMapper, $id, Acl::PERMISSION_MANAGE);
 if ($this->boardService->isArchived($this->labelMapper, $id)) {
 throw new StatusException('Operation not allowed. This board is archived.');
@@ -105,6 +128,19 @@ class LabelService {
 * @throws \OCP\AppFramework\Db\MultipleObjectsReturnedException
 */
 public function update($id, $title, $color) {
+
+ if (is_numeric($id) === false) {
+ throw new BadRequestException('label id must be a number');
+ }
+
+ if ($title === false || $title === null) {
+ throw new BadRequestException('title must be provided');
+ }
+
+ if ($color === false || $color === null) {
+ throw new BadRequestException('color must be provided');
+ }
+
 $this->permissionService->checkPermission($this->labelMapper, $id, Acl::PERMISSION_MANAGE);
 if ($this->boardService->isArchived($this->labelMapper, $id)) {
 throw new StatusException('Operation not allowed. This board is archived.');
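Review bot: The docblock above `public function create($title, $color, $boardId)` lists the other exceptions but not the one this hunk starts throwing; the find() hunk added `+ * @throws BadRequestException` and the same line is missing here and in the delete() and update() hunks. The guard `if ($title === false || $title === null)` also accepts an empty string, so if a label needs a non-empty title it should read `if ($title === false || $title === null || trim((string) $title) === '') {`; if empty titles are intentionally allowed, a one-line comment saying so would stop the next reader from "fixing" it. create() continues past the end of the hunk.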
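Review bot: The three guards added at the top of update() repeat the ones in create(), and the id guard repeats delete() and find(), differing only in the value and the message; two private helpers would keep the four methods consistent and give the validation rules a single place to tighten later. The blank `+` lines around each guard could also go, matching the spacing used in find(). update() continues past the end of the hunk, and the helpers would sit next to it in the same class.
```php
	public function update($id, $title, $color) {
		$this->assertNumeric($id, 'label id');
		$this->assertProvided($title, 'title');
		$this->assertProvided($color, 'color');
		// … unchanged: permission check, archived check and the rest of update() …

	/** Throws BadRequestException unless $value passes is_numeric(). */
	private function assertNumeric($value, string $name): void {
		if (is_numeric($value) === false) {
			throw new BadRequestException($name . ' must be a number');
		}
	}

	/** Throws BadRequestException when $value is false or null. */
	private function assertProvided($value, string $name): void {
		if ($value === false || $value === null) {
			throw new BadRequestException($name . ' must be provided');
		}
	}
```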