@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Validate icon existence when setting user icon

Summary:
Do not allow setting an invalid user icon via the `user.edit` Conduit API but validate the value.

This code path is executed because `PhabricatorApplicationTransactionEditor::validateTransaction()` for `case PhabricatorTransactions::TYPE_CUSTOMFIELD` calls `$field->validateApplicationTransactions` and because `PhabricatorUserIconField` is a child class of `PhabricatorCustomField`.

Closes T16307

Test Plan:
* Run `echo '{ "objectIdentifier":"@myusername", "transactions":[{"type":"icon","value":"nonexistingicon"}]}' | /var/www/html/phorge/arcanist/bin/arc call-conduit --conduit-uri http://phorge.localhost/ --conduit-token "cli-mytoken" user.edit --` before and after this, and get a new error after this patch:
```
{
"error": "ERR-CONDUIT-CORE",
"errorMessage": "ERR-CONDUIT-CORE: <user.edit> Validation errors:\n - Value for \"Icon\" is invalid: \"nonexistingicon\".",
"response": null
}
```
* Optionally, check database value of `SELECT u.userName, up.icon FROM phabricator_user.user_profile up JOIN phabricator_user.user u ON up.userPHID = u.phid WHERE u.userName = "myusername";` in the database before and after applying patch and compare what `PhabricatorPeopleIconSet` actually offers
* Run `echo '{ "objectIdentifier":"@myusername", "transactions":[{"type":"icon","value":"spy"}]}' | /var/www/html/phorge/arcanist/bin/arc call-conduit --conduit-uri http://phorge.localhost/ --conduit-token "cli-mytoken" user.edit --` and still successfully change your user icon
* Run `echo '{ "objectIdentifier":"@notmyusername", "transactions":[{"type":"icon","value":"spy"}]}' | /var/www/html/phorge/arcanist/bin/arc call-conduit --conduit-uri http://phorge.localhost/ --conduit-token "cli-mytoken" user.edit --` and still get the expected error that you are not that user

Reviewers: O1 Blessed Committers, valerio.bozzolan

Reviewed By: O1 Blessed Committers, valerio.bozzolan

Subscribers: mainframe98, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Maniphest Tasks: T16307

Differential Revision: https://we.phorge.it/D26430

+27
+27
src/applications/people/customfield/PhabricatorUserIconField.php
··· 79 79 return new ConduitStringParameterType(); 80 80 } 81 81 82 + public function validateApplicationTransactions( 83 + PhabricatorApplicationTransactionEditor $editor, 84 + $type, 85 + array $xactions) { 86 + 87 + $errors = parent::validateApplicationTransactions( 88 + $editor, 89 + $type, 90 + $xactions); 91 + 92 + foreach ($xactions as $xaction) { 93 + $new_icon = $xaction->getNewValue(); 94 + if (!PhabricatorPeopleIconSet::getIconName($new_icon)) { 95 + $errors[] = new PhabricatorApplicationTransactionValidationError( 96 + $type, 97 + pht('Invalid'), 98 + pht( 99 + 'Value for "%s" is invalid: "%s".', 100 + $this->getFieldName(), 101 + $new_icon)); 102 + break; 103 + } 104 + } 105 + 106 + return $errors; 107 + } 108 + 82 109 }
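Review bot: In the `foreach` over `$xactions`, the validity test is the truthiness of `PhabricatorPeopleIconSet::getIconName($new_icon)`, so a null or empty new value will presumably be rejected the same way as an unknown key, and the patch does not say whether that is intended. If an empty value is meant to be a legitimate way to clear the icon, skip validation for it explicitly before the lookup. If it is not, say so in a comment and add that case to the test plan, which currently exercises only an unknown key and a valid one. Two smaller points on the same loop: the `break` after the first failure means a call carrying several icon transactions reports only the first bad value, which is fine but worth a one-line comment. The rejected `$new_icon` is also echoed back verbatim in the error message, so it is worth confirming that the message is escaped wherever it is rendered outside the JSON Conduit response.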