From 4b6849eea70d9b8783c456fe81a6ca1a6119ae5d Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@netways.de>
Date: Thu, 13 Aug 2015 14:06:27 +0200
Subject: [PATCH] Repository: Introduce query column blacklists

We can no longer use $filterColumns to blacklist query columns so
there is now another set of column names required to achieve this.

refs #9029
---
 .../Authentication/User/DbUserBackend.php     |  2 +-
 .../Authentication/User/LdapUserBackend.php   |  2 +-
 .../UserGroup/DbUserGroupBackend.php          |  2 +-
 .../UserGroup/IniUserGroupBackend.php         |  2 +-
 library/Icinga/Repository/Repository.php      | 65 ++++++++++++++++---
 5 files changed, 59 insertions(+), 14 deletions(-)

diff --git a/library/Icinga/Authentication/User/DbUserBackend.php b/library/Icinga/Authentication/User/DbUserBackend.php
index 48662a987..7d7273ddc 100644
--- a/library/Icinga/Authentication/User/DbUserBackend.php
+++ b/library/Icinga/Authentication/User/DbUserBackend.php
@@ -61,7 +61,7 @@ class DbUserBackend extends DbRepository implements UserBackendInterface, Inspec
      *
      * @var array
      */
-    protected $filterColumns = array('user');
+    protected $blacklistedQueryColumns = array('user');
 
     /**
      * The default sort rules to be applied on a query
diff --git a/library/Icinga/Authentication/User/LdapUserBackend.php b/library/Icinga/Authentication/User/LdapUserBackend.php
index df2c0a8e0..5e0b98037 100644
--- a/library/Icinga/Authentication/User/LdapUserBackend.php
+++ b/library/Icinga/Authentication/User/LdapUserBackend.php
@@ -50,7 +50,7 @@ class LdapUserBackend extends LdapRepository implements UserBackendInterface, In
      *
      * @var array
      */
-    protected $filterColumns = array('user');
+    protected $blacklistedQueryColumns = array('user');
 
     /**
      * The default sort rules to be applied on a query
diff --git a/library/Icinga/Authentication/UserGroup/DbUserGroupBackend.php b/library/Icinga/Authentication/UserGroup/DbUserGroupBackend.php
index 0fd3fda14..91fc2ba86 100644
--- a/library/Icinga/Authentication/UserGroup/DbUserGroupBackend.php
+++ b/library/Icinga/Authentication/UserGroup/DbUserGroupBackend.php
@@ -71,7 +71,7 @@ class DbUserGroupBackend extends DbRepository implements UserGroupBackendInterfa
      *
      * @var array
      */
-    protected $filterColumns = array('group', 'user');
+    protected $blacklistedQueryColumns = array('group', 'user');
 
     /**
      * The value conversion rules to apply on a query or statement
diff --git a/library/Icinga/Authentication/UserGroup/IniUserGroupBackend.php b/library/Icinga/Authentication/UserGroup/IniUserGroupBackend.php
index 53eadc147..2055eb039 100644
--- a/library/Icinga/Authentication/UserGroup/IniUserGroupBackend.php
+++ b/library/Icinga/Authentication/UserGroup/IniUserGroupBackend.php
@@ -32,7 +32,7 @@ class IniUserGroupBackend extends IniRepository implements UserGroupBackendInter
      *
      * @var array
      */
-    protected $filterColumns = array('group');
+    protected $blacklistedQueryColumns = array('group');
 
     /**
      * The value conversion rules to apply on a query or statement
diff --git a/library/Icinga/Repository/Repository.php b/library/Icinga/Repository/Repository.php
index 7ca12a43d..6efcafaa7 100644
--- a/library/Icinga/Repository/Repository.php
+++ b/library/Icinga/Repository/Repository.php
@@ -64,17 +64,34 @@ abstract class Repository implements Selectable
      *          'alias2' => 'column3'
      *      )
      *  )
-     * <pre><code>
+     * </code></pre>
      *
      * @var array
      */
     protected $queryColumns;
 
     /**
-     * The columns (or aliases) which are not permitted to be queried. (by design)
+     * The columns (or aliases) which are not permitted to be queried
+     *
+     * Blacklisted query columns can still occur in a filter expression or sort rule.
      *
      * @var array   An array of strings
      */
+    protected $blacklistedQueryColumns;
+
+    /**
+     * The filter columns being provided
+     *
+     * This might be intialized by concrete repository implementations, in the following format
+     * <pre><code>
+     *  array(
+     *      'alias_or_column_name',
+     *      'label_to_show_in_the_filter_editor' => 'alias_or_column_name'
+     *  )
+     * </code></pre>
+     *
+     * @var array
+     */
     protected $filterColumns;
 
     /**
@@ -98,7 +115,7 @@ abstract class Repository implements Selectable
      *          // Ascendant sort by default
      *      )
      *  )
-     * <pre><code>
+     * </code></pre>
      * Note that it's mandatory to supply the alias name in case there is one.
      *
      * @var array
@@ -260,6 +277,33 @@ abstract class Repository implements Selectable
     /**
      * Return the columns (or aliases) which are not permitted to be queried
      *
+     * Calls $this->initializeBlacklistedQueryColumns() in case $this->blacklistedQueryColumns is null.
+     *
+     * @return  array
+     */
+    public function getBlacklistedQueryColumns()
+    {
+        if ($this->blacklistedQueryColumns === null) {
+            $this->blacklistedQueryColumns = $this->initializeBlacklistedQueryColumns();
+        }
+
+        return $this->blacklistedQueryColumns;
+    }
+
+    /**
+     * Overwrite this in your repository implementation in case you
+     * need to initialize the blacklisted query columns lazily
+     *
+     * @return  array
+     */
+    protected function initializeBlacklistedQueryColumns()
+    {
+        return array();
+    }
+
+    /**
+     * Return the filter columns being provided
+     *
      * Calls $this->initializeFilterColumns() in case $this->filterColumns is null.
      *
      * @return  array
@@ -781,10 +825,10 @@ abstract class Repository implements Selectable
             throw new ProgrammingError('Table name "%s" not found', $table);
         }
 
-        $filterColumns = $this->getFilterColumns();
+        $blacklist = $this->getBlacklistedQueryColumns();
         $columns = array();
         foreach ($queryColumns[$table] as $alias => $column) {
-            if (! in_array(is_string($alias) ? $alias : $column, $filterColumns)) {
+            if (! in_array(is_string($alias) ? $alias : $column, $blacklist)) {
                 $columns[$alias] = $column;
             }
         }
@@ -874,7 +918,8 @@ abstract class Repository implements Selectable
             return false;
         }
 
-        return !in_array($alias, $this->getFilterColumns()) && $this->validateQueryColumnAssociation($table, $name);
+        return !in_array($alias, $this->getBlacklistedQueryColumns())
+            && $this->validateQueryColumnAssociation($table, $name);
     }
 
     /**
@@ -898,8 +943,8 @@ abstract class Repository implements Selectable
             throw new QueryException(t('Query column "%s" not found'), $name);
         }
 
-        if (in_array($alias, $this->getFilterColumns())) {
-            throw new QueryException(t('Filter column "%s" cannot be queried'), $name);
+        if (in_array($alias, $this->getBlacklistedQueryColumns())) {
+            throw new QueryException(t('Column "%s" cannot be queried'), $name);
         }
 
         if (! $this->validateQueryColumnAssociation($table, $alias)) {
@@ -985,8 +1030,8 @@ abstract class Repository implements Selectable
             throw new StatementException('Statement column "%s" not found', $name);
         }
 
-        if (in_array($alias, $this->getFilterColumns())) {
-            throw new StatementException('Filter column "%s" cannot be referenced in a statement', $name);
+        if (in_array($alias, $this->getBlacklistedQueryColumns())) {
+            throw new StatementException('Column "%s" cannot be referenced in a statement', $name);
         }
 
         if (! $this->validateQueryColumnAssociation($table, $alias)) {