From f9e8a0abec43119dd8e28a9973142af4848a1079 Mon Sep 17 00:00:00 2001 From: Guillermo Date: Thu, 26 Dec 2019 17:25:00 -0300 Subject: [PATCH] add department test and escape query --- server/controllers/ticket/search.php | 24 ++++----- server/libs/validations/validPrioritys.php | 19 ------- .../tests/controllers/ticket/searchTest.php | 50 ++++++++++++++++--- 3 files changed, 54 insertions(+), 39 deletions(-) delete mode 100644 server/libs/validations/validPrioritys.php diff --git a/server/controllers/ticket/search.php b/server/controllers/ticket/search.php index a3ea08fe..3eb05304 100644 --- a/server/controllers/ticket/search.php +++ b/server/controllers/ticket/search.php @@ -111,21 +111,22 @@ class SearchController extends Controller { 'query' => Controller::request('query'), 'orderBy' => json_decode(Controller::request('orderBy'),true), 'page' => Controller::request('page'), - 'user' => Controller::getLoggedUser(), + 'allowedDepartments' => Controller::getLoggedUser()->sharedDepartmentList->toArray(), ]; + $query = $this->getSQLQuery($inputs); $queryWithOrder = $this->getSQLQueryWithOrder($inputs); - $totalCount = RedBean::getAll("SELECT COUNT(*) FROM (SELECT COUNT(*) " . $query . " ) AS T2")[0]['COUNT(*)']; - $ticketIdList = RedBean::getAll($queryWithOrder); + $totalCount = RedBean::getAll("SELECT COUNT(*) FROM (SELECT COUNT(*) " . $query . " ) AS T2", [':query' => $inputs['query']])[0]['COUNT(*)']; + $ticketIdList = RedBean::getAll($queryWithOrder, [':query' => "%" . $inputs['query'] . "%"]); $ticketList = []; foreach ($ticketIdList as $item) { $ticket = Ticket::getDataStore($item['id']); array_push($ticketList, $ticket->toArray()); } - $ticketTableExists = RedBean::exec("select table_name from information_schema.tables where table_name = 'ticket';"); + if($ticketTableExists){ Response::respondSuccess([ 'tickets' => $ticketList, 
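Review bot: The two new bindings disagree: the `$totalCount` call binds `$inputs['query']` bare while the `$ticketIdList` call binds it wrapped in `%…%`, so with `LIKE :query` in the WHERE clause the count is an exact match and the page is a substring match, and the reported total will not match the rows returned. Build the value once and pass it to both calls, e.g. `$bindings = [':query' => '%' . $inputs['query'] . '%'];`. The bindings are also passed unconditionally, yet the `:query` marker is only emitted when a `query` input is present, and PDO generally rejects a bound name that does not occur in the statement, so the binding should only be supplied when `$inputs['query']` is non-null. A literal `%` or `_` in the search term still acts as a LIKE wildcard unless escaped, which is worth a comment on the binding line. The enclosing method begins before this hunk and continues after it.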
@@ -171,7 +172,7 @@ class SearchController extends Controller {
 if(array_key_exists('unreadStaff',$inputs)) $this->setSeenFilter($inputs['unreadStaff'], $filters);
 if(array_key_exists('priority',$inputs)) $this->setPriorityFilter($inputs['priority'], $filters);
 if(array_key_exists('dateRange',$inputs)) $this->setDateFilter($inputs['dateRange'], $filters);
- if(array_key_exists('departments',$inputs)) $this->setDepartmentFilter($inputs['departments'],$inputs['user'], $filters);
+ if(array_key_exists('departments',$inputs)) $this->setDepartmentFilter($inputs['departments'],$inputs['allowedDepartments'], $filters);
 if(array_key_exists('authors',$inputs)) $this->setAuthorFilter($inputs['authors'], $filters);
 if(array_key_exists('query',$inputs)) $this->setStringFilter($inputs['query'], $filters);
 if($filters != "") $filters = " WHERE " . $filters;
@@ -243,9 +244,8 @@ class SearchController extends Controller {
 }
 }
- private function setDepartmentFilter($departments,$user, &$filters){
-
- $validDepartments = $this->generateValidDepartmentList($departments, $user);
+ private function setDepartmentFilter($departments,$allowedDepartments, &$filters){
+ $validDepartments = $this->generateValidDepartmentList($departments, $allowedDepartments);
 if ($filters != "") $filters .= " and ";
 $first = TRUE;
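Review bot: On the changed `setDepartmentFilter` call, `$inputs['allowedDepartments']` is read without checking that the key exists, although every other input on the surrounding lines is guarded by `array_key_exists`; a caller that passes `departments` without `allowedDepartments` (as the test inputs removed by this patch did) gets an undefined-index notice and a null list. Since that list is the authorization boundary for which department ids may reach the SQL, the call should fail closed explicitly: `$this->setDepartmentFilter($inputs['departments'], $inputs['allowedDepartments'] ?? [], $filters);`. How an empty permitted list is then rendered into the WHERE clause is decided by code outside this hunk and should be checked too. The enclosing method starts and ends outside the hunk.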
@@ -302,16 +302,16 @@ class SearchController extends Controller {
 if($search != null){
 if ($filters != "") $filters .= " and ";
- $ticketevent = ( $ticketEventTableExists ? " or (ticketevent.type = 'COMMENT' and ticketevent.content LIKE '%" . $search ."%')" : "");
- $filters .= " (ticket.title LIKE '%" . $search . "%' or ticket.content LIKE '%" . $search . "%' or ticket.ticket_number LIKE '%" . $search . "%'". $ticketevent ." )";
+ $ticketevent = ( $ticketEventTableExists ? " or (ticketevent.type = 'COMMENT' and ticketevent.content LIKE :query)" : "");
+ $filters .= " (ticket.title LIKE :query or ticket.content LIKE :query or ticket.ticket_number LIKE :query". $ticketevent ." )";
 };
 }
- private function generateValidDepartmentList($departments, $user){
+ private function generateValidDepartmentList($departments, $allowedDepartments){
 $result = []; $managedDepartments = [];
 if($departments == null) $departments = [];
- foreach ($user->sharedDepartmentList->toArray() as $department) {
+ foreach ($allowedDepartments as $department) {
 array_push($managedDepartments,$department['id']);
 }
 $result = array_intersect($departments,$managedDepartments);
diff --git a/server/libs/validations/validPrioritys.php b/server/libs/validations/validPrioritys.php
deleted file mode 100644
index 53bf9505..00000000
--- a/server/libs/validations/validPrioritys.php
+++ /dev/null
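Review bot: The new `$filters` line reuses the named placeholder `:query` three or four times in one statement, and PDO only allows a named marker to appear more than once when prepare emulation is enabled (`PDO::ATTR_EMULATE_PREPARES`); with native prepares the statement fails with an invalid-parameter-number error, so the correctness of this escaping depends on a driver setting the diff does not show. Using a distinct marker per occurrence (`:query1` … `:query4`) bound from the same value by the caller removes that dependency. The `%` wildcards moved from this method to the caller, so `setStringFilter` now silently relies on the caller binding a wrapped value; a comment such as `// :query must be bound by the caller as "%term%"; % and _ in the term are not escaped` would make the contract visible. `generateValidDepartmentList` continues past the end of the hunk.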
@@ -1,19 +0,0 @@ -= 1 and ticket.date <= 2) GROUP BY ticket.id' ); } - /* + public function testDepartmentsFilter() { $this->assertEquals( $this->searchController->getSQLQuery([ - 'departments' => null + 'departments' => null, + 'allowedDepartments' => [ + [ + 'id' => 2 + ], + [ + 'id' => 1 + ], + [ + 'id' => 3 + ] + ] ]), - 'FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) GROUP BY ticket.id' + 'FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE ( ticket.department_id = 2 or ticket.department_id = 1 or ticket.department_id = 3) GROUP BY ticket.id' ); $this->assertEquals( $this->searchController->getSQLQuery([ - 'departments' => [1] + 'departments' => [1], + 'allowedDepartments' => [ + [ + 'id' => 2 + ], + [ + 'id' => 1 + ], + [ + 'id' => 3 + ] + ] ]), 'FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE ( ticket.department_id = 1) GROUP BY ticket.id' ); $this->assertEquals( $this->searchController->getSQLQuery([ - 'departments' => [1,2,3] + 'departments' => [1,2,3], + 'allowedDepartments' => [ + [ + 'id' => 2 + ], + [ + 'id' => 1 + ], + [ + 'id' => 3 + ] + ] ]), 'FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE ( ticket.department_id = 1 or ticket.department_id = 2 or ticket.department_id = 3) GROUP BY ticket.id' ); } - */ + public function testAuthorsFilter() { $this->assertEquals( $this->searchController->getSQLQuery([ 
@@ -228,7 +261,8 @@ class SearchControllerTest extends TestCase {
 $this->searchController->getSQLQuery([
 'query' => 'hello world'
 ]),
- "FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE (ticket.title LIKE '%hello world%' or ticket.content LIKE '%hello world%' or ticket.ticket_number LIKE '%hello world%' or (ticketevent.type = 'COMMENT' and ticketevent.content LIKE '%hello world%') ) GROUP BY ticket.id"
+ "FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE (ticket.title LIKE :query or ticket.content LIKE :query or ticket.ticket_number LIKE :query or (ticketevent.type = 'COMMENT' and ticketevent.content LIKE :query) ) GROUP BY ticket.id"
+ );
 }
 public function testQueryWithOrder() {
@@ -244,7 +278,7 @@ class SearchControllerTest extends TestCase {
 'page' => 1,
 'query' => 'stark'
 ]),
- "SELECT ticket.id FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE (ticket.title LIKE '%stark%' or ticket.content LIKE '%stark%' or ticket.ticket_number LIKE '%stark%' or (ticketevent.type = 'COMMENT' and ticketevent.content LIKE '%stark%') ) GROUP BY ticket.id ORDER BY CASE WHEN (ticket.ticket_number LIKE '%stark%') THEN ticket.ticket_number END desc,CASE WHEN (ticket.title LIKE '%stark%') THEN ticket.title END desc, CASE WHEN ( ticket.content LIKE '%stark%') THEN ticket.content END desc, CASE WHEN (ticketevent.type = 'COMMENT' and ticketevent.content LIKE '%stark%') THEN ticketevent.content END desc,ticket.closed asc, ticket.owner_id asc, ticket.unread_staff asc, ticket.priority desc, ticket.date desc LIMIT 10 OFFSET 0"
+ "SELECT ticket.id FROM (ticket LEFT JOIN tag_ticket ON tag_ticket.ticket_id = ticket.id LEFT JOIN ticketevent ON ticketevent.ticket_id = ticket.id) WHERE (ticket.title LIKE :query or ticket.content LIKE :query or ticket.ticket_number LIKE :query or (ticketevent.type = 'COMMENT' and ticketevent.content LIKE :query) ) GROUP BY ticket.id ORDER BY CASE WHEN (ticket.ticket_number LIKE '%stark%') THEN ticket.ticket_number END desc,CASE WHEN (ticket.title LIKE '%stark%') THEN ticket.title END desc, CASE WHEN ( ticket.content LIKE '%stark%') THEN ticket.content END desc, CASE WHEN (ticketevent.type = 'COMMENT' and ticketevent.content LIKE '%stark%') THEN ticketevent.content END desc,ticket.closed asc, ticket.owner_id asc, ticket.unread_staff asc, ticket.priority desc, ticket.date desc LIMIT 10 OFFSET 0"
 );
 $this->assertEquals(
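Review bot: The updated expected string shows the escaping is incomplete: the WHERE clause now uses `:query`, but every `ORDER BY CASE WHEN (... LIKE '%stark%')` clause still embeds the raw search term, so `getSQLQueryWithOrder` (not touched by this diff) evidently still concatenates user input into the SQL, and this assertion pins that behaviour instead of catching it. The ordering clauses should use the same bound marker, e.g. `CASE WHEN (ticket.ticket_number LIKE :query) THEN ticket.ticket_number END desc`, with the expected string here changed to match, so that a search term containing a quote cannot alter the statement. Until then the commit title's "escape query" only covers the filter half of the statement. `testQueryWithOrder` begins before this hunk.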