X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FController%2FDBIC%2FAPI%2FRequestArguments.pm;h=523c07f9e4b4df0788da67b6efcdda5a75a108b4;hb=26e9dcd6d31111877fd0b97f5c6743fab226e015;hp=e920857892c44b3d14bf305acbe86eeba318cb34;hpb=f0f07ea33a8782afb563bdc40a607d6823cb0a79;p=catagits%2FCatalyst-Controller-DBIC-API.git
diff --git a/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm b/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm
index e920857..523c07f 100644
--- a/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm
+++ b/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm
@@ -6,6 +6,7 @@ use Catalyst::Controller::DBIC::API::Types(':all');
 use MooseX::Types::Moose(':all');
 use Scalar::Util('reftype');
 use Data::Dumper;
+use Catalyst::Controller::DBIC::API::Validator;
 use namespace::autoclean;
 use Catalyst::Controller::DBIC::API::JoinBuilder;
 
@@ -16,35 +17,28 @@ A Catalyst::Controller::DBIC::API::Validator instance used solely to validate se
 
 =cut
 
-with 'MooseX::Role::BuildInstanceOf' =>
-{
-    'target' => 'Catalyst::Controller::DBIC::API::Validator',
-    'prefix' => 'search_validator',
-};
-
 =attribute_private select_validator
 
 A Catalyst::Controller::DBIC::API::Validator instance used solely to validate select parameters
 
 =cut
 
-with 'MooseX::Role::BuildInstanceOf' =>
-{
-    'target' => 'Catalyst::Controller::DBIC::API::Validator',
-    'prefix' => 'select_validator',
-};
-
 =attribute_private prefetch_validator
 
 A Catalyst::Controller::DBIC::API::Validator instance used solely to validate prefetch parameters
 
 =cut
 
-with 'MooseX::Role::BuildInstanceOf' =>
-{
-    'target' => 'Catalyst::Controller::DBIC::API::Validator',
-    'prefix' => 'prefetch_validator',
-};
+has [qw( search_validator select_validator )] => (
+    is => 'ro',
+    isa => 'Catalyst::Controller::DBIC::API::Validator',
+    lazy => 1,
+    builder => '_build_validator',
+);
+
+sub _build_validator {
+    return Catalyst::Controller::DBIC::API::Validator->new;
+}
 
 parameter static => ( isa => Bool, default => 0 );
 
@@ -54,7 +48,7 @@ role {
 
     if($p->static)
     {
-        requires qw/check_has_relation check_column_relation/;
+        requires qw/check_has_relation check_column_relation prefetch_allows /;
     }
     else
     {
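Review bot: The `=attribute_private prefetch_validator` POD paragraph kept in this hunk now documents an attribute that the new `has [qw( search_validator select_validator )]` declaration does not define, while `$self->prefetch_validator` is still called by the prefetch trigger further down the diff. If the validator has moved to the consuming controller (the `requires ... prefetch_allows` added for the static case hints at that), the paragraph should say so, e.g. `The prefetch validator is expected to be provided by the consuming controller together with prefetch_allows.`; otherwise add `prefetch_validator` to the `qw( ... )` list so the shared builder covers it as well. A one-line comment above `_build_validator` noting that each lazy attribute gets its own fresh instance would make the intent of sharing one builder explicit.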
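Review bot: The static branch now requires `prefetch_allows`, but the prefetch trigger later in this diff also calls `$self->prefetch_validator`, which this file no longer declares (the new `has` above covers only the search and select validators); if the static consumer is the one expected to provide it, role composition should fail at compose time rather than on the first request that sets a prefetch: `requires qw/check_has_relation check_column_relation prefetch_allows prefetch_validator/;`. The trailing space inside the `qw/.../` list is harmless but reads as a typo. The `else` branch of this `if` continues outside the hunk, so I cannot tell what the non-static case requires.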
@@ -151,80 +145,20 @@ prefetch is passed to ->search to optimize the number of database fetches for jo
         trigger => sub
         {
             my ($self, $new) = @_;
-            if($self->has_prefetch_allows and @{$self->prefetch_allows})
-            {
-                foreach my $pf (@$new)
-                {
-                    if(HashRef->check($pf))
-                    {
-                        die qq|'${\Dumper($pf)}' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}|
-                            unless $self->prefetch_validator->validate($pf)->[0];
-                    }
-                    else
-                    {
-                        die qq|'$pf' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}|
-                            unless $self->prefetch_validator->validate({$pf => 1})->[0];
-                    }
-                }
-            }
-            else
-            {
-                return if not defined($new);
-                die 'Prefetching is not allowed' if @$new;
-            }
-        },
-    );
-
-=attribute_public prefetch_allows is: ro, isa: ArrayRef[ArrayRef|Str|HashRef]
-
-prefetch_allows limits what relations may be prefetched when executing searches with joins. This is necessary to avoid denial of service attacks in form of queries which would return a large number of data and unwanted disclosure of data.
-
-Like the synopsis in DBIC::API shows, you can declare a "template" of what is allowed (by using an '*'). Each element passed in, will be converted into a Data::DPath and added to the validator.
-
-    prefetch_allows => [ 'cds', { cds => tracks }, { cds => producers } ] # to be explicit
-    prefetch_allows => [ 'cds', { cds => '*' } ] # wildcard means the same thing
-
-=cut
-
-    has prefetch_allows =>
-    (
-        is => 'ro',
-        writer => '_set_prefetch_allows',
-        isa => ArrayRef[ArrayRef|Str|HashRef],
-        default => sub { [ ] },
-        predicate => 'has_prefetch_allows',
-        trigger => sub
-        {
-            my ($self, $new) = @_;
-            sub _check_rel {
-                my ($self, $rel, $static) = @_;
-                if(ArrayRef->check($rel))
+            foreach my $pf (@$new)
+            {
+                if(HashRef->check($pf))
                 {
-                    foreach my $rel_sub (@$rel)
-                    {
-                        $self->_check_rel($rel_sub, $static);
-                    }
-                }
-                elsif(HashRef->check($rel))
-                {
-                    while(my($k,$v) = each %$rel)
-                    {
-                        $self->check_has_relation($k, $v, undef, $static);
-                    }
-                    $self->prefetch_validator->load($rel);
+                    die qq|'${\Dumper($pf)}' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}|
+                        unless $self->prefetch_validator->validate($pf)->[0];
                 }
                 else
                 {
-                    $self->check_has_relation($rel, undef, undef, $static);
-                    $self->prefetch_validator->load($rel);
+                    die qq|'$pf' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}|
+                        unless $self->prefetch_validator->validate({$pf => 1})->[0];
                 }
             }
-
-            foreach my $rel (@$new)
-            {
-                $self->_check_rel($rel, $p->static);
-            }
         },
     );
@@ -516,8 +450,9 @@ generate_column_parameters recursively generates properly aliased parameters for
     # build up condition
     foreach my $column (keys %$param)
     {
-        if($source->has_relationship($column))
+        if ($source->has_relationship($column))
         {
+            # check if the value isn't a hashref
             unless (ref($param->{$column}) && reftype($param->{$column}) eq 'HASH') {
                 $search_params->{join('.', $base, $column)} = $param->{$column};
 
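Review bot: The rewritten trigger drops both the `return if not defined($new)` guard and the explicit `die 'Prefetching is not allowed'` for an empty allow-list, so rejecting prefetches when nothing has been allowed now rests entirely on `prefetch_validator->validate` returning false against an empty template set; I cannot confirm that from this diff, and a fail-open there would undo the denial-of-service and data-disclosure protection the removed POD describes. An explicit guard keeps the intent visible regardless of the validator's behaviour: `die 'Prefetching is not allowed' if @$new and not @{ $self->prefetch_validator->templates };` placed before the `foreach`. The error messages also echo the full template list and a `Dumper` of the client-supplied value; if these reach API responses, consider logging the detail and returning a shorter message. The `has prefetch => (` declaration this trigger belongs to starts before the hunk.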
@@ -534,10 +469,22 @@ generate_column_parameters recursively generates properly aliased parameters for
                 )
             }};
         }
-        else
+        elsif ($source->has_column($column))
         {
             $search_params->{join('.', $base, $column)} = $param->{$column};
         }
+        # might be a sql function instead of a column name
+        # e.g. {colname => {like => '%foo%'}}
+        else
+        {
+            # but only if it's not a hashref
+            unless (ref($param->{$column}) && reftype($param->{$column}) eq 'HASH') {
+                $search_params->{join('.', $base, $column)} = $param->{$column};
+            }
+            else {
+                die "$column is neither a relationship nor a column\n";
+            }
+        }
     }
 
     return $search_params;
@@ -574,6 +521,7 @@ This builder method generates the search attributes
         as => $self->as || ((scalar(@{$static->as})) ? $static->as : undef),
         prefetch => $self->prefetch || $static->prefetch || undef,
         rows => $self->count || $static->count,
+        page => $static->page,
         offset => $self->offset,
         join => $self->build_joins,
     };
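Review bot: The new fall-through `else` still writes an unknown `$column` key straight into `$search_params` as `"$base.$column"` whenever the value is not a hashref, and the comment explicitly blesses this as a way to pass SQL functions; since these keys come from the request (this is RequestArguments) and SQL::Abstract interpolates hash keys into the generated SQL unquoted unless `quote_char` is configured, a client-chosen key is effectively raw SQL in the WHERE clause. The added `die` covers only the hashref case, so it does not close this; either reject every name that is neither a relationship nor a column by making `die "$column is neither a relationship nor a column\n";` the whole `else` body, or validate the key against an explicit allow-list of permitted functions before it reaches the condition. The hashref test repeats the one in the `has_relationship` branch above and could share a small helper. `generate_column_parameters` starts before this hunk.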