X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2FCatalyst-Controller-DBIC-API.git;a=blobdiff_plain;f=lib%2FCatalyst%2FController%2FDBIC%2FAPI%2FRequestArguments.pm;fp=lib%2FCatalyst%2FController%2FDBIC%2FAPI%2FRequestArguments.pm;h=523c07f9e4b4df0788da67b6efcdda5a75a108b4;hp=a6939f2c09e89aaee5f6fb9cc844495a3eb5b07b;hb=4e5983f2a904f894762e61c2dff962a37da5ef92;hpb=8c7199a13b832b6ce5e569320b3620dd38a67617 diff --git a/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm b/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm index a6939f2..523c07f 100644 --- a/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm +++ b/lib/Catalyst/Controller/DBIC/API/RequestArguments.pm @@ -29,7 +29,7 @@ A Catalyst::Controller::DBIC::API::Validator instance used solely to validate pr =cut -has [qw( search_validator select_validator prefetch_validator )] => ( +has [qw( search_validator select_validator )] => ( is => 'ro', isa => 'Catalyst::Controller::DBIC::API::Validator', lazy => 1, @@ -48,7 +48,7 @@ role { if($p->static) { - requires qw/check_has_relation check_column_relation/; + requires qw/check_has_relation check_column_relation prefetch_allows /; } else { @@ -145,80 +145,20 @@ prefetch is passed to ->search to optimize the number of database fetches for jo trigger => sub { my ($self, $new) = @_; - if($self->has_prefetch_allows and @{$self->prefetch_allows}) - { - foreach my $pf (@$new) - { - if(HashRef->check($pf)) - { - die qq|'${\Dumper($pf)}' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}| - unless $self->prefetch_validator->validate($pf)->[0]; - } - else - { - die qq|'$pf' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}| - unless $self->prefetch_validator->validate({$pf => 1})->[0]; - } - } - } - else - { - return if not defined($new); - die 'Prefetching is not allowed' if @$new; - } - }, - ); - -=attribute_public prefetch_allows is: ro, isa: ArrayRef[ArrayRef|Str|HashRef] - -prefetch_allows limits what relations may be prefetched when executing searches with joins. This is necessary to avoid denial of service attacks in form of queries which would return a large number of data and unwanted disclosure of data. -Like the synopsis in DBIC::API shows, you can declare a "template" of what is allowed (by using an '*'). Each element passed in, will be converted into a Data::DPath and added to the validator. - - prefetch_allows => [ 'cds', { cds => tracks }, { cds => producers } ] # to be explicit - prefetch_allows => [ 'cds', { cds => '*' } ] # wildcard means the same thing - -=cut - - has prefetch_allows => - ( - is => 'ro', - writer => '_set_prefetch_allows', - isa => ArrayRef[ArrayRef|Str|HashRef], - default => sub { [ ] }, - predicate => 'has_prefetch_allows', - trigger => sub - { - my ($self, $new) = @_; - - sub _check_rel { - my ($self, $rel, $static) = @_; - if(ArrayRef->check($rel)) - { - foreach my $rel_sub (@$rel) - { - $self->_check_rel($rel_sub, $static); - } - } - elsif(HashRef->check($rel)) + foreach my $pf (@$new) + { + if(HashRef->check($pf)) { - while(my($k,$v) = each %$rel) - { - $self->check_has_relation($k, $v, undef, $static); - } - $self->prefetch_validator->load($rel); + die qq|'${\Dumper($pf)}' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}| + unless $self->prefetch_validator->validate($pf)->[0]; } else { - $self->check_has_relation($rel, undef, undef, $static); - $self->prefetch_validator->load($rel); + die qq|'$pf' is not an allowed prefetch in: ${\join("\n", @{$self->prefetch_validator->templates})}| + unless $self->prefetch_validator->validate({$pf => 1})->[0]; } } - - foreach my $rel (@$new) - { - $self->_check_rel($rel, $p->static); - } }, );