Fix adding tag to entries from other people

I've also limited tag length to 20 chars (and limit adding more than 5 tags at once)
wallabag · Feb 7, 2023 · 242e3fe · 242e3fe
1 parent 784bc13
commit 242e3fe
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/src/Wallabag/CoreBundle/Controller/TagController.php b/src/Wallabag/CoreBundle/Controller/TagController.php
@@ -17,7 +17,7 @@
 class TagController extends Controller
 {
     /**
-     * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag")
+     * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
      *
      * @return \Symfony\Component\HttpFoundation\Response
      */
@@ -26,7 +26,17 @@ public function addTagFormAction(Request $request, Entry $entry)
         $form = $this->createForm(NewTagType::class, new Tag());
         $form->handleRequest($request);
 
+        $tags = $form->get('label')->getData();
+        $tagsExploded = explode(',', $tags);
+
+        // avoid too much tag to be added
+        if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
+            return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
+        }
+
         if ($form->isSubmitted() && $form->isValid()) {
+            $this->checkUserAction($entry);
+
             $this->get('wallabag_core.tags_assigner')->assignTagsToEntry(
                 $entry,
                 $form->get('label')->getData()
@@ -59,6 +69,8 @@ public function addTagFormAction(Request $request, Entry $entry)
      */
     public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
     {
+        $this->checkUserAction($entry);
+
         $entry->removeTag($tag);
         $em = $this->getDoctrine()->getManager();
         $em->flush();
@@ -222,4 +234,14 @@ public function tagThisSearchAction($filter, Request $request)
 
         return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true));
     }
+
+    /**
+     * Check if the logged user can manage the given entry.
+     */
+    private function checkUserAction(Entry $entry)
+    {
+        if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
+            throw $this->createAccessDeniedException('You can not access this entry.');
+        }
+    }
 }
diff --git a/src/Wallabag/CoreBundle/Form/Type/NewTagType.php b/src/Wallabag/CoreBundle/Form/Type/NewTagType.php
@@ -10,13 +10,16 @@
 
 class NewTagType extends AbstractType
 {
+    public const MAX_LENGTH = 40;
+
     public function buildForm(FormBuilderInterface $builder, array $options)
     {
         $builder
             ->add('label', TextType::class, [
                 'required' => true,
                 'attr' => [
                     'placeholder' => 'tag.new.placeholder',
+                    'max_length' => self::MAX_LENGTH,
                 ],
             ])
             ->add('add', SubmitType::class, [