CC-5733: RESTful API data sanitization and validation

Stripped out fields that are readonly to the RESTful API from the request data for POST and PUT.
Stripped out fields that should never be visible outside of Airtime in response data.
Set uploaded and modified timestamp on POST request.
Set modified timestamp on PUT request.
This commit is contained in:
drigato 2014-03-14 17:34:56 -04:00
parent 6a68967f81
commit 820f7f257a

View file

@ -2,6 +2,26 @@
class Rest_MediaController extends Zend_Rest_Controller
{
//fields that are not modifiable via our RESTful API
private $blackList = array(
'id',
'file_exists',
'hidden',
'silan_check',
'soundcloud_id',
'is_scheduled',
'is_playlist'
);
//fields we should never expose through our RESTful API
private $privateFields = array(
'file_exists',
'hidden',
'silan_check',
'is_scheduled',
'is_playlist'
);
public function init()
{
$this->view->layout()->disableLayout();
@ -13,10 +33,10 @@ class Rest_MediaController extends Zend_Rest_Controller
return;
}
$files_array = [];
$files_array = array();
foreach (CcFilesQuery::create()->find() as $file)
{
array_push($files_array, $file->toArray(BasePeer::TYPE_FIELDNAME));
array_push($files_array, $this->sanitize($file));
}
$this->getResponse()
@ -42,11 +62,10 @@ class Rest_MediaController extends Zend_Rest_Controller
$file = CcFilesQuery::create()->findPk($id);
if ($file) {
//TODO: Strip or sanitize the JSON output
$this->getResponse()
->setHttpResponseCode(200)
->appendBody(json_encode($file->toArray(BasePeer::TYPE_FIELDNAME)));
->appendBody(json_encode($this->sanitize($file)));
} else {
$this->fileNotFoundResponse();
}
@ -66,18 +85,20 @@ class Rest_MediaController extends Zend_Rest_Controller
return;
}
//TODO: Strip or sanitize the JSON output
$file = new CcFiles();
$file->fromArray($this->getRequest()->getPost());
$file->fromArray($this->validateRequestData($this->getRequest()->getPost()));
$file->setDbOwnerId($this->getOwnerId());
$now = new DateTime("now", new DateTimeZone("UTC"));
$file->setDbUtime($now);
$file->setDbMtime($now);
$file->save();
$callbackUrl = $this->getRequest()->getScheme() . '://' . $this->getRequest()->getHttpHost() . $this->getRequest()->getRequestUri() . "/" . $file->getPrimaryKey();
$this->processUploadedFile($callbackUrl);
$this->getResponse()
->setHttpResponseCode(201)
->appendBody(json_encode($file->toArray(BasePeer::TYPE_FIELDNAME)));
->appendBody(json_encode($this->sanitize($file)));
}
public function putAction()
@ -94,12 +115,13 @@ class Rest_MediaController extends Zend_Rest_Controller
if ($file)
{
//TODO: Strip or sanitize the JSON output
$file->fromArray(json_decode($this->getRequest()->getRawBody(), true), BasePeer::TYPE_FIELDNAME);
$file->fromArray($this->validateRequestData(json_decode($this->getRequest()->getRawBody(), true)), BasePeer::TYPE_FIELDNAME);
$now = new DateTime("now", new DateTimeZone("UTC"));
$file->setDbMtime($now);
$file->save();
$this->getResponse()
->setHttpResponseCode(200)
->appendBody(json_encode($file->toArray(BasePeer::TYPE_FIELDNAME)));
->appendBody(json_encode($this->sanitize($file)));
} else {
$this->fileNotFoundResponse();
}
@ -224,5 +246,36 @@ class Rest_MediaController extends Zend_Rest_Controller
Logging::info($e->getMessage());
}
}
/**
*
* Strips out fields from incoming request data that should never be modified
* from outside of Airtime
* @param array $data
*/
private function validateRequestData($data)
{
foreach ($this->blackList as $key) {
unset($data[$key]);
}
return $data;
}
/**
*
* Strips out the private fields we do not want to send back in API responses
*/
//TODO: rename this function?
public function sanitize($file)
{
$response = $file->toArray(BasePeer::TYPE_FIELDNAME);
foreach ($this->privateFields as $key) {
unset($response[$key]);
}
return $response;
}
}