From 9eda78f8f9d760ef7e296fb6a8eba8b2321b77d2 Mon Sep 17 00:00:00 2001
From: drigato
Date: Mon, 31 Mar 2014 17:57:32 -0400
Subject: [PATCH] CC-5733: RESTful API data sanitization and validation

Added more fields to the black list
Using the "Edit Metadata" form for field validation on put requests
---
 .../rest/controllers/MediaController.php | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index f092574b3..33dd9a9f6 100644
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@@ -6,7 +6,13 @@ class Rest_MediaController extends Zend_Rest_Controller
 //fields that are not modifiable via our RESTful API
 private $blackList = array(
 'id',
+ 'directory',
+ 'filepath',
 'file_exists',
+ 'hidden',
+ 'mtime',
+ 'utime',
+ 'lptime',
 'silan_check',
 'soundcloud_id',
 'is_scheduled',
@@ -147,9 +153,18 @@ class Rest_MediaController extends Zend_Rest_Controller
 }
 $file = CcFilesQuery::create()->findPk($id);
- if ($file) //validate fields
+ $requestData = json_decode($this->getRequest()->getRawBody(), true); //TODO: rename EditAudioMD form?
+ $fileForm = new Application_Form_EditAudioMD();
+ $fileForm->startForm($file->getDbId());
+ $fileForm->populate($requestData);
+
+ if (!$fileForm->isValidPartial($requestData)) {
+ $file->setDbImportStatus(2)->save();
+ $this->invalidDataResponse();
+ } else if ($file) {
- $requestData = json_decode($this->getRequest()->getRawBody(), true);
 $file->fromArray($this->validateRequestData($requestData), BasePeer::TYPE_FIELDNAME);
 //Our RESTful API takes "full_path" as a field, which we then split and translate to match 
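Review bot: Extending `$blackList` keeps the PUT path protected by exclusion: any column of the file record that is not listed here is still settable through `fromArray()`, and every column added to the model later is writable by default until someone remembers to append it. A whitelist of the fields the API is meant to accept fails closed instead and is the safer shape for a client-facing write endpoint. If the blacklist is kept, a comment on the array stating the rule for what belongs in it, e.g. `// never client-settable: anything derived from the filesystem, scheduling state or import bookkeeping`, would at least tell the next maintainer how to extend it consistently.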
@@ -179,6 +194,7 @@ class Rest_MediaController extends Zend_Rest_Controller
 ->setHttpResponseCode(200)
 ->appendBody(json_encode($this->sanitizeResponse($file)));
 } else {
+ $file->setDbImportStatus(2)->save();
 $this->fileNotFoundResponse();
 }
 }
@@ -284,6 +300,13 @@ class Rest_MediaController extends Zend_Rest_Controller
 $resp->setHttpResponseCode(404);
 $resp->appendBody("ERROR: Media not found.");
 }
+
+ private function invalidDataResponse()
+ {
+ $resp = $this->getResponse();
+ $resp->setHttpResponseCode(400);
+ $resp->appendBody("ERROR: Invalid data");
+ }
 private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
 {
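Review bot: The added `$file->setDbImportStatus(2)->save();` sits in the `else` branch that is reached exactly when `$file` is falsy (it follows `} else if ($file) {` in the previous hunk), so a PUT for an unknown id now dereferences null and aborts before `fileNotFoundResponse()` can send the 404. The previous hunk has the same ordering problem earlier in the method: `$fileForm->startForm($file->getDbId())` and the `setDbImportStatus` call on validation failure both run before any null check on the `findPk()` result. Drop the added line here and guard right after the lookup, e.g. `if (!$file) { $this->fileNotFoundResponse(); return; }`, so the form is only built for an existing record. The enclosing PUT handler starts outside this hunk.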
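Review bot: `invalidDataResponse()` has no docblock and, like the 404 helper above it, only sets the status code and body without ending the request, so the caller must return after calling it; a one-line docblock such as `/** Sets a 400 response for a PUT body that failed form validation; does not end execution. */` would make that contract visible. The fixed body `"ERROR: Invalid data"` also tells the client nothing about which field was rejected; if exposing that is acceptable for this API, the form's validation messages (`Zend_Form::getMessages()`) could be passed in and serialised into the body.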