CC-5733: RESTful API data sanitization and validation

Added more fields to the black list Using the "Edit Metadata" form for field validation on put requests
2014-03-31 17:57:32 -04:00 · 2014-03-31 17:57:32 -04:00 · 9eda78f8f9
parent 82958a10ae
commit 9eda78f8f9
1 changed files with 25 additions and 2 deletions
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@ -6,7 +6,13 @@ class Rest_MediaController extends Zend_Rest_Controller
    //fields that are not modifiable via our RESTful API
    private $blackList = array(
        'id',
+        'directory',
+        'filepath',
        'file_exists',
+        'hidden',
+        'mtime',
+        'utime',
+        'lptime',
        'silan_check',
        'soundcloud_id',
        'is_scheduled',
@ -147,9 +153,18 @@ class Rest_MediaController extends Zend_Rest_Controller
        }
        
        $file = CcFilesQuery::create()->findPk($id);
-        if ($file)
-        {
+        //validate fields
        $requestData = json_decode($this->getRequest()->getRawBody(), true);
+        //TODO: rename EditAudioMD form?
+        $fileForm = new Application_Form_EditAudioMD();
+        $fileForm->startForm($file->getDbId());
+        $fileForm->populate($requestData);
+
+        if (!$fileForm->isValidPartial($requestData)) {
+            $file->setDbImportStatus(2)->save();
+            $this->invalidDataResponse();
+        } else if ($file)
+        {
            $file->fromArray($this->validateRequestData($requestData), BasePeer::TYPE_FIELDNAME);

            //Our RESTful API takes "full_path" as a field, which we then split and translate to match
@ -179,6 +194,7 @@ class Rest_MediaController extends Zend_Rest_Controller
                ->setHttpResponseCode(200)
                ->appendBody(json_encode($this->sanitizeResponse($file)));
        } else {
+            $file->setDbImportStatus(2)->save();
            $this->fileNotFoundResponse();
        }
    }
@ -285,6 +301,13 @@ class Rest_MediaController extends Zend_Rest_Controller
        $resp->appendBody("ERROR: Media not found."); 
    }

+    private function invalidDataResponse()
+    {
+        $resp = $this->getResponse();
+        $resp->setHttpResponseCode(400);
+        $resp->appendBody("ERROR: Invalid data");
+    }
+    
    private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
    {
        $CC_CONFIG = Config::getConfig();