
Commit ca126b4

committed
wip
1 parent f3893f6 commit ca126b4

8 files changed

Lines changed: 95 additions & 4 deletions


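--- a/src/Assets/Asset.php
+++ b/src/Assets/Asset.php
@@ -1116,7 +1116,7 @@ public function hasDuration()
 
 public function getQueryableValue(string $field)
 {
-if (method_exists($this, $method = Str::camel($field))) {
+if (method_exists($this, $method = Str::camel($field)) && $this->methodIsSafeToQuery($method)) {
 return $this->{$method}();
 }
 
@@ -1129,6 +1129,17 @@ public function getQueryableValue(string $field)
 return $field->fieldtype()->toQueryableValue($value);
 }
 
+private function methodIsSafeToQuery(string $method): bool
+{
+return in_array($method, [
+'id', 'path', 'folder', 'filename', 'basename', 'extension',
+'blueprint', 'container', 'containerId', 'containerHandle',
+'size', 'lastModified', 'mimeType',
+'width', 'height', 'orientation', 'ratio', 'duration',
+'isImage', 'isVideo', 'isAudio', 'isSvg', 'isMedia', 'isPdf',
+]);
+}
+
 public function getCurrentDirtyStateAttributes(): array
 {
 return array_merge([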
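Review bot: `in_array` in the new `methodIsSafeToQuery` is called without `strict: true`, and the method carries no comment explaining why an allowlist is needed even though this check is the whole point of the commit. The name reaches this method straight from a query clause (the new tests feed it through `orderBy('delete')`), so the comparison should be strict, `return in_array($method, [...], true);` — harmless today because no entry is numeric, but it costs nothing. A docblock along the lines of `/** Only side-effect-free getters may be dispatched from a query field name; anything else (e.g. delete()) is not rejected but falls through to the field lookup below. */` would tell the next maintainer what belongs on the list. That fall-through is easy to misread as a rejection, because control simply continues past the `if` when the method exists but is not listed.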

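--- a/src/Auth/User.php
+++ b/src/Auth/User.php
@@ -365,7 +365,7 @@ protected function getComputedCallbacks()
 
 public function getQueryableValue(string $field)
 {
-if (method_exists($this, $method = Str::camel($field))) {
+if (method_exists($this, $method = Str::camel($field)) && $this->methodIsSafeToQuery($method)) {
 return $this->{$method}();
 }
 
@@ -377,4 +377,13 @@ public function getQueryableValue(string $field)
 
 return $field->fieldtype()->toQueryableValue($value);
 }
+
+private function methodIsSafeToQuery(string $method): bool
+{
+return in_array($method, [
+'id', 'path', 'email', 'name', 'blueprint',
+'roles', 'groups', 'isSuper',
+'lastLogin', 'preferredLocale',
+]);
+}
 }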
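Review bot: `methodIsSafeToQuery` is `private` and its shape is duplicated verbatim in Asset, Entry and LocalizedTerm in this same commit, so the four lists will drift independently and a subclass (a project-specific user class, if one exists) cannot add its own queryable getters without re-implementing `getQueryableValue`. Consider making the list overridable, e.g. `protected static array $queryableMethods = ['id', 'path', 'email', ...];` consumed as `return in_array($method, static::$queryableMethods, true);`, or moving the check into a shared trait with a per-class list. Whichever shape is kept, a one-line comment on `getQueryableValue` stating that a method name not on the list falls through to the field lookup (rather than being refused) would save the next reader from guessing.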

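--- a/src/Entries/Entry.php
+++ b/src/Entries/Entry.php
@@ -1098,7 +1098,7 @@ public function getQueryableValue(string $field)
 Blink::store('entry-uris')->forget($this->id());
 }
 
-if (method_exists($this, $method = Str::camel($field))) {
+if (method_exists($this, $method = Str::camel($field)) && $this->methodIsSafeToQuery($method)) {
 return $this->{$method}();
 }
 
@@ -1111,6 +1111,15 @@ public function getQueryableValue(string $field)
 return $field->fieldtype()->toQueryableValue($value);
 }
 
+private function methodIsSafeToQuery(string $method): bool
+{
+return in_array($method, [
+'id', 'path', 'slug', 'uri', 'status', 'published',
+'date', 'order', 'collection', 'collectionHandle',
+'blueprint', 'locale', 'site', 'lastModified',
+]);
+}
+
 public function getSearchValue(string $field)
 {
 return method_exists($this, $field) ? $this->$field() : $this->value($field);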
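Review bot: `getSearchValue`, visible in the trailing context of this section (new line 1125), still dispatches `$this->$field()` on any method that exists, so the allowlist just added to `getQueryableValue` does not cover it; a search field named `delete` would presumably reach the same destructive method the new test guards against, assuming search field names are configurable rather than fixed in code. Apply the same guard there: `return method_exists($this, $field) && $this->methodIsSafeToQuery($field) ? $this->$field() : $this->value($field);`. Note that `getSearchValue` passes the raw name where `getQueryableValue` camel-cases it, so a snake_case search field would need `Str::camel` before the allowlist check to keep the two paths consistent. The body of `getSearchValue` ends outside the hunk.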

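--- a/src/Taxonomies/LocalizedTerm.php
+++ b/src/Taxonomies/LocalizedTerm.php
@@ -485,7 +485,7 @@ public function repository()
 
 public function getQueryableValue(string $field)
 {
-if (method_exists($this, $method = Str::camel($field))) {
+if (method_exists($this, $method = Str::camel($field)) && $this->methodIsSafeToQuery($method)) {
 return $this->{$method}();
 }
 
@@ -498,6 +498,15 @@ public function getQueryableValue(string $field)
 return $field->fieldtype()->toQueryableValue($value);
 }
 
+private function methodIsSafeToQuery(string $method): bool
+{
+return in_array($method, [
+'id', 'path', 'slug', 'title', 'uri',
+'taxonomy', 'taxonomyHandle', 'blueprint',
+'locale', 'site', 'lastModified', 'entriesCount',
+]);
+}
+
 public function getCpSearchResultBadge()
 {
 return $this->taxonomy()->title();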
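Review bot: The allowlist admits `entriesCount`, which from its name is presumably computed by counting related entries rather than read from stored data; if so, `orderBy('entries_count')` will invoke it once per term and can become expensive on large taxonomies, which is a resource concern distinct from the side-effect concern this commit addresses — worth confirming it is cheap or memoised before keeping it listed. Also, `in_array` here should take `true` as its third argument, `return in_array($method, [...], true);`, matching the usual strict-comparison rule; no entry is numeric so it changes nothing today, but it keeps the guard honest if the list grows. A short docblock stating that unlisted method names fall through to the field lookup, rather than being refused, would help since the `if` simply continues on a miss.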

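--- a/tests/Data/Assets/AssetQueryBuilderTest.php
+++ b/tests/Data/Assets/AssetQueryBuilderTest.php
@@ -715,6 +715,17 @@ public function values_can_be_plucked()
 'f.jpg',
 ], $this->container->queryAssets()->where('extension', 'jpg')->pluck('path')->all());
 }
+
+#[Test]
+public function sorting_by_unsafe_method_does_not_invoke_it()
+{
+$count = $this->container->assets()->count();
+$this->assertGreaterThan(0, $count);
+
+$this->container->queryAssets()->orderBy('delete', 'asc')->get();
+
+$this->assertCount($count, $this->container->assets());
+}
 }
 
 class CustomScope extends Scope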
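Review bot: The new test proves `delete()` was not invoked only indirectly, through the unchanged asset count, and it discards the query result, so a guard that quietly returned an empty set for an unlisted name would also pass. Keep the result and assert on it: `$results = $this->container->queryAssets()->orderBy('delete', 'asc')->get();` then `$this->assertCount($count, $results);` alongside the existing count check. That pins the intended fall-through behaviour (an unlisted method name is treated as an ordinary field, not rejected) rather than only non-destruction.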

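--- a/tests/Data/Entries/EntryQueryBuilderTest.php
+++ b/tests/Data/Entries/EntryQueryBuilderTest.php
@@ -1270,6 +1270,19 @@ public function exists_returns_false_when_no_results_are_found()
 {
 $this->assertFalse(Entry::query()->exists());
 }
+
+#[Test]
+public function sorting_by_unsafe_method_does_not_invoke_it()
+{
+$this->createDummyCollectionAndEntries();
+
+$count = Entry::all()->count();
+$this->assertGreaterThan(0, $count);
+
+Entry::query()->orderBy('delete', 'asc')->get();
+
+$this->assertCount($count, Entry::all());
+}
 }
 
 class CustomScope extends Scope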
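Review bot: Only `orderBy` is exercised; whether `where('delete', ...)` and `whereIn` resolve the column through the same `getQueryableValue` path is not visible here, but if they do, a companion call `Entry::query()->where('delete', 'x')->get();` before the final count assertion would cover the other entry point at no cost. It would also be worth asserting on the returned collection, `$this->assertCount($count, Entry::query()->orderBy('delete', 'asc')->get());`, so the test documents that an unlisted name falls through to the field lookup rather than silently yielding nothing.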

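--- a/tests/Data/Taxonomies/TermQueryBuilderTest.php
+++ b/tests/Data/Taxonomies/TermQueryBuilderTest.php
@@ -775,6 +775,21 @@ public function terms_are_found_using_where_relation()
 $this->assertCount(1, $terms);
 $this->assertEquals(['c'], $terms->map->slug->all());
 }
+
+#[Test]
+public function sorting_by_unsafe_method_does_not_invoke_it()
+{
+Taxonomy::make('tags')->save();
+Term::make('a')->taxonomy('tags')->data(['title' => 'Alpha'])->save();
+Term::make('b')->taxonomy('tags')->data(['title' => 'Bravo'])->save();
+
+$count = Term::all()->count();
+$this->assertGreaterThan(0, $count);
+
+Term::query()->orderBy('delete', 'asc')->get();
+
+$this->assertCount($count, Term::all());
+}
 }
 
 class CustomScope extends Scope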

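--- a/tests/Data/Users/UserQueryBuilderTest.php
+++ b/tests/Data/Users/UserQueryBuilderTest.php
@@ -496,6 +496,20 @@ public function users_are_found_using_scopes()
 $this->assertCount(1, User::query()->customScope(['email' => 'gandalf@precious.com'])->get());
 $this->assertCount(1, User::query()->whereCustom(['email' => 'gandalf@precious.com'])->get());
 }
+
+#[Test]
+public function sorting_by_unsafe_method_does_not_invoke_it()
+{
+User::make()->email('a@example.com')->data(['name' => 'Alpha'])->save();
+User::make()->email('b@example.com')->data(['name' => 'Bravo'])->save();
+
+$count = User::all()->count();
+$this->assertGreaterThan(0, $count);
+
+User::query()->orderBy('delete', 'asc')->get();
+
+$this->assertCount($count, User::all());
+}
 }
 
 class CustomScope extends Scope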
