pierre/wallabag
1
0
Fork 0
forked from wallabag/wallabag
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Compare commits

base: pierre:2.5.3
Branches Tags
pierre:master pierre:all_mailers pierre:2.6 pierre:fix-bad-url-format pierre:fix-install-db-not-exists pierre:remove-duplicate-errors pierre:feature/flex pierre:2.5.x pierre:fix/CodeQL-build pierre:feature/rss-to-wallabag pierre:cve-2018-11352 pierre:1.x
pierre:2.6.7_all_mailers pierre:2.6.7 pierre:2.6.6 pierre:2.6.5 pierre:2.6.4 pierre:2.6.3 pierre:2.6.2 pierre:2.6.1 pierre:2.6.0 pierre:2.5.4 pierre:2.5.3 pierre:2.5.2 pierre:2.5.1 pierre:2.5.0 pierre:2.4.3 pierre:2.4.2 pierre:2.4.1 pierre:2.4.0 pierre:2.3.8 pierre:2.3.7 pierre:2.3.6 pierre:2.3.5 pierre:2.3.4 pierre:2.3.3 pierre:2.3.2 pierre:2.3.1 pierre:2.3.0 pierre:2.2.3 pierre:2.2.2 pierre:2.2.1 pierre:2.2.0 pierre:2.1.6.1 pierre:2.1.6 pierre:2.1.5 pierre:2.1.4 pierre:2.1.3 pierre:2.1.2 pierre:2.1.1 pierre:2.1.0 pierre:2.0.8 pierre:2.0.7 pierre:2.0.6 pierre:2.0.5 pierre:2.0.4 pierre:2.0.3 pierre:2.0.2 pierre:1.9.2 pierre:2.0.1 pierre:2.0.0 pierre:2.0.0-beta.2 pierre:2.0.0-beta.1 pierre:2.0.0-alpha.2 pierre:2.0.0-alpha.1 pierre:2.0.0-alpha.0 pierre:1.9.1-b pierre:1.9.1 pierre:1.9.1beta3 pierre:1.9.1beta2 pierre:1.9.1beta1 pierre:1.9.1alpha2 pierre:1.9.1alpha1 pierre:1.9 pierre:1.9RC1 pierre:1.9beta2 pierre:1.9beta pierre:1.8.1old pierre:1.8.1bis pierre:1.8.1b pierre:1.8.1 pierre:1.8.0 pierre:1.7.2 pierre:1.7.1 pierre:1.7.0 pierre:1.6.1b pierre:1.6.1 pierre:1.6.0 pierre:1.5.2 pierre:1.5.1.1 pierre:1.5.1 pierre:1.5.0 pierre:1.4.0 pierre:1.3.1 pierre:1.3.0 pierre:1.2.0 pierre:1.1.0 pierre:1.0.0 pierre:1.0-beta5.2 pierre:1.0-beta5.1 pierre:1.0-beta5 pierre:1.0-beta4 pierre:1.0-beta3 pierre:1.0-beta2 pierre:1.0-beta1 pierre:0.3 pierre:0.2.1 pierre:0.2 pierre:0.11 pierre:0.1 wallabag:0.3 wallabag:0.1 wallabag:0.11 wallabag:0.2 wallabag:0.2.1 wallabag:1.0-beta1 wallabag:1.0-beta2 wallabag:1.0-beta3 wallabag:1.0-beta4 wallabag:1.0-beta5 wallabag:1.0-beta5.1 wallabag:1.0-beta5.2 wallabag:1.0.0 wallabag:1.1.0 wallabag:1.2.0 wallabag:1.3.0 wallabag:1.3.1 wallabag:1.4.0 wallabag:1.5.0 wallabag:1.5.1 wallabag:1.5.1.1 wallabag:1.5.2 wallabag:1.6.0 wallabag:1.6.1 wallabag:1.6.1b wallabag:1.7.0 wallabag:1.7.1 wallabag:1.7.2 wallabag:1.8.0 wallabag:1.8.1 wallabag:1.8.1b wallabag:1.8.1bis wallabag:1.8.1old wallabag:1.9 wallabag:1.9.1 wallabag:1.9.1-b wallabag:1.9.1alpha1 wallabag:1.9.1alpha2 wallabag:1.9.1beta1 wallabag:1.9.1beta2 wallabag:1.9.1beta3 wallabag:1.9.2 wallabag:1.9RC1 wallabag:1.9beta wallabag:1.9beta2 wallabag:2.0.0 wallabag:2.0.0-alpha.0 wallabag:2.0.0-alpha.1 wallabag:2.0.0-alpha.2 wallabag:2.0.0-beta.1 wallabag:2.0.0-beta.2 wallabag:2.0.1 wallabag:2.0.2 wallabag:2.0.3 wallabag:2.0.4 wallabag:2.0.5 wallabag:2.0.6 wallabag:2.0.7 wallabag:2.0.8 wallabag:2.1.0 wallabag:2.1.1 wallabag:2.1.2 wallabag:2.1.3 wallabag:2.1.4 wallabag:2.1.5 wallabag:2.1.6 wallabag:2.1.6.1 wallabag:2.2.0 wallabag:2.2.1 wallabag:2.2.2 wallabag:2.2.3 wallabag:2.3.0 wallabag:2.3.1 wallabag:2.3.2 wallabag:2.3.3 wallabag:2.3.4 wallabag:2.3.5 wallabag:2.3.6 wallabag:2.3.7 wallabag:2.3.8 wallabag:2.4.0 wallabag:2.4.1 wallabag:2.4.2 wallabag:2.4.3 wallabag:2.5.0 wallabag:2.5.1 wallabag:2.5.2 wallabag:2.5.3 wallabag:2.5.4 wallabag:2.6.0 wallabag:2.6.1 wallabag:2.6.10 wallabag:2.6.11 wallabag:2.6.12 wallabag:2.6.13 wallabag:2.6.14 wallabag:2.6.2 wallabag:2.6.3 wallabag:2.6.4 wallabag:2.6.5 wallabag:2.6.6 wallabag:2.6.7 wallabag:2.6.8 wallabag:2.6.9
...
compare: pierre:2.5.4
Branches Tags
pierre:all_mailers pierre:master pierre:2.6 pierre:fix-bad-url-format pierre:fix-install-db-not-exists pierre:remove-duplicate-errors pierre:feature/flex pierre:2.5.x pierre:fix/CodeQL-build pierre:feature/rss-to-wallabag pierre:cve-2018-11352 pierre:1.x wallabag:master wallabag:dependabot/npm_and_yarn/mathjax-4.1.0 wallabag:dependabot/npm_and_yarn/webpack-manifest-plugin-6.0.1 wallabag:2.6 wallabag:add-importers-selector wallabag:feat/sort wallabag:feat/tags-filter wallabag:change-read-icon wallabag:articles-with-annotation-display wallabag:parameters-from-environment-with-dotenv wallabag:upgrade-materialize wallabag:fix-install-db-not-exists wallabag:remove-duplicate-errors wallabag:2.5.x wallabag:feature/rss-to-wallabag wallabag:cve-2018-11352 wallabag:1.x
pierre:2.6.7_all_mailers pierre:2.6.7 pierre:2.6.6 pierre:2.6.5 pierre:2.6.4 pierre:2.6.3 pierre:2.6.2 pierre:2.6.1 pierre:2.6.0 pierre:2.5.4 pierre:2.5.3 pierre:2.5.2 pierre:2.5.1 pierre:2.5.0 pierre:2.4.3 pierre:2.4.2 pierre:2.4.1 pierre:2.4.0 pierre:2.3.8 pierre:2.3.7 pierre:2.3.6 pierre:2.3.5 pierre:2.3.4 pierre:2.3.3 pierre:2.3.2 pierre:2.3.1 pierre:2.3.0 pierre:2.2.3 pierre:2.2.2 pierre:2.2.1 pierre:2.2.0 pierre:2.1.6.1 pierre:2.1.6 pierre:2.1.5 pierre:2.1.4 pierre:2.1.3 pierre:2.1.2 pierre:2.1.1 pierre:2.1.0 pierre:2.0.8 pierre:2.0.7 pierre:2.0.6 pierre:2.0.5 pierre:2.0.4 pierre:2.0.3 pierre:2.0.2 pierre:1.9.2 pierre:2.0.1 pierre:2.0.0 pierre:2.0.0-beta.2 pierre:2.0.0-beta.1 pierre:2.0.0-alpha.2 pierre:2.0.0-alpha.1 pierre:2.0.0-alpha.0 pierre:1.9.1-b pierre:1.9.1 pierre:1.9.1beta3 pierre:1.9.1beta2 pierre:1.9.1beta1 pierre:1.9.1alpha2 pierre:1.9.1alpha1 pierre:1.9 pierre:1.9RC1 pierre:1.9beta2 pierre:1.9beta pierre:1.8.1old pierre:1.8.1bis pierre:1.8.1b pierre:1.8.1 pierre:1.8.0 pierre:1.7.2 pierre:1.7.1 pierre:1.7.0 pierre:1.6.1b pierre:1.6.1 pierre:1.6.0 pierre:1.5.2 pierre:1.5.1.1 pierre:1.5.1 pierre:1.5.0 pierre:1.4.0 pierre:1.3.1 pierre:1.3.0 pierre:1.2.0 pierre:1.1.0 pierre:1.0.0 pierre:1.0-beta5.2 pierre:1.0-beta5.1 pierre:1.0-beta5 pierre:1.0-beta4 pierre:1.0-beta3 pierre:1.0-beta2 pierre:1.0-beta1 pierre:0.3 pierre:0.2.1 pierre:0.2 pierre:0.11 pierre:0.1 wallabag:0.3 wallabag:0.1 wallabag:0.11 wallabag:0.2 wallabag:0.2.1 wallabag:1.0-beta1 wallabag:1.0-beta2 wallabag:1.0-beta3 wallabag:1.0-beta4 wallabag:1.0-beta5 wallabag:1.0-beta5.1 wallabag:1.0-beta5.2 wallabag:1.0.0 wallabag:1.1.0 wallabag:1.2.0 wallabag:1.3.0 wallabag:1.3.1 wallabag:1.4.0 wallabag:1.5.0 wallabag:1.5.1 wallabag:1.5.1.1 wallabag:1.5.2 wallabag:1.6.0 wallabag:1.6.1 wallabag:1.6.1b wallabag:1.7.0 wallabag:1.7.1 wallabag:1.7.2 wallabag:1.8.0 wallabag:1.8.1 wallabag:1.8.1b wallabag:1.8.1bis wallabag:1.8.1old wallabag:1.9 wallabag:1.9.1 wallabag:1.9.1-b wallabag:1.9.1alpha1 wallabag:1.9.1alpha2 wallabag:1.9.1beta1 wallabag:1.9.1beta2 wallabag:1.9.1beta3 wallabag:1.9.2 wallabag:1.9RC1 wallabag:1.9beta wallabag:1.9beta2 wallabag:2.0.0 wallabag:2.0.0-alpha.0 wallabag:2.0.0-alpha.1 wallabag:2.0.0-alpha.2 wallabag:2.0.0-beta.1 wallabag:2.0.0-beta.2 wallabag:2.0.1 wallabag:2.0.2 wallabag:2.0.3 wallabag:2.0.4 wallabag:2.0.5 wallabag:2.0.6 wallabag:2.0.7 wallabag:2.0.8 wallabag:2.1.0 wallabag:2.1.1 wallabag:2.1.2 wallabag:2.1.3 wallabag:2.1.4 wallabag:2.1.5 wallabag:2.1.6 wallabag:2.1.6.1 wallabag:2.2.0 wallabag:2.2.1 wallabag:2.2.2 wallabag:2.2.3 wallabag:2.3.0 wallabag:2.3.1 wallabag:2.3.2 wallabag:2.3.3 wallabag:2.3.4 wallabag:2.3.5 wallabag:2.3.6 wallabag:2.3.7 wallabag:2.3.8 wallabag:2.4.0 wallabag:2.4.1 wallabag:2.4.2 wallabag:2.4.3 wallabag:2.5.0 wallabag:2.5.1 wallabag:2.5.2 wallabag:2.5.3 wallabag:2.5.4 wallabag:2.6.0 wallabag:2.6.1 wallabag:2.6.10 wallabag:2.6.11 wallabag:2.6.12 wallabag:2.6.13 wallabag:2.6.14 wallabag:2.6.2 wallabag:2.6.3 wallabag:2.6.4 wallabag:2.6.5 wallabag:2.6.6 wallabag:2.6.7 wallabag:2.6.8 wallabag:2.6.9

10 Commits
2.5.3 ... 2.5.4

Author SHA1 Message Date
Jérémy Benoist
055d304bc9 Merge pull request #6291 from wallabag/release/2.5.4 
Prepare 2.5.4
 2023-02-07 22:20:00 +01:00
Jeremy Benoist
812d6ac376 Prepare 2.5.4 2023-02-07 22:03:20 +01:00
Jérémy Benoist
268372dbbd Merge pull request #6289 from wallabag/2.5/fix-csrf-user-deletion 
Fix CSRF on user deletion
 2023-02-07 21:52:51 +01:00
Jérémy Benoist
4e023bddc3 Merge pull request #6288 from wallabag/2.5/xss-username-share-page 
Fix XSS on username on share page
 2023-02-07 21:43:04 +01:00
Jérémy Benoist
acd285dcbb Merge pull request #6290 from wallabag/2.5/fix-add-tag-other-entries 
Fix adding tag to entries from other people
 2023-02-07 21:42:46 +01:00
Jeremy Benoist
f1b3d5cdd7 Fix CSRF on user deletion 2023-02-07 21:41:52 +01:00
Jeremy Benoist
242e3feac9 Fix adding tag to entries from other people 
I've also limited tag length to 20 chars (and limit adding more than 5 tags at once)
 2023-02-07 21:25:57 +01:00
Jeremy Benoist
bd4c71682e Fix XSS on username on share page 2023-02-07 19:58:06 +01:00
Jérémy Benoist
784bc1393c Merge pull request #6275 from wallabag/2.x/fix-release-script 
Fix release script
 2023-02-06 10:13:57 +01:00
Jeremy Benoist
42b03d2834 Fix release script 
The release script cloned the master branch by default because we never have to clone something else from now.
The script will now clone the tag using the given VERSION parameter.
 2023-02-03 10:10:35 +01:00
10 changed files with 72 additions and 30 deletions
Expand all files Collapse all files

11
CHANGELOG.md
View File

@ -1,5 +1,16 @@
# Changelog # Changelog
## [2.5.4](https://github.com/wallabag/wallabag/tree/2.5.4)
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.3...2.5.4)
### Security fixes
* Fix adding tag to entries from other people by @j0k3r in https://github.com/wallabag/wallabag/pull/6290
* Fix XSS on username on share page by @j0k3r in https://github.com/wallabag/wallabag/pull/6288
* Fix CSRF on user deletion by @j0k3r in https://github.com/wallabag/wallabag/pull/6289
### Meta
* Fix release script by @j0k3r in https://github.com/wallabag/wallabag/pull/6275
## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3) ## [2.5.3](https://github.com/wallabag/wallabag/tree/2.5.3)
[Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3) [Full Changelog](https://github.com/wallabag/wallabag/compare/2.5.2...2.5.3)

2
app/config/wallabag.yml
View File

@ -1,5 +1,5 @@
wallabag_core: wallabag_core:
version: 2.5.3 version: 2.5.4
paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb" paypal_url: "https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=9UBA65LG3FX9Y&lc=gb"
languages: languages:
en: 'English' en: 'English'

36
composer.lock generated
View File

@ -541,16 +541,16 @@
}, },
{ {
"name": "doctrine/annotations", "name": "doctrine/annotations",
"version": "1.14.2", "version": "1.14.3",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/doctrine/annotations.git", "url": "https://github.com/doctrine/annotations.git",
"reference": "ad785217c1e9555a7d6c6c8c9f406395a5e2882b" "reference": "fb0d71a7393298a7b232cbf4c8b1f73f3ec3d5af"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/doctrine/annotations/zipball/ad785217c1e9555a7d6c6c8c9f406395a5e2882b", "url": "https://api.github.com/repos/doctrine/annotations/zipball/fb0d71a7393298a7b232cbf4c8b1f73f3ec3d5af",
"reference": "ad785217c1e9555a7d6c6c8c9f406395a5e2882b", "reference": "fb0d71a7393298a7b232cbf4c8b1f73f3ec3d5af",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -611,9 +611,9 @@
], ],
"support": { "support": {
"issues": "https://github.com/doctrine/annotations/issues", "issues": "https://github.com/doctrine/annotations/issues",
"source": "https://github.com/doctrine/annotations/tree/1.14.2" "source": "https://github.com/doctrine/annotations/tree/1.14.3"
}, },
"time": "2022-12-15T06:48:22+00:00" "time": "2023-02-01T09:20:38+00:00"
}, },
{ {
"name": "doctrine/cache", "name": "doctrine/cache",
@ -4926,16 +4926,16 @@
}, },
{ {
"name": "jms/serializer", "name": "jms/serializer",
"version": "3.21.0", "version": "3.22.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/schmittjoh/serializer.git", "url": "https://github.com/schmittjoh/serializer.git",
"reference": "cc49ca6cd97baa173166c1f4fc54521964cf28bd" "reference": "576d226178697534e214531dbf80058637a10ebc"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/schmittjoh/serializer/zipball/cc49ca6cd97baa173166c1f4fc54521964cf28bd", "url": "https://api.github.com/repos/schmittjoh/serializer/zipball/576d226178697534e214531dbf80058637a10ebc",
"reference": "cc49ca6cd97baa173166c1f4fc54521964cf28bd", "reference": "576d226178697534e214531dbf80058637a10ebc",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -5010,7 +5010,7 @@
], ],
"support": { "support": {
"issues": "https://github.com/schmittjoh/serializer/issues", "issues": "https://github.com/schmittjoh/serializer/issues",
"source": "https://github.com/schmittjoh/serializer/tree/3.21.0" "source": "https://github.com/schmittjoh/serializer/tree/3.22.0"
}, },
"funding": [ "funding": [
{ {
@ -5018,7 +5018,7 @@
"type": "github" "type": "github"
} }
], ],
"time": "2023-01-10T13:08:17+00:00" "time": "2023-02-03T04:58:11+00:00"
}, },
{ {
"name": "jms/serializer-bundle", "name": "jms/serializer-bundle",
@ -7510,16 +7510,16 @@
}, },
{ {
"name": "phpstan/phpdoc-parser", "name": "phpstan/phpdoc-parser",
"version": "1.16.0", "version": "1.16.1",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/phpstan/phpdoc-parser.git", "url": "https://github.com/phpstan/phpdoc-parser.git",
"reference": "57090cfccbfaa639e703c007486d605a6e80f56d" "reference": "e27e92d939e2e3636f0a1f0afaba59692c0bf571"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/57090cfccbfaa639e703c007486d605a6e80f56d", "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/e27e92d939e2e3636f0a1f0afaba59692c0bf571",
"reference": "57090cfccbfaa639e703c007486d605a6e80f56d", "reference": "e27e92d939e2e3636f0a1f0afaba59692c0bf571",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
@ -7549,9 +7549,9 @@
"description": "PHPDoc parser with support for nullable, intersection and generic types", "description": "PHPDoc parser with support for nullable, intersection and generic types",
"support": { "support": {
"issues": "https://github.com/phpstan/phpdoc-parser/issues", "issues": "https://github.com/phpstan/phpdoc-parser/issues",
"source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.0" "source": "https://github.com/phpstan/phpdoc-parser/tree/1.16.1"
}, },
"time": "2023-01-29T14:41:23+00:00" "time": "2023-02-07T18:11:17+00:00"
}, },
{ {
"name": "phpzip/phpzip", "name": "phpzip/phpzip",

2
scripts/release.sh
View File

@ -9,7 +9,7 @@ ENV=$4
rm -rf "${TMP_FOLDER:?}"/"$RELEASE_FOLDER" rm -rf "${TMP_FOLDER:?}"/"$RELEASE_FOLDER"
mkdir "$TMP_FOLDER"/"$RELEASE_FOLDER" mkdir "$TMP_FOLDER"/"$RELEASE_FOLDER"
git clone https://github.com/wallabag/wallabag.git "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" git clone https://github.com/wallabag/wallabag.git --single-branch --depth 1 --branch $1 "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION"
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && SYMFONY_ENV="$ENV" COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && SYMFONY_ENV="$ENV" COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console wallabag:install --env="$ENV" -n cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console wallabag:install --env="$ENV" -n
cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console assets:install --env="$ENV" --symlink --relative cd "$TMP_FOLDER"/"$RELEASE_FOLDER"/"$VERSION" && php bin/console assets:install --env="$ENV" --symlink --relative

6
src/Wallabag/CoreBundle/Controller/ConfigController.php
View File

@ -586,7 +586,7 @@ class ConfigController extends Controller
/** /**
* Delete account for current user. * Delete account for current user.
* *
* @Route("/account/delete", name="delete_account") * @Route("/account/delete", name="delete_account", methods={"POST"})
* *
* @throws AccessDeniedHttpException * @throws AccessDeniedHttpException
* *
@ -594,6 +594,10 @@ class ConfigController extends Controller
*/ */
public function deleteAccountAction(Request $request) public function deleteAccountAction(Request $request)
{ {
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.');
}
$enabledUsers = $this->get('wallabag_user.user_repository') $enabledUsers = $this->get('wallabag_user.user_repository')
->getSumEnabledUsers(); ->getSumEnabledUsers();

24
src/Wallabag/CoreBundle/Controller/TagController.php
View File

@ -17,7 +17,7 @@ use Wallabag\CoreBundle\Form\Type\RenameTagType;
class TagController extends Controller class TagController extends Controller
{ {
/** /**
* @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag") * @Route("/new-tag/{entry}", requirements={"entry" = "\d+"}, name="new_tag", methods={"POST"})
* *
* @return \Symfony\Component\HttpFoundation\Response * @return \Symfony\Component\HttpFoundation\Response
*/ */
@ -26,7 +26,17 @@ class TagController extends Controller
$form = $this->createForm(NewTagType::class, new Tag()); $form = $this->createForm(NewTagType::class, new Tag());
$form->handleRequest($request); $form->handleRequest($request);
$tags = $form->get('label')->getData();
$tagsExploded = explode(',', $tags);
// avoid too much tag to be added
if (\count($tagsExploded) >= 5 || \strlen($tags) >= NewTagType::MAX_LENGTH) {
return $this->redirect($this->generateUrl('view', ['id' => $entry->getId()]));
}
if ($form->isSubmitted() && $form->isValid()) { if ($form->isSubmitted() && $form->isValid()) {
$this->checkUserAction($entry);
$this->get('wallabag_core.tags_assigner')->assignTagsToEntry( $this->get('wallabag_core.tags_assigner')->assignTagsToEntry(
$entry, $entry,
$form->get('label')->getData() $form->get('label')->getData()
@ -59,6 +69,8 @@ class TagController extends Controller
*/ */
public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag) public function removeTagFromEntry(Request $request, Entry $entry, Tag $tag)
{ {
$this->checkUserAction($entry);
$entry->removeTag($tag); $entry->removeTag($tag);
$em = $this->getDoctrine()->getManager(); $em = $this->getDoctrine()->getManager();
$em->flush(); $em->flush();
@ -222,4 +234,14 @@ class TagController extends Controller
return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true)); return $this->redirect($this->get('wallabag_core.helper.redirect')->to($request->headers->get('referer'), '', true));
} }
/**
* Check if the logged user can manage the given entry.
*/
private function checkUserAction(Entry $entry)
{
if (null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) {
throw $this->createAccessDeniedException('You can not access this entry.');
}
}
} }

3
src/Wallabag/CoreBundle/Form/Type/NewTagType.php
View File

@ -10,6 +10,8 @@ use Symfony\Component\OptionsResolver\OptionsResolver;
class NewTagType extends AbstractType class NewTagType extends AbstractType
{ {
public const MAX_LENGTH = 40;
public function buildForm(FormBuilderInterface $builder, array $options) public function buildForm(FormBuilderInterface $builder, array $options)
{ {
$builder $builder
@ -17,6 +19,7 @@ class NewTagType extends AbstractType
'required' => true, 'required' => true,
'attr' => [ 'attr' => [
'placeholder' => 'tag.new.placeholder', 'placeholder' => 'tag.new.placeholder',
'max_length' => self::MAX_LENGTH,
], ],
]) ])
->add('add', SubmitType::class, [ ->add('add', SubmitType::class, [

2
src/Wallabag/CoreBundle/Resources/views/themes/common/Entry/share.html.twig
View File

@ -28,7 +28,7 @@
<header class="block"> <header class="block">
<h1>{{ entry.title|e|raw }}</h1> <h1>{{ entry.title|e|raw }}</h1>
<a href="{{ entry.url|e }}" target="_blank" rel="noopener" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a> <a href="{{ entry.url|e }}" target="_blank" rel="noopener" title="{{ 'entry.view.original_article'|trans }} : {{ entry.title|e|raw }}" class="tool">{{ entry.domainName|removeWww }}</a>
<p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username})|raw }}.</p> <p class="shared-by">{{ "entry.public.shared_by_wallabag"|trans({'%wallabag_instance%': url('homepage'), '%username%': entry.user.username|escape})|raw }}.</p>
</header> </header>
<article class="block"> <article class="block">
{{ entry.content | raw }} {{ entry.content | raw }}

8
src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig
View File

@ -573,9 +573,11 @@
<div class="row"> <div class="row">
<h5>{{ 'config.form_user.delete.title'|trans }}</h5> <h5>{{ 'config.form_user.delete.title'|trans }}</h5>
<p>{{ 'config.form_user.delete.description'|trans }}</p> <p>{{ 'config.form_user.delete.description'|trans }}</p>
<a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account"> <form action="{{ path('delete_account') }}" method="post" onsubmit="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" name="delete-account">
{{ 'config.form_user.delete.button'|trans }} <input type="hidden" name="token" value="{{ csrf_token('delete-account') }}" />
</a>
<button class="waves-effect waves-light btn red" type="submit">{{ 'config.form_user.delete.button'|trans }}</button>
</form>
</div> </div>
{% endif %} {% endif %}
</div> </div>

6
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
View File

@ -794,7 +794,7 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text'])); $this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
$this->assertStringNotContainsString('config.form_user.delete.button', $body[0]); $this->assertStringNotContainsString('config.form_user.delete.button', $body[0]);
$client->request('GET', '/account/delete'); $client->request('POST', '/account/delete');
$this->assertSame(403, $client->getResponse()->getStatusCode()); $this->assertSame(403, $client->getResponse()->getStatusCode());
$user = $em $user = $em
@ -860,9 +860,9 @@ class ConfigControllerTest extends WallabagCoreTestCase
$crawler = $client->request('GET', '/config'); $crawler = $client->request('GET', '/config');
$deleteLink = $crawler->filter('.delete-account')->last()->link(); $deleteForm = $crawler->filter('form[name=delete-account]')->form();
$client->click($deleteLink); $client->submit($deleteForm);
$this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertSame(302, $client->getResponse()->getStatusCode());
$em = $client->getContainer()->get('doctrine.orm.entity_manager'); $em = $client->getContainer()->get('doctrine.orm.entity_manager');