Changeset 13073

Timestamp:

08/17/2021 10:52:34 PM (4 years ago)

Author:

dcavins

Message:

Limit orderby values in BP_Invitation.

Ensure that passed orderby value matches a
verified database column name.

Location:

branches/7.0

Files:

• src/bp-core/classes/class-bp-invitation.php (modified) (2 diffs)
• tests/phpunit/testcases/core/invitations.php (modified) (2 diffs)

branches/7.0/src/bp-core/classes/class-bp-invitation.php

@@ -131 +131 @@
      */
     public $accepted;
+
+    /**
+     * Columns in the invitations table.
+     *
+     * @since 9.0.0
+     * @access public
+     * @var array
+     */
+    public static $columns = array(
+        'id',
+        'user_id',
+        'inviter_id',
+        'invitee_email',
+        'class',
+        'item_id',
+        'secondary_item_id',
+        'type',
+        'content',
+        'date_modified',
+        'invite_sent',
+        'accepted'
+    );
 
     /** Public Methods ****************************************************/
@@ -474 +496 @@
         // Order by.
         if ( ! empty( $args['order_by'] ) ) {
-            $order_by               = implode( ', ', (array) $args['order_by'] );
-            $conditions['order_by'] = "{$order_by}";
+            $order_by_clean = array();
+            foreach ( (array) $args['order_by'] as $key => $value ) {
+                if ( in_array( $value, self::$columns, true ) ) {
+                    $order_by_clean[] = $value;
+                }
+            }
+            if ( ! empty( $order_by_clean ) ) {
+                $order_by               = implode( ', ', $order_by_clean );
+                $conditions['order_by'] = "{$order_by}";
+            }
         }
 

branches/7.0/tests/phpunit/testcases/core/invitations.php

@@ -174 +174 @@
         $this->set_current_user( $old_current_user );
     }
-    
+
     public function test_bp_invitations_add_request_vanilla() {
         $old_current_user = get_current_user_id();
@@ -288 +288 @@
     }
 
+    public function test_bp_invitations_orderby_item_id() {
+        $old_current_user = get_current_user_id();
+
+        $u1 = $this->factory->user->create();
+        $u2 = $this->factory->user->create();
+        $u3 = $this->factory->user->create();
+        $this->set_current_user( $u1 );
+
+        $invites_class = new BPTest_Invitation_Manager_Extension();
+
+        // Create an invitation.
+        $i1_args = array(
+            'user_id'    => $u2,
+            'inviter_id' => $u1,
+            'item_id'    => 6,
+        );
+        $i1 = $invites_class->add_invitation( $i1_args );
+        $invites_class->send_invitation_by_id( $i1 );
+
+        $i2_args = array(
+            'user_id'    => $u3,
+            'inviter_id' => $u1,
+            'item_id'    => 4,
+        );
+        $i2 = $invites_class->add_invitation( $i2_args );
+        $invites_class->send_invitation_by_id( $i2 );
+
+        $i3_args = array(
+            'user_id'    => $u2,
+            'inviter_id' => $u1,
+            'item_id'    => 8,
+        );
+        $i3 = $invites_class->add_invitation( $i3_args );
+        $invites_class->send_invitation_by_id( $i3 );
+
+        $get_invites = array(
+            'order_by'   => 'item_id',
+            'sort_order' => 'ASC',
+            'fields'     => 'ids',
+        );
+        $invites = $invites_class->get_invitations( $get_invites );
+        $this->assertEquals( array( $i2, $i1, $i3 ), $invites );
+
+        $get_invites['sort_order'] = 'DESC';
+        $invites = $invites_class->get_invitations( $get_invites );
+        $this->assertEquals( array( $i3, $i1, $i2 ), $invites );
+
+        $this->set_current_user( $old_current_user );
+    }
 }