From c96f4d6b10a0cb0d0549636261b0800bffc01bf9 Mon Sep 17 00:00:00 2001
From: Guillaume Heurtier <guillaume.heurtier@maarch.org>
Date: Thu, 13 Feb 2020 11:12:29 +0100
Subject: [PATCH] FEAT #12072 TIME 0:25 check template perimeter in merge email
---
 .../controllers/TemplateController.php | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/app/template/controllers/TemplateController.php b/src/app/template/controllers/TemplateController.php
index 4f4170e91ed..32dfcf8c7ad 100755
--- a/src/app/template/controllers/TemplateController.php
+++ b/src/app/template/controllers/TemplateController.php
@@ -476,10 +476,27 @@ class TemplateController
 public static function mergeEmailTemplate(Request $request, Response $response, array $args)
 {
- $template = TemplateModel::getById(['id' => $args['id'], 'select' => ['template_content']]);
- if (empty($template)) {
+ if (!Validator::intVal()->validate($args['id'])) {
+ return $response->withStatus(400)->withJson(['errors' => 'Route param id is not an integer']);
+ }
+
+ $entities = UserModel::getEntitiesByLogin(['login' => $GLOBALS['userId']]);
+ $entities = array_column($entities, 'entity_id');
+ if (empty($entities)) {
+ $entities = [0];
+ }
+
+ $templates = TemplateModel::getWithAssociation([
+ 'select' => ['DISTINCT(templates.template_id)', 'templates.template_content'],
+ 'where' => ['(templates_association.value_field in (?) OR templates_association.template_id IS NULL)', 'templates.template_type = ?', 'templates.template_target = ?', 'templates.template_id = ?'],
+ 'data' => [$entities, 'HTML', 'sendmail', $args['id']],
+ 'orderBy' => ['templates.template_id']
+ ]);
+
+ if (empty($templates[0])) {
 return $response->withStatus(400)->withJson(['errors' => 'Template does not exist']);
 }
+ $template = $templates[0];
 if (empty($template['template_content'])) {
 return $response->withStatus(400)->withJson(['errors' => 'Template has no content']);
 }
--
GitLab
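Review bot: The perimeter rule in the new `where` clause is the authorization decision of this endpoint, yet its two non-obvious parts carry no explanation: the `[0]` fallback when the user has no entity, and the `templates_association.template_id IS NULL` escape that keeps unassociated templates reachable by every user. I would add `// no entity: 0 is presumably never a real entity_id, so only unassociated templates stay visible — confirm` above `$entities = [0];` and `// templates with no association are global and remain reachable from any perimeter` above the `getWithAssociation` call. The `in (?)` placeholder presumably depends on the model expanding the `$entities` array into one marker per value, and if `templates_association.value_field` can also hold values of another association kind the match would need to be scoped to entity associations; neither can be confirmed from the hunk. mergeEmailTemplate continues past the end of the hunk.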