authormorkt <>2015-01-12 09:54:26 +0100
committerYorhel <git@yorhel.nl>2015-01-12 09:54:26 +0100
commite80376eba0846f15f97f865aadcf4793f228b1a3 (patch)
tree701a13572234cb1db2d601819f145b395277025d
parent34331f1a4625eec8df708a4142b4570c155fb40e (diff)
staff: Stronger verification of form data
-rw-r--r--lib/VNDB/Handler/Staff.pm28
-rw-r--r--lib/VNDB/Handler/VNEdit.pm22
2 files changed, 29 insertions, 21 deletions
diff --git a/lib/VNDB/Handler/Staff.pm b/lib/VNDB/Handler/Staff.pm
index fbfb81a6..981a9fa8 100644
--- a/lib/VNDB/Handler/Staff.pm
+++ b/lib/VNDB/Handler/Staff.pm
@@ -12,7 +12,7 @@ TUWF::register(
qr{s(?:([1-9]\d*)(?:\.([1-9]\d*))?/edit|/new)}
=> \&edit,
qr{s/([a-z0]|all)} => \&list,
- qr{xml/staff.xml} => \&staffxml,
+ qr{xml/staff\.xml} => \&staffxml,
);
sub page {
@@ -205,7 +205,7 @@ sub edit {
|| $sid && (($s->{locked} || $s->{hidden}) && !$self->authCan('dbmod'));
my %b4 = !$sid ? () : (
- (map { $_ => $s->{$_} } qw|aid name original gender lang desc l_wp l_site l_twitter l_anidb ihid ilock|),
+ (map { $_ => $s->{$_} } qw|name original gender lang desc l_wp l_site l_twitter l_anidb ihid ilock|),
aliases => jsonEncode [
map +{ aid => $_->{id}, name => $_->{name}, orig => $_->{original} },
sort { $a->{name} cmp $b->{name} } @{$s->{aliases}}
@@ -216,7 +216,6 @@ sub edit {
if ($self->reqMethod eq 'POST') {
return if !$self->authCheckCode;
$frm = $self->formValidate (
- { post => 'aid', required => 0, template => 'int' },
{ post => 'name', maxlength => 200 },
{ post => 'original', required => 0, maxlength => 200, default => '' },
{ post => 'desc', required => 0, maxlength => 5000, default => '' },
@@ -234,29 +233,33 @@ sub edit {
);
push @{$frm->{_err}}, 'badeditsum' if !$frm->{editsum} || lc($frm->{editsum}) eq lc($frm->{desc});
- my $aliases = eval { jsonDecode $frm->{aliases} };
- push @{$frm->{_err}}, [ 'aliases', 'template', 'json' ] if $@ || ref $aliases ne 'ARRAY';
+ my @aliases;
+ my $raw_a = eval { jsonDecode $frm->{aliases} };
+ push @{$frm->{_err}}, [ 'aliases', 'template', 'json' ] if $@ || ref $raw_a ne 'ARRAY';
if(!$frm->{_err}) {
- for my $a (@$aliases) {
- $a->{aid} *= 1; # normalize to a number so that the comparison works.
+ my %old_aliases = $sid ? ( map +($_->{id} => 1), @{$s->{aliases}} ) : ();
+ for my $a (sort { $a->{name} cmp $b->{name} } @$raw_a) {
# check for empty aliases
if($a->{name} =~ /^\s*$/) {
push @{$frm->{_err}}, ['alias_name', 'required'];
last;
}
+ # normalize alias id to a number so that the comparison works
+ # or reset it to zero for newly added aliases.
+ $a->{aid} *= $old_aliases{$a->{aid}} ? 1 : 0;
+ push @aliases, $a;
}
}
if(!$frm->{_err}) {
- # parse and normalize
- $frm->{aliases} = jsonEncode [ sort { $a->{name} cmp $b->{name} } @$aliases ];
+ $frm->{aliases} = jsonEncode \@aliases;
$frm->{ihid} = $frm->{ihid} ?1:0;
$frm->{ilock} = $frm->{ilock}?1:0;
+ $frm->{aid} = $s->{aid} if $sid;
return $self->resRedirect("/s$sid", 'post')
if $sid && !first { ($frm->{$_}//'') ne ($b4{$_}//'') } keys %b4;
- }
- if(!$frm->{_err}) {
- $frm->{aliases} = [ map [ @{$_}{qw|aid name orig|} ], @$aliases ];
+
+ $frm->{aliases} = [ map [ @{$_}{qw|aid name orig|} ], @aliases ];
my $nrev = $self->dbItemEdit ('s' => $sid ? $s->{cid} : undef, %$frm);
return $self->resRedirect("/s$nrev->{iid}.$nrev->{rev}", 'post');
}
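Review bot: The elements of `$raw_a` are never checked to be hash refs before `$a->{name}` is dereferenced in the sort block on the new line 55 and in the loop body, and that code sits outside the `eval` that only wraps `jsonDecode`, so a submitted `aliases` value such as `[1]` or `["x"]` would die under strict refs and surface as an uncaught error instead of the `aliases`/`json` form error (the credits loop in VNEdit.pm in this same commit runs inside its `eval`, so it does not share this gap). I would extend the validity check to `push @{$frm->{_err}}, [ 'aliases', 'template', 'json' ] if $@ || ref $raw_a ne 'ARRAY' || grep { ref $_ ne 'HASH' } @$raw_a;`. Alias `name` and `orig` also get no length bound here, unlike the form's `name`/`original` fields capped at 200 earlier on this page; unless a lower layer enforces one, a maxlength check belongs in the loop. The `aid *= ... ? 1 : 0` line warns on a missing `aid` because it is used as a hash key before normalization; `$a->{aid} = $old_aliases{$a->{aid} // ''} ? $a->{aid} * 1 : 0;` avoids that.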
@@ -272,7 +275,6 @@ sub edit {
$self->htmlEditMessage('s', $s, $title);
$self->htmlForm({ frm => $frm, action => $s ? "/s$sid/edit" : '/s/new', editsum => 1 },
staffe_geninfo => [ mt('_staffe_form_generalinfo'),
- [ hidden => short => 'aid' ],
[ input => name => mt('_staffe_form_name'), short => 'name' ],
[ input => name => mt('_staffe_form_original'), short => 'original' ],
[ static => content => mt('_staffe_form_original_note') ],
diff --git a/lib/VNDB/Handler/VNEdit.pm b/lib/VNDB/Handler/VNEdit.pm
index a7900628..b055a87c 100644
--- a/lib/VNDB/Handler/VNEdit.pm
+++ b/lib/VNDB/Handler/VNEdit.pm
@@ -85,6 +85,7 @@ sub edit {
|| $vid && (($v->{locked} || $v->{hidden}) && !$self->authCan('dbmod'));
my $r = $v ? $self->dbReleaseGet(vid => $v->{id}) : [];
+ my $chars = $v ? $self->dbCharGet(vid => $v->{id}, results => 50) : [];
my %b4 = !$vid ? () : (
(map { $_ => $v->{$_} } qw|title original desc alias length l_wp l_encubed l_renai image img_nsfw ihid ilock|),
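Review bot: `dbCharGet` is called with `results => 50` on the new line 99, and the returned list is later used both to reject submitted seiyuu credits whose `cid` is not in it and to build the form's import list; if `results` is a page size, as the name suggests, a VN with more than 50 characters would have credits for the characters past the cut silently dropped on save rather than rejected with an error. Unless the cap is intentional, the full character id list for the VN should be fetched here (or paged through) before it is used as a whitelist. A comment such as `# full character list: whitelist for submitted seiyuu cids and source of the form's import list` would make that dual role explicit.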
@@ -145,11 +146,17 @@ sub edit {
$last_c = $c;
}
- my $last_s;
- for my $s (sort { $a->{aid} <=> $b->{aid} || $a->{cid} <=> $b->{cid} } @$raw_s) {
- next if $last_s->{aid} == $s->{aid} && $last_s->{cid} == $s->{cid};
- push @seiyuu, $s;
- $last_s = $s;
+ # if character list is empty, any seiyuu data will be discarded
+ if (@$chars && @$raw_s) {
+ my %vn_chars = map +($_->{id} => 1), @$chars;
+ my $last_s;
+ for my $s (sort { $a->{aid} <=> $b->{aid} || $a->{cid} <=> $b->{cid} } @$raw_s) {
+ next unless exists $vn_chars{$s->{cid}}; # weed out odd characters
+ next if $last_s->{aid} == $s->{aid} && $last_s->{cid} == $s->{cid};
+ $s->{cid} += 0; # force numeric conversion
+ push @seiyuu, $s;
+ $last_s = $s;
+ }
}
};
push @{$frm->{_err}}, [ 'credits', 'template', 'json' ] if $@;
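Review bot: `$s->{aid}` is used in the sort and in the duplicate comparison with `<=>`/`==` but, unlike `cid` on the new line 117, it is neither normalized to a number nor checked, so a missing or non-numeric `aid` passes through to the edit with only a warning rather than a form error; I would validate it alongside the `cid` membership test, `next unless defined $s->{aid} && $s->{aid} =~ /^[1-9]\d*$/;`, and numericize it with `$s->{aid} += 0;` next to the cid line. Whether the database layer rejects an unknown `aid` cannot be seen from this hunk; if it does not, the staff id should also be checked against the existing staff table as `cid` is checked against `%vn_chars`. The comment on the new line 110 would read more clearly as `# no character list (new VN or VN without characters): drop any submitted seiyuu credits`.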
@@ -210,7 +217,7 @@ sub edit {
$self->htmlHeader(title => $title, noindex => 1);
$self->htmlMainTabs('v', $v, 'edit') if $vid;
$self->htmlEditMessage('v', $v, $title);
- _form($self, $v, $frm, $r);
+ _form($self, $v, $frm, $r, $chars);
$self->htmlFooter;
}
@@ -250,8 +257,7 @@ sub _uploadimage {
sub _form {
- my($self, $v, $frm, $r) = @_;
- my $chars = $v ? $self->dbCharGet(vid => $v->{id}, results => 50) : [];
+ my($self, $v, $frm, $r, $chars) = @_;
my $import = @$chars ? $self->dbVNImportSeiyuu($v->{id}, [ map $_->{id}, @$chars ]) : [];
$self->htmlForm({ frm => $frm, action => $v ? "/v$v->{id}/edit" : '/v/new', editsum => 1, upload => 1 },
vn_geninfo => [ mt('_vnedit_geninfo'),