Fix an issue where Phame could post to the wrong blog

When you `getInt()` an array, PHP decides the array has value `1`. This would cause us to post to blog #1 incorrectly. I didn't catch this locally because I happened to be posting to blog #1. Stop us from interpreting array values as `1`, and fix blog interpretation. This approach is a little messy (projects has the same issue) but I'll see if I can clean it up in some future change. Auditors: chad
2024-12-23 22:10:55 +01:00 · 2016-01-02 05:16:10 -08:00 · 2016-01-02 05:16:10 -08:00 · 2328e739b7
commit 2328e739b7
parent edcc3232aa
2 changed files with 24 additions and 9 deletions
--- a/src/aphront/AphrontRequest.php
+++ b/src/aphront/AphrontRequest.php
@ -123,6 +123,11 @@ final class AphrontRequest extends Phobject {
   */
  public function getInt($name, $default = null) {
    if (isset($this->requestData[$name])) {
+      // Converting from array to int is "undefined". Don't rely on whatever
+      // PHP decides to do.
+      if (is_array($this->requestData[$name])) {
+        return $default;
+      }
      return (int)$this->requestData[$name];
    } else {
      return $default;
--- a/src/applications/phame/controller/post/PhamePostEditController.php
+++ b/src/applications/phame/controller/post/PhamePostEditController.php
@ -32,18 +32,27 @@ final class PhamePostEditController extends PhamePostController {
      }
      $blog_id = $post->getBlog()->getID();
    } else {
-      $blog_id = $request->getInt('blog');
+      $blog_id = head($request->getArr('blog'));
+      if (!$blog_id) {
+        $blog_id = $request->getStr('blog');
+      }
    }

-    $blog = id(new PhameBlogQuery())
+    $query = id(new PhameBlogQuery())
      ->setViewer($viewer)
-      ->withIDs(array($blog_id))
      ->requireCapabilities(
        array(
          PhabricatorPolicyCapability::CAN_VIEW,
          PhabricatorPolicyCapability::CAN_EDIT,
-        ))
-      ->executeOne();
+        ));
+
+    if (ctype_digit($blog_id)) {
+      $query->withIDs(array($blog_id));
+    } else {
+      $query->withPHIDs(array($blog_id));
+    }
+
+    $blog = $query->executeOne();
    if (!$blog) {
      return new Aphront404Response();
    }
@ -60,10 +69,11 @@ final class PhamePostEditController extends PhamePostController {
    $crumbs = parent::buildApplicationCrumbs();

    $blog = $this->getBlog();
-
-    $crumbs->addTextCrumb(
-      $blog->getName(),
-      $blog->getViewURI());
+    if ($blog) {
+      $crumbs->addTextCrumb(
+        $blog->getName(),
+        $blog->getViewURI());
+    }

    return $crumbs;
  }