From 6c01e4e7d6c177ac345c826059e585bffdd1d517 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Fri, 7 Apr 2023 00:13:49 +0200
Subject: Use typed access to request parameters (#5267)

* Use typed access to request parameters

This was a big source of mixed datatypes in many places

* Fix notifications

* Fix bookmarkAction
---
 app/Controllers/authController.php | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 81043bcf7..e499f0b8a 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -27,18 +27,16 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 if (Minz_Request::isPost()) {
 $ok = true;
- $anon = Minz_Request::param('anon_access', false);
- $anon = ((bool)$anon) && ($anon !== 'no');
- $anon_refresh = Minz_Request::param('anon_refresh', false);
- $anon_refresh = ((bool)$anon_refresh) && ($anon_refresh !== 'no');
- $auth_type = Minz_Request::param('auth_type', 'none');
- $unsafe_autologin = Minz_Request::param('unsafe_autologin', false);
- $api_enabled = Minz_Request::param('api_enabled', false);
- if ($anon != FreshRSS_Context::$system_conf->allow_anonymous ||
- $auth_type != FreshRSS_Context::$system_conf->auth_type ||
- $anon_refresh != FreshRSS_Context::$system_conf->allow_anonymous_refresh ||
- $unsafe_autologin != FreshRSS_Context::$system_conf->unsafe_autologin_enabled ||
- $api_enabled != FreshRSS_Context::$system_conf->api_enabled) {
+ $anon = Minz_Request::paramBoolean('anon_access');
+ $anon_refresh = Minz_Request::paramBoolean('anon_refresh');
+ $auth_type = Minz_Request::paramString('auth_type') ?: 'none';
+ $unsafe_autologin = Minz_Request::paramBoolean('unsafe_autologin');
+ $api_enabled = Minz_Request::paramBoolean('api_enabled');
+ if ($anon !== FreshRSS_Context::$system_conf->allow_anonymous ||
+ $auth_type !== FreshRSS_Context::$system_conf->auth_type ||
+ $anon_refresh !== FreshRSS_Context::$system_conf->allow_anonymous_refresh ||
+ $unsafe_autologin !== FreshRSS_Context::$system_conf->unsafe_autologin_enabled ||
+ $api_enabled !== FreshRSS_Context::$system_conf->api_enabled) {
 // TODO: test values from form
 FreshRSS_Context::$system_conf->auth_type = $auth_type;
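Review bot: The new `$auth_type = Minz_Request::paramString('auth_type') ?: 'none';` line is still written straight into `FreshRSS_Context::$system_conf->auth_type` under the pre-existing `// TODO: test values from form`, so any request string can become the persisted authentication mode; the typed accessor changes the PHP type, not the trust level of the value. It should be checked against the authentication types the application supports before the comparison block, e.g. `if (!in_array($auth_type, $supportedAuthTypes, true)) { $auth_type = FreshRSS_Context::$system_conf->auth_type; }`, where `$supportedAuthTypes` is whatever list the project defines for this setting (not visible in this hunk). The `?:` fallback also treats the literal string `'0'` as absent, which is harmless once the value is allow-listed but deserves a short comment. Whether `paramBoolean()` still maps the literal `'no'` that the removed `$anon`/`$anon_refresh` lines special-cased to `false` is not visible here and should be confirmed; the enclosing method starts before this hunk.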
@@ -67,7 +65,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 * the user is already connected.
 */
 public function loginAction(): void {
- if (FreshRSS_Auth::hasAccess() && Minz_Request::param('u', '') == '') {
+ if (FreshRSS_Auth::hasAccess() && Minz_Request::paramString('u') === '') {
 Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
 }
@@ -120,8 +118,8 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 if ($isPOST) {
 $nonce = Minz_Session::param('nonce', '');
- $username = Minz_Request::param('username', '');
- $challenge = Minz_Request::param('challenge', '');
+ $username = Minz_Request::paramString('username');
+ $challenge = Minz_Request::paramString('challenge');
 usleep(random_int(100, 10000)); //Primitive mitigation of timing attacks, in μs
@@ -152,7 +150,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 FreshRSS_Auth::giveAccess();
 // Set cookie parameter if needed.
- if (Minz_Request::param('keep_logged_in')) {
+ if (Minz_Request::paramBoolean('keep_logged_in')) {
 FreshRSS_FormAuth::makeCookie($username, FreshRSS_Context::$user_conf->passwordHash);
 } else {
 FreshRSS_FormAuth::deleteCookie();
@@ -161,7 +159,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 Minz_Translate::init(FreshRSS_Context::$user_conf->language);
 // All is good, go back to the original request or the index.
- $url = Minz_Url::unserialize(Minz_Request::param('original_request'));
+ $url = Minz_Url::unserialize(Minz_Request::paramString('original_request'));
 if (empty($url)) {
 $url = [ 'c' => 'index', 'a' => 'index' ];
 }
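Review bot: In the `@@ -161,7 +159,7 @@` hunk, the new `$url = Minz_Url::unserialize(Minz_Request::paramString('original_request'));` line still passes a caller-controlled string to a routine named `unserialize` and then uses the result as the post-login destination; the typed accessor guarantees a string, not that the target is an internal route. If `Minz_Url::unserialize()` only parses the string into a controller/action array and never reaches PHP's `unserialize()`, add a one-line comment saying so above this line, e.g. `// original_request is an app-serialised route, not PHP-serialised data; result is limited to internal c/a parts`. If it does not constrain the result, the destination should be restricted to the application's own route form before the redirect that follows this hunk; the `if (empty($url))` fallback only covers the malformed case. The enclosing method continues outside the hunk.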
@@ -175,8 +173,8 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
 }
 } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
- $username = Minz_Request::param('u', '');
- $password = Minz_Request::param('p', '');
+ $username = Minz_Request::paramString('u');
+ $password = Minz_Request::paramString('p');
 Minz_Request::_param('p');
 if (!$username) {
-- 
cgit v1.2.3
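Review bot: Now that `$username = Minz_Request::paramString('u');` guarantees a string, the `if (!$username) {` check on the last context line still relies on truthiness, so a username of `'0'` is treated as absent; `if ($username === '') {` states the intended emptiness test precisely and matches the `=== ''` form the commit already uses in `loginAction`. The same applies to `$password` if it is tested the same way further down, outside this hunk. Since `p` is read from the request before `Minz_Request::_param('p')` clears it, this path should remain reachable only under the `unsafe_autologin_enabled` guard on the `elseif` line, as it is here. The enclosing block starts before this hunk.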