From 7114d280f4192573d40f262eafb92b5c86b9fc6f Mon Sep 17 00:00:00 2001
From: Paul Maillardet
Date: Fri, 4 Aug 2023 15:20:55 +0200
Subject: [PATCH] Release hotfix 0.22.1
---
 CHANGELOG.md | 5 ++++
 VERSION | 2 +-
 .../App/Controllers/BeneficiaryController.php | 27 +++++++++++++++++++
 .../App/Controllers/MaterialController.php | 7 ++++-
 server/src/App/Controllers/ParkController.php | 5 ++--
 .../App/Controllers/TechnicianController.php | 6 ++++-
 server/src/App/Controllers/UserController.php | 6 ++++-
 7 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17d25fb60..5ff795a6f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ Tous les changements notables sur le projet sont documentés dans ce fichier.
 Ce projet adhère au principe du [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.22.1 (2023-08-04)
+
+- L'utilisation d'un champ de tri non autorisé ne fait plus planter les pages de listing.
+- Corrige les boutons de modification et suppression des emplacements de parc (Premium).
+
 ## 0.22.0 (2023-08-03)
 
 - Ajoute la possibilité de choisir un emplacement de rangement pour chaque matériel
diff --git a/VERSION b/VERSION
index 215740905..a723ece79 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.22.0
+0.22.1
diff --git a/server/src/App/Controllers/BeneficiaryController.php b/server/src/App/Controllers/BeneficiaryController.php
index 0ed6cf1ee..69998b9b2 100644
--- a/server/src/App/Controllers/BeneficiaryController.php
+++ b/server/src/App/Controllers/BeneficiaryController.php
@@ -17,6 +17,33 @@ class BeneficiaryController extends BaseController
 {
 use WithCrud;
 
+ public function getAll(Request $request, Response $response): Response
+ {
+ $paginated = (bool) $request->getQueryParam('paginated', true);
+ $search = $request->getQueryParam('search', null);
+ $limit = $request->getQueryParam('limit', null);
+ $ascending = (bool) $request->getQueryParam('ascending', true);
+ $onlyDeleted = (bool) $request->getQueryParam('deleted', false);
+
+ $orderBy = $request->getQueryParam('orderBy', null);
+ if (!in_array($orderBy, ['full_name', 'reference', 'company', 'email'], true)) {
+ $orderBy = null;
+ }
+
+ $query = (new Beneficiary)
+ ->setOrderBy($orderBy, $ascending)
+ ->setSearch($search)
+ ->getAll($onlyDeleted);
+
+ if ($paginated) {
+ $results = $this->paginate($request, $query, is_numeric($limit) ? (int) $limit : null);
+ } else {
+ $results = $query->get();
+ }
+
+ return $response->withJson($results, StatusCode::STATUS_OK);
+ }
+
 public function create(Request $request, Response $response): Response
 {
 $postData = (array) $request->getParsedBody();
diff --git a/server/src/App/Controllers/MaterialController.php b/server/src/App/Controllers/MaterialController.php
index a972c5afe..d27d7ae03 100644
--- a/server/src/App/Controllers/MaterialController.php
+++ b/server/src/App/Controllers/MaterialController.php
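Review bot: In `BeneficiaryController::getAll()` the `orderBy` allowlist is enforced at the call site only, and the same inline `in_array(..., true)` check is repeated with different literal lists in the Material, Technician and User hunks. The diffstat shows no model file changed, so `setOrderBy()` is untouched. Any caller this patch does not reach, presumably including the generic `getAll()` that `WithCrud` provides and that this new method overrides, keeps forwarding the raw query parameter. I would declare the sortable fields once per model and have `setOrderBy()` fall back to its default for anything else, which puts the check next to the query it protects and keeps the lists from drifting between controllers. No test file is touched either, so a request with an unlisted `orderBy` is worth pinning in a test for each listing endpoint.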
@@ -73,12 +73,17 @@ public function getAll(Request $request, Response $response): Response
 {
 $paginated = (bool) $request->getQueryParam('paginated', true);
 $limit = $request->getQueryParam('limit', null);
- $orderBy = $request->getQueryParam('orderBy', null);
 $ascending = (bool) $request->getQueryParam('ascending', true);
 $search = $request->getQueryParam('search', null);
 $dateForQuantities = $request->getQueryParam('dateForQuantities', null);
 $onlyDeleted = (bool) $request->getQueryParam('deleted', false);
 
+ $orderBy = $request->getQueryParam('orderBy', null);
+ $allowedOrderFields = ['name', 'reference', 'rental_price', 'stock_quantity', 'out_of_order_quantity'];
+ if (!in_array($orderBy, $allowedOrderFields, true)) {
+ $orderBy = null;
+ }
+
 $query = (new Material)
 ->setOrderBy($orderBy, $ascending)
 ->setSearch($search)
diff --git a/server/src/App/Controllers/ParkController.php b/server/src/App/Controllers/ParkController.php
index 0d9200a9f..d7e9ae96a 100644
--- a/server/src/App/Controllers/ParkController.php
+++ b/server/src/App/Controllers/ParkController.php
@@ -19,13 +19,12 @@ public function getAll(Request $request, Response $response): Response
 {
 $paginated = (bool) $request->getQueryParam('paginated', true);
 $search = $request->getQueryParam('search', null);
- $orderBy = $request->getQueryParam('orderBy', null);
 $limit = $request->getQueryParam('limit', null);
 $ascending = (bool) $request->getQueryParam('ascending', true);
 $onlyDeleted = (bool) $request->getQueryParam('deleted', false);
 
- $query = $this->getModel()
- ->setOrderBy($orderBy, $ascending)
+ $query = (new Park)
+ ->setOrderBy(null, $ascending)
 ->setSearch($search)
 ->getAll($onlyDeleted);
 
diff --git a/server/src/App/Controllers/TechnicianController.php b/server/src/App/Controllers/TechnicianController.php
index 3ec1dafdc..92f820db9 100644
--- a/server/src/App/Controllers/TechnicianController.php
+++ b/server/src/App/Controllers/TechnicianController.php
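Review bot: In `ParkController::getAll()` the `orderBy` query parameter is now dropped silently while `ascending` is still forwarded, via `->setOrderBy(null, $ascending)`, so a client that asks for a sort field gets whatever ordering `setOrderBy()` falls back to and no sign that its field was ignored. If that is intended, say so above the call, for example `// Sort field is fixed to the model default; the orderBy parameter is deliberately ignored.`, so nobody later restores the parameter without an allowlist. The hunk also replaces `$this->getModel()` with `(new Park)` and adds no `use` line, so it depends on `Park` already being imported at the top of the file; that block is outside the hunk and worth confirming. The method body continues past the last line shown.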
@@ -39,11 +39,15 @@ public function __construct(Container $container, I18n $i18n)
 public function getAll(Request $request, Response $response): Response
 {
 $search = $request->getQueryParam('search', null);
- $orderBy = $request->getQueryParam('orderBy', null);
 $limit = $request->getQueryParam('limit', null);
 $ascending = (bool) $request->getQueryParam('ascending', true);
 $onlyDeleted = (bool) $request->getQueryParam('deleted', false);
 
+ $orderBy = $request->getQueryParam('orderBy', null);
+ if (!in_array($orderBy, ['full_name', 'email', 'nickname'], true)) {
+ $orderBy = null;
+ }
+
 // - Disponibilité dans une période donnée.
 $availabilityPeriod = Arr::mapKeys(
 function ($key) use ($request) {
diff --git a/server/src/App/Controllers/UserController.php b/server/src/App/Controllers/UserController.php
index 87b288e2b..eeff7d917 100644
--- a/server/src/App/Controllers/UserController.php
+++ b/server/src/App/Controllers/UserController.php
@@ -26,12 +26,16 @@ public function getAll(Request $request, Response $response): Response
 {
 $paginated = (bool) $request->getQueryParam('paginated', true);
 $search = $request->getQueryParam('search', null);
- $orderBy = $request->getQueryParam('orderBy', null);
 $group = $request->getQueryParam('group', null);
 $limit = $request->getQueryParam('limit', null);
 $ascending = (bool) $request->getQueryParam('ascending', true);
 $onlyDeleted = (bool) $request->getQueryParam('deleted', false);
 
+ $orderBy = $request->getQueryParam('orderBy', null);
+ if (!in_array($orderBy, ['pseudo', 'email', 'group'], true)) {
+ $orderBy = null;
+ }
+
 $query = (new User())
 ->setOrderBy($orderBy, $ascending)
 ->setSearch($search)
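Review bot: In `UserController::getAll()` only `orderBy` is checked; `$search` and `$group` come from the same query string, and `$search` goes straight into `->setSearch($search)` with no type check. `getQueryParam()` can return an array when the parameter is sent in bracket form, so if `setSearch()` expects a string the listing can still fail on malformed input, which is the failure this hotfix is meant to remove; `setSearch()` is not visible here, so its signature needs confirming. A guard such as `$search = is_string($search) ? $search : null;` before the query is built would cover it, and the same applies to the other `getAll()` methods in this patch. The method body continues past the end of the hunk.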