From 9baf7fcdc005144c97a37ded620a90ed1085d485 Mon Sep 17 00:00:00 2001
From: uzulla <uzulla@himitsukichi.com>
Date: Sun, 8 Aug 2021 17:14:09 +0900
Subject: [PATCH] Use explicit device_type instead of req.get('device_type').
 #338

---
 app/src/App.php                               | 19 ++++++++++++-------
 .../Admin/BlogTemplatesController.php         | 17 +++++++++++++++++
 .../admin/blog_templates/fc2_index.twig       |  6 +++---
 .../admin/blog_templates/fc2_index_sp.twig    |  4 ++--
 .../admin/blog_templates/fc2_view_sp.twig     |  6 +++---
 .../admin/blog_templates/index_sp.twig        |  2 +-
 6 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/app/src/App.php b/app/src/App.php
index 5ef64d27..11e99e52 100644
--- a/app/src/App.php
+++ b/app/src/App.php
@@ -241,11 +241,7 @@ public static function getDeviceType(Request $request): int
 
         // Cookieからデバイスタイプを取得
         $device_type = $request->rawCookie('device');
-        $devices = [
-            App::DEVICE_PC,
-            App::DEVICE_SP,
-        ];
-        if (!empty($device_type) && in_array($device_type, $devices)) {
+        if (!empty($device_type) && static::isExistsDeviceId($device_type)) {
             return (int)$device_type;
         }
 
@@ -261,6 +257,16 @@ public static function getDeviceType(Request $request): int
         return App::DEVICE_PC;
     }
 
+    /**
+     * デバイスタイプが既知のものか？（許可されているか？）
+     * @param string $id
+     * @return bool
+     */
+    public static function isExistsDeviceId(string $id): bool
+    {
+        return in_array($id, self::ALLOW_DEVICES);
+    }
+
     /**
      * デバイスタイプを取得する
      * @param Request $request
@@ -269,8 +275,7 @@ public static function getDeviceType(Request $request): int
     public static function getDeviceTypeStr(Request $request): string
     {
         $device_id = static::getDeviceType($request);
-        $device_table = App::DEVICE_FC2_KEY;
-        return $device_table[$device_id];
+        return App::DEVICE_FC2_KEY[$device_id] ?? App::DEVICE_FC2_KEY[App::DEVICE_PC];
     }
 
     /**
diff --git a/app/src/Web/Controller/Admin/BlogTemplatesController.php b/app/src/Web/Controller/Admin/BlogTemplatesController.php
index 3b119972..cb8cc7a3 100644
--- a/app/src/Web/Controller/Admin/BlogTemplatesController.php
+++ b/app/src/Web/Controller/Admin/BlogTemplatesController.php
@@ -10,6 +10,7 @@
 use Fc2blog\Model\Fc2TemplatesModel;
 use Fc2blog\Model\Model;
 use Fc2blog\Service\BlogService;
+use Fc2blog\Util\Log;
 use Fc2blog\Web\Request;
 
 class BlogTemplatesController extends AdminController
@@ -45,6 +46,11 @@ public function index(Request $request): string
         }
         $this->set('device_blog_templates', $device_blog_templates);
         $this->set('devices', BlogTemplatesModel::DEVICE_NAME);
+        if (!App::isExistsDeviceId($request->get("device_type", (string)App::DEVICE_PC))) {
+            Log::notice("invalid device_type params :" . $request->get("device_type"));
+            return $this->error400();
+        }
+        $this->set('req_device_type', $request->get("device_type"));
 
         return "admin/blog_templates/index.twig";
     }
@@ -77,6 +83,11 @@ public function fc2_index(Request $request): string
         $this->set('templates', $templates);
         $this->set('paging', $paging);
         $this->set('devices', BlogTemplatesModel::DEVICE_NAME);
+        if (!App::isExistsDeviceId($request->get("device_type", (string)App::DEVICE_PC))) {
+            Log::notice("invalid device_type params :" . $request->get("device_type"));
+            return $this->error400();
+        }
+        $this->set('req_device_type', $request->get("device_type"));
 
         return "admin/blog_templates/fc2_index.twig";
     }
@@ -101,6 +112,12 @@ public function fc2_view(Request $request): string
         $device_type = $request->get('device_type', (string)App::DEVICE_PC);
         $request->set('device_type', $device_type);
 
+        if (!App::isExistsDeviceId($request->get("device_type", (string)App::DEVICE_PC))) {
+            Log::notice("invalid device_type params :" . $request->get("device_type"));
+            return $this->error400();
+        }
+        $this->set('req_device_type', $request->get("device_type"));
+
         // テンプレート取得
         $device_key = App::getDeviceFc2Key($device_type);
         $template = Model::load('Fc2Templates')->findByIdAndDevice($request->get('fc2_id'), $device_key);
diff --git a/app/twig_templates/admin/blog_templates/fc2_index.twig b/app/twig_templates/admin/blog_templates/fc2_index.twig
index 68332ae5..d531c0a3 100644
--- a/app/twig_templates/admin/blog_templates/fc2_index.twig
+++ b/app/twig_templates/admin/blog_templates/fc2_index.twig
@@ -3,7 +3,7 @@
 
 {% block content %}
 
-    <header><h2>{{ _('FC2 Template list') }}[{{ _(attribute(constant('Fc2blog\\App::DEVICE_FC2_KEY'), req.get('device_type'))) }}]</h2></header>
+    <header><h2>{{ _('FC2 Template list') }}[{{ _(attribute(constant('Fc2blog\\App::DEVICE_FC2_KEY'), req_device_type)) }}]</h2></header>
 
     {% if templates %}
         {% for template in templates %}
@@ -18,11 +18,11 @@
                 </tr>
                 <tr>
                     <td class="btn">
-                        <a class="admin_common_btn create_btn" href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, fc2_id:template.id, device_type: req.get('device_type')}, false, true) }}" target="_blank">{{ _('Preview') }}</a>
+                        <a class="admin_common_btn create_btn" href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, fc2_id:template.id, device_type: req_device_type}, false, true) }}" target="_blank">{{ _('Preview') }}</a>
                         <form action="{{ url(req, 'blog_templates', 'download') }}" method="post" style="display: inline">
                             <input type="hidden" name="sig" value="{{ sig }}">
                             <input type="hidden" name="fc2_id" value="{{ template.id }}">
-                            <input type="hidden" name="device_type" value="{{ req.get('device_type') }}">
+                            <input type="hidden" name="device_type" value="{{ req_device_type }}">
                             <button type="submit" class="admin_common_btn create_btn">{{ _('Download') }}</button>
                         </form>
 
diff --git a/app/twig_templates/admin/blog_templates/fc2_index_sp.twig b/app/twig_templates/admin/blog_templates/fc2_index_sp.twig
index b77f858f..bc19f457 100644
--- a/app/twig_templates/admin/blog_templates/fc2_index_sp.twig
+++ b/app/twig_templates/admin/blog_templates/fc2_index_sp.twig
@@ -3,13 +3,13 @@
 
 {% block content %}
 
-    <header><h1 class="sh_heading_main_b">{{ _('FC2 Template list') }}[{{ _(attribute(constant('Fc2blog\\App::DEVICE_FC2_KEY'), req.get('device_type'))) }}]</h1></header>
+    <header><h1 class="sh_heading_main_b">{{ _('FC2 Template list') }}[{{ _(attribute(constant('Fc2blog\\App::DEVICE_FC2_KEY'), req_device_type)) }}]</h1></header>
 
     {% if templates %}
         <ul class="template_list">
             {% for template in templates %}
                 <li class="template_list_item">
-                    <a href="{{ url(req, 'blog_templates', 'fc2_view', {fc2_id: template.id, device_type: req.get('device_type')}) }}">
+                    <a href="{{ url(req, 'blog_templates', 'fc2_view', {fc2_id: template.id, device_type: req_device_type}) }}">
                         <img class="template_img" src="{{ template.image }}" alt="{{ template.name }}">
                         <p class="template_name">{{ template.name }}</p>
                     </a>
diff --git a/app/twig_templates/admin/blog_templates/fc2_view_sp.twig b/app/twig_templates/admin/blog_templates/fc2_view_sp.twig
index 7668ba19..09b7f18a 100644
--- a/app/twig_templates/admin/blog_templates/fc2_view_sp.twig
+++ b/app/twig_templates/admin/blog_templates/fc2_view_sp.twig
@@ -3,14 +3,14 @@
 
 {% block content %}
 
-    <header><h1 class="sh_heading_main_b">{{ _('FC2 Template detail') }}[{{ _(attribute(constant('Fc2blog\\App::DEVICE_FC2_KEY'), req.get('device_type'))) }}]</h1></header>
+    <header><h1 class="sh_heading_main_b">{{ _('FC2 Template detail') }}[{{ _(attribute(constant('Fc2blog\\App::DEVICE_FC2_KEY'), req_device_type)) }}]</h1></header>
     <h2><span class="h2_inner">テンプレートの詳細</span></h2>
 
     <div class="template_detail">
         <form action="{{ url(req, 'blog_templates', 'download') }}" method="post" id="template_download_form">
             <input type="hidden" name="sig" value="{{ sig }}">
             <input type="hidden" name="fc2_id" value="{{ template.id }}">
-            <input type="hidden" name="device_type" value="{{ req.get('device_type') }}">
+            <input type="hidden" name="device_type" value="{{ req_device_type }}">
         </form>
         <div class="left_column">
             <p class="template_img">
@@ -19,7 +19,7 @@
         </div>
         <div class="right_column">
             <p>
-                <a class="btn_contents touch" href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, fc2_id: template.id, device_type: req.get('device_type')}, false, true) }}" target="_blank">{{ _('Preview') }}</a>
+                <a class="btn_contents touch" href="{{ url(req, 'Entries', 'preview', {blog_id: blog.id, fc2_id: template.id, device_type: req_device_type}, false, true) }}" target="_blank">{{ _('Preview') }}</a>
             </p>
             <p>
                 <button class="btn_contents touch" onclick="$('#template_download_form').submit()">{{ _('Download') }}</button>
diff --git a/app/twig_templates/admin/blog_templates/index_sp.twig b/app/twig_templates/admin/blog_templates/index_sp.twig
index 6027a50c..e83554a2 100644
--- a/app/twig_templates/admin/blog_templates/index_sp.twig
+++ b/app/twig_templates/admin/blog_templates/index_sp.twig
@@ -8,7 +8,7 @@
         <div class="form_contents">
             <select onchange="location.href=$(this).val();">
                 {% for key, device_en in devices %}
-                    <option value="{{ url(req, 'BlogTemplates', 'index', {device_type:key}) }}" {% if req.get('device_type') == key %}selected="selected"{% endif %}>{{ _(device_en) }}</option>
+                    <option value="{{ url(req, 'BlogTemplates', 'index', {device_type:key}) }}" {% if req_device_type == key %}selected="selected"{% endif %}>{{ _(device_en) }}</option>
                 {% endfor %}
             </select>
         </div>