Migrate dataviews endpoints to use the allow-query-params

2017-06-08 19:22:33 +02:00 · 2017-06-08 19:22:33 +02:00 · 29a6658e3d
commit 29a6658e3d
parent 2772fc62d2
2 changed files with 46 additions and 24 deletions
--- a/lib/cartodb/controllers/base.js
+++ b/lib/cartodb/controllers/base.js
@ -17,18 +17,8 @@ var REQUEST_QUERY_PARAMS_WHITELIST = [
    'zoom',
    'lon',
    'lat',
-    // widgets & filters
-    'filters', // json
-    'own_filter', // 0, 1
-    'bbox', // w,s,e,n
-    'bins', // number
-    'start', // number
-    'end', // number
-    'column_type', // string
-    'aggregation', //string
-    'timezone', // number
-    // widgets search
-    'q'
+    // analysis
+    'filters' // json
 ];

 function BaseController(authApi, pgConnection) {
--- a/lib/cartodb/controllers/layergroup.js
+++ b/lib/cartodb/controllers/layergroup.js
@ -79,19 +79,51 @@ LayergroupController.prototype.register = function(app) {

    // Undocumented/non-supported API endpoint methods.
    // Use at your own peril.
-    app.get(app.base_url_mapconfig +
-            '/:token/dataview/:dataviewName', cors(), userMiddleware,
-        this.dataview.bind(this));
-    app.get(app.base_url_mapconfig +
-            '/:token/:layer/widget/:dataviewName', cors(), userMiddleware,
-        this.dataview.bind(this));

-    app.get(app.base_url_mapconfig +
-            '/:token/dataview/:dataviewName/search', cors(), userMiddleware,
-        this.dataviewSearch.bind(this));
-    app.get(app.base_url_mapconfig +
-            '/:token/:layer/widget/:dataviewName/search', cors(), userMiddleware,
-        this.dataviewSearch.bind(this));
+    var allowedDataviewQueryParams = [
+        'filters', // json
+        'own_filter', // 0, 1
+        'bbox', // w,s,e,n
+        'start', // number
+        'end', // number
+        'column_type', // string
+        'bins', // number
+        'aggregation', //string
+        'timezone', // number
+        'q' // widgets search
+    ];
+
+    app.get(
+        app.base_url_mapconfig + '/:token/dataview/:dataviewName',
+        cors(),
+        userMiddleware,
+        allowQueryParams(allowedDataviewQueryParams),
+        this.dataview.bind(this)
+    );
+
+    app.get(
+        app.base_url_mapconfig + '/:token/:layer/widget/:dataviewName',
+        cors(),
+        userMiddleware,
+        allowQueryParams(allowedDataviewQueryParams),
+        this.dataview.bind(this)
+    );
+
+    app.get(
+        app.base_url_mapconfig + '/:token/dataview/:dataviewName/search',
+        cors(),
+        userMiddleware,
+        allowQueryParams(allowedDataviewQueryParams),
+        this.dataviewSearch.bind(this)
+    );
+
+    app.get(
+        app.base_url_mapconfig + '/:token/:layer/widget/:dataviewName/search',
+        cors(),
+        userMiddleware,
+        allowQueryParams(allowedDataviewQueryParams),
+        this.dataviewSearch.bind(this)
+    );

    app.get(app.base_url_mapconfig +
        '/:token/analysis/node/:nodeId', cors(), userMiddleware,