From 8694c120bc26885eceac73cb628dca8febf3df72 Mon Sep 17 00:00:00 2001
From: Raul Ochoa
Date: Wed, 15 Mar 2017 11:00:10 +0100
Subject: [PATCH 1/5] Allow to overwrite layers filter in static maps images

---
 lib/cartodb/controllers/base.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/cartodb/controllers/base.js b/lib/cartodb/controllers/base.js
index 4ce9af17..b4ca8500 100644
--- a/lib/cartodb/controllers/base.js
+++ b/lib/cartodb/controllers/base.js
@@ -17,6 +17,7 @@ var REQUEST_QUERY_PARAMS_WHITELIST = [
 'zoom',
 'lon',
 'lat',
+ 'layer',
 // widgets & filters
 'filters', // json
 'own_filter', // 0, 1

From 6468822295b8e0c141faf0467bd5d558401a2251 Mon Sep 17 00:00:00 2001
From: Raul Ochoa
Date: Thu, 30 Mar 2017 20:08:45 +0200
Subject: [PATCH 2/5] Remove layer param before creating a better solution

---
 lib/cartodb/controllers/base.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/cartodb/controllers/base.js b/lib/cartodb/controllers/base.js
index b4ca8500..4ce9af17 100644
--- a/lib/cartodb/controllers/base.js
+++ b/lib/cartodb/controllers/base.js
@@ -17,7 +17,6 @@ var REQUEST_QUERY_PARAMS_WHITELIST = [
 'zoom',
 'lon',
 'lat',
- 'layer',
 // widgets & filters
 'filters', // json
 'own_filter', // 0, 1

From ae5d82c41d58aa9c47bcb96fa88c072a84b1697b Mon Sep 17 00:00:00 2001
From: Raul Ochoa
Date: Thu, 30 Mar 2017 20:09:38 +0200
Subject: [PATCH 3/5] Add test to go red

---
 test/acceptance/named_maps_static_view.js | 43 +++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/test/acceptance/named_maps_static_view.js b/test/acceptance/named_maps_static_view.js
index 91026226..c7ddff2f 100644
--- a/test/acceptance/named_maps_static_view.js
+++ b/test/acceptance/named_maps_static_view.js
@@ -21,7 +21,7 @@ describe('named maps static view', function() {
 var IMAGE_TOLERANCE = 20;
- function createTemplate(view) {
+ function createTemplate(view, layers) {
 return {
 version: '0.0.1',
 name: templateName,
@@ -36,7 +36,7 @@ describe('named maps static view', function() {
 },
 view: view,
 layergroup: {
- layers: [
+ layers: layers || [
 {
 type: 'mapnik',
 options: {
@@ -198,4 +198,43 @@ describe('named maps static view', function() {
 });
 });
+ it('should allow to select the layers to render', function (done) {
+ var view = {
+ bounds: {
+ west: 0,
+ south: 0,
+ east: 45,
+ north: 45
+ }
+ };
+
+ var layers = [
+ {
+ type: 'mapnik',
+ options: {
+ sql: 'select * from populated_places_simple_reduced',
+ cartocss: '#layer { marker-fill: <%= color %>; }',
+ cartocss_version: '2.3.0'
+ }
+ },
+ {
+ type: 'mapnik',
+ options: {
+ sql: 'select ST_Transform(ST_MakeEnvelope(-45, -45, 45, 45, 4326), 3857) the_geom_webmercator',
+ cartocss: '#layer { polygon-fill: <%= color %>; }',
+ cartocss_version: '2.3.0'
+ }
+ }
+ ];
+ templateMaps.addTemplate(username, createTemplate(view, layers), function (err) {
+ if (err) {
+ return done(err);
+ }
+ getStaticMap({ layer: 0 }, function(err, img) {
+ assert.ok(!err);
+ assert.imageIsSimilarToFile(img, previewFixture('bounds'), IMAGE_TOLERANCE, done);
+ });
+ });
+ });
+ });

From 94299f04525b9fcc965de73f4199f55ded1ec309 Mon Sep 17 00:00:00 2001
From: Raul Ochoa
Date: Thu, 30 Mar 2017 20:12:55 +0200
Subject: [PATCH 4/5] Configure extra allowed params per endpoint via middleware

Instead of making all params available in all endpoints, we control what endpoints allow what extra params. Dataviews endpoints should be migrated to this.
---
 lib/cartodb/controllers/base.js | 8 ++++++--
 lib/cartodb/controllers/layergroup.js | 7 +++++--
 lib/cartodb/controllers/named_maps.js | 3 ++-
 lib/cartodb/middleware/allow-query-params.js | 6 ++++++
 4 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 lib/cartodb/middleware/allow-query-params.js

diff --git a/lib/cartodb/controllers/base.js b/lib/cartodb/controllers/base.js
index 4ce9af17..aa607a87 100644
--- a/lib/cartodb/controllers/base.js
+++ b/lib/cartodb/controllers/base.js
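Review bot: The new `it('should allow to select the layers to render')` case covers only the accepted path for the `layer` query parameter; nothing in the series shows the outcome for an out-of-range index or a non-numeric value, even though that value now comes straight from the request URL. A second case asserting the response for such a value (whatever the controller defines it to be; that code is not in this hunk) would pin the input-validation contract instead of leaving it implicit. Separately, `assert.ok(!err);` inside the `getStaticMap` callback discards the error text; `if (err) { return done(err); }`, as the `addTemplate` callback above it already does, reports the real failure. The enclosing `describe` block starts outside the hunk.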
@@ -36,7 +36,7 @@ function BaseController(authApi, pgConnection) {
 module.exports = BaseController;
-// jshint maxcomplexity:9
+// jshint maxcomplexity:10
 /**
 * Whitelist input and get database name & default geometry type from
 * subdomain/user metadata held in CartoDB Redis
@@ -77,7 +77,11 @@ BaseController.prototype.req2params = function(req, callback){
 return;
 }
- req.query = _.pick(req.query, REQUEST_QUERY_PARAMS_WHITELIST);
+ var allowedQueryParams = REQUEST_QUERY_PARAMS_WHITELIST;
+ if (Array.isArray(req.context.allowedQueryParams)) {
+ allowedQueryParams = allowedQueryParams.concat(req.context.allowedQueryParams);
+ }
+ req.query = _.pick(req.query, allowedQueryParams);
 req.params = _.extend({}, req.params); // shuffle things as request is a strange array/object
 var user = req.context.user;
diff --git a/lib/cartodb/controllers/layergroup.js b/lib/cartodb/controllers/layergroup.js
index f7215943..4119655f 100644
--- a/lib/cartodb/controllers/layergroup.js
+++ b/lib/cartodb/controllers/layergroup.js
@@ -6,6 +6,7 @@ var BaseController = require('./base');
 var cors = require('../middleware/cors');
 var userMiddleware = require('../middleware/user');
+var allowQueryParams = require('../middleware/allow-query-params');
 var DataviewBackend = require('../backends/dataview');
 var AnalysisStatusBackend = require('../backends/analysis-status');
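Review bot: The merge `allowedQueryParams = allowedQueryParams.concat(req.context.allowedQueryParams)` depends on the `allow-query-params` middleware having run before req2params, and nothing here records that; a route that lists the middleware after its handler would have its extra params stripped by `_.pick` with no error. A comment above the `Array.isArray` check, such as `// per-endpoint extras are set by middleware/allow-query-params.js and must precede the handler`, makes the ordering contract visible. Folding the three new lines into a small helper (e.g. `getAllowedQueryParams(req)`) would also avoid bumping `maxcomplexity` to 10 in the first hunk just for a whitelist lookup. `req2params` starts and ends outside the hunk.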
@@ -67,11 +68,13 @@ LayergroupController.prototype.register = function(app) {
 this.attributes.bind(this));
 app.get(app.base_url_mapconfig +
- '/static/center/:token/:z/:lat/:lng/:width/:height.:format', cors(), userMiddleware,
+ '/static/center/:token/:z/:lat/:lng/:width/:height.:format',
+ cors(), userMiddleware, allowQueryParams(['layer']),
 this.center.bind(this));
 app.get(app.base_url_mapconfig +
- '/static/bbox/:token/:west,:south,:east,:north/:width/:height.:format', cors(), userMiddleware,
+ '/static/bbox/:token/:west,:south,:east,:north/:width/:height.:format',
+ cors(), userMiddleware, allowQueryParams(['layer']),
 this.bbox.bind(this));
 // Undocumented/non-supported API endpoint methods.
diff --git a/lib/cartodb/controllers/named_maps.js b/lib/cartodb/controllers/named_maps.js
index 4d22aeea..6681a893 100644
--- a/lib/cartodb/controllers/named_maps.js
+++ b/lib/cartodb/controllers/named_maps.js
@@ -8,6 +8,7 @@ var BaseController = require('./base');
 var cors = require('../middleware/cors');
 var userMiddleware = require('../middleware/user');
+var allowQueryParams = require('../middleware/allow-query-params');
 function NamedMapsController(authApi, pgConnection, namedMapProviderCache, tileBackend, previewBackend, surrogateKeysCache, tablesExtentApi, metadataBackend) {
@@ -31,7 +32,7 @@ NamedMapsController.prototype.register = function(app) {
 this.tile.bind(this));
 app.get(app.base_url_mapconfig +
- '/static/named/:template_id/:width/:height.:format', cors(), userMiddleware,
+ '/static/named/:template_id/:width/:height.:format', cors(), userMiddleware, allowQueryParams(['layer']),
 this.staticMap.bind(this));
 };
diff --git a/lib/cartodb/middleware/allow-query-params.js b/lib/cartodb/middleware/allow-query-params.js
new file mode 100644
index 00000000..82c255f7
--- /dev/null
+++ b/lib/cartodb/middleware/allow-query-params.js
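Review bot: `allowQueryParams(['layer'])` is now written out three times — both static routes in this hunk and the `/static/named` route in `named_maps.js` — so the extra params permitted on static-image endpoints live in three literals that can drift apart. Hoisting the list into one named constant, e.g. `var STATIC_IMAGE_QUERY_PARAMS = ['layer'];` next to the requires of each controller (or exported from the middleware module), keeps that whitelist in a single place. Separately, the `named_maps.js` line ending in `allowQueryParams(['layer']),` appears to run well past the width the layergroup routes were just wrapped to; splitting it the same way would keep the two controllers consistent. Both `register` functions start and end outside their hunks.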
@@ -0,0 +1,6 @@
+module.exports = function allowQueryParams(params) {
+ return function allowQueryParamsMiddleware(req, res, next) {
+ req.context.allowedQueryParams = params;
+ next();
+ };
+};

From ededc73fd74777d0d44b3d1613414fe3787a6c9f Mon Sep 17 00:00:00 2001
From: Raul Ochoa
Date: Fri, 31 Mar 2017 18:39:29 +0200
Subject: [PATCH 5/5] Throw on invalid params argument

---
 lib/cartodb/middleware/allow-query-params.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/cartodb/middleware/allow-query-params.js b/lib/cartodb/middleware/allow-query-params.js
index 82c255f7..04a27033 100644
--- a/lib/cartodb/middleware/allow-query-params.js
+++ b/lib/cartodb/middleware/allow-query-params.js
@@ -1,4 +1,7 @@
 module.exports = function allowQueryParams(params) {
+ if (!Array.isArray(params)) {
+ throw new Error('allowQueryParams must receive an Array of params');
+ }
 return function allowQueryParamsMiddleware(req, res, next) {
 req.context.allowedQueryParams = params;
 next();
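Review bot: `req.context.allowedQueryParams = params;` replaces rather than extends the list, so stacking two `allowQueryParams(...)` middlewares on one route silently keeps only the last, and every request receives the same `params` array instance, so a later mutation of that array widens the whitelist for all requests at once. The check added in the second hunk only confirms that `params` is an array, not that its entries are strings. A defensive form is `req.context.allowedQueryParams = (req.context.allowedQueryParams || []).concat(params);` together with `params = params.slice();` (or `Object.freeze`) after the array check, so the captured list cannot change underneath the middleware. Whether `req.context` always exists before this middleware runs is not visible here; if a route omits whatever sets it, the assignment throws a TypeError.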