feat: add relation column type (improve security)

Signed-off-by: Kostiantyn Miakshyn <molodchick@gmail.com>

Author: Koc

lib/Db/Column.php

@@ -115,6 +115,10 @@ class Column extends EntitySuper implements JsonSerializable {
 
 	public const META_ID_TITLE = 'id';
 
+	public const RELATION_TYPE = 'relationType';
+	public const RELATION_TARGET_ID = 'targetId';
+	public const RELATION_LABEL_COLUMN = 'labelColumn';
+
 	protected ?string $title = null;
 	protected ?int $tableId = null;
 	protected ?string $createdBy = null;

lib/Service/ColumnTypes/RelationBusiness.php

@@ -8,6 +8,7 @@
 namespace OCA\Tables\Service\ColumnTypes;
 
 use OCA\Tables\Db\Column;
+use OCA\Tables\Errors\BadRequestError;
 use OCA\Tables\Service\RelationService;
 use Psr\Log\LoggerInterface;
 
@@ -73,4 +74,25 @@ public function canBeParsed($value, ?Column $column = null): bool {
 
 		return false;
 	}
+
+	public function validateValue(mixed $value, Column $column, string $userId, int $tableId, ?int $rowId): void {
+		if ($value === null || $value === '') {
+			return;
+		}
+		// Validate that the value exists in the target table/view
+		$relationData = $this->relationService->getRelationData($column);
+
+		// Try to find value by label first
+		$matchingRelation = array_filter($relationData, fn (array $relation) => $relation['label'] === $value);
+		if (!empty($matchingRelation)) {
+			return;
+		}
+
+		// If not found by label, try to find by id
+		if (is_numeric($value) && isset($relationData[(int)$value])) {
+			return;
+		}
+
+		throw new BadRequestError('Relation value does not exist in the target table/view');
+	}
 }

lib/Service/RelationService.php

@@ -23,6 +23,7 @@ class RelationService {
 	private ViewMapper $viewMapper;
 	private Row2Mapper $row2Mapper;
 	private ColumnService $columnService;
+	private PermissionsService $permissionsService;
 	private LoggerInterface $logger;
 	private ?string $userId;
 
@@ -34,13 +35,15 @@ public function __construct(
 		ViewMapper $viewMapper,
 		Row2Mapper $row2Mapper,
 		ColumnService $columnService,
+		PermissionsService $permissionsService,
 		LoggerInterface $logger,
 		?string $userId,
 	) {
 		$this->columnMapper = $columnMapper;
 		$this->viewMapper = $viewMapper;
 		$this->row2Mapper = $row2Mapper;
 		$this->columnService = $columnService;
+		$this->permissionsService = $permissionsService;
 		$this->logger = $logger;
 		$this->userId = $userId;
 	}
@@ -171,16 +174,23 @@ private function getRelationDataForTarget(string $target, Column $column): array
 		}
 
 		$settings = $column->getCustomSettingsArray();
-		if (empty($settings['relationType']) || empty($settings['targetId']) || empty($settings['labelColumn'])) {
+		if (empty($settings[Column::RELATION_TYPE]) || empty($settings[Column::RELATION_TARGET_ID]) || empty($settings[Column::RELATION_LABEL_COLUMN])) {
 			$this->cacheRelationData[$cacheKey] = [];
 			return [];
 		}
 
-		$isView = $settings['relationType'] === 'view';
-		$targetId = $settings['targetId'] ?? null;
+		if (!$this->permissionsService->canReadRowsByElementId($settings[Column::RELATION_TARGET_ID], $settings[Column::RELATION_TYPE], $this->userId)) {
+			$e = new \Exception('Row not found.');
+			$this->logger->error($e->getMessage(), ['exception' => $e]);
+			throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': ' . $e->getMessage());
+		}
+
+
+		$isView = $settings[Column::RELATION_TYPE] === 'view';
+		$targetId = $settings[Column::RELATION_TARGET_ID] ?? null;
 
 		try {
-			$targetColumn = $this->columnMapper->find($settings['labelColumn']);
+			$targetColumn = $this->columnMapper->find($settings[Column::RELATION_LABEL_COLUMN]);
 			if ($isView) {
 				$view = $this->viewMapper->find($targetId);
 				$rows = $this->row2Mapper->findAll(
@@ -212,7 +222,7 @@ private function getRelationDataForTarget(string $target, Column $column): array
 		foreach ($rows as $row) {
 			$data = $row->getData();
 			$displayFieldData = array_filter($data, function ($item) use ($settings) {
-				return $item['columnId'] === (int)$settings['labelColumn'];
+				return $item['columnId'] === (int)$settings[Column::RELATION_LABEL_COLUMN];
 			});
 			$value = reset($displayFieldData)['value'] ?? null;