feat: add relation column type (improve security)

Signed-off-by: Kostiantyn Miakshyn <molodchick@gmail.com>

Author: Koc

lib/Db/Column.php

@@ -115,6 +115,10 @@ class Column extends EntitySuper implements JsonSerializable {
 
 	public const META_ID_TITLE = 'id';
 
+	public const RELATION_TYPE = 'relationType';
+	public const RELATION_TARGET_ID = 'targetId';
+	public const RELATION_LABEL_COLUMN = 'labelColumn';
+
 	protected ?string $title = null;
 	protected ?int $tableId = null;
 	protected ?string $createdBy = null;

lib/Service/ColumnTypes/RelationBusiness.php

@@ -8,6 +8,7 @@
 namespace OCA\Tables\Service\ColumnTypes;
 
 use OCA\Tables\Db\Column;
+use OCA\Tables\Errors\BadRequestError;
 use OCA\Tables\Service\RelationService;
 use Psr\Log\LoggerInterface;
 
@@ -73,4 +74,25 @@ public function canBeParsed($value, ?Column $column = null): bool {
 
 		return false;
 	}
+
+	public function validateValue(mixed $value, Column $column, string $userId, int $tableId, ?int $rowId): void {
+		if ($value === null || $value === '') {
+			return;
+		}
+		// Validate that the value exists in the target table/view
+		$relationData = $this->relationService->getRelationData($column);
+
+		// Try to find value by label first
+		$matchingRelation = array_filter($relationData, fn (array $relation) => $relation['label'] === $value);
+		if (!empty($matchingRelation)) {
+			return;
+		}
+
+		// If not found by label, try to find by id
+		if (is_numeric($value) && isset($relationData[(int)$value])) {
+			return;
+		}
+
+		throw new BadRequestError('Relation value does not exist in the target table/view');
+	}
 }

lib/Service/RelationService.php

@@ -15,34 +15,18 @@
 use OCA\Tables\Errors\NotFoundError;
 use OCA\Tables\Errors\PermissionError;
 use OCP\AppFramework\Db\DoesNotExistException;
-use Psr\Log\LoggerInterface;
 
 class RelationService {
-
-	private ColumnMapper $columnMapper;
-	private ViewMapper $viewMapper;
-	private Row2Mapper $row2Mapper;
-	private ColumnService $columnService;
-	private LoggerInterface $logger;
-	private ?string $userId;
-
 	/** @var array<string, array> Cache for relation data */
 	private array $cacheRelationData = [];
 
 	public function __construct(
-		ColumnMapper $columnMapper,
-		ViewMapper $viewMapper,
-		Row2Mapper $row2Mapper,
-		ColumnService $columnService,
-		LoggerInterface $logger,
-		?string $userId,
+		private ColumnMapper $columnMapper,
+		private ViewMapper $viewMapper,
+		private Row2Mapper $row2Mapper,
+		private ColumnService $columnService,
+		private ?string $userId,
 	) {
-		$this->columnMapper = $columnMapper;
-		$this->viewMapper = $viewMapper;
-		$this->row2Mapper = $row2Mapper;
-		$this->columnService = $columnService;
-		$this->logger = $logger;
-		$this->userId = $userId;
 	}
 
 	/**
@@ -171,16 +155,16 @@ private function getRelationDataForTarget(string $target, Column $column): array
 		}
 
 		$settings = $column->getCustomSettingsArray();
-		if (empty($settings['relationType']) || empty($settings['targetId']) || empty($settings['labelColumn'])) {
+		if (empty($settings[Column::RELATION_TYPE]) || empty($settings[Column::RELATION_TARGET_ID]) || empty($settings[Column::RELATION_LABEL_COLUMN])) {
 			$this->cacheRelationData[$cacheKey] = [];
 			return [];
 		}
 
-		$isView = $settings['relationType'] === 'view';
-		$targetId = $settings['targetId'] ?? null;
+		$isView = $settings[Column::RELATION_TYPE] === 'view';
+		$targetId = $settings[Column::RELATION_TARGET_ID] ?? null;
 
 		try {
-			$targetColumn = $this->columnMapper->find($settings['labelColumn']);
+			$targetColumn = $this->columnMapper->find($settings[Column::RELATION_LABEL_COLUMN]);
 			if ($isView) {
 				$view = $this->viewMapper->find($targetId);
 				$rows = $this->row2Mapper->findAll(
@@ -212,7 +196,7 @@ private function getRelationDataForTarget(string $target, Column $column): array
 		foreach ($rows as $row) {
 			$data = $row->getData();
 			$displayFieldData = array_filter($data, function ($item) use ($settings) {
-				return $item['columnId'] === (int)$settings['labelColumn'];
+				return $item['columnId'] === (int)$settings[Column::RELATION_LABEL_COLUMN];
 			});
 			$value = reset($displayFieldData)['value'] ?? null;