feat: Validate custom settings

lib/Controller/Api1Controller.php

@@ -605,7 +605,8 @@ public function createShare(
 					$permissionDelete,
 					$permissionManage,
 					$displayMode
-				)->jsonSerialize());
+				)->jsonSerialize()
+			);
 		} catch (PermissionError $e) {
 			$this->logger->warning('A permission error occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];
@@ -931,6 +932,10 @@ public function createColumn(
 			$this->logger->warning('A permission error occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];
 			return new DataResponse($message, Http::STATUS_FORBIDDEN);
+		} catch (BadRequestError $e) {
+			$this->logger->warning('A bad request error occurred: ' . $e->getMessage(), ['exception' => $e]);
+			$message = ['message' => $e->translatedMessage ?: $e->getMessage()];
+			return new DataResponse($message, Http::STATUS_BAD_REQUEST);
 		} catch (InternalError $e) {
 			$this->logger->error('An internal error or exception occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];
@@ -975,9 +980,11 @@ public function createColumn(
 	 * @param bool|null $usergroupShowUserStatus Whether to show the user's status, if column type is usergroup
 	 * @param array<string, mixed> $customSettings Custom settings for the column
 	 *
-	 * @return DataResponse<Http::STATUS_OK, TablesColumn, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
+	 * @return DataResponse<Http::STATUS_OK, TablesColumn, array{}>|DataResponse<Http::STATUS_BAD_REQUEST|Http::STATUS_INTERNAL_SERVER_ERROR, array{message: string}, array{}>
 	 *
 	 * 200: Updated column
+	 * 400: Validation error
+	 * 500: Internal error
 	 */
 	#[NoAdminRequired]
 	#[NoCSRFRequired]
@@ -1047,6 +1054,10 @@ public function updateColumn(
 				)
 			);
 			return new DataResponse($item->jsonSerialize());
+		} catch (BadRequestError $e) {
+			$this->logger->warning('A bad request error occurred: ' . $e->getMessage(), ['exception' => $e]);
+			$message = ['message' => $e->translatedMessage ?: $e->getMessage()];
+			return new DataResponse($message, Http::STATUS_BAD_REQUEST);
 		} catch (InternalError $e) {
 			$this->logger->error('An internal error or exception occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];
@@ -1700,6 +1711,10 @@ public function createTableColumn(
 			$this->logger->warning('A permission error occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];
 			return new DataResponse($message, Http::STATUS_FORBIDDEN);
+		} catch (BadRequestError $e) {
+			$this->logger->warning('A bad request error occurred: ' . $e->getMessage(), ['exception' => $e]);
+			$message = ['message' => $e->translatedMessage ?: $e->getMessage()];
+			return new DataResponse($message, Http::STATUS_BAD_REQUEST);
 		} catch (InternalError $e) {
 			$this->logger->error('An internal error or exception occurred: ' . $e->getMessage(), ['exception' => $e]);
 			$message = ['message' => $e->getMessage()];

lib/Controller/ApiColumnsController.php

@@ -140,6 +140,7 @@ public function show(int $id): DataResponse {
 	 * @throws InternalError
 	 * @throws NotFoundError
 	 * @throws PermissionError
+	 * @throws BadRequestError
 	 */
 	#[NoAdminRequired]
 	#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
@@ -202,6 +203,7 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe
 	 * @throws InternalError
 	 * @throws NotFoundError
 	 * @throws PermissionError
+	 * @throws BadRequestError
 	 */
 	#[NoAdminRequired]
 	#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
@@ -264,6 +266,7 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe
 	 * @throws InternalError
 	 * @throws NotFoundError
 	 * @throws PermissionError
+	 * @throws BadRequestError
 	 */
 	#[NoAdminRequired]
 	#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
@@ -321,6 +324,7 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se
 	 * @throws InternalError
 	 * @throws NotFoundError
 	 * @throws PermissionError
+	 * @throws BadRequestError
 	 */
 	#[NoAdminRequired]
 	#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]
@@ -380,6 +384,7 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da
 	 * @throws InternalError
 	 * @throws NotFoundError
 	 * @throws PermissionError
+	 * @throws BadRequestError
 	 */
 	#[NoAdminRequired]
 	#[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')]

lib/Service/ColumnService.php

@@ -258,6 +258,8 @@ public function create(
 			$i++;
 		}
 
+		$this->validateCustomSettings($columnDto->getCustomSettings());
+
 		$time = new DateTime();
 		$item = Column::fromDto($columnDto);
 		$item->setTitle($newTitle);
@@ -358,6 +360,7 @@ public function update(
 			$item->setUsergroupSelectGroups($columnDto->getUsergroupSelectGroups());
 			$item->setUsergroupSelectTeams($columnDto->getUsergroupSelectTeams());
 			$item->setShowUserStatus($columnDto->getShowUserStatus());
+			$this->validateCustomSettings($columnDto->getCustomSettings());
 			$item->setCustomSettings($columnDto->getCustomSettings());
 
 			$this->updateMetadata($item, $userId);
@@ -368,6 +371,36 @@ public function update(
 		}
 	}
 
+	/**
+	 * Validate custom settings
+	 *
+	 * @param string|null $customSettings JSON encoded custom settings
+	 * @throws BadRequestError
+	 */
+	private function validateCustomSettings(?string $customSettings): void {
+		if ($customSettings === null) {
+			return;
+		}
+
+		$settings = json_decode($customSettings, true);
+		if (!is_array($settings)) {
+			return;
+		}
+
+		if (isset($settings['width'])) {
+			$width = $settings['width'];
+			if (!is_numeric($width) || $width < 50 || $width > 1000) {
+				$translatedMessage = $this->l->t('Column width must be between %1$s and %2$s.', [50, 1000]);
+				throw new BadRequestError(
+					$translatedMessage,
+					0,
+					null,
+					$translatedMessage
+				);
+			}
+		}
+	}
+
 	private function updateMetadata(Column $column, ?string $userId, bool $setCreateData = false): void {
 		if ($userId) {
 			$column->setLastEditBy($userId);

openapi.json

@@ -4498,8 +4498,26 @@
                             }
                         }
                     },
+                    "400": {
+                        "description": "Validation error",
+                        "content": {
+                            "application/json": {
+                                "schema": {
+                                    "type": "object",
+                                    "required": [
+                                        "message"
+                                    ],
+                                    "properties": {
+                                        "message": {
+                                            "type": "string"
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    },
                     "500": {
-                        "description": "",
+                        "description": "Internal error",
                         "content": {
                             "application/json": {
                                 "schema": {

src/types/openapi/openapi.ts

@@ -3261,6 +3261,17 @@ export interface operations {
                     readonly "application/json": components["schemas"]["Column"];
                 };
             };
+            /** @description Validation error */
+            readonly 400: {
+                headers: {
+                    readonly [name: string]: unknown;
+                };
+                content: {
+                    readonly "application/json": {
+                        readonly message: string;
+                    };
+                };
+            };
             /** @description Current user is not logged in */
             readonly 401: {
                 headers: {
@@ -3272,6 +3283,7 @@ export interface operations {
                     };
                 };
             };
+            /** @description Internal error */
             readonly 500: {
                 headers: {
                     readonly [name: string]: unknown;

tests/integration/base-query-count.txt

@@ -1 +1 @@
-180450
+184171