Add Telegram as a configurable social link#258
Conversation
|
Warning Review limit reached
Next review available in: 47 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (12)
📝 WalkthroughWalkthroughAggiunge ChangesLink social Telegram
Estimated code review effort: 2 (Simple) | ~10 minuti Sequence Diagram(s)sequenceDiagram
participant Admin
participant SettingsController
participant SettingsRepository
participant ConfigStore
participant Footer
Admin->>SettingsController: invia social_telegram
SettingsController->>SettingsRepository: salva impostazione
SettingsController->>ConfigStore: sincronizza configurazione
Footer->>ConfigStore: legge app.social_telegram
ConfigStore-->>Footer: restituisce URL Telegram
Footer-->>Admin: renderizza link se valorizzato
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@app/Controllers/SettingsController.php`:
- Line 131: Aggiorna la gestione di social_telegram in SettingsController per
sanitizzare lato server l’URL tramite HtmlHelper::sanitizePublicHttpUrl().
Mantieni vuoto il valore se l’input è vuoto, ma rifiuta gli URL non validi o con
schemi non HTTP(S) prima della persistenza, evitando di salvare valori come
javascript:.
In `@app/Views/frontend/layout.php`:
- Around line 1678-1681: Replace HtmlHelper::e($socialTelegram) with
htmlspecialchars($socialTelegram, ENT_QUOTES, 'UTF-8') in the Telegram href of
app/Views/frontend/layout.php lines 1678-1681 and app/Views/user_layout.php
lines 1067-1070; no other changes are needed.
In `@docs/settings.MD`:
- Line 40: Aggiorna la descrizione operativa dei social nella sezione successiva
della documentazione, includendo Telegram insieme alle piattaforme già elencate.
Mantieni invariato il resto dei contenuti e allinea l’elenco alla voce della
tabella `general`.
In `@installer/database/data_it_IT.sql`:
- Line 284: Rendi non distruttivo il seeding della chiave social_telegram
nell’INSERT bulk con ON DUPLICATE KEY UPDATE: il valore vuoto deve essere
inserito solo quando la chiave non esiste e non deve sovrascrivere un link
Telegram già configurato durante riesecuzioni del seeder.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2eb7e2a5-1609-4a78-bb7d-641a869af153
📒 Files selected for processing (12)
app/Controllers/SettingsController.phpapp/Support/ConfigStore.phpapp/Views/frontend/layout.phpapp/Views/settings/index.phpapp/Views/user_layout.phpdocs/settings.MDinstaller/database/data_de_DE.sqlinstaller/database/data_en_US.sqlinstaller/database/data_fr_FR.sqlinstaller/database/data_it_IT.sqlinstaller/database/migrations/migrate_0.7.35.sqltests/issue-257-telegram-social-links.unit.php
| 'social_instagram' => trim((string) ($data['social_instagram'] ?? '')), | ||
| 'social_linkedin' => trim((string) ($data['social_linkedin'] ?? '')), | ||
| 'social_bluesky' => trim((string) ($data['social_bluesky'] ?? '')), | ||
| 'social_telegram' => trim((string) ($data['social_telegram'] ?? '')), |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Validare e sanitizzare l’URL Telegram lato server.
type="url" è solo una validazione client-side: un POST arbitrario può salvare javascript: o altri schemi pericolosi, che diventano eseguibili quando il valore viene usato nel footer. Riusa HtmlHelper::sanitizePublicHttpUrl() e rifiuta valori non vuoti non validi prima di persisterli.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@app/Controllers/SettingsController.php` at line 131, Aggiorna la gestione di
social_telegram in SettingsController per sanitizzare lato server l’URL tramite
HtmlHelper::sanitizePublicHttpUrl(). Mantieni vuoto il valore se l’input è
vuoto, ma rifiuta gli URL non validi o con schemi non HTTP(S) prima della
persistenza, evitando di salvare valori come javascript:.
Source: Path instructions
There was a problem hiding this comment.
My change is stereotyped, the issue targets the existing code.
There was a problem hiding this comment.
@Himura2la, corretto che il pattern esisteva già. Tuttavia social_telegram aggiunge un nuovo input persistito e renderizzato nel footer, quindi eredita direttamente la stessa vulnerabilità.
Per una correzione coerente, validerei tutti i link social nel loop con HtmlHelper::sanitizePublicHttpUrl() e rifiuterei qualsiasi valore non vuoto che non sia HTTP(S), invece di limitarsi a Telegram.
| <?php if ($socialTelegram !== ''): ?> | ||
| <a href="<?= HtmlHelper::e($socialTelegram) ?>" target="_blank" rel="noopener noreferrer"><i | ||
| class="fa-brands fa-telegram"></i></a> | ||
| <?php endif; ?> |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win
Violazione delle direttive di progetto: non usare HtmlHelper::e() nelle view.
Entrambi i file utilizzano HtmlHelper::e() all'interno dell'attributo href del link Telegram. Come da istruzioni di progetto, l'uso di HtmlHelper::e() nelle view è severamente vietato e costituisce un rischio per la sicurezza (XSS). Occorre usare obbligatoriamente htmlspecialchars(..., ENT_QUOTES, 'UTF-8') per tutti gli attributi HTML.
app/Views/frontend/layout.php#L1678-L1681: sostituisciHtmlHelper::e($socialTelegram)conhtmlspecialchars($socialTelegram, ENT_QUOTES, 'UTF-8').app/Views/user_layout.php#L1067-L1070: sostituisciHtmlHelper::e($socialTelegram)conhtmlspecialchars($socialTelegram, ENT_QUOTES, 'UTF-8').
🛡️ Modifica suggerita
- <a href="<?= HtmlHelper::e($socialTelegram) ?>" target="_blank" rel="noopener noreferrer"><i
+ <a href="<?= htmlspecialchars($socialTelegram, ENT_QUOTES, 'UTF-8') ?>" target="_blank" rel="noopener noreferrer"><i
class="fa-brands fa-telegram"></i></a>📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| <?php if ($socialTelegram !== ''): ?> | |
| <a href="<?= HtmlHelper::e($socialTelegram) ?>" target="_blank" rel="noopener noreferrer"><i | |
| class="fa-brands fa-telegram"></i></a> | |
| <?php endif; ?> | |
| <?php if ($socialTelegram !== ''): ?> | |
| <a href="<?= htmlspecialchars($socialTelegram, ENT_QUOTES, 'UTF-8') ?>" target="_blank" rel="noopener noreferrer"><i | |
| class="fa-brands fa-telegram"></i></a> | |
| <?php endif; ?> |
📍 Affects 2 files
app/Views/frontend/layout.php#L1678-L1681(this comment)app/Views/user_layout.php#L1067-L1070
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@app/Views/frontend/layout.php` around lines 1678 - 1681, Replace
HtmlHelper::e($socialTelegram) with htmlspecialchars($socialTelegram,
ENT_QUOTES, 'UTF-8') in the Telegram href of app/Views/frontend/layout.php lines
1678-1681 and app/Views/user_layout.php lines 1067-1070; no other changes are
needed.
Source: Path instructions
There was a problem hiding this comment.
My change is stereotyped, the issue targets the existing code.
There was a problem hiding this comment.
@Himura2la Capisco: il pattern esisteva già. Tuttavia, le due occorrenze di Telegram sono nuove in questa PR e ricadono nella regola esplicita per app/Views/**.
La richiesta resta quindi limitata ai nuovi link Telegram; non richiede di modificare i link social preesistenti.
db64bb4 to
c2c396f
Compare
c2c396f to
735762b
Compare
|
sorry for several AI-review triggers, I fucked up with git history two times... UPD: oh, I see it did not run on on my amends/force-pushes, great! Review limit saved us. |
…updater message + official image in README - Social links (footer, frontend + user layouts) now pass through HtmlHelper::sanitizePublicHttpUrl() at load, so only clean http(s) URLs are rendered — a javascript:/no-scheme/credentialed value stored for ANY social (facebook, twitter, instagram, linkedin, bluesky) collapses to no link instead of a clickable href. The hrefs escape with htmlspecialchars(..., ENT_QUOTES) per the view rule (HtmlHelper::e removed from the social hrefs). This closes the same stored-URL class the Telegram PR (#258) surfaced, at the root and for every social, not just one. - Updater: the "files not writable inside a container" message no longer presumes "you're running the Docker image". It's reached only after the writability check already failed (a community image with a writable code volume passes that check and never lands here), so the wording now states the real condition and covers both the official read-only image (fabiodalez/pinakes) and a community image whose code volume is currently read-only. Reworded in all four locales. - README: added the official Docker image — fabiodalez/pinakes on Docker Hub (+ GHCR), source at fabiodalez-dev/pinakes-docker — and clarified the community jbenamy image keeps code in a writable volume.
|
A few notes on the CodeRabbit findings — two of the three are pre-existing patterns across all the social links, not anything this PR introduced:
So after a rebase this reduces to just the |
Implements #257
AI Description
This PR adds
social_telegramacross the same paths currently used by other app social links, so Telegram can be configured in admin settings and rendered in public/user footers. It also adds DB coverage for both fresh installs (seed data) and upgrades (migration).Config + persistence wiring
social_telegramto app defaults and DB-loaded social key set inConfigStore.social_telegramto general settings save/load flow inSettingsController.Admin settings UI
social_telegram), with Font Awesome brand icon and Telegram placeholder URL.fa-brands fa-telegram.Frontend rendering
app.social_telegramread in both layout templates:app/Views/frontend/layout.phpapp/Views/user_layout.phpDatabase install/upgrade coverage
app.social_telegramseed row to:installer/database/data_en_US.sqlinstaller/database/data_de_DE.sqlinstaller/database/data_fr_FR.sqlinstaller/database/data_it_IT.sqlinstaller/database/migrations/migrate_0.7.35.sqlinserting the new setting for existing installations.Docs + focused regression guard
docs/settings.MD.tests/issue-257-telegram-social-links.unit.php.Summary by CodeRabbit
Nuove funzionalità
Documentazione
Test