b29a268b1d
- Move completed plan files to .plans/done/ - Move 18 open plan files to .plans/open/ - Update .gitignore to exclude .verified_plans temp file - Verified all 18 open plans still describe unimplemented issues
2.2 KiB
# Issue #217: No Request Validation Layer

## Problem

Input validation is scattered across controllers and services:

- **Controller level**: Some controllers validate only that input exists:
  ```php
  $data = $this->getRequestData(); // Assumes $data is always valid
  ```
- **Service level**: `MemberService::validateRequiredFields()` checks for required fields:
  ```php
  private function validateRequiredFields(array $data): void {
      $required = ['vorname', 'nachname', 'eintritt'];
      // ...
  }
  ```
- **No type validation**: Phone numbers are validated via `PhoneValidator::validateAndNormalize()`, but other fields have no type checking.
- **No schema validation**: There is no declarative validation schema.
## Impact
- Inconsistent validation (some fields validated, others not)
- Potential security issues (SQL injection mitigated by ORM, but XSS, etc. not checked)
- Difficult to know what validation exists for each endpoint
- No auto-generated API documentation from validation schemas
## Solution

Implement a validation layer using Symfony Validator or similar:
```php
use Symfony\Component\Validator\Constraints as Assert;

class CreateMemberRequest {
    #[Assert\NotBlank]
    #[Assert\Length(min: 1, max: 100)]
    public string $vorname = '';

    #[Assert\NotBlank]
    #[Assert\Length(min: 1, max: 100)]
    public string $nachname = '';

    #[Assert\NotBlank]
    #[Assert\Date]
    public string $eintritt = '';

    #[Assert\Date]
    public ?string $geburtsdatum = null;

    #[Assert\Choice(['maennlich', 'weiblich', 'divers'])]
    public ?string $geschlecht = null;
}

public function create(): JSONResponse {
    $data = $this->getRequestData();
    // Symfony's validate() takes the object to check, not a class name,
    // so hydrate the DTO first; keys the DTO does not declare are ignored.
    $dto = new CreateMemberRequest();
    foreach ($data as $field => $value) {
        if (property_exists($dto, $field)) {
            $dto->$field = $value;
        }
    }
    $violations = $this->validator->validate($dto);
    if (count($violations) > 0) {
        return $this->validationError($violations);
    }
    // ...
}
```
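A stand-alone version of the proposed layer, added here as an example rather than code from the project: it hydrates the DTO from raw request data, rejects undeclared keys and non-string values before they reach the typed properties, and returns the structured field → messages map the Tasks list asks for. It assumes `symfony/validator` 6.4 or newer is installed via Composer (the `enableAttributeMapping()` builder call is an assumption about that version), and the sample input is constructed.

```php
<?php
// Added example, not the project's code. Assumes symfony/validator >= 6.4 is
// installed via Composer (enableAttributeMapping() is not in older releases).
require __DIR__ . '/vendor/autoload.php';
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Validation;

final class CreateMemberRequest
{
    #[Assert\NotBlank]
    #[Assert\Length(min: 1, max: 100)]
    public string $vorname = '';
    #[Assert\NotBlank]
    #[Assert\Length(min: 1, max: 100)]
    public string $nachname = '';
    #[Assert\NotBlank]
    #[Assert\Date]
    public string $eintritt = '';
    #[Assert\Choice(['maennlich', 'weiblich', 'divers'])]
    public ?string $geschlecht = null;
}

// Hydrate a DTO from raw request data and validate it. Returns [] when valid,
// otherwise a field => [messages] map. Undeclared keys are reported instead of
// silently dropped; non-string values are rejected before assignment (no TypeError).
function validateRequest(array $data, string $dtoClass): array
{
    $dto = new $dtoClass();
    $errors = [];
    foreach ($data as $field => $value) {
        if (!property_exists($dto, $field)) {
            $errors[$field][] = 'Unknown field.';
        } elseif ($value === null) {
            continue;                       // keep the declared default
        } elseif (!is_string($value)) {
            $errors[$field][] = 'Must be a string.';
        } else {
            $dto->$field = $value;
        }
    }
    $validator = Validation::createValidatorBuilder()->enableAttributeMapping()->getValidator();
    foreach ($validator->validate($dto) as $violation) {
        $errors[$violation->getPropertyPath()][] = $violation->getMessage();
    }
    return $errors;
}

// Constructed input: nachname missing, bad date, value outside the Choice set, undeclared key.
$input = ['vorname' => 'Anna', 'eintritt' => '2024-13-01', 'geschlecht' => 'x', 'is_admin' => '1'];
print_r(validateRequest($input, CreateMemberRequest::class));
```

Running it reports violations for `nachname`, `eintritt`, `geschlecht` and the undeclared `is_admin` key, which is the shape a `validationError()` response can serialise directly.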
## Tasks
- Add Symfony Validator dependency
- Create validation DTOs for each endpoint
- Add Assert annotations for all fields
- Implement validation middleware or base controller method
- Return structured validation errors (field → message)
- Update services to remove inline validation (keep business logic only)
- Add tests for validation rules
## Labels
- enhancement
- security
- backend
- priority:medium