joinsCollectionsIds

fogelito · fogelito · commit f0ac90c3db21 · 2026-02-10T11:51:14.000+02:00
diff --git a/src/Database/Database.php b/src/Database/Database.php
@@ -442,6 +442,11 @@ class Database
      */
     protected array $documentTypes = [];
 
+    /**
+     * List of collections allowed to join
+     * @var array<string>
+     */
+    protected array $joinsCollectionsIds = [];
 
     /**
      * @var Authorization
@@ -5794,7 +5799,7 @@ public function updateDocuments(
                 minAllowedDate: $this->adapter->getMinDateTime(),
                 maxAllowedDate: $this->adapter->getMaxDateTime(),
                 supportForAttributes: $this->adapter->getSupportForAttributes(),
-                maxUIDLength: $this->adapter->getMaxUIDLength()
+                maxUIDLength: $this->adapter->getMaxUIDLength(),
             );
 
             if (!$validator->isValid($queries)) {
@@ -7513,7 +7518,7 @@ public function deleteDocuments(
                 minAllowedDate: $this->adapter->getMinDateTime(),
                 maxAllowedDate: $this->adapter->getMaxDateTime(),
                 supportForAttributes: $this->adapter->getSupportForAttributes(),
-                maxUIDLength: $this->adapter->getMaxUIDLength()
+                maxUIDLength: $this->adapter->getMaxUIDLength(),
             );
 
             if (!$validator->isValid($queries)) {
@@ -7763,7 +7768,8 @@ public function find(string $collection, array $queries = [], string $forPermiss
                 minAllowedDate: $this->adapter->getMinDateTime(),
                 maxAllowedDate: $this->adapter->getMaxDateTime(),
                 supportForAttributes: $this->adapter->getSupportForAttributes(),
-                maxUIDLength: $this->adapter->getMaxUIDLength()
+                maxUIDLength: $this->adapter->getMaxUIDLength(),
+                joinsCollectionsIds: $this->joinsCollectionsIds,
             );
             if (!$validator->isValid($queries)) {
                 throw new QueryException($validator->getDescription());
@@ -8017,7 +8023,8 @@ public function count(string $collection, array $queries = [], ?int $max = null)
                 minAllowedDate: $this->adapter->getMinDateTime(),
                 maxAllowedDate: $this->adapter->getMaxDateTime(),
                 supportForAttributes: $this->adapter->getSupportForAttributes(),
-                maxUIDLength: $this->adapter->getMaxUIDLength()
+                maxUIDLength: $this->adapter->getMaxUIDLength(),
+                joinsCollectionsIds: $this->joinsCollectionsIds,
             );
             if (!$validator->isValid($queries)) {
                 throw new QueryException($validator->getDescription());
@@ -8082,7 +8089,8 @@ public function sum(string $collection, string $attribute, array $queries = [],
                 minAllowedDate: $this->adapter->getMinDateTime(),
                 maxAllowedDate: $this->adapter->getMaxDateTime(),
                 supportForAttributes: $this->adapter->getSupportForAttributes(),
-                maxUIDLength: $this->adapter->getMaxUIDLength()
+                maxUIDLength: $this->adapter->getMaxUIDLength(),
+                joinsCollectionsIds: $this->joinsCollectionsIds,
             );
             if (!$validator->isValid($queries)) {
                 throw new QueryException($validator->getDescription());
@@ -9428,4 +9436,15 @@ private function rollbackAttributeMetadata(Document $collection, array $attribut
         );
         $collection->setAttribute('attributes', \array_values($filteredAttributes));
     }
+
+    /**
+     * Add Join Collection
+     *
+     * @param string $collectionId
+     * @return void
+     */
+    public function addJoinCollection(string $collectionId): void
+    {
+        $this->joinsCollectionsIds[$collectionId] = true;
+    }
 }
diff --git a/src/Database/Validator/Queries/V2.php b/src/Database/Validator/Queries/V2.php
@@ -63,7 +63,8 @@ public function __construct(
         int $maxLimit = PHP_INT_MAX,
         int $maxOffset = PHP_INT_MAX,
         protected bool $supportForAttributes = true,
-        protected int $maxUIDLength = Database::MAX_UID_DEFAULT_LENGTH
+        protected int $maxUIDLength = Database::MAX_UID_DEFAULT_LENGTH,
+        protected array $joinsCollectionsIds = []
     ) {
         $this->context = $context;
         $this->idAttributeType = $idAttributeType;
@@ -304,6 +305,10 @@ public function isValid($value, string $scope = ''): bool
                     case Query::TYPE_INNER_JOIN:
                     case Query::TYPE_LEFT_JOIN:
                     case Query::TYPE_RIGHT_JOIN:
+                        if (($this->joinsCollectionsIds[$query->getCollection()] ?? false) !== true) {
+                            throw new \Exception('Invalid query: Cannot ' . ucfirst($method) . ' this table.');
+                        }
+
                         $this->joinsAliasOrder[] = $query->getAlias();
 
                         $this->validateFilterQueries($query);
@@ -481,14 +486,18 @@ protected function validateAttributeExist(string $attributeId, string $alias, st
      */
     protected function validateAlias(Query $query): void
     {
-        $validator = new AliasValidator();
-
-        if (! $validator->isValid($query->getAlias())) {
-            throw new \Exception('Query '.\ucfirst($query->getMethod()).': '.$validator->getDescription());
+        if ($query->getAlias() !== '') {
+            $validator = new AliasValidator();
+            if (! $validator->isValid($query->getAlias())) {
+                throw new \Exception('Query '.\ucfirst($query->getMethod()).': '.$validator->getDescription());
+            }
         }
 
-        if (! $validator->isValid($query->getRightAlias())) {
-            throw new \Exception('Query '.\ucfirst($query->getMethod()).': '.$validator->getDescription());
+        if ($query->getRightAlias() !== '') {
+            $validator = new AliasValidator();
+            if (! $validator->isValid($query->getRightAlias())) {
+                throw new \Exception('Query '.\ucfirst($query->getMethod()).': '.$validator->getDescription());
+            }
         }
     }
 
diff --git a/tests/e2e/Adapter/Scopes/JoinsTests.php b/tests/e2e/Adapter/Scopes/JoinsTests.php
@@ -80,6 +80,23 @@ public function testJoin(): void
             '$permissions' => [],
         ]));
 
+        /**
+         * Test collection not whitelist
+         */
+        try {
+            $database->find('__users', [
+                Query::join('__sessions', 'B', [])
+            ]);
+            $this->fail('Failed to throw exception');
+        } catch (\Throwable $e) {
+            $this->assertTrue($e instanceof QueryException);
+            $this->assertEquals('Invalid query: Cannot InnerJoin this table.', $e->getMessage());
+        }
+
+        $database->addJoinCollection('__users');
+        $database->addJoinCollection('__sessions');
+        $database->addJoinCollection('__banks');
+
         /**
          * Test $session1 does not have read permissions
          * Test right attribute is internal attribute
