From bab1fd3225bdcec6003ea7826ebac3422e45a1ba Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Mon, 2 Jul 2018 12:31:10 -0700
Subject: [PATCH] (dev/core#217) PrevNext - Sanitize the `markSelection()` contract
The contract feels quirky -- e.g. * Who would guess that `markSelection()` defaults to `$action == 'unselect'`? * What's the point of accepting `$entity_table` if it's never used? Fortunately, this function is only called from `CRM_Contact_Page_AJAX::selectUnselectContacts`, so it's fairly easy to audit and see that: * The `$action` is always passed in -- it never relies on the default value. * The `$entity_table` is never specified explicitly -- it always relies on the default value.
---
 CRM/Core/PrevNextCache/Interface.php | 6 ++----
 CRM/Core/PrevNextCache/Sql.php | 6 +++---
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/CRM/Core/PrevNextCache/Interface.php b/CRM/Core/PrevNextCache/Interface.php
index 161120ca00..212482fbd6 100644
--- a/CRM/Core/PrevNextCache/Interface.php
+++ b/CRM/Core/PrevNextCache/Interface.php
@@ -64,13 +64,11 @@ interface CRM_Core_PrevNextCache_Interface {
 * @param string $cacheKey
 * @param string $action
 * Ex: 'select', 'unselect'.
- * @param array|int|NULL $cIds
+ * @param array|int|NULL $ids
 * A list of contact IDs to (un)select.
 * To unselect all contact IDs, use NULL.
- * @param string $entity_table
- * Ex: 'civicrm_contact'.
 */
- public function markSelection($cacheKey, $action = 'unselect', $cIds = NULL, $entity_table = 'civicrm_contact');
+ public function markSelection($cacheKey, $action, $ids = NULL);

 /**
 * Get the selections.
diff --git a/CRM/Core/PrevNextCache/Sql.php b/CRM/Core/PrevNextCache/Sql.php
index 2bf5242fc3..9f7d99dc4e 100644
--- a/CRM/Core/PrevNextCache/Sql.php
+++ b/CRM/Core/PrevNextCache/Sql.php
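Review bot: The interface now names the third parameter `$ids`, but the `markSelection()` implementation in CRM/Core/PrevNextCache/Sql.php (second hunk) still declares and documents it as `$cIds`, so the two signatures no longer read the same. Either keep `$cIds` here or rename it in Sql.php in the same commit. With the default removed, the `$action` docblock could also state that the argument is required; if 'select' and 'unselect' are the only accepted values, `Required. One of 'select' or 'unselect'.` says so more clearly than `Ex: 'select', 'unselect'.`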
@@ -83,10 +83,10 @@ INSERT INTO civicrm_prevnext_cache ( entity_table, entity_id1, entity_id2, cache
 * @param array|int|NULL $cIds
 * A list of contact IDs to (un)select.
 * To unselect all contact IDs, use NULL.
- * @param string $entity_table
- * Ex: 'civicrm_contact'.
 */
- public function markSelection($cacheKey, $action = 'unselect', $cIds = NULL, $entity_table = 'civicrm_contact') {
+ public function markSelection($cacheKey, $action, $cIds = NULL) {
+ $entity_table = 'civicrm_contact';
+
 if (!$cacheKey) {
 return;
 }
-- 
2.25.1
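Review bot: `$action` is now a required argument, yet the visible start of the body guards only `$cacheKey`; nothing in this hunk rejects an `$action` other than 'select' or 'unselect'. The commit message names `CRM_Contact_Page_AJAX::selectUnselectContacts` as the only caller, so `$action` and `$cIds` presumably derive from request data, and this file builds SQL (the hunk header shows an `INSERT INTO civicrm_prevnext_cache`). The rest of the body is outside the hunk and may already handle this, but if it does not I would add an allow-list check beside the `$cacheKey` guard, e.g. `if (!in_array($action, ['select', 'unselect'], TRUE)) { return; }`, and confirm that every element of `$cIds` is cast to an integer before it reaches a query. Pinning `$entity_table` to a local value is a good step; a comment such as `// Fixed: callers cannot choose the table.` would discourage re-exposing it as a parameter.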