fix(theming): Adjust config listener to validate `apporder` config 41635/head
authorFerdinand Thiessen <opensource@fthiessen.de>
Tue, 21 Nov 2023 11:29:26 +0000 (12:29 +0100)
committerFerdinand Thiessen <opensource@fthiessen.de>
Tue, 21 Nov 2023 11:29:26 +0000 (12:29 +0100)
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
apps/theming/lib/Listener/BeforePreferenceListener.php

index 96d4ba6cf0d2141773f86fedf05a7b53acd19756..5eaf84d5226b23a1c4677e71ff83f0c48fe3489b 100644 (file)
@@ -79,12 +79,16 @@ class BeforePreferenceListener implements IEventListener {
                }
 
                $value = json_decode($event->getConfigValue(), true, flags:JSON_THROW_ON_ERROR);
-               if (is_array(($value))) {
-                       foreach ($value as $id => $info) {
-                               if (!is_array($info) || empty($info) || !isset($info['app']) || !$this->appManager->isEnabledForUser($info['app']) || !is_numeric($info['order'] ?? '')) {
-                                       // Invalid config value, refuse the change
-                                       return;
-                               }
+               if (!is_array(($value))) {
+                       // Must be an array
+                       return;
+               }
+
+               foreach ($value as $id => $info) {
+                       // required format: [ navigation_id: string => [ order: int, app?: string ] ]
+                       if (!is_string($id) || !is_array($info) || empty($info) || !isset($info['order']) || !is_numeric($info['order']) || (isset($info['app']) && !$this->appManager->isEnabledForUser($info['app']))) {
+                               // Invalid config value, refuse the change
+                               return;
                        }
                }
                $event->setValid(true);
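Review bot: The `app` entry reaches `isEnabledForUser()` in the new condition without a type check, although the format comment above it says `app?: string`; because the value comes from `json_decode` of a user preference, it can be an array, number or boolean. Tightening the last clause to `(isset($info['app']) && (!is_string($info['app']) || !$this->appManager->isEnabledForUser($info['app'])))` keeps every malformed shape on the plain `return` refusal path. Likewise `is_numeric($info['order'])` accepts numeric strings and floats such as `"1e3"` or `1.5`, which is looser than the documented `order: int`; `is_int($info['order'])` would match the comment, provided clients always send integers. The method starts and ends outside the hunk, so it is not visible here whether the `JsonException` raised by `JSON_THROW_ON_ERROR` on malformed input is caught and treated as a refusal.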