From fa2c834aab79fa96112d16e569190facd2c589b6 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Tue, 21 Nov 2023 12:29:26 +0100
Subject: [PATCH] fix(theming): Adjust config listener to validate `apporder` config

Signed-off-by: Ferdinand Thiessen
---
 .../lib/Listener/BeforePreferenceListener.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/apps/theming/lib/Listener/BeforePreferenceListener.php b/apps/theming/lib/Listener/BeforePreferenceListener.php
index 96d4ba6cf0d..5eaf84d5226 100644
--- a/apps/theming/lib/Listener/BeforePreferenceListener.php
+++ b/apps/theming/lib/Listener/BeforePreferenceListener.php
@@ -79,12 +79,16 @@ class BeforePreferenceListener implements IEventListener {
 }
 $value = json_decode($event->getConfigValue(), true, flags:JSON_THROW_ON_ERROR);
- if (is_array(($value))) {
- foreach ($value as $id => $info) {
- if (!is_array($info) || empty($info) || !isset($info['app']) || !$this->appManager->isEnabledForUser($info['app']) || !is_numeric($info['order'] ?? '')) {
- // Invalid config value, refuse the change
- return;
- }
+ if (!is_array(($value))) {
+ // Must be an array
+ return;
+ }
+
+ foreach ($value as $id => $info) {
+ // required format: [ navigation_id: string => [ order: int, app?: string ] ]
+ if (!is_string($id) || !is_array($info) || empty($info) || !isset($info['order']) || !is_numeric($info['order']) || (isset($info['app']) && !$this->appManager->isEnabledForUser($info['app']))) {
+ // Invalid config value, refuse the change
+ return;
 }
 }
 $event->setValid(true);
--
2.39.5
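Review bot: In the new `foreach` check, `$info['app']` comes straight from the JSON-decoded preference and is handed to `$this->appManager->isEnabledForUser()` without confirming it is a string, so a nested array or a number in that field reaches the app manager instead of being refused here. I would tighten that clause to `(isset($info['app']) && (!is_string($info['app']) || !$this->appManager->isEnabledForUser($info['app'])))`. The comment on the line above documents `order: int`, yet `is_numeric($info['order'])` also accepts floats and numeric strings such as `"1e3"`; if clients only ever send integers, `!is_int($info['order'])` would match the documented format, otherwise the comment should say numeric. The enclosing method starts and ends outside the hunk, so how a `JsonException` from the `json_decode` context line is handled cannot be judged from here.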