Empty 'usage' property for command declares it non-executable.

Default for system commands, so they can't be executed by any user.

Empty 'usage' property for command declares it non-executable.
Default for system commands, so they can't be executed by any user.
4ac95479 · Armando Lüscher · afc0bc16 · 4ac95479 · 4ac95479 · 4ac95479
Unverified Commit 4ac95479 authored Jun 13, 2019 by Armando Lüscher
Showing with 25 additions and 19 deletions

CHANGELOG.md CHANGELOG.md +3 -0

SystemCommand.php src/Commands/SystemCommand.php +7 -0

StartCommand.php src/Commands/UserCommands/StartCommand.php +5 -10

Telegram.php src/Telegram.php +10 -9

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,11 +8,13 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
 ### Changed
 - Use PSR-12 for code style.
 ### Deprecated
+- [:exclamation:][unreleased-bc-startcommand-is-now-a-usercommand] `StartCommand` is now a `UserCommand` (not `SystemCommand` any more).
 ### Removed
 - Botan.io integration completely removed.
 ### Fixed
 - `forward_date` is now correctly saved to the DB.
 ### Security
+- Don't allow a user to call system commands directly.
 ## [0.57.0] - 2019-06-01
 :exclamation: After updating to this version, you will need to execute the [SQL migration script][0.57.0-sql-migration] on your database.
@@ -265,6 +267,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
 - Move `hideKeyboard` to `removeKeyboard`.
 [unreleased-sql-migration]: https://github.com/php-telegram-bot/core/tree/develop/utils/db-schema-update/unreleased.sql
+[unreleased-bc-startcommand-is-now-a-usercommand]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#startcommand-is-now-a-usercommand
 [0.57.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.56.0-0.57.0.sql
 [0.55.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.54.1-0.55.0.sql
 [0.55.0-bc-move-animation-out-of-games-namespace]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#move-animation-out-of-games-namespace

--- a/src/Commands/SystemCommand.php
+++ b/src/Commands/SystemCommand.php
@@ -14,6 +14,13 @@ use Longman\TelegramBot\Request;
 abstract class SystemCommand extends Command
 {
+    /**
+     * @{inheritdoc}
+     *
+     * Set to empty string to disallow users calling system commands.
+     */
+    protected $usage = '';
    /**
     * A system command just executes
     *

--- a/src/Commands/SystemCommands/StartCommand.php
+++ b/src/Commands/SystemCommands/StartCommand.php
@@ -8,17 +8,14 @@
 * file that was distributed with this source code.
 */
-namespace Longman\TelegramBot\Commands\SystemCommands;
+namespace Longman\TelegramBot\Commands\UserCommands;
-use Longman\TelegramBot\Commands\SystemCommand;
+use Longman\TelegramBot\Commands\UserCommand;
-use Longman\TelegramBot\Request;
 /**
 * Start command
- *
- * @todo Remove due to deprecation!
 */
-class StartCommand extends SystemCommand
+class StartCommand extends UserCommand
 {
    /**
     * @var string
@@ -38,12 +35,12 @@ class StartCommand extends SystemCommand
    /**
     * @var string
     */
-    protected $version = '1.0.0';
+    protected $version = '1.1.0';
    /**
     * Command execute method
     *
-     * @return mixed
+     * @return \Longman\TelegramBot\Entities\ServerResponse
     * @throws \Longman\TelegramBot\Exception\TelegramException
     */
    public function execute()
@@ -52,8 +49,6 @@ class StartCommand extends SystemCommand
        //$chat_id = $message->getChat()->getId();
        //$user_id = $message->getFrom()->getId();
-        trigger_error(__CLASS__ . ' is deprecated and will be removed and handled by ' . GenericmessageCommand::class . ' by default in a future release.', E_USER_DEPRECATED);
        return parent::execute();
    }
 }
--- a/src/Telegram.php
+++ b/src/Telegram.php
@@ -461,15 +461,16 @@ class Telegram
        if ($update_type === 'message') {
            $message = $this->update->getMessage();
            $type    = $message->getType();
-            if ($type === 'command') {
-                $command = $message->getCommand();
+            // Let's check if the message object has the type field we're looking for...
-            } else {
+            $command_tmp = $type === 'command' ? $message->getCommand() : $this->getCommandFromType($type);
-                // Let's check if the message object has the type field we're looking for
+            // ...and if a fitting command class is available.
-                // and if a fitting command class is available.
+            $command_obj = $this->getCommandObject($command_tmp);
-                $command_tmp = $this->getCommandFromType($type);
-                if ($this->getCommandObject($command_tmp) !== null) {
+            // Empty usage string denotes a non-executable command.
-                    $command = $command_tmp;
+            // @see https://github.com/php-telegram-bot/core/issues/772#issuecomment-388616072
-                }
+            if ($command_obj !== null && $command_obj->getUsage() !== '') {
+                $command = $command_tmp;
            }
        } else {
            $command = $this->getCommandFromType($update_type);