From d437f7aa80639ab31593d1025f6a9b962f55907e Mon Sep 17 00:00:00 2001 From: Breno Roosevelt Date: Fri, 27 Apr 2018 15:33:55 -0400 Subject: [PATCH 1/2] unavaliable include responds bad request --- src/Listener/JsonApiListener.php | 6 ++- .../TestCase/Listener/JsonApiListenerTest.php | 43 +++++++++++++++++-- 2 files changed, 44 insertions(+), 5 deletions(-) diff --git a/src/Listener/JsonApiListener.php b/src/Listener/JsonApiListener.php index 260aba5c..14256d6f 100644 --- a/src/Listener/JsonApiListener.php +++ b/src/Listener/JsonApiListener.php @@ -292,10 +292,14 @@ protected function _includeParameter($includes, Subject $subject, $options) } $includes = Hash::filter((array)$includes); - if (empty($includes) || $options['blacklist'] === true || $options['whitelist'] === false) { + if (empty($includes)) { return; } + if($options['blacklist'] === true || $options['whitelist'] === false) { + throw new BadRequestException("The include parameter is not supported"); + } + $this->config('include', []); $includes = Hash::expand(Hash::normalize($includes)); $blacklist = is_array($options['blacklist']) ? Hash::expand(Hash::normalize(array_fill_keys($options['blacklist'], true))) : $options['blacklist']; diff --git a/tests/TestCase/Listener/JsonApiListenerTest.php b/tests/TestCase/Listener/JsonApiListenerTest.php index 97ffb7b7..b3c4c9bd 100644 --- a/tests/TestCase/Listener/JsonApiListenerTest.php +++ b/tests/TestCase/Listener/JsonApiListenerTest.php 
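Review bot: The new `throw new BadRequestException("The include parameter is not supported");` in `_includeParameter` is not documented, and this hunk adds no `use` line for the class. Confirm that `Cake\Network\Exception\BadRequestException` (the class the new test expects) is already imported at the top of JsonApiListener.php, and add `@throws \Cake\Network\Exception\BadRequestException When includes are requested but disabled by the blacklist/whitelist options` to the method docblock. The guard covers only `blacklist === true` and `whitelist === false`. A request naming a single path that is not permitted is handled by the filtering further down, which is outside this hunk, so it is worth checking that the client-supplied `include` value is rejected there in the same way rather than silently dropped. The method starts before and ends after the lines shown here.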
@@ -1421,6 +1421,40 @@ public function includeQueryProvider() ], ['cultures', 'currency'] ], + ]; + } + + /** + * Make sure that the include query correct splits include string into a containable format + * + * @return void + * @dataProvider includeQueryProvider + */ + public function testIncludeQuery($include, $options, $expectedContain, $expectedInclude) + { + $listener = new JsonApiListener(new Controller()); + $this->setReflectionClassInstance($listener); + + $subject = new Subject(); + + $query = $this + ->getMockBuilder(Query::class) + ->disableOriginalConstructor() + ->getMock(); + + $subject->query = $query; + $subject->query + ->expects($this->any()) + ->method('repository') + ->willReturn(TableRegistry::get('Countries')); + + $this->callProtectedMethod('_includeParameter', [$include, $subject, $options], $listener); + $this->assertSame($expectedInclude, $listener->config('include')); + } + + public function includeQueryBadRequestProvider() + { + return [ 'blacklist everything' => [ 'cultures,currencies.countries', ['blacklist' => true, 'whitelist' => ['cultures', 'currencies.countries']], @@ -1437,12 +1471,14 @@ public function includeQueryProvider() } /** - * Make sure that the include query correct splits include string into a containable format + * Ensure that the whiteList nothing or blackList everything do not accept any include parameter, and responds with + * BadRequestException * * @return void - * @dataProvider includeQueryProvider + * @dataProvider includeQueryBadRequestProvider + * @expectedException \Cake\Network\Exception\BadRequestException */ - public function testIncludeQuery($include, $options, $expectedContain, $expectedInclude) + public function testIncludeQueryBadRequest($include, $options, $expectedContain, $expectedInclude) { $listener = new JsonApiListener(new Controller()); $this->setReflectionClassInstance($listener); 
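Review bot: `testIncludeQueryBadRequest` exercises only the throwing path, so nothing visible here pins the order of the two checks in `_includeParameter`: a request with no `include` against `['blacklist' => true]` or `['whitelist' => false]` must still return without an exception. Unless a provider entry outside these hunks already covers it, add a case with an empty include value for each of those options. The `$expectedContain` and `$expectedInclude` parameters are unused in the new test (its assertion is removed in the following hunk), so the entries in `includeQueryBadRequestProvider` could be reduced to `$include` and `$options`. If the PHPUnit version in use supports it, `$this->expectException(\Cake\Network\Exception\BadRequestException::class);` placed directly before the `callProtectedMethod` call states the expectation next to the call it applies to, whereas the `@expectedException` annotation covers the whole test body, setup included.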
@@ -1465,7 +1501,6 @@ public function testIncludeQuery($include, $options, $expectedContain, $expected ->willReturn(TableRegistry::get('Countries')); $this->callProtectedMethod('_includeParameter', [$include, $subject, $options], $listener); - $this->assertSame($expectedInclude, $listener->config('include')); } /** From 7138d744ae350cbac9056be0aeaef1f3cdef4f4f Mon Sep 17 00:00:00 2001 From: Breno Roosevelt Date: Fri, 27 Apr 2018 15:44:59 -0400 Subject: [PATCH 2/2] fix phpcs --- src/Listener/JsonApiListener.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Listener/JsonApiListener.php b/src/Listener/JsonApiListener.php index 14256d6f..0475e032 100644 --- a/src/Listener/JsonApiListener.php +++ b/src/Listener/JsonApiListener.php @@ -296,7 +296,7 @@ protected function _includeParameter($includes, Subject $subject, $options) return; } - if($options['blacklist'] === true || $options['whitelist'] === false) { + if ($options['blacklist'] === true || $options['whitelist'] === false) { throw new BadRequestException("The include parameter is not supported"); }