refactor(actions): centralize core page request/csrf guards
This commit is contained in:
@@ -4,7 +4,6 @@ use MintyPHP\Buffer;
|
||||
use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Service\Auth\AuthServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
@@ -16,7 +15,7 @@ $email = trim((string) $request->body('email', ''));
|
||||
$passwordResetService = (app(AuthServicesFactory::class))->createPasswordResetService();
|
||||
|
||||
if ($request->isMethod('POST')) {
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf('password/forgot', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
$errorBag->addGlobal(t('Form expired, please try again'));
|
||||
} elseif ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
|
||||
$errorBag->addGlobal(t('Please enter a valid email address'));
|
||||
|
||||
@@ -8,7 +8,6 @@ use MintyPHP\Service\Auth\AuthServicesFactory;
|
||||
use MintyPHP\Service\Security\SecurityServicesFactory;
|
||||
use MintyPHP\Service\Tenant\TenantServicesFactory;
|
||||
use MintyPHP\Service\User\UserServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$requestRuntime = app(RequestRuntimeInterface::class);
|
||||
@@ -172,8 +171,8 @@ $resolveSelectedTenantId = static function (array $candidateByIdValue, int $requ
|
||||
return (int) ($first['id'] ?? 0);
|
||||
};
|
||||
|
||||
if (requestInput()->method() === 'POST') {
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (requestInput()->isMethod('POST')) {
|
||||
if (!actionRequireCsrf('login', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
$errorBag->addGlobal(t('Form expired, please try again'));
|
||||
$stage = 'resolve_email';
|
||||
} else {
|
||||
|
||||
@@ -4,7 +4,6 @@ use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Service\Auth\AuthServicesFactory;
|
||||
use MintyPHP\Service\User\UserServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
@@ -17,7 +16,7 @@ if (!allowRegistration()) {
|
||||
}
|
||||
|
||||
if ($request->isMethod('POST')) {
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf('register', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
$error = t('Form expired, please try again');
|
||||
} elseif ($request->hasBody('email')) {
|
||||
$authService = (app(AuthServicesFactory::class))->createAuthService();
|
||||
|
||||
@@ -5,7 +5,6 @@ use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Service\Auth\AuthServicesFactory;
|
||||
use MintyPHP\Service\User\UserServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
@@ -24,7 +23,7 @@ if ($resetId <= 0) {
|
||||
}
|
||||
|
||||
if ($request->isMethod('POST')) {
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf('password/reset', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
$errorBag->addGlobal(t('Form expired, please try again'));
|
||||
} else {
|
||||
$result = $passwordResetService->resetPassword($resetId, $password, $password2);
|
||||
|
||||
@@ -4,7 +4,6 @@ use MintyPHP\Buffer;
|
||||
use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Service\Auth\AuthServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
@@ -18,7 +17,7 @@ $code = trim((string) $request->body('code', ''));
|
||||
$passwordResetService = (app(AuthServicesFactory::class))->createPasswordResetService();
|
||||
|
||||
if ($request->isMethod('POST')) {
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf('password/verify', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
$errorBag->addGlobal(t('Form expired, please try again'));
|
||||
} elseif ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
|
||||
$errorBag->addGlobal(t('Please enter a valid email address'));
|
||||
|
||||
@@ -4,7 +4,6 @@ use MintyPHP\Buffer;
|
||||
use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Service\Auth\AuthServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
@@ -20,7 +19,7 @@ $emailVerificationService = (app(AuthServicesFactory::class))->createEmailVerifi
|
||||
if ($request->isMethod('POST')) {
|
||||
$action = (string) $request->body('action', 'verify');
|
||||
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf('verify-email', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
$errorBag->addGlobal(t('Form expired, please try again'));
|
||||
} elseif ($action === 'resend') {
|
||||
// Resend verification code
|
||||
|
||||
@@ -2,17 +2,17 @@
|
||||
|
||||
use MintyPHP\Http\Request;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$target = Request::safeReturnTarget(requestInput()->bodyAll()['return'] ?? '');
|
||||
$request = requestInput();
|
||||
$target = Request::safeReturnTarget($request->bodyAll()['return'] ?? '');
|
||||
|
||||
if (requestInput()->method() !== 'POST') {
|
||||
Router::redirect($target);
|
||||
if (!actionRequirePost($target)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (!Session::checkCsrfToken()) {
|
||||
Router::redirect($target);
|
||||
if (!actionRequireCsrf($target, flashOnFailure: false)) {
|
||||
return;
|
||||
}
|
||||
|
||||
$flashId = isset($id) ? trim((string) $id) : '';
|
||||
|
||||
@@ -5,14 +5,13 @@ use MintyPHP\Http\SessionStoreInterface;
|
||||
use MintyPHP\I18n;
|
||||
use MintyPHP\Router;
|
||||
use MintyPHP\Service\User\UserServicesFactory;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
$session = $sessionStore->all();
|
||||
|
||||
$request = requestInput();
|
||||
if ($request->isMethod('POST') && !Session::checkCsrfToken()) {
|
||||
if ($request->isMethod('POST') && !actionRequireCsrf('', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
Flash::error(t('Form expired, please try again'), '', 'csrf_expired');
|
||||
Router::redirect('');
|
||||
return;
|
||||
|
||||
@@ -7,7 +7,6 @@ use MintyPHP\Router;
|
||||
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
|
||||
use MintyPHP\Service\Access\UiAccessService;
|
||||
use MintyPHP\Service\Content\PageService;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
@@ -21,6 +20,10 @@ if ($currentUserId <= 0) {
|
||||
}
|
||||
|
||||
$return = Request::safeReturnTarget((string) (requestInput()->bodyAll()['return'] ?? ''));
|
||||
if (!actionRequirePost($return !== '' ? $return : '')) {
|
||||
return;
|
||||
}
|
||||
|
||||
$canEdit = app(UiAccessService::class)->allow(
|
||||
$currentUserId,
|
||||
SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_UPDATE
|
||||
@@ -31,7 +34,7 @@ if (!$canEdit) {
|
||||
Router::redirect($return !== '' ? $return : '');
|
||||
}
|
||||
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf($return !== '' ? $return : '', flashOnFailure: false, redirectOnFailure: false)) {
|
||||
Flash::error(t('Form expired, please try again'), $return, 'page_csrf');
|
||||
Router::redirect($return !== '' ? $return : '');
|
||||
}
|
||||
|
||||
@@ -8,11 +8,11 @@ use MintyPHP\Router;
|
||||
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
|
||||
use MintyPHP\Service\Access\UiAccessService;
|
||||
use MintyPHP\Service\Content\PageService;
|
||||
use MintyPHP\Session;
|
||||
use MintyPHP\Support\Flash;
|
||||
|
||||
$sessionStore = app(SessionStoreInterface::class);
|
||||
$session = $sessionStore->all();
|
||||
$request = requestInput();
|
||||
|
||||
$slug = trim((string) ($slug ?? ''));
|
||||
if ($slug === '') {
|
||||
@@ -38,7 +38,7 @@ $returnPath = Request::path();
|
||||
if ($returnPath === '') {
|
||||
$returnPath = 'page/' . $slug;
|
||||
}
|
||||
$requestedReturn = Request::safeReturnTarget((string) (requestInput()->bodyAll()['return'] ?? ''));
|
||||
$requestedReturn = Request::safeReturnTarget((string) ($request->bodyAll()['return'] ?? ''));
|
||||
if ($requestedReturn !== '') {
|
||||
$returnPath = $requestedReturn;
|
||||
}
|
||||
@@ -62,7 +62,7 @@ if (!empty($session['page_edit_mode']) && is_array($session['page_edit_mode']))
|
||||
$sessionStore->set('page_edit_mode', $pageEditMode);
|
||||
}
|
||||
|
||||
if (requestInput()->method() === 'POST') {
|
||||
if ($request->isMethod('POST')) {
|
||||
if (!$canEdit || $notFound) {
|
||||
http_response_code(403);
|
||||
Flash::error(t('You are not allowed to edit this page'), $returnPath, 'page_forbidden');
|
||||
@@ -72,7 +72,7 @@ if (requestInput()->method() === 'POST') {
|
||||
Router::redirect($returnPath);
|
||||
}
|
||||
|
||||
if (!Session::checkCsrfToken()) {
|
||||
if (!actionRequireCsrf($returnPath, flashOnFailure: false, redirectOnFailure: false)) {
|
||||
Flash::error(t('Form expired, please try again'), $returnPath, 'page_csrf');
|
||||
if ($wantsJson) {
|
||||
Router::json(['ok' => false, 'error' => 'csrf', 'redirect' => $returnPath]);
|
||||
@@ -80,7 +80,7 @@ if (requestInput()->method() === 'POST') {
|
||||
Router::redirect($returnPath);
|
||||
}
|
||||
|
||||
$content = (string) (requestInput()->bodyAll()['content'] ?? '');
|
||||
$content = (string) ($request->bodyAll()['content'] ?? '');
|
||||
$result = PageService::updateContentBySlug($slug, $content, $currentUserId, I18n::$locale ?? null);
|
||||
|
||||
if (!($result['ok'] ?? false)) {
|
||||
@@ -112,6 +112,6 @@ if ($contentJson === '') {
|
||||
$contentJson = json_encode(['blocks' => []], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
|
||||
}
|
||||
|
||||
$editMode = $canEdit && (($sessionEdit === true) || ((requestInput()->queryAll()['edit'] ?? '') === '1'));
|
||||
$editMode = $canEdit && (($sessionEdit === true) || (($request->queryAll()['edit'] ?? '') === '1'));
|
||||
$locales = defined('APP_LOCALES') ? APP_LOCALES : [I18n::$defaultLocale];
|
||||
$currentLocale = I18n::$locale ?? (I18n::$defaultLocale ?? 'de');
|
||||
|
||||
Reference in New Issue
Block a user