refactor(actions): centralize core page request/csrf guards

This commit is contained in:
2026-04-24 19:10:37 +02:00
parent a05a628968
commit 52f10ae46c
18 changed files with 253 additions and 29 deletions

View File

@@ -7,7 +7,6 @@ use MintyPHP\Router;
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
use MintyPHP\Service\Access\UiAccessService;
use MintyPHP\Service\Content\PageService;
use MintyPHP\Session;
use MintyPHP\Support\Flash;
$sessionStore = app(SessionStoreInterface::class);
@@ -21,6 +20,10 @@ if ($currentUserId <= 0) {
}
$return = Request::safeReturnTarget((string) (requestInput()->bodyAll()['return'] ?? ''));
if (!actionRequirePost($return !== '' ? $return : '')) {
return;
}
$canEdit = app(UiAccessService::class)->allow(
$currentUserId,
SettingsAuthorizationPolicy::ABILITY_ADMIN_SETTINGS_UPDATE
@@ -31,7 +34,7 @@ if (!$canEdit) {
Router::redirect($return !== '' ? $return : '');
}
if (!Session::checkCsrfToken()) {
if (!actionRequireCsrf($return !== '' ? $return : '', flashOnFailure: false, redirectOnFailure: false)) {
Flash::error(t('Form expired, please try again'), $return, 'page_csrf');
Router::redirect($return !== '' ? $return : '');
}

View File

@@ -8,11 +8,11 @@ use MintyPHP\Router;
use MintyPHP\Service\Access\SettingsAuthorizationPolicy;
use MintyPHP\Service\Access\UiAccessService;
use MintyPHP\Service\Content\PageService;
use MintyPHP\Session;
use MintyPHP\Support\Flash;
$sessionStore = app(SessionStoreInterface::class);
$session = $sessionStore->all();
$request = requestInput();
$slug = trim((string) ($slug ?? ''));
if ($slug === '') {
@@ -38,7 +38,7 @@ $returnPath = Request::path();
if ($returnPath === '') {
$returnPath = 'page/' . $slug;
}
$requestedReturn = Request::safeReturnTarget((string) (requestInput()->bodyAll()['return'] ?? ''));
$requestedReturn = Request::safeReturnTarget((string) ($request->bodyAll()['return'] ?? ''));
if ($requestedReturn !== '') {
$returnPath = $requestedReturn;
}
@@ -62,7 +62,7 @@ if (!empty($session['page_edit_mode']) && is_array($session['page_edit_mode']))
$sessionStore->set('page_edit_mode', $pageEditMode);
}
if (requestInput()->method() === 'POST') {
if ($request->isMethod('POST')) {
if (!$canEdit || $notFound) {
http_response_code(403);
Flash::error(t('You are not allowed to edit this page'), $returnPath, 'page_forbidden');
@@ -72,7 +72,7 @@ if (requestInput()->method() === 'POST') {
Router::redirect($returnPath);
}
if (!Session::checkCsrfToken()) {
if (!actionRequireCsrf($returnPath, flashOnFailure: false, redirectOnFailure: false)) {
Flash::error(t('Form expired, please try again'), $returnPath, 'page_csrf');
if ($wantsJson) {
Router::json(['ok' => false, 'error' => 'csrf', 'redirect' => $returnPath]);
@@ -80,7 +80,7 @@ if (requestInput()->method() === 'POST') {
Router::redirect($returnPath);
}
$content = (string) (requestInput()->bodyAll()['content'] ?? '');
$content = (string) ($request->bodyAll()['content'] ?? '');
$result = PageService::updateContentBySlug($slug, $content, $currentUserId, I18n::$locale ?? null);
if (!($result['ok'] ?? false)) {
@@ -112,6 +112,6 @@ if ($contentJson === '') {
$contentJson = json_encode(['blocks' => []], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
}
$editMode = $canEdit && (($sessionEdit === true) || ((requestInput()->queryAll()['edit'] ?? '') === '1'));
$editMode = $canEdit && (($sessionEdit === true) || (($request->queryAll()['edit'] ?? '') === '1'));
$locales = defined('APP_LOCALES') ? APP_LOCALES : [I18n::$defaultLocale];
$currentLocale = I18n::$locale ?? (I18n::$defaultLocale ?? 'de');