Merge pull request #983 from jolelievre/attribute-deletion-update

Deprecate standalone endpoints to match PrestaShop 9.0 new security policy
PrestaShop · Feb 16, 2024 · 0423259 · 0423259
2 parents 33de321 + 0286927
commit 0423259
Show file tree

Hide file tree

Showing 6 changed files with 123 additions and 6 deletions.
diff --git a/.htaccess b/.htaccess
@@ -0,0 +1,13 @@
+# In PrestaShop 9.0 php files are now protected so we allow only specific endpoints to be accessible
+<FilesMatch "ps_facetedsearch-.+\.php$">
+    # Apache 2.2
+    <IfModule !mod_authz_core.c>
+        Order Allow,Deny
+        Allow from all
+    </IfModule>
+
+    # Apache 2.4
+    <IfModule mod_authz_core.c>
+        Require all granted
+    </IfModule>
+</FilesMatch>
diff --git a/controllers/front/cron.php b/controllers/front/cron.php
@@ -0,0 +1,80 @@
+<?php
+/**
+ * Copyright since 2007 PrestaShop SA and Contributors
+ * PrestaShop is an International Registered Trademark & Property of PrestaShop SA
+ *
+ * NOTICE OF LICENSE
+ *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.md.
+ * It is also available through the world-wide-web at this URL:
+ * https://opensource.org/licenses/OSL-3.0
+ * If you did not receive a copy of the license and are unable to
+ * obtain it through the world-wide-web, please send an email
+ * to license@prestashop.com so we can send you a copy immediately.
+ *
+ * DISCLAIMER
+ *
+ * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
+ * versions in the future. If you wish to customize PrestaShop for your
+ * needs please refer to https://devdocs.prestashop.com/ for more information.
+ *
+ * @author    PrestaShop SA and Contributors <contact@prestashop.com>
+ * @copyright Since 2007 PrestaShop SA and Contributors
+ * @license   https://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
+ */
+
+declare(strict_types=1);
+
+class Ps_FacetedSearchCronModuleFrontController extends ModuleFrontController
+{
+    public function __construct()
+    {
+        parent::__construct();
+        $this->ajax = true;
+    }
+
+    public function postProcess()
+    {
+        if (substr(Tools::hash('ps_facetedsearch/index'), 0, 10) != Tools::getValue('token')) {
+            header('HTTP/1.1 403 Forbidden');
+            header('Status: 403 Forbidden');
+            $this->ajaxRender('Bad token');
+
+            return;
+        }
+
+        $action = Tools::getValue('action');
+        switch ($action) {
+            case 'indexAttributes':
+                Shop::setContext(Shop::CONTEXT_ALL);
+
+                $psFacetedsearch = new Ps_Facetedsearch();
+                $psFacetedsearch->indexAttributes();
+                $psFacetedsearch->indexFeatures();
+                $psFacetedsearch->indexAttributeGroup();
+
+                $this->ajaxRender('1');
+                break;
+            case 'clearCache':
+                $psFacetedsearch = new Ps_Facetedsearch();
+                $this->ajaxRender($psFacetedsearch->invalidateLayeredFilterBlockCache());
+                break;
+            case 'indexPrices':
+                Shop::setContext(Shop::CONTEXT_ALL);
+
+                $module = new Ps_Facetedsearch();
+                if (Tools::getValue('full')) {
+                    $this->ajaxRender($module->fullPricesIndexProcess((int) Tools::getValue('cursor'), (bool) Tools::getValue('ajax'), true));
+                } else {
+                    $this->ajaxRender($module->pricesIndexProcess((int) Tools::getValue('cursor'), (bool) Tools::getValue('ajax')));
+                }
+
+                break;
+            default:
+                header('HTTP/1.1 403 Forbidden');
+                header('Status: 403 Forbidden');
+                $this->ajaxRender('Unknown action');
+        }
+    }
+}
diff --git a/ps_facetedsearch-attribute-indexer.php b/ps_facetedsearch-attribute-indexer.php
@@ -17,6 +17,14 @@
  * @copyright Since 2007 PrestaShop SA and Contributors
  * @license   https://opensource.org/licenses/AFL-3.0 Academic Free License 3.0 (AFL-3.0)
  */
+
+/*
+ * This standalone endpoint is deprecated, it should not be used anymore and should be removed along with the
+ * htaccess file that still allows it to work despite the security policy from the core forbidding this kind
+ * of file to be executed.
+ */
+@trigger_error('This endpoint has been deprecated and will be removed in the next major version for this module, you should rely on Ps_FacetedSearchCronModuleFrontController instead.', E_USER_DEPRECATED);
+
 require_once __DIR__ . '/../../config/config.inc.php';
 require_once __DIR__ . '/ps_facetedsearch.php';
 

diff --git a/ps_facetedsearch-clear-cache.php b/ps_facetedsearch-clear-cache.php
@@ -17,6 +17,14 @@
  * @copyright Since 2007 PrestaShop SA and Contributors
  * @license   https://opensource.org/licenses/AFL-3.0 Academic Free License 3.0 (AFL-3.0)
  */
+
+/*
+ * This standalone endpoint is deprecated, it should not be used anymore and should be removed along with the
+ * htaccess file that still allows it to work despite the security policy from the core forbidding this kind
+ * of file to be executed.
+ */
+@trigger_error('This endpoint has been deprecated and will be removed in the next major version for this module, you should rely on Ps_FacetedSearchCronModuleFrontController instead.', E_USER_DEPRECATED);
+
 require_once __DIR__ . '/../../config/config.inc.php';
 require_once __DIR__ . '/ps_facetedsearch.php';
 

diff --git a/ps_facetedsearch-price-indexer.php b/ps_facetedsearch-price-indexer.php
@@ -17,6 +17,14 @@
  * @copyright Since 2007 PrestaShop SA and Contributors
  * @license   https://opensource.org/licenses/AFL-3.0 Academic Free License 3.0 (AFL-3.0)
  */
+
+/*
+ * This standalone endpoint is deprecated, it should not be used anymore and should be removed along with the
+ * htaccess file that still allows it to work despite the security policy from the core forbidding this kind
+ * of file to be executed.
+ */
+@trigger_error('This endpoint has been deprecated and will be removed in the next major version for this module, you should rely on Ps_FacetedSearchCronModuleFrontController instead.', E_USER_DEPRECATED);
+
 require_once __DIR__ . '/../../config/config.inc.php';
 require_once __DIR__ . '/ps_facetedsearch.php';
 

diff --git a/ps_facetedsearch.php b/ps_facetedsearch.php
@@ -779,20 +779,20 @@ public function getContent()
     public function renderAdminMain()
     {
         // General purpose variables
-        $moduleUrl = Tools::getProtocol(Tools::usingSecureMode()) . $_SERVER['HTTP_HOST'] . $this->getPathUri();
         $features = $this->getAvailableFeatures();
         $attributeGroups = $this->getAvailableAttributes();
 
+        $cronToken = substr(Tools::hash('ps_facetedsearch/index'), 0, 10);
         $this->context->smarty->assign([
             'PS_LAYERED_INDEXED' => (int) Configuration::getGlobalValue('PS_LAYERED_INDEXED'),
             'current_url' => Tools::safeOutput(preg_replace('/&deleteFilterTemplate=[0-9]*&id_layered_filter=[0-9]*/', '', $_SERVER['REQUEST_URI'])),
             'id_lang' => $this->getContext()->cookie->id_lang,
-            'token' => substr(Tools::hash('ps_facetedsearch/index'), 0, 10),
+            'token' => $cronToken,
             'base_folder' => urlencode(_PS_ADMIN_DIR_),
-            'price_indexer_url' => $moduleUrl . 'ps_facetedsearch-price-indexer.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10),
-            'full_price_indexer_url' => $moduleUrl . 'ps_facetedsearch-price-indexer.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10) . '&full=1',
-            'attribute_indexer_url' => $moduleUrl . 'ps_facetedsearch-attribute-indexer.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10),
-            'clear_cache_url' => $moduleUrl . 'ps_facetedsearch-clear-cache.php' . '?token=' . substr(Tools::hash('ps_facetedsearch/index'), 0, 10),
+            'price_indexer_url' => $this->context->link->getModuleLink('ps_facetedsearch', 'cron', ['ajax' => true, 'action' => 'indexPrices', 'token' => $cronToken]),
+            'full_price_indexer_url' => $this->context->link->getModuleLink('ps_facetedsearch', 'cron', ['ajax' => true, 'action' => 'indexPrices', 'full' => 1, 'token' => $cronToken]),
+            'attribute_indexer_url' => $this->context->link->getModuleLink('ps_facetedsearch', 'cron', ['ajax' => true, 'action' => 'indexAttributes', 'token' => $cronToken]),
+            'clear_cache_url' => $this->context->link->getModuleLink('ps_facetedsearch', 'cron', ['ajax' => true, 'action' => 'clearCache', 'token' => $cronToken]),
             'filters_templates' => $this->getExistingFiltersOverview(),
             'show_quantities' => Configuration::get('PS_LAYERED_SHOW_QTIES'),
             'cache_enabled' => Configuration::get('PS_LAYERED_CACHE_ENABLED'),