Skip to content
Permalink
Browse files
Improved form token generation and validation.
  • Loading branch information
Carlos García Gómez committed Oct 22, 2021
1 parent 8bc627b commit 8e2c15ab914ccf29ce7e328de1826b99aa1dd839
Show file tree
Hide file tree
Showing 21 changed files with 351 additions and 323 deletions.
@@ -123,7 +123,7 @@ public function __construct(string $className, string $uri = '')
$this->className = $className;
$this->dataBase = new DataBase();
$this->empresa = new Empresa();
$this->multiRequestProtection = new MultiRequestProtection($className);
$this->multiRequestProtection = new MultiRequestProtection();
$this->request = Request::createFromGlobals();
$this->template = $this->className . '.html.twig';
$this->uri = $uri;
@@ -201,6 +201,9 @@ public function privateCore(&$response, $user, $permissions)
// Select the default company for the user
$this->empresa = Empresas::get($this->user->idempresa);

// add the user to the token generation seed
$this->multiRequestProtection->addSeed($user->nick);

// Have this user a default page?
$defaultPage = $this->request->query->get('defaultPage', '');
if ($defaultPage === 'TRUE') {
@@ -16,12 +16,13 @@
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

namespace FacturaScripts\Core\Controller;

use FacturaScripts\Core\Base;
use FacturaScripts\Dinamic\Model\User;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\HttpFoundation\Response;

/**
* AdminPlugins.
@@ -41,10 +42,9 @@ class AdminPlugins extends Base\Controller
public $pluginManager;

/**
*
* @return array
*/
public function getAllPlugins()
public function getAllPlugins(): array
{
$downloadTools = new Base\DownloadTools();
$json = json_decode($downloadTools->getContents(self::PLUGIN_LIST_URL, 3), true);
@@ -54,7 +54,7 @@ public function getAllPlugins()

$list = [];
foreach ($json as $item) {
/// plugin is already installed?
// plugin is already installed?
$item['installed'] = false;
foreach ($this->getPlugins() as $plug) {
if ($plug['name'] == $item['name']) {
@@ -101,14 +101,14 @@ public function getPageData()
public function getPlugins()
{
$installedPlugins = $this->pluginManager->installedPlugins();
if (!defined('FS_HIDDEN_PLUGINS')) {
if (false === defined('FS_HIDDEN_PLUGINS')) {
return $installedPlugins;
}

/// exclude hidden plugins
$hiddenPlugins = \explode(',', \FS_HIDDEN_PLUGINS);
// exclude hidden plugins
$hiddenPlugins = explode(',', FS_HIDDEN_PLUGINS);
foreach ($installedPlugins as $key => $plugin) {
if (\in_array($plugin['name'], $hiddenPlugins, false)) {
if (in_array($plugin['name'], $hiddenPlugins, false)) {
unset($installedPlugins[$key]);
}
}
@@ -118,9 +118,9 @@ public function getPlugins()
/**
* Runs the controller's private logic.
*
* @param Response $response
* @param User $user
* @param Base\ControllerPermissions $permissions
* @param Response $response
* @param User $user
* @param Base\ControllerPermissions $permissions
*/
public function privateCore(&$response, $user, $permissions)
{
@@ -169,7 +169,7 @@ private function enablePlugin($pluginName)

/**
* Execute main actions.
*
*
* @param string $action
*/
private function execAction($action)
@@ -198,8 +198,8 @@ private function execAction($action)
break;

default:
if (\FS_DEBUG) {
/// On debug mode, always deploy the contents of Dinamic.
if (FS_DEBUG) {
// On debug mode, always deploy the contents of Dinamic.
$this->pluginManager->deploy(true, true);
$this->toolBox()->cache()->clear();
}
@@ -232,6 +232,25 @@ private function removePlugin($pluginName)
*/
private function uploadPlugin($uploadFiles)
{
// check user permissions
if (false === $this->permissions->allowUpdate) {
$this->toolBox()->i18nLog()->warning('not-allowed-update');
return;
}

// valid request?
$token = $this->request->request->get('multireqtoken', '');
if (empty($token) || false === $this->multiRequestProtection->validate($token)) {
$this->toolBox()->i18nLog()->warning('invalid-request');
return;
}

// duplicated request?
if ($this->multiRequestProtection->tokenExist($token)) {
$this->toolBox()->i18nLog()->warning('duplicated-request');
return;
}

foreach ($uploadFiles as $uploadFile) {
if (false === $uploadFile->isValid()) {
$this->toolBox()->log()->error($uploadFile->getErrorMessage());
@@ -244,7 +263,7 @@ private function uploadPlugin($uploadFiles)
}

$this->pluginManager->install($uploadFile->getPathname(), $uploadFile->getClientOriginalName());
\unlink($uploadFile->getPathname());
unlink($uploadFile->getPathname());
}

if ($this->pluginManager->deploymentRequired()) {
@@ -119,7 +119,7 @@ public function privateCore(&$response, $user, $permissions)
if ($status) {
// validate form request?
$token = $this->request->request->get('multireqtoken', '');
if (empty($token) || false === $this->multiRequestProtection->validate($token, $this->user->logkey)) {
if (empty($token) || false === $this->multiRequestProtection->validate($token)) {
$this->toolBox()->i18nLog()->warning('invalid-request');
return;
}
@@ -16,9 +16,9 @@
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

namespace FacturaScripts\Core\Controller;

use Exception;
use FacturaScripts\Core\Base\DataBase\DataBaseWhere;
use FacturaScripts\Core\Lib\ExtendedController\BaseView;
use FacturaScripts\Core\Lib\ExtendedController\EditController;
@@ -34,7 +34,6 @@ class EditApiKey extends EditController
{

/**
*
* @return array
*/
public function getAccessRules(): array
@@ -63,7 +62,7 @@ public function getAccessRules(): array

/**
* Returns the model name.
*
*
* @return string
*/
public function getModelClassName()
@@ -96,7 +95,6 @@ protected function createViews()
}

/**
*
* @param string $viewName
*/
protected function createViewsAccess(string $viewName = 'ApiAccess')
@@ -105,29 +103,36 @@ protected function createViewsAccess(string $viewName = 'ApiAccess')
}

/**
*
* @return bool
*/
protected function editRulesAction(): bool
{
// check user permissions
if (false === $this->permissions->allowUpdate) {
$this->toolBox()->i18nLog()->warning('not-allowed-update');
return true;
} elseif (false === $this->validateFormToken()) {
return true;
}

$allowGet = $this->request->request->get('allowget');
$allowPut = $this->request->request->get('allowput');
$allowPost = $this->request->request->get('allowpost');
$allowDelete = $this->request->request->get('allowdelete');

/// update current access rules
// update current access rules
$accessModel = new ApiAccess();
$where = [new DataBaseWhere('idapikey', $this->request->query->get('code'))];
$rules = $accessModel->all($where, [], 0, 0);
foreach ($rules as $access) {
$access->allowget = \is_array($allowGet) && \in_array($access->resource, $allowGet);
$access->allowput = \is_array($allowPut) && \in_array($access->resource, $allowPut);
$access->allowpost = \is_array($allowPost) && \in_array($access->resource, $allowPost);
$access->allowdelete = \is_array($allowDelete) && \in_array($access->resource, $allowDelete);
$access->allowget = is_array($allowGet) && in_array($access->resource, $allowGet);
$access->allowput = is_array($allowPut) && in_array($access->resource, $allowPut);
$access->allowpost = is_array($allowPost) && in_array($access->resource, $allowPost);
$access->allowdelete = is_array($allowDelete) && in_array($access->resource, $allowDelete);
$access->save();
}

/// add new rules
// add new rules
foreach ($allowGet as $resource) {
$found = false;
foreach ($rules as $rule) {
@@ -140,14 +145,14 @@ protected function editRulesAction(): bool
continue;
}

/// add
// add
$newAccess = new ApiAccess();
$newAccess->idapikey = $this->request->query->get('code');
$newAccess->resource = $resource;
$newAccess->allowget = \is_array($allowGet) && \in_array($resource, $allowGet);
$newAccess->allowput = \is_array($allowPut) && \in_array($resource, $allowPut);
$newAccess->allowpost = \is_array($allowPost) && \in_array($resource, $allowPost);
$newAccess->allowdelete = \is_array($allowDelete) && \in_array($resource, $allowDelete);
$newAccess->allowget = is_array($allowGet) && in_array($resource, $allowGet);
$newAccess->allowput = is_array($allowPut) && in_array($resource, $allowPut);
$newAccess->allowpost = is_array($allowPost) && in_array($resource, $allowPost);
$newAccess->allowdelete = is_array($allowDelete) && in_array($resource, $allowDelete);
$newAccess->save();
}

@@ -183,29 +188,29 @@ protected function getResources(): array
{
$resources = [];

$path = \FS_FOLDER . DIRECTORY_SEPARATOR . 'Dinamic' . DIRECTORY_SEPARATOR . 'Lib' . DIRECTORY_SEPARATOR . 'API';
foreach (\scandir($path, SCANDIR_SORT_NONE) as $resource) {
if (\substr($resource, -4) !== '.php') {
$path = FS_FOLDER . DIRECTORY_SEPARATOR . 'Dinamic' . DIRECTORY_SEPARATOR . 'Lib' . DIRECTORY_SEPARATOR . 'API';
foreach (scandir($path, SCANDIR_SORT_NONE) as $resource) {
if (substr($resource, -4) !== '.php') {
continue;
}

$class = substr('\\FacturaScripts\\Dinamic\\Lib\\API\\' . $resource, 0, -4);
$APIClass = new $class($this->response, $this->request, []);
if (isset($APIClass) && \method_exists($APIClass, 'getResources')) {
if (isset($APIClass) && method_exists($APIClass, 'getResources')) {
foreach ($APIClass->getResources() as $name => $data) {
$resources[] = $name;
}
}
}

\sort($resources);
sort($resources);
return $resources;
}

/**
* Load view data.
*
* @param string $viewName
* @param string $viewName
* @param BaseView $view
*/
protected function loadData($viewName, $view)

0 comments on commit 8e2c15a

Please sign in to comment.