<?php
declare(strict_types=1);
namespace Neos\Fusion\Form\Runtime\Domain;
/*
* This file is part of the Neos.Fusion.Form package.
*
* (c) Contributors of the Neos Project - www.neos.io
*
* This package is Open Source Software. For the full copyright and license
* information, please view the LICENSE file which was distributed with this
* source code.
*/
use Neos\Flow\Annotations as Flow;
use Neos\Flow\Mvc\ActionRequest;
use Neos\Flow\Security\Cryptography\HashService;
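/**
 * Builds the sub request a form runtime works on, handing over only those submitted
 * arguments that the HMAC-protected "__trustedProperties" token lists.
 */
class FormRequestFactory
{
    /**
     * Used to validate and strip the HMAC of the submitted "__trustedProperties" token.
     *
     * @var HashService
     * @Flow\Inject
     */
    protected $hashService;

    /**
     * Prepare a sub request for the identifier namespace and transfer the submitted arguments.
     *
     * Only arguments present in "__trustedProperties" are transferred. When the token is missing,
     * empty, or does not unserialize to an array, the sub request receives no arguments at all.
     * Exceptions raised by the hash service while validating the token propagate to the caller.
     *
     * @param ActionRequest $parentRequest request that carries the submitted form data
     * @param string $identifier argument namespace of the form inside the parent request
     * @return ActionRequest
     */
    public function createFormRequest(ActionRequest $parentRequest, string $identifier): ActionRequest
    {
        $formRequest = $parentRequest->createSubRequest();
        $formRequest->setArgumentNamespace($identifier);

        if ($parentRequest->hasArgument($identifier) !== true) {
            return $formRequest;
        }

        $submittedData = $parentRequest->getArgument($identifier);
        if (!is_array($submittedData)) {
            return $formRequest;
        }

        // Fail closed: nothing is transferred unless a validated allow-list says so.
        $subrequestArguments = [];

        // The submitted data is client-controlled, so the token key may be absent; !empty()
        // keeps the original truthiness check without reading an undefined array key.
        if (!empty($submittedData['__trustedProperties'])) {
            // Order matters: the HMAC is checked before unserialize() sees the value, so only
            // payloads signed by this application are expected to be deserialized. The hash
            // service is relied on to reject a value whose HMAC does not match.
            // 'allowed_classes' => false additionally prevents object instantiation.
            $serializedTrustedProperties = $this->hashService->validateAndStripHmac(
                $submittedData['__trustedProperties']
            );
            $trustedProperties = unserialize($serializedTrustedProperties, ['allowed_classes' => false]);

            // unserialize() returns false for malformed input and may yield a scalar; only an
            // array can serve as allow-list, anything else transfers no arguments.
            if (is_array($trustedProperties)) {
                $subrequestArguments = $this->filterSubmittedDataWithTrustedProperties(
                    $submittedData,
                    $trustedProperties
                );
            }
        }

        $formRequest->setArguments($subrequestArguments);

        return $formRequest;
    }

    /**
     * Filter incoming data recursively with the trusted properties data structure. This ensures that
     * only values that were actually rendered by the form are passed on to the form process.
     *
     * A trusted property is either the integer 1 (the submitted value is taken as is) or a nested
     * array (the submitted value is filtered recursively). Submitted keys that are not listed are
     * dropped, and a non-array submitted value yields an empty array.
     *
     * @param mixed[] $submittedData
     * @param mixed[] $trustedProperties
     * @return mixed[]
     * @throws \Exception if a trusted property is neither 1 nor an array
     */
    protected function filterSubmittedDataWithTrustedProperties($submittedData, array $trustedProperties): array
    {
        if (!is_array($submittedData)) {
            return [];
        }

        $filteredData = [];
        foreach ($trustedProperties as $fieldName => $trustedProperty) {
            // The allow-list drives the loop, so fields the client added on its own are never copied.
            if (!array_key_exists($fieldName, $submittedData)) {
                continue;
            }

            if ($trustedProperty === 1) {
                $filteredData[$fieldName] = $submittedData[$fieldName];
                continue;
            }

            if (is_array($trustedProperty)) {
                $filteredData[$fieldName] = $this->filterSubmittedDataWithTrustedProperties(
                    $submittedData[$fieldName],
                    $trustedProperty
                );
                continue;
            }

            throw new \Exception('This exception should never be thrown as trusted properties are either arrays or 1');
        }

        return $filteredData;
    }
}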