Skip to content
This repository has been archived by the owner on Aug 13, 2022. It is now read-only.

Commit

Permalink
Browse files Browse the repository at this point in the history
add CSRF tokens to duplicate action
  • Loading branch information
Guite committed Dec 28, 2021
1 parent ddefbcc commit 5e9bb46
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 2 deletions.
Expand Up @@ -443,6 +443,10 @@ public function adminDuplicate(
HookHelper $hookHelper,
string $slug = ''
): RedirectResponse {
if (!$this->isCsrfTokenValid('duplicate-page', $request->query->get('token'))) {
throw new AccessDeniedException();
}

return $this->duplicateInternal($request, $router, $permissionHelper, $entityFactory, $workflowHelper, $modelHelper, $hookHelper, $slug, true);
}

Expand All @@ -462,6 +466,10 @@ public function duplicate(
HookHelper $hookHelper,
string $slug = ''
): RedirectResponse {
if (!$this->isCsrfTokenValid('duplicate-page', $request->query->get('token'))) {
throw new AccessDeniedException();
}

return $this->duplicateInternal($request, $router, $permissionHelper, $entityFactory, $workflowHelper, $modelHelper, $hookHelper, $slug, false);
}

Expand Down
19 changes: 17 additions & 2 deletions src/extensions/Zikula/ContentModule/Menu/MenuBuilder.php
Expand Up @@ -17,6 +17,7 @@
namespace Zikula\ContentModule\Menu;

use Knp\Menu\ItemInterface;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Contracts\Translation\TranslatorInterface;
use Zikula\ContentModule\Entity\PageEntity;
use Zikula\ContentModule\Menu\Base\AbstractMenuBuilder;
Expand All @@ -32,6 +33,11 @@ class MenuBuilder extends AbstractMenuBuilder
*/
private $translator;

/**
* @var CsrfTokenManagerInterface
*/
private $csrfTokenManager;

/**
* @var bool
*/
Expand Down Expand Up @@ -95,9 +101,11 @@ public function createItemActionsMenu(array $options = []): ItemInterface
;
}
if ($hasEditPermissions) {
$routeParameters = $entity->createUrlArgs();
$routeParameters['token'] = $this->getCsrfToken('duplicate-page');
$menu->addChild('Duplicate', [
'route' => $routePrefix . $routeArea . 'duplicate',
'routeParameters' => $entity->createUrlArgs(),
'routeParameters' => $routeParameters,
])
->setLinkAttribute(
'title',
Expand Down Expand Up @@ -135,9 +143,16 @@ public function createItemActionsMenu(array $options = []): ItemInterface
*/
public function setAdditionalDependencies(
TranslatorInterface $translator,
VariableApiInterface $variableApi
CsrfTokenManagerInterface $csrfTokenManager,
VariableApiInterface $variableApi,
): void {
$this->translator = $translator;
$this->csrfTokenManager = $csrfTokenManager;
$this->multilingual = $variableApi->getSystemVar('multilingual', true);
}

private function getCsrfToken(string $tokenId): string
{
return $this->csrfTokenManager->getToken($tokenId)->getValue();
}
}

0 comments on commit 5e9bb46

Please sign in to comment.