/**
  * Create a new translation from an existing item, switch to this language and reload the tree.
  */
 function createtranslation($data, $form)
 {
     $request = $this->owner->getRequest();
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->owner->httpError(400);
     }
     $langCode = Convert::raw2sql($request->postVar('NewTransLang'));
     $record = $this->owner->getRecord($request->postVar('ID'));
     if (!$record) {
         return $this->owner->httpError(404);
     }
     $this->owner->Locale = $langCode;
     Translatable::set_current_locale($langCode);
     // Create a new record in the database - this is different
     // to the usual "create page" pattern of storing the record
     // in-memory until a "save" is performed by the user, mainly
     // to simplify things a bit.
     // @todo Allow in-memory creation of translations that don't
     // persist in the database before the user requests it
     $translatedRecord = $record->createTranslation($langCode);
     $url = Controller::join_links($this->owner->Link('show'), $translatedRecord->ID);
     // set the X-Pjax header to Content, so that the whole admin panel will be refreshed
     $this->owner->getResponse()->addHeader('X-Pjax', 'Content');
     return $this->owner->redirect($url);
 }
 public function sort($request)
 {
     if (!SecurityToken::inst()->checkRequest($request)) {
         $this->httpError(404);
     }
     $class = $request->postVar('class');
     $ids = $request->postVar('id');
     if ($class == 'WorkflowAction') {
         $objects = $this->Definition()->Actions();
     } elseif ($class == 'WorkflowTransition') {
         $parent = $request->postVar('parent');
         $action = $this->Definition()->Actions()->byID($parent);
         if (!$action) {
             $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDPARENTID', 'An invalid parent ID was specified.'));
         }
         $objects = $action->Transitions();
     } else {
         $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDCLASSTOORDER', 'An invalid class to order was specified.'));
     }
     if (array_diff($ids, $objects->column('ID'))) {
         $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDIDLIST', 'An invalid list of IDs was provided.'));
     }
     singleton('WorkflowService')->reorder($objects, $ids);
     return new SS_HTTPResponse(null, 200, _t('AdvancedWorkflowAdmin.SORTORDERSAVED', 'The sort order has been saved.'));
 }
 public function update(SS_HTTPRequest $request)
 {
     if (!SecurityToken::inst()->checkRequest($request)) {
         return '';
     }
     $url = $request->postVar('URL');
     if (strlen($url)) {
         $info = Oembed::get_oembed_from_url($url);
         if ($info && $info->exists()) {
             $object = EmbeddedObject::create();
             $object->Title = $info->title;
             $object->SourceURL = $url;
             $object->Width = $info->width;
             $object->Height = $info->height;
             $object->ThumbURL = $info->thumbnail_url;
             $object->Description = $info->description ? $info->description : $info->title;
             $object->Type = $info->type;
             $object->EmbedHTML = $info->forTemplate();
             $this->object = $object;
             // needed to make sure the check in FieldHolder works out
             $object->ID = -1;
             return $this->FieldHolder();
         } else {
             $this->message = _t('EmbeddedObjectField.ERROR', 'Could not look up provided URL: ' . Convert::raw2xml($url));
             return $this->FieldHolder();
         }
     } else {
         $this->object = null;
         return $this->FieldHolder();
     }
 }
 public function update(SS_HTTPRequest $request)
 {
     if (!SecurityToken::inst()->checkRequest($request)) {
         return '';
     }
     $url = $request->postVar('URL');
     if (strlen($url)) {
         $info = Oembed::get_oembed_from_url($url);
         $info = Embed\Embed::create($url);
         if ($info) {
             $object = EmbeddedObject::create();
             $object->setFromEmbed($info);
             $this->object = $object;
             // needed to make sure the check in FieldHolder works out
             $object->ID = -1;
             return $this->FieldHolder();
         } else {
             $this->message = _t('EmbeddedObjectField.ERROR', 'Could not look up provided URL: ' . Convert::raw2xml($url));
             return $this->FieldHolder();
         }
     } else {
         $this->object = null;
         return $this->FieldHolder();
     }
 }
 public function handleBatchAction($request)
 {
     // This method can't be called without ajax.
     if (!$request->isAjax()) {
         $this->parentController->redirectBack();
         return;
     }
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(400);
     }
     $actions = $this->batchActions();
     $actionClass = $actions[$request->param('BatchAction')]['class'];
     $actionHandler = new $actionClass();
     // Sanitise ID list and query the database for apges
     $ids = preg_split('/ *, */', trim($request->requestVar('csvIDs')));
     foreach ($ids as $k => $v) {
         if (!is_numeric($v)) {
             unset($ids[$k]);
         }
     }
     if ($ids) {
         if (class_exists('Translatable') && SiteTree::has_extension('Translatable')) {
             Translatable::disable_locale_filter();
         }
         $recordClass = $this->recordClass;
         $pages = DataObject::get($recordClass)->byIDs($ids);
         if (class_exists('Translatable') && SiteTree::has_extension('Translatable')) {
             Translatable::enable_locale_filter();
         }
         $record_class = $this->recordClass;
         if ($record_class::has_extension('Versioned')) {
             // If we didn't query all the pages, then find the rest on the live site
             if (!$pages || $pages->Count() < sizeof($ids)) {
                 $idsFromLive = array();
                 foreach ($ids as $id) {
                     $idsFromLive[$id] = true;
                 }
                 if ($pages) {
                     foreach ($pages as $page) {
                         unset($idsFromLive[$page->ID]);
                     }
                 }
                 $idsFromLive = array_keys($idsFromLive);
                 $livePages = Versioned::get_by_stage($this->recordClass, 'Live')->byIDs($idsFromLive);
                 if ($pages) {
                     // Can't merge into a DataList, need to condense into an actual list first
                     // (which will retrieve all records as objects, so its an expensive operation)
                     $pages = new ArrayList($pages->toArray());
                     $pages->merge($livePages);
                 } else {
                     $pages = $livePages;
                 }
             }
         }
     } else {
         $pages = new ArrayList();
     }
     return $actionHandler->run($pages);
 }
 public function authenticate(SS_HTTPRequest $request)
 {
     $token = $this->getToken($request);
     $user = null;
     if (!Member::currentUserID() && !$this->allowPublicAccess || $token) {
         if (!$token) {
             throw new WebServiceException(403, "Missing token parameter");
         }
         $user = $this->tokenAuthenticator->authenticate($token);
         if (!$user) {
             throw new WebServiceException(403, "Invalid user token");
         }
     } else {
         if ($this->allowSecurityId && Member::currentUserID()) {
             // we check the SecurityID parameter for the current user
             $secParam = SecurityToken::inst()->getName();
             $securityID = $request->requestVar($secParam);
             if ($securityID && $securityID != SecurityToken::inst()->getValue()) {
                 throw new WebServiceException(403, "Invalid security ID");
             }
             $user = Member::currentUser();
         }
     }
     if (!$user && !$this->allowPublicAccess) {
         throw new WebServiceException(403, "Invalid request");
     }
     // now, if we have an hmacValidator in place, use it
     if ($this->hmacValidator && $user) {
         if (!$this->hmacValidator->validateHmac($user, $request)) {
             throw new WebServiceException(403, "Invalid message");
         }
     }
     return true;
 }
 /**
  * Generate a security token.
  * */
 public static function getSecurityToken()
 {
     // Ensure the session exists before querying it.
     if (!Session::request_contains_session_id()) {
         Session::start();
     }
     return SecurityToken::inst()->getSecurityID();
 }
 public function saveComplexTableField($data, $form, $params)
 {
     $child = new $data['ClassName']();
     $child->ParentID = $this->controller->ID;
     $child->write();
     $link = SecurityToken::inst()->addToUrl(Controller::join_links($this->Link(), 'item', $child->ID, 'edit'));
     Session::set('FormInfo.ComplexTableField_Popup_DetailForm.formError', array('message' => _t('MemberProfiles.SECTIONADDED', 'Profile section added, please edit it below.'), 'type' => 'good'));
     return Director::redirect($link);
 }
 /**
  * @param $data
  * @param $form
  * @return mixed
  */
 public function doUpload($data, $form)
 {
     $material = PresentationSlide::create();
     $material->SlideID = $data['Slide'];
     $material->write();
     $this->presentation->Materials()->filter(['ClassName' => 'PresentationSlide'])->removeAll();
     $this->presentation->Materials()->add($material);
     $token = SecurityToken::inst()->getValue();
     return $form->controller()->redirect(Controller::join_links($form->controller()->Link(), 'success', "?key={$token}&material={$material->ID}"));
 }
 function handleAction($request)
 {
     // This method can't be called without ajax.
     if (!$this->parentController->isAjax()) {
         $this->parentController->redirectBack();
         return;
     }
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(400);
     }
     $actions = $this->batchActions();
     $actionClass = $actions[$request->param('BatchAction')]['class'];
     $actionHandler = new $actionClass();
     // Sanitise ID list and query the database for apges
     $ids = split(' *, *', trim($request->requestVar('csvIDs')));
     foreach ($ids as $k => $v) {
         if (!is_numeric($v)) {
             unset($ids[$k]);
         }
     }
     if ($ids) {
         if (class_exists('Translatable') && Object::has_extension('SiteTree', 'Translatable')) {
             Translatable::disable_locale_filter();
         }
         $pages = DataObject::get($this->recordClass, sprintf('"%s"."ID" IN (%s)', ClassInfo::baseDataClass($this->recordClass), implode(", ", $ids)));
         if (class_exists('Translatable') && Object::has_extension('SiteTree', 'Translatable')) {
             Translatable::enable_locale_filter();
         }
         if (Object::has_extension($this->recordClass, 'Versioned')) {
             // If we didn't query all the pages, then find the rest on the live site
             if (!$pages || $pages->Count() < sizeof($ids)) {
                 foreach ($ids as $id) {
                     $idsFromLive[$id] = true;
                 }
                 if ($pages) {
                     foreach ($pages as $page) {
                         unset($idsFromLive[$page->ID]);
                     }
                 }
                 $idsFromLive = array_keys($idsFromLive);
                 $sql = sprintf('"%s"."ID" IN (%s)', $this->recordClass, implode(", ", $idsFromLive));
                 $livePages = Versioned::get_by_stage($this->recordClass, 'Live', $sql);
                 if ($pages) {
                     $pages->merge($livePages);
                 } else {
                     $pages = $livePages;
                 }
             }
         }
     } else {
         $pages = new ArrayList();
     }
     return $actionHandler->run($pages);
 }
 public static function initVisitor()
 {
     $secID = SecurityToken::inst()->getSecurityID();
     if (!($visitor = self::get()->find('securityID', $secID))) {
         $referer = isset($_SERVER['HTTP_REFERER']) ? self::getDomain($_SERVER['HTTP_REFERER']) : "";
         $searchTerm = "";
         // This is a new visitor so lets see if we can find out where they came from
         $visitor = self::saveVisitor($secID, $_SERVER['REMOTE_ADDR'], $referer, $searchTerm);
     }
     return $visitor;
 }
Beispiel #12
0
 public static function initVisitor()
 {
     $secID = SecurityToken::inst()->getSecurityID();
     if (!($visitor = self::get()->find('securityID', $secID))) {
         $referer = isset($_POST['ref']) ? $_POST['ref'] : "";
         $resolution = isset($_POST['res']) ? $_POST['res'] : "";
         $platform = isset($_POST['plat']) ? $_POST['plat'] : "";
         $searchTerm = "";
         // This is a new visitor so lets see if we can find out where they came from
         $visitor = self::saveVisitor($secID, $_SERVER['REMOTE_ADDR'], $referer, $searchTerm, $resolution, $platform);
     }
     return $visitor;
 }
 public function testDeleteActionRemoveRelation()
 {
     $this->logInWithPermission('ADMIN');
     $config = GridFieldConfig::create()->addComponent(new GridFieldDeleteAction(true));
     $gridField = new GridField('testfield', 'testfield', $this->list, $config);
     $form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());
     $stateID = 'testGridStateActionField';
     Session::set($stateID, array('grid' => '', 'actionName' => 'deleterecord', 'args' => array('RecordID' => $this->idFromFixture('GridFieldAction_Delete_Team', 'team1'))));
     $token = SecurityToken::inst();
     $request = new SS_HTTPRequest('POST', 'url', array(), array('action_gridFieldAlterAction?StateID=' . $stateID => true, $token->getName() => $token->getValue()));
     $this->gridField->gridFieldAlterAction(array('StateID' => $stateID), $this->form, $request);
     $this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
 }
 public function delete($request)
 {
     if (!SecurityToken::inst()->checkRequest($request)) {
         $this->httpError(400);
     }
     if (!$request->isPOST()) {
         $this->httpError(400);
     }
     if (!$this->record->canDelete()) {
         $this->httpError(403);
     }
     $this->record->delete();
     return $this->RootField()->forTemplate();
 }
 function testDeleteWithoutGroupDeletesFromDatabase()
 {
     $member1 = $this->objFromFixture('Member', 'member1');
     $member1ID = $member1->ID;
     $group1 = $this->objFromFixture('Group', 'group1');
     $response = $this->get('MemberTableFieldTest_Controller');
     $token = SecurityToken::inst();
     $url = sprintf('MemberTableFieldTest_Controller/FormNoGroup/field/Members/item/%d/delete/?usetestmanifest=1', $member1->ID);
     $url = $token->addToUrl($url);
     $response = $this->get($url);
     $group1->flushCache();
     $this->assertNotContains($member1->ID, $group1->Members()->column('ID'), 'Member relation to group is removed');
     DataObject::flush_and_destroy_cache();
     $this->assertFalse(DataObject::get_by_id('Member', $member1ID), 'Member record is removed from database');
 }
 function handleAction($request)
 {
     // This method can't be called without ajax.
     if (!Director::is_ajax()) {
         Director::redirectBack();
         return;
     }
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(400);
     }
     $actions = Object::get_static($this->class, 'batch_actions');
     $actionClass = $actions[$request->param('BatchAction')];
     $actionHandler = new $actionClass();
     // Sanitise ID list and query the database for apges
     $ids = split(' *, *', trim($request->requestVar('csvIDs')));
     foreach ($ids as $k => $v) {
         if (!is_numeric($v)) {
             unset($ids[$k]);
         }
     }
     if ($ids) {
         $pages = DataObject::get('SiteTree', "\"SiteTree\".\"ID\" IN (" . implode(", ", $ids) . ")");
         // If we didn't query all the pages, then find the rest on the live site
         if (!$pages || $pages->Count() < sizeof($ids)) {
             foreach ($ids as $id) {
                 $idsFromLive[$id] = true;
             }
             if ($pages) {
                 foreach ($pages as $page) {
                     unset($idsFromLive[$page->ID]);
                 }
             }
             $idsFromLive = array_keys($idsFromLive);
             // Debug::message("\"SiteTree\".\"ID\" IN (" . implode(", ", $idsFromLive) . ")");
             $livePages = Versioned::get_by_stage('SiteTree', 'Live', "\"SiteTree\".\"ID\" IN (" . implode(", ", $idsFromLive) . ")");
             if ($pages) {
                 $pages->merge($livePages);
             } else {
                 $pages = $livePages;
             }
         }
     } else {
         $pages = new DataObjectSet();
     }
     return $actionHandler->run($pages);
 }
 public function preRequest(\SS_HTTPRequest $request, \Session $session, \DataModel $model)
 {
     // Check languages to set
     $languages = array();
     foreach (SpellController::get_locales() as $locale) {
         $languages[] = i18n::get_locale_name($locale) . '=' . $locale;
     }
     // Set settings
     $editor = Config::inst()->get(__CLASS__, 'editor');
     HtmlEditorConfig::get($editor)->enablePlugins('spellchecker');
     HtmlEditorConfig::get($editor)->addButtonsToLine(2, 'spellchecker');
     $token = SecurityToken::inst();
     HtmlEditorConfig::get($editor)->setOption('spellchecker_rpc_url', $token->addToUrl('spellcheck/'));
     HtmlEditorConfig::get($editor)->setOption('browser_spellcheck', false);
     HtmlEditorConfig::get($editor)->setOption('spellchecker_languages', '+' . implode(', ', $languages));
     return true;
 }
 /**
  * Commit a page changed via the frontend editing
  *
  * @return
  */
 public function frontendCommit()
 {
     if (!SecurityToken::inst()->check($this->request->postVar('SecurityID'))) {
         return singleton('FEUtils')->ajaxResponse('Invalid security token', false);
     }
     //		Versioned::choose_site_stage();
     $urlName = isset($_POST['url']) ? $_POST['url'] : null;
     if ($urlName) {
         $obj = $this->Page($urlName);
         if ($obj->canPublish()) {
             $obj->write();
             $obj->doPublish();
         }
     }
     //		Versioned::choose_site_stage();
     $return = new stdClass();
     $return->success = 0;
     $return->message = "Data not found";
     $data = isset($_POST['data']) ? $_POST['data'] : null;
     if ($data) {
         // deserialise
         $data = json_decode($data);
         $topublish = $data->toPublish;
         foreach ($topublish as $typeInfo => $nothing) {
             list($type, $id) = explode('-', $typeInfo);
             if ($id) {
                 // set all the contents on the item
                 $obj = DataObject::get_by_id($type, $id);
                 if ($obj) {
                     if ($obj->FrontendEditAllowed() && $obj->doPublish()) {
                         $return->success = 1;
                         $return->message = _t('FrontendEditing.PUBLISH_SUCCESSFUL', "Successfully published page");
                     } else {
                         $return->message = _t('FrontendEditing.PUBLISH_NOT_ALLOWED', "You cannot publish that content.");
                     }
                 } else {
                     $return->message = sprintf(_t('FrontendEditing.PAGE_MISSING', 'Page %s could not be found'), $id);
                 }
             } else {
                 $return->message = sprintf(_t('FrontendEditing.PAGE_MISSING', 'Page %s could not be found'), $id);
             }
         }
     }
     return Convert::raw2json($return);
 }
 public function index($request)
 {
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(403);
     }
     $id = $request->getVar('ID');
     if (!$id) {
         return $this->httpError(400);
     }
     $feature = Feature::get()->byId($id);
     if (!$feature) {
         return $this->httpError(404);
     }
     if (!$feature->canView()) {
         return $this->httpError(403);
     }
     $field = $feature->getValueField()->setName($request->getVar('Name'));
     return $field->forTemplate();
 }
 /**
  * @param $data
  * @param Form $form
  * @return bool|SS_HTTPResponse
  */
 public function saveLink($data, Form $form)
 {
     $url = $data['Link'];
     // Attach a protocol if needed
     if (substr($url, 0, 7) != 'http://' && substr($url, 0, 8) != 'https://') {
         $url = 'http://' . $url;
     }
     if (!filter_var($url, FILTER_VALIDATE_URL)) {
         $form->sessionMessage('That does not appear to be a valid URL', 'bad');
         return $this->Controller()->redirectBack();
     }
     $material = PresentationSlide::create();
     $material->Link = $url;
     $material->write();
     $this->presentation->Materials()->filter(['ClassName' => 'PresentationSlide'])->removeAll();
     $this->presentation->Materials()->add($material);
     $token = SecurityToken::inst()->getValue();
     return $this->Controller()->redirect(Controller::join_links($this->Controller()->Link(), 'success', "?key={$token}&material={$material->ID}"));
 }
 function testDeleteAllCommentsOnPage()
 {
     $second = $this->objFromFixture('Page', 'second');
     $this->autoFollowRedirection = false;
     $this->logInAs('commentadmin');
     $response = $this->get($second->RelativeLink());
     $token = SecurityToken::inst();
     $url = sprintf('PageComment/deleteallcomments?pageid=%d', $second->ID);
     $url = $token->addToUrl($url);
     $response = $this->get($url);
     $response = $this->get($second->RelativeLink());
     $secondComments = DataObject::get('PageComment', '"ParentID" = ' . $second->ID);
     $this->assertNull($secondComments);
     $first = $this->objFromFixture('Page', 'first');
     $firstComments = DataObject::get('PageComment', '"ParentID" = ' . $first->ID);
     $this->assertNotNull($firstComments);
     $third = $this->objFromFixture('Page', 'third');
     $thirdComments = DataObject::get('PageComment', '"ParentID" = ' . $third->ID);
     $this->assertEquals($thirdComments->Count(), 3);
 }
    /**
     * @return Session
     */
    public function getFreshSession()
    {
        // set up CSRF token stuff
        $placeholder = Config::inst()->get('LiveFilesystemPublisher', 'security_token_placeholder');
        if ($placeholder) {
            $sessionKey = SecurityToken::inst()->getName();
            // This duplicates the SessionToken functionality exactly
            // But only requires the one class from Silverstripe
            LivePubHelper::require_session();
            LivePubHelper::add_init_code('
				function new_security_token() {
					require_once("' . BASE_PATH . '/framework/security/RandomGenerator.php");
					$generator = new RandomGenerator();
					return $_SESSION["' . $sessionKey . '"] = $generator->randomToken("sha1");
				}
				$security_token = isset($_SESSION["' . $sessionKey . '"]) ? $_SESSION["' . $sessionKey . '"] : new_security_token();
			', 'LiveSecurityToken');
            return new Session(array($sessionKey => $placeholder));
        } else {
            return new Session(null);
        }
    }
 public function flagComment(SS_HTTPRequest $request)
 {
     // Check Security ID
     if (!SecurityToken::inst()->check($request->getVar('SecurityID'))) {
         return $this->owner->httpError(400);
     }
     $comment = $this->getComment($request);
     if (!$comment) {
         return $this->owner->httpError(404);
     }
     if (!$comment->canFlag()) {
         return Security::permissionFailure($this->owner);
     }
     $flagged = $comment->doFlag();
     if ($request->isAjax()) {
         $response = $this->owner->getResponse();
         $response->addHeader('Content-Type', 'application/json');
         $response->setBody(json_encode(['flagged' => $flagged]));
         return $response;
     }
     return $this->owner->redirect($comment->Link());
 }
 /**
  * one stop shop button
  * @return Object (
  *   IsConnected,
  *   IsLoggedIn,
  *   Link,
  *   ConnectedName,
  *   ConnectedImageURL
  * )
  */
 public static function get_login_button($backURL = "", $member)
 {
     //back URL
     if (!$backURL) {
         $backURL = $_SERVER['REQUEST_URI'];
     }
     $position = strpos($backURL, "?");
     if ($position) {
         $backURL = substr($backURL, 0, $position);
     }
     $backURL = str_replace("//", "/", $backURL);
     $backURL .= "#" . strtolower(self::my_service_name()) . "_tab";
     $backURL = "?BackURL=" . urlencode($backURL);
     //security
     $token = SecurityToken::inst();
     if ($member->exists()) {
         //AJAX FUNCTIONALITY
         //Requirements::javascript(THIRDPARTY_DIR . '/jquery/jquery.js');
         //Requirements::javascript(THIRDPARTY_DIR . '/jquery-livequery/jquery.livequery.js');
         //Requirements::javascript('social_integration/javascript/'.strtolower(self::my_service_name()).".js");
         $method = "has" . self::my_service_name();
         if ($member->{$method}()) {
             $removeURL = Controller::join_links(self::my_class_name(), 'remove', $backURL);
             $removeURL = $token->addToUrl($removeURL);
             $nameField = self::my_service_name() . "Name";
             $pictureField = self::my_service_name() . "Picture";
             return new ArrayData(array("IsConnected" => true, "IsLoggedIn" => Member::currentUserID() == $member->ID ? true : false, "Link" => $removeURL, "ConnectedName" => $member->{$nameField}, "ConnectedImageURL" => $member->{$pictureField}));
         } else {
             $connectURL = Controller::join_links(self::my_class_name(), self::my_service_name() . 'Connect', $backURL);
             $connectURL = $token->addToUrl($connectURL);
             return new ArrayData(array("IsConnected" => false, "IsLoggedIn" => Member::currentUserID() == $member->ID ? true : false, "Link" => $connectURL, "ConnectedName" => "", "ConnectedImageURL" => ""));
         }
     } else {
         $connectURL = Controller::join_links(self::my_class_name(), self::my_service_name() . 'Connect', $backURL);
         $connectURL = $token->addToUrl($connectURL);
         return new ArrayData(array("IsConnected" => false, "IsLoggedIn" => false, "Link" => $connectURL, "ConnectedName" => "", "ConnectedImageURL" => ""));
     }
 }
 /**
  * Invoke a batch action
  *
  * @param SS_HTTPRequest $request
  * @return SS_HTTPResponse
  */
 public function handleBatchAction($request)
 {
     // This method can't be called without ajax.
     if (!$request->isAjax()) {
         return $this->parentController->redirectBack();
     }
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(400);
     }
     // Find the action handler
     $action = $request->param('BatchAction');
     $actionHandler = $this->actionByName($action);
     // Sanitise ID list and query the database for apges
     $csvIDs = $request->requestVar('csvIDs');
     $ids = $this->cleanIDs($csvIDs);
     // Filter ids by those which are applicable to this action
     // Enforces front end filter in LeftAndMain.BatchActions.js:refreshSelected
     $ids = $actionHandler->applicablePages($ids);
     // Query ids and pass to action to process
     $pages = $this->getPages($ids);
     return $actionHandler->run($pages);
 }
 /**
  * Tests security ID check
  */
 public function testSecurityID()
 {
     // Mock token
     $securityToken = SecurityToken::inst();
     $generator = new RandomGenerator();
     $token = $generator->randomToken('sha1');
     $session = array($securityToken->getName() => $token);
     $tokenError = _t('SpellController.SecurityMissing', 'Your session has expired. Please refresh your browser to continue.');
     // Test request sans token
     $response = $this->get('spellcheck', Injector::inst()->create('Session', $session));
     $this->assertEquals(400, $response->getStatusCode());
     $jsonBody = json_decode($response->getBody());
     $this->assertEquals($tokenError, $jsonBody->error->errstr);
     // Test request with correct token (will fail with an unrelated error)
     $response = $this->get('spellcheck/?SecurityID=' . urlencode($token), Injector::inst()->create('Session', $session));
     $jsonBody = json_decode($response->getBody());
     $this->assertNotEquals($tokenError, $jsonBody->error->errstr);
     // Test request with check disabled
     Config::inst()->update('SpellController', 'enable_security_token', false);
     $response = $this->get('spellcheck', Injector::inst()->create('Session', $session));
     $jsonBody = json_decode($response->getBody());
     $this->assertNotEquals($tokenError, $jsonBody->error->errstr);
 }
 /**
  * Create a new translation from an existing item, switch to this language and reload the tree.
  */
 function createtranslation($data, $form)
 {
     $request = $this->owner->getRequest();
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->owner->httpError(400);
     }
     $langCode = Convert::raw2sql($request->postVar('NewTransLang'));
     $record = $this->owner->getRecord($request->postVar('ID'));
     if (!$record) {
         return $this->httpError(404);
     }
     $this->owner->Locale = $langCode;
     Translatable::set_current_locale($langCode);
     // Create a new record in the database - this is different
     // to the usual "create page" pattern of storing the record
     // in-memory until a "save" is performed by the user, mainly
     // to simplify things a bit.
     // @todo Allow in-memory creation of translations that don't persist in the database before the user requests it
     $translatedRecord = $record->createTranslation($langCode);
     $url = sprintf("%s/%d/?locale=%s", singleton('CMSPageEditController')->Link('show'), $translatedRecord->ID, $langCode);
     return $this->owner->redirect($url);
 }
 public function duplicatewithchildren($request)
 {
     // Protect against CSRF on destructive action
     if (!SecurityToken::inst()->checkRequest($request)) {
         return $this->httpError(400);
     }
     if (($id = $this->urlParams['ID']) && is_numeric($id)) {
         $page = DataObject::get_by_id("SiteTree", $id);
         if ($page && (!$page->canEdit() || !$page->canCreate())) {
             return Security::permissionFailure($this);
         }
         if (!$page || !$page->ID) {
             throw new SS_HTTPResponse_Exception("Bad record ID #{$id}", 404);
         }
         $newPage = $page->duplicateWithChildren();
         // Reload form, data and actions might have changed
         $form = $this->getEditForm($newPage->ID);
         return $form->forTemplate()->RAW();
     } else {
         user_error("CMSMain::duplicate() Bad ID: '{$id}'", E_USER_WARNING);
     }
 }
Beispiel #29
0
 public function testDisableSecurityTokenAcceptsSubmissionWithoutToken()
 {
     SecurityToken::enable();
     $expectedToken = SecurityToken::inst()->getValue();
     $response = $this->get('FormTest_ControllerWithSecurityToken');
     // can't use submitForm() as it'll automatically insert SecurityID into the POST data
     $response = $this->post('FormTest_ControllerWithSecurityToken/Form', array('Email' => '*****@*****.**', 'action_doSubmit' => 1));
     $this->assertEquals(400, $response->getStatusCode(), 'Submission fails without security token');
     // Generate a new token which doesn't match the current one
     $generator = new RandomGenerator();
     $invalidToken = $generator->randomToken('sha1');
     $this->assertNotEquals($invalidToken, $expectedToken);
     // Test token with request
     $response = $this->get('FormTest_ControllerWithSecurityToken');
     $response = $this->post('FormTest_ControllerWithSecurityToken/Form', array('Email' => '*****@*****.**', 'action_doSubmit' => 1, 'SecurityID' => $invalidToken));
     $this->assertEquals(200, $response->getStatusCode(), 'Submission reloads form if security token invalid');
     $this->assertTrue(stripos($response->getBody(), 'name="SecurityID" value="' . $expectedToken . '"') !== false, 'Submission reloads with correct security token after failure');
     $this->assertTrue(stripos($response->getBody(), 'name="SecurityID" value="' . $invalidToken . '"') === false, 'Submission reloads without incorrect security token after failure');
     $matched = $this->cssParser()->getBySelector('#Form_Form_Email');
     $attrs = $matched[0]->attributes();
     $this->assertEquals('*****@*****.**', (string) $attrs['value'], 'Submitted data is preserved');
     $response = $this->get('FormTest_ControllerWithSecurityToken');
     $tokenEls = $this->cssParser()->getBySelector('#Form_Form_SecurityID');
     $this->assertEquals(1, count($tokenEls), 'Token form field added for controller without disableSecurityToken()');
     $token = (string) $tokenEls[0];
     $response = $this->submitForm('Form_Form', null, array('Email' => '*****@*****.**', 'SecurityID' => $token));
     $this->assertEquals(200, $response->getStatusCode(), 'Submission suceeds with security token');
 }
 public function index()
 {
     $this->setHeaders();
     // Check security token
     if (self::config()->enable_security_token && !SecurityToken::inst()->checkRequest($this->request)) {
         return $this->error(_t('SpellController.SecurityMissing', 'Your session has expired. Please refresh your browser to continue.'), 400);
     }
     // Check permission
     $permission = self::config()->required_permission;
     if ($permission && !Permission::check($permission)) {
         return $this->error(_t('SpellController.SecurityDenied', 'Permission Denied'), 403);
     }
     // Check data
     $data = $this->getRequestData();
     if (empty($data)) {
         return $this->error(_t('SpellController.MissingData', "Could not get raw post data"), 400);
     }
     // Check params and request type
     if (!Director::is_ajax() || empty($data['method']) || empty($data['params']) || count($data['params']) < 2) {
         return $this->error(_t('SpellController.InvalidRequest', 'Invalid request'), 400);
     }
     // Check locale
     $params = $data['params'];
     $locale = $params[0];
     if (!in_array($locale, self::get_locales())) {
         return $this->error(_t('SpellController.InvalidLocale', 'Not supported locale'), 400);
     }
     // Check provider
     $provider = $this->getProvider();
     if (empty($provider)) {
         return $this->error(_t('SpellController.MissingProviders', "No spellcheck module installed"), 500);
     }
     // Perform action
     try {
         $method = $data['method'];
         $words = $params[1];
         switch ($method) {
             case 'checkWords':
                 return $this->success($provider->checkWords($locale, $words));
             case 'getSuggestions':
                 return $this->success($provider->getSuggestions($locale, $words));
             default:
                 return $this->error(_t('SpellController.UnsupportedMethod', "Unsupported method '{method}'", array('method' => $method)), 400);
         }
     } catch (SpellException $ex) {
         return $this->error($ex->getMessage(), $ex->getCode());
     }
 }