Exemple #1
0
 /**
  * {@inheritdoc}
  */
 public function getOperations(EntityInterface $entity)
 {
     $operations = parent::getOperations($entity);
     $destination = drupal_get_destination();
     $default = $entity->isDefault();
     $id = $entity->id();
     // Get CSRF token service.
     $token_generator = \Drupal::csrfToken();
     // @TODO: permission checks.
     if ($entity->status() && !$default) {
         $operations['disable'] = array('title' => $this->t('Disable'), 'url' => Url::fromRoute('domain.inline_action', array('op' => 'disable', 'domain' => $id)), 'weight' => 50);
     } elseif (!$default) {
         $operations['enable'] = array('title' => $this->t('Enable'), 'url' => Url::fromRoute('domain.inline_action', array('op' => 'enable', 'domain' => $id)), 'weight' => 40);
     }
     if (!$default) {
         $operations['default'] = array('title' => $this->t('Make default'), 'url' => Url::fromRoute('domain.inline_action', array('op' => 'default', 'domain' => $id)), 'weight' => 30);
         $operations['delete'] = array('title' => $this->t('Delete'), 'url' => Url::fromRoute('entity.domain.delete_form', array('domain' => $id)), 'weight' => 20);
     }
     // @TODO: inject this service?
     $operations += \Drupal::moduleHandler()->invokeAll('domain_operations', array($entity));
     foreach ($operations as $key => $value) {
         if (isset($value['query']['token'])) {
             $operations[$key]['query'] += $destination;
         }
     }
     $default = \Drupal::service('domain.loader')->loadDefaultDomain();
     // Deleting the site default domain is not allowed.
     if ($id == $default->id()) {
         unset($operations['delete']);
     }
     return $operations;
 }
Exemple #2
0
 /**
  * Prepares the link pointing for approving the comment.
  *
  * @param \Drupal\Core\Entity\EntityInterface $data
  *   The comment entity.
  * @param \Drupal\views\ResultRow $values
  *   The values retrieved from a single row of a view's query result.
  *
  * @return string
  *   Returns a string for the link text.
  */
 protected function renderLink($data, ResultRow $values)
 {
     $status = $this->getValue($values, 'status');
     // Don't show an approve link on published comment.
     if ($status == CommentInterface::PUBLISHED) {
         return;
     }
     $text = !empty($this->options['text']) ? $this->options['text'] : $this->t('Approve');
     $comment = $this->get_entity($values);
     $this->options['alter']['make_link'] = TRUE;
     $this->options['alter']['url'] = Url::fromRoute('comment.approve', ['comment' => $comment->id()]);
     $this->options['alter']['query'] = $this->getDestinationArray() + array('token' => \Drupal::csrfToken()->get($this->options['alter']['url']->toString()));
     return $text;
 }
 /**
  * Checks access.
  *
  * @param \Symfony\Component\HttpFoundation\Request $request
  *   The request object.
  * @param \Drupal\Core\Session\AccountInterface $account
  *   The currently logged in account.
  *
  * @return \Drupal\Core\Access\AccessResultInterface
  *   The access result.
  */
 public function access(Request $request, AccountInterface $account)
 {
     $method = $request->getMethod();
     // This check only applies if
     // 1. this is a write operation
     // 2. the user was successfully authenticated and
     // 3. the request comes with a session cookie.
     if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE')) && $account->isAuthenticated() && $this->sessionConfiguration->hasSession($request)) {
         $csrf_token = $request->headers->get('X-CSRF-Token');
         if (!\Drupal::csrfToken()->validate($csrf_token, 'rest')) {
             return AccessResult::forbidden()->setCacheMaxAge(0);
         }
     }
     // Let other access checkers decide if the request is legit.
     return AccessResult::allowed()->setCacheMaxAge(0);
 }
 /**
  * Checks access.
  *
  * @param \Symfony\Component\HttpFoundation\Request $request
  *   The request object.
  * @param \Drupal\Core\Session\AccountInterface $account
  *   The currently logged in account.
  *
  * @return string
  *   A \Drupal\Core\Access\AccessInterface constant value.
  */
 public function access(Request $request, AccountInterface $account)
 {
     $method = $request->getMethod();
     $cookie = $request->attributes->get('_authentication_provider') == 'cookie';
     // This check only applies if
     // 1. this is a write operation
     // 2. the user was successfully authenticated and
     // 3. the request comes with a session cookie.
     if (!in_array($method, array('GET', 'HEAD', 'OPTIONS', 'TRACE')) && $account->isAuthenticated() && $cookie) {
         $csrf_token = $request->headers->get('X-CSRF-Token');
         if (!\Drupal::csrfToken()->validate($csrf_token, 'rest')) {
             return static::KILL;
         }
     }
     // Let other access checkers decide if the request is legit.
     return static::ALLOW;
 }
 /**
  * Generates a CSRF protecting session token.
  *
  * @return \Symfony\Component\HttpFoundation\Response
  *   The response object.
  */
 public function csrfToken()
 {
     return new Response(\Drupal::csrfToken()->get('rest'), 200, array('Content-Type' => 'text/plain'));
 }
Exemple #6
0
 /**
  * Disables a resource.
  *
  * @param string $resource_id
  *   The identifier or the REST resource.
  * @param \Symfony\Component\HttpFoundation\Request $request
  *   The current request.
  *
  * @return \Drupal\Core\Ajax\AjaxResponse|\Symfony\Component\HttpFoundation\RedirectResponse
  *   Redirects back to the listing page.
  *
  * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
  */
 public function disable($resource_id, Request $request)
 {
     if (!\Drupal::csrfToken()->validate($request->query->get('token'), 'restui_disable')) {
         // Throw an access denied exception if the token is invalid or missing.
         throw new AccessDeniedHttpException();
     }
     $config = \Drupal::configFactory()->getEditable('rest.settings');
     $resources = $config->get('resources') ?: array();
     $plugin = $this->resourcePluginManager->getInstance(array('id' => $resource_id));
     if (!empty($plugin)) {
         // disable the resource.
         unset($resources[$resource_id]);
         $config->set('resources', $resources);
         $config->save();
         // Rebuild routing cache.
         $this->routeBuilder->rebuild();
         drupal_set_message(t('The resource was disabled successfully.'));
     }
     // Redirect back to the page.
     return new RedirectResponse($this->urlGenerator->generate('restui.list', array(), TRUE));
 }
 /**
  * Validate a preview token.
  *
  * @param string $token
  *   A drupal generated token.
  *
  * @return bool
  *   True if the token is valid.
  *
  * @codeCoverageIgnore
  */
 public static function validatePreviewToken($token) {
   return \Drupal::csrfToken()->validate($token, self::PREVIEW_TOKEN_NAME);
 }
Exemple #8
0
 /**
  * Tests the csrfToken() method.
  *
  * @covers ::csrfToken
  */
 public function testCsrfToken()
 {
     $this->setMockContainerService('csrf_token');
     $this->assertNotNull(\Drupal::csrfToken());
 }
Exemple #9
0
/**
 * Provides an overview of the Drupal database update.
 *
 * This page provides cautionary suggestions that should happen before
 * proceeding with the update to ensure data integrity.
 *
 * @return
 *   Rendered HTML form.
 */
function update_info_page()
{
    // Change query-strings on css/js files to enforce reload for all users.
    _drupal_flush_css_js();
    // Flush the cache of all data for the update status module.
    $keyvalue = \Drupal::service('keyvalue.expirable');
    $keyvalue->get('update')->deleteAll();
    $keyvalue->get('update_available_release')->deleteAll();
    $token = \Drupal::csrfToken()->get('update');
    $output = '<p>Use this utility to update your database whenever a new release of Drupal or a module is installed.</p><p>For more detailed information, see the <a href="http://drupal.org/upgrade">upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>';
    $output .= "<ol>\n";
    $output .= "<li><strong>Back up your code</strong>. Hint: when backing up module code, do not leave that backup in the 'modules' or 'sites/*/modules' directories as this may confuse Drupal's auto-discovery mechanism.</li>\n";
    $output .= '<li>Put your site into <a href="' . base_path() . '?q=admin/config/development/maintenance">maintenance mode</a>.</li>' . "\n";
    $output .= "<li><strong>Back up your database</strong>. This process will change your database values and in case of emergency you may need to revert to a backup.</li>\n";
    $output .= "<li>Install your new files in the appropriate location, as described in the handbook.</li>\n";
    $output .= "</ol>\n";
    $output .= "<p>When you have performed the steps above, you may proceed.</p>\n";
    $form_action = check_url(drupal_current_script_url(array('op' => 'selection', 'token' => $token)));
    $output .= '<form method="post" action="' . $form_action . '"><div class="form-actions form-wrapper" id="edit-actions"><input type="submit" value="Continue" class="button button--primary form-submit" /></div></form>';
    $output .= "\n";
    $build = array('#title' => 'Drupal database update', '#markup' => $output);
    return $build;
}
Exemple #10
0
 /**
  * Processes raw profile configuration of a user.
  */
 public static function processUserConf(array $conf, AccountProxyInterface $user)
 {
     // Convert MB to bytes
     $conf['maxsize'] *= 1048576;
     $conf['quota'] *= 1048576;
     // Set root uri and url
     $conf['root_uri'] = $conf['scheme'] . '://';
     // file_create_url requires a filepath for some schemes like private://
     $conf['root_url'] = preg_replace('@/(?:%2E|\\.)$@i', '', file_create_url($conf['root_uri'] . '.'));
     // Convert to relative
     if (!\Drupal::config('imce.settings')->get('abs_urls')) {
         $conf['root_url'] = file_url_transform_relative($conf['root_url']);
     }
     $conf['token'] = $user->isAnonymous() ? 'anon' : \Drupal::csrfToken()->get('imce');
     // Process folders
     $conf['folders'] = static::processUserFolders($conf['folders'], $user);
     // Call plugin processors
     \Drupal::service('plugin.manager.imce.plugin')->processUserConf($conf, $user);
     return $conf;
 }
 /**
  * {@inheritdoc}
  */
 public function submitForm(array &$form, FormStateInterface $form_state)
 {
     // Check to see if we need to create an encryption key file.
     if ($form_state->getValue('update_cc_encrypt_dir')) {
         $key_path = $form_state->getValue('uc_credit_encryption_path');
         $key_file = $key_path . '/' . UC_CREDIT_KEYFILE_NAME;
         if (!file_exists($key_file)) {
             if (!($file = fopen($key_file, 'wb'))) {
                 drupal_set_message($this->t('Credit card encryption key file creation failed for file @file. Check your filepath settings and directory permissions.', ['@file' => $key_file]), 'error');
                 $this->logger('uc_credit')->error('Credit card encryption key file creation failed for file @file. Check your filepath settings and directory permissions.', ['@file' => $key_file]);
             } else {
                 // Replacement key generation suggested by Barry Jaspan
                 // for increased security.
                 fwrite($file, md5(\Drupal::csrfToken()->get(serialize($_REQUEST) . serialize($_SERVER) . REQUEST_TIME)));
                 fclose($file);
                 drupal_set_message($this->t('Credit card encryption key file generated. Card data will now be encrypted.'));
                 $this->logger('uc_credit')->notice('Credit card encryption key file generated. Card data will now be encrypted.');
             }
         }
     }
     // Need to use configFactory() and getEditable() here, because this form is
     // wrapped by PaymentMethodSettingsForm so $this->getEditableConfigNames()
     // never gets called
     $credit_config = \Drupal::configFactory()->getEditable('uc_credit.settings');
     $credit_config->set('validate_numbers', $form_state->getValue('uc_credit_validate_numbers'))->set('encryption_path', $form_state->getValue('uc_credit_encryption_path'))->set('cvv_enabled', $form_state->getValue('uc_credit_cvv_enabled'))->set('owner_enabled', $form_state->getValue('uc_credit_owner_enabled'))->set('start_enabled', $form_state->getValue('uc_credit_start_enabled'))->set('issue_enabled', $form_state->getValue('uc_credit_issue_enabled'))->set('bank_enabled', $form_state->getValue('uc_credit_bank_enabled'))->set('type_enabled', $form_state->getValue('uc_credit_type_enabled'))->set('policy', $form_state->getValue('uc_credit_policy'))->set('accepted_types', explode("\r\n", $form_state->getValue('uc_credit_accepted_types')))->save();
 }
 /**
  * {@inheritdoc}
  */
 public function submitForm(array &$form, FormStateInterface $form_state)
 {
     parent::submitForm($form, $form_state);
     // Check to see if we need to create an encryption key file.
     if ($form_state->getValue('update_cc_encrypt_dir')) {
         $key_path = $form_state->getValue('uc_credit_encryption_path');
         $key_file = $key_path . '/' . UC_CREDIT_KEYFILE_NAME;
         if (!file_exists($key_file)) {
             if (!($file = fopen($key_file, 'wb'))) {
                 drupal_set_message($this->t('Credit card encryption key file creation failed for file @file. Check your filepath settings and directory permissions.', ['@file' => $key_file]), 'error');
                 $this->logger('uc_credit')->error('Credit card encryption key file creation failed for file @file. Check your filepath settings and directory permissions.', ['@file' => $key_file]);
             } else {
                 // Replacement key generation suggested by Barry Jaspan
                 // for increased security.
                 fwrite($file, md5(\Drupal::csrfToken()->get(serialize($_REQUEST) . serialize($_SERVER) . REQUEST_TIME)));
                 fclose($file);
                 drupal_set_message($this->t('Credit card encryption key file generated. Card data will now be encrypted.'));
                 $this->logger('uc_credit')->notice('Credit card encryption key file generated. Card data will now be encrypted.');
             }
         }
     }
     $this->config('uc_credit.settings')->set('encryption_path', $form_state->getValue('uc_credit_encryption_path'))->set('visa', $form_state->getValue('uc_credit_visa'))->set('mastercard', $form_state->getValue('uc_credit_mastercard'))->set('discover', $form_state->getValue('uc_credit_discover'))->set('amex', $form_state->getValue('uc_credit_amex'))->save();
 }
 /**
  * Render API callback: Hides display of the upload or remove controls.
  *
  * Upload controls are hidden when a file is already uploaded. Remove controls
  * are hidden when there is no file attached. Controls are hidden here instead
  * of in \Drupal\file\Element\ManagedFile::processManagedFile(), because
  * #access for these buttons depends on the managed_file element's #value. See
  * the documentation of \Drupal\Core\Form\FormBuilderInterface::doBuildForm()
  * for more detailed information about the relationship between #process,
  * #value, and #access.
  *
  * Because #access is set here, it affects display only and does not prevent
  * JavaScript or other untrusted code from submitting the form as though
  * access were enabled. The form processing functions for these elements
  * should not assume that the buttons can't be "clicked" just because they are
  * not displayed.
  *
  * @see \Drupal\file\Element\ManagedFile::processManagedFile()
  * @see \Drupal\Core\Form\FormBuilderInterface::doBuildForm()
  *
  * Note: based on plupload_element_pre_render().
  */
 public static function preRenderPlUploadFile($element)
 {
     $settings = isset($element['#plupload_settings']) ? $element['#plupload_settings'] : array();
     // Set upload URL.
     if (empty($settings['url'])) {
         $settings['url'] = Url::fromRoute('plupload.upload', array(), array('query' => array('token' => \Drupal::csrfToken()->get('plupload-handle-uploads'))))->toString();
     }
     // The Plupload library supports client-side validation of file extension, so
     // pass along the information for it to do that. However, as with all client-
     // side validation, this is a UI enhancement only, and not a replacement for
     // server-side validation.
     if (empty($settings['filters']) && isset($element['#upload_validators']['file_validate_extensions'][0])) {
         $settings['filters'][] = array('title' => t('Allowed files'), 'extensions' => str_replace(' ', ',', $element['#upload_validators']['file_validate_extensions'][0]));
     }
     // Check for autoupload and autosubmit settings and add appropriate callback.
     if (!empty($element['#autoupload'])) {
         $settings['init']['FilesAdded'] = 'Drupal.plupload.filesAddedCallback';
         if (!empty($element['#autosubmit'])) {
             $settings['init']['UploadComplete'] = 'Drupal.plupload.uploadCompleteCallback';
         }
     }
     // Add a specific submit element that we want to click if one is specified.
     if (!empty($element['#submit_element'])) {
         $settings['submit_element'] = $element['#submit_element'];
     }
     // Check if there are event callbacks and append them to current ones, if any.
     if (!empty($element['#event_callbacks'])) {
         // array_merge() only accepts parameters of type array.
         if (!isset($settings['init'])) {
             $settings['init'] = array();
         }
         $settings['init'] = array_merge($settings['init'], $element['#event_callbacks']);
     }
     if (empty($element['#description'])) {
         $element['#description'] = '';
     }
     $element['#description'] = array('#theme' => 'file_upload_help', '#description' => $element['#description'], '#upload_validators' => $element['#upload_validators']);
     // Global settings
     $library_discovery = \Drupal::service('library.discovery');
     $library = $library_discovery->getLibraryByName('plupload', 'plupload');
     $element['#attached']['drupalSettings']['plupload'] = array('_default' => $library['settings']['plupload']['_default'], $element['#id'] => $settings);
     return $element;
 }
Exemple #14
0
 /**
  * {@inheritdoc}
  */
 function create(array $batch)
 {
     $this->connection->insert('batch')->fields(array('bid' => $batch['id'], 'timestamp' => REQUEST_TIME, 'token' => \Drupal::csrfToken()->get($batch['id']), 'batch' => serialize($batch)))->execute();
 }
 /**
  * Processes a file download.
  *
  * @param $file_user
  * @param $ip
  */
 protected function logDownload($file_user, $ip)
 {
     // Add the address if it doesn't exist.
     $addresses = $file_user->addresses;
     if (!in_array($ip, $addresses)) {
         $addresses[] = $ip;
     }
     $file_user->addresses = $addresses;
     // Accessed again.
     $file_user->accessed++;
     // Calculate hash
     $file_user->file_key = \Drupal::csrfToken()->get(serialize($file_user));
     $key = NULL;
     if (isset($file_user['fuid'])) {
         $key = $file_user['fuid'];
     }
     // Insert or update (if $key is already in table) uc_file_users table.
     db_merge('uc_file_users')->key(['fuid' => $key])->fields($file_user)->execute();
 }
 /**
  * Prepares the link pointing for approving the comment.
  *
  * @param \Drupal\Core\Entity\EntityInterface $data
  *   The comment entity.
  * @param \Drupal\views\ResultRow $values
  *   The values retrieved from a single row of a view's query result.
  *
  * @return string
  *   Returns a string for the link text.
  */
 protected function renderLink($data, ResultRow $values)
 {
     $status = $this->getValue($values, 'status');
     // Don't show an approve link on published comment.
     if ($status == CommentInterface::PUBLISHED) {
         return;
     }
     $text = !empty($this->options['text']) ? $this->options['text'] : $this->t('Approve');
     $comment = $this->get_entity($values);
     $this->options['alter']['make_link'] = TRUE;
     $this->options['alter']['path'] = "comment/" . $comment->id() . "/approve";
     $this->options['alter']['query'] = drupal_get_destination() + array('token' => \Drupal::csrfToken()->get($this->options['alter']['path']));
     return $text;
 }