ファイル: html.php プロジェクト: diversen/simple-php-classes
 /**
  * Add a hidden csrf_token field to a form.
  *
  * The token comes from Riimu\Kit\CSRF\CSRFHandler and is escaped for an
  * HTML attribute context before being handed to the field helpers. When
  * that library is not installed the method is a no-op and returns null,
  * so the form is rendered without any token field — callers must not
  * assume the field is present just because this method was called.
  *
  * @param bool $ret true to return the field markup, false to output it
  * @return string|null the markup from hiddenClean() when $ret is true, otherwise null
  */
 public static function csrfHidden($ret = false)
 {
     if (!class_exists('\\Riimu\\Kit\\CSRF\\CSRFHandler')) {
         return;
     }
     $handler = new \Riimu\Kit\CSRF\CSRFHandler(false);
     // Escape once here; both helpers receive the already-escaped value.
     $escapedToken = htmlspecialchars($handler->getToken(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
     if ($ret) {
         return self::hiddenClean('csrf_token', $escapedToken);
     }
     self::hidden('csrf_token', $escapedToken);
 }
ファイル: form.php プロジェクト: basuritas-php/Kit-CSRF
<?php

require __DIR__ . '/../vendor/autoload.php';
// Validate the CSRF token before any output is produced: the 400 header
// below can only be sent while the response headers are still open.
$csrf = new \Riimu\Kit\CSRF\CSRFHandler();
try {
    // With the true argument validateRequest() appears to report a bad token
    // by throwing InvalidCSRFTokenException (caught below) instead of
    // terminating the script itself — confirm against the library's docs.
    $csrf->validateRequest(true);
} catch (\Riimu\Kit\CSRF\InvalidCSRFTokenException $ex) {
    header('HTTP/1.0 400 Bad Request');
    exit('Bad CSRF Token!');
}
// Token for the hidden form field rendered further down; it is escaped with
// htmlspecialchars() at the point of output, not here.
$token = $csrf->getToken();
?>
<!DOCTYPE html>
<html>
 <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Simple Form</title>
 </head>
 <body>
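<?php
// Greet the submitter. Only a non-empty string is accepted: a request such
// as my_name[]=x arrives as an array, which htmlspecialchars() rejects with
// a TypeError on PHP 8 (a warning on older versions).
if (!empty($_POST['my_name']) && is_string($_POST['my_name'])) {
    // Escape for the HTML body context before echoing user input back.
    printf("  <p>Hello <strong>%s</strong>!</p>" . PHP_EOL, htmlspecialchars($_POST['my_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
?>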
  <h3>Form with a CSRF token:</h3>
  <form method="post"><div>
    <input type="hidden" name="csrf_token" value="<?php 
echo htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
" />
   What is your name?
ファイル: system.php プロジェクト: uzerpllp/uzerp
 /**
  * Front-controller entry point: bootstraps the system, resolves the current
  * user and company, runs the CSRF check, dispatches the requested controller
  * action and renders the page.
  *
  * Statement order matters: essentials and session are loaded before the CSRF
  * check, the CSRF check runs before the action is dispatched, and the
  * AUDIT/DEBUG/THEME constants are defined once per request before the view is
  * rendered. Everything is driven by globals ($_SESSION, $_GET, $_POST,
  * $_SERVER) and helper functions defined elsewhere in the project.
  *
  * @return void
  */
 public function display()
 {
     // Only referenced by the commented-out timing echo at the end.
     $start = gettimeofday(TRUE);
     // ATTN: check system always returns true?
     if (!$this->check_system()) {
         // System check failed: no login required, route to the system_admin
         // module / SystemsController unless MODULE and CONTROLLER are already fixed.
         $this->login_required = FALSE;
         // if (!defined('SETUP'))
         // {
         // define('SETUP', TRUE);
         // }
         if (!defined('MODULE')) {
             define('MODULE', 'system_admin');
         }
         if (!defined('CONTROLLER')) {
             define('CONTROLLER', 'SystemsController');
         }
     }
     $this->load_essential();
     // NOTE(review): the whole session (username, the saved form data stored
     // further down, ...) is written to the debug log — make sure debug output
     // never reaches end users.
     debug('system::display session data:' . print_r($_SESSION, TRUE));
     $this->user = FALSE;
     if (isLoggedIn()) {
         // Sets the global constants EGS_USERNAME and EGS_COMPANY_ID
         setupLoggedInUser();
         $this->user = getCurrentUser();
         $this->access = AccessObject::Instance($_SESSION['username']);
     } else {
         // Anonymous request: company -1 and an access object without a user.
         // NOTE(review): EGS_USERNAME is still taken from the session here even
         // though nobody is logged in — confirm it is always initialised upstream.
         define('EGS_COMPANY_ID', -1);
         define('EGS_USERNAME', $_SESSION['username']);
         $this->access = AccessObject::Instance();
     }
     $this->setView();
     $this->view->set("accessTree", $this->access->tree);
     $this->view->set('access', $this->access);
     $this->setController();
     $this->setTemplates();
     $this->setAction();
     // The handler instance is only used to obtain a token for the templates;
     // validation of the incoming token is delegated to $this->csrfValid() below.
     $csrf = new \Riimu\Kit\CSRF\CSRFHandler();
     // check that the csrf token is valid; on failure bounce the user back
     // instead of dispatching the action
     if (!$this->csrfValid()) {
         sendBack();
     }
     $csrf_token = $csrf->getToken();
     // make csrf token available to smarty templates
     $this->view->set('csrf_token', $csrf_token);
     if (isLoggedIn()) {
         $this->checkPermission();
     }
     // output standard arrays to smarty
     $this->view->set("module_css", $this->get_css());
     $this->view->set("module_js", $this->get_js());
     $this->view->set('current_user', $this->user);
     $action = $this->action;
     $controller = $this->controller;
     $theme = '';
     // Load the company record for the current session. 'null' is compared as
     // a string, presumably because the id can be stored that way upstream.
     if (defined('EGS_COMPANY_ID') && EGS_COMPANY_ID !== 'null' && EGS_COMPANY_ID > 0) {
         $sc = DataObjectFactory::Factory('Systemcompany');
         $sc->load(EGS_COMPANY_ID);
         if ($sc->isLoaded()) {
             define('SYSTEM_COMPANY', $sc->company);
             define('COMPANY_ID', $sc->company_id);
             $theme = $sc->theme;
             // Company-level switches; 't' is the stored value for "enabled".
             $this->available = $sc->access_enabled == 'NONE' ? FALSE : TRUE;
             $this->audit = $sc->audit_enabled == 't' ? TRUE : FALSE;
             $this->debug = $sc->debug_enabled == 't' ? TRUE : FALSE;
             $this->view->set('info_message', $sc->info_message);
             $this->view->set('systemcompany', $sc);
         }
     }
     $policy = DataObjectFactory::Factory('SystemObjectPolicy');
     if ($policy->getCount() > 0) {
         define('SYSTEM_POLICIES_ENABLED', TRUE);
     } else {
         define('SYSTEM_POLICIES_ENABLED', FALSE);
     }
     if (!defined('SYSTEM_COMPANY')) {
         define('SYSTEM_COMPANY', '');
     }
     if (!defined('COMPANY_ID')) {
         define('COMPANY_ID', '');
     }
     // Set auditing/debugging for logged in user
     if ($this->user) {
         // Company settings win: the user's own flags only apply when the
         // company has not already enabled auditing/debugging.
         $this->audit = $this->audit ? $this->audit : ($this->user->audit_enabled == 't' ? TRUE : FALSE);
         $this->debug = $this->debug ? $this->debug : ($this->user->debug_enabled == 't' ? TRUE : FALSE);
         // Nested ternary in the middle operand: if the company allows access,
         // the user's own access_enabled flag decides; otherwise it stays unavailable.
         $this->available = $this->available ? $this->user->access_enabled == 't' ? TRUE : FALSE : $this->available;
     }
     // Access disabled for this user/company: clear the login flags, record an
     // error for the next page and redirect. Within this method only the flags
     // are cleared; the session is neither destroyed nor regenerated here.
     if (!$this->available && isLoggedIn()) {
         $_SESSION['loggedin'] = FALSE;
         $_SESSION['username'] = null;
         $flash = Flash::Instance();
         $flash->addError('The system is unavailable at present');
         $flash->save();
         sendto('');
     }
     define('AUDIT', $this->audit);
     define('DEBUG', $this->debug);
     $db = DB::Instance();
     $db->debug(DEBUG);
     if (defined('LOGIN_PAGE_THEME') && $this->modules['module'] == 'login') {
         $theme = LOGIN_PAGE_THEME;
     }
     if (!empty($theme)) {
         define('THEME', $theme);
     } else {
         define('THEME', 'default');
     }
     $this->view->set('theme', THEME);
     if (!defined('EGS_CURRENCY')) {
         define('EGS_CURRENCY', 'GBP');
     }
     if (class_exists('Currency')) {
         $currency = DataObjectFactory::Factory('Currency');
         $currency->loadBy('currency', EGS_CURRENCY);
         // NOTE(review): if Factory() returns an object this test is always
         // true and a failed loadBy() goes unnoticed — presumably isLoaded()
         // was intended; confirm. utf8_decode() is deprecated as of PHP 8.2.
         if ($currency) {
             define('EGS_CURRENCY_SYMBOL', utf8_decode($currency->symbol));
         }
     }
     if (!defined('EGS_CURRENCY_SYMBOL')) {
         define('EGS_CURRENCY_SYMBOL', utf8_decode('£'));
     }
     /*
      * ---- BEGIN CACHE CHECK ----
      */
     // Defensive: the logged-in path relies on setupLoggedInUser() to define this.
     if (!defined('EGS_COMPANY_ID')) {
         define('EGS_COMPANY_ID', '');
     }
     if (DEBUG) {
         $this->writeDebug();
     }
     // Per-URL, per-company, per-user key for the view cache. It is only a
     // cache identifier, not a secret, so md5 is adequate here.
     $cache_key = md5($_SERVER['REQUEST_URI'] . EGS_COMPANY_ID . EGS_USERNAME);
     // The TRUE || short-circuit disables the cache check entirely: the action
     // is always dispatched and the undefined $smarty is never evaluated.
     if (TRUE || !$smarty->isCached('index.tpl', $cache_key)) {
         $flash = Flash::Instance();
         $config = Config::Instance();
         // output all the variables to smarty
         // this replaces $smarty.const.setting_name
         $this->view->assign('config', $config->get_all());
         setRefererPage();
         debug('system::display Calling function ' . get_class($controller) . '::' . $action);
         // echo 'system::display (1),'.microtime(TRUE).'<br>';
         // Dispatch: $action is a method name produced by setAction(). This is a
         // dynamic call, so checkRequest() is relied on to reject actions the
         // controller does not expose — verify that is what it does.
         $controller->checkRequest($this->request, $action)->{$action}();
         // echo 'system::display (2),'.microtime(TRUE).'<br>';
         $flash->save();
         // Save any flash messages for audit purposes
         $this->flash['errors'] = $flash->getMessages('errors');
         $this->flash['warnings'] = $flash->getMessages('warnings');
         $this->flash['messages'] = $flash->getMessages('messages');
         if (isLoggedIn()) {
             $this->access->save();
         }
         // assign stuff to smarty
         $controller->assignModels();
         // this code fires $controller->index() if (perhaps) getPrintActions doesn't exist,
         // thus overwriting the sidebar. Only fire if subclass of printController
         if (is_subclass_of($controller, 'printController') && $action != 'printDialog') {
             $this->view->assign('printaction', $controller->getPrintActions());
         }
         $controllername = str_replace('Controller', '', get_class($controller));
         $this->pid = $this->access->getPermission($this->modules, $controllername, $action);
         // Build the 'self' link parameters: pid, modules and every query-string
         // parameter except paging/sorting. Values are copied from $_GET
         // unescaped, so the templates must escape them when rendering.
         $self = array();
         if (!empty($this->pid)) {
             $self['pid'] = $this->pid;
         }
         $self['modules'] = $this->modules;
         // $self['controller']=$controllername;
         // $self['action']=$action;
         $qstring = $_GET;
         foreach ($qstring as $qname => $qvalue) {
             // Non-strict in_array: on PHP < 8 an integer query key (e.g. ?0=x)
             // compares equal to these strings and is dropped as well.
             if (!in_array($qname, array('orderby', 'page'))) {
                 $self[$qname] = $qvalue;
             }
         }
         $this->view->assign('self', $self);
         if (isset($this->user)) {
             $this->view->assign('current_user', $this->user);
         }
         // Session timed out on input form so save the form data while the user logs back in
         // See system::setController for where the form data is read after logging back in
         // (the whole POST body, including any sensitive fields, is kept in the session)
         if ($this->modules['module'] == 'login' && !empty($_POST)) {
             $_SESSION['data'] = $_POST;
         }
         // AJAX/JSON responses: emit the controller's raw 'echo' payload and stop.
         // Nothing is escaped or encoded here; the controller is responsible for that.
         $echo = $controller->view->get('echo');
         if (($this->ajax || $this->json) && $echo !== FALSE) {
             echo $controller->view->get('echo');
             exit;
         } elseif ($this->modules['module'] == 'login') {
             // On the login module remember where to send the user afterwards:
             // the module's Index::index, keyed by the current query string.
             $current = getParamsArray($_SERVER['QUERY_STRING']);
             $referer['modules'] = $current['modules'];
             $referer['controller'] = 'Index';
             $referer['action'] = 'index';
             unset($referer['other']);
             $_SESSION['referer'][setParamsString($current)] = setParamsString($referer);
         } elseif (!isset($_GET['ajax'])) {
             $referer = '';
             if (!empty($_POST)) {
                 // This is a save form so set the referer to be the referer's referer!
                 $referer = isset($_SESSION['refererPage']) ? $_SESSION['refererPage'] : '';
             }
             setReferer($referer);
             // Snapshot the current request plus its flash messages for the
             // submit-token handling that reads $_SESSION['submit_token'] elsewhere.
             $current = getParamsArray($_SERVER['QUERY_STRING']);
             $flash = Flash::Instance();
             $current += array('messages' => $flash->getMessages('messages'), 'warnings' => $flash->getMessages('warnings'), 'errors' => $flash->getMessages('errors'));
             $_SESSION['submit_token']['current'] = $current;
         }
     }
     showtime('pre-display');
     // echo 'System::display end '.(gettimeofday(TRUE)-$start).'<br>';
     // echo 'system::display (3),'.microtime(TRUE).'<br>';
     $this->view->display('index_page.tpl', $cache_key);
     // echo 'system::display (4),'.microtime(TRUE).'<br>';
     showtime('post-display');
 }