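/**
 * Boot the admin router from the current Grav admin route.
 *
 * Splits the admin route into segments (theme first, then resource and remaining path),
 * records the request method, format and parameters on this instance, and registers the
 * base URL, AJAX suffix and nonce-protected route templates in the container.
 *
 * @return void
 */
public function boot()
{
    $grav = Grav::instance();
    /** @var \Grav\Plugin\Admin $admin */
    $admin = $grav['admin'];
    /** @var Uri $uri */
    $uri = $grav['uri'];

    // Drop empty segments produced by leading/trailing or doubled slashes.
    $parts = array_filter(explode('/', $admin->route), function ($segment) {
        return $segment !== '';
    });

    // Set theme.
    $theme = array_shift($parts);
    $this->setTheme($theme);

    /** @var Request $request */
    $request = $this->container['request'];

    // Figure out the action we want to make.
    $this->method = $request->getMethod();
    $this->path = $parts;
    if (!$theme) {
        // No theme in the route: the first remaining segment is the resource, defaulting to the theme list.
        $this->resource = array_shift($this->path) ?: 'themes';
    } else {
        if (!$this->path) {
            $this->path = ['configurations', 'styles'];
        }
        $this->resource = array_shift($this->path);
    }

    $this->format = $uri->extension('html');
    // extension() is expected to yield a string here; strict comparison avoids loose-equality surprises.
    $ajax = $this->format === 'json';

    $this->params = [
        'ajax' => $ajax,
        'location' => $this->resource,
        'method' => $this->method,
        'format' => $this->format,
        'params' => $request->post->getJsonArray('params'),
    ];

    $this->container['base_url'] = $grav['gantry5_plugin']->base;
    $this->container['ajax_suffix'] = '.json';

    // Every generated admin route carries the gantry-admin nonce so the links it produces
    // are CSRF-protected; 'routes' is assigned exactly once, with the nonce included.
    $nonce = Utils::getNonce('gantry-admin');
    $this->container['routes'] = [
        '1' => '/%s?nonce=' . $nonce,
        'themes' => '',
        'picker/layouts' => '/layouts?nonce=' . $nonce,
    ];
}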
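/**
 * Used to add a nonce to a form. Call {{ nonce_field('action') }} specifying a string representing the action.
 *
 * For maximum protection, ensure that the string representing the action is as specific as possible.
 *
 * @todo evaluate if adding referrer or not
 *
 * @param string $action         the action
 * @param string $nonceParamName a custom nonce param name
 *
 * @return string the nonce input field
 */
public function nonceFieldFunc($action, $nonceParamName = 'nonce')
{
    // Both values are placed inside double-quoted HTML attributes; escape them so a parameter
    // name or token containing quotes or angle brackets cannot break out of the attribute.
    $name = htmlspecialchars((string) $nonceParamName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $nonce = htmlspecialchars((string) Utils::getNonce($action), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . $nonce . '" />';
}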
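/**
 * Handle the email password recovery procedure.
 *
 * Looks up the user named in the POST data, stores a fresh reset token (valid for one week)
 * on the account and emails a reset link to the user's address. Every outcome is reported
 * through the messages service and followed by a redirect.
 *
 * @return bool True if the action was performed.
 */
protected function taskForgot()
{
    $param_sep = $this->grav['config']->get('system.param_sep', ':');
    $data = $this->post;

    $username = isset($data['username']) ? $data['username'] : '';
    $user = !empty($username) ? User::load($username) : null;

    /** @var Language $language */
    $language = $this->grav['language'];
    $messages = $this->grav['messages'];

    if (!isset($this->grav['Email'])) {
        $messages->add($language->translate('PLUGIN_ADMIN.FORGOT_EMAIL_NOT_CONFIGURED'), 'error');
        $this->setRedirect('/');
        return true;
    }

    // NOTE(review): the two errors below reveal whether a username exists and whether it has an
    // email address; a single generic "instructions sent if the account exists" message would
    // avoid that disclosure. Kept as-is because the translation keys are part of the UI contract.
    if (!$user || !$user->exists()) {
        $messages->add($language->translate(['PLUGIN_ADMIN.FORGOT_USERNAME_DOES_NOT_EXIST', $username]), 'error');
        $this->setRedirect('/forgot');
        return true;
    }

    if (empty($user->email)) {
        $messages->add($language->translate(['PLUGIN_ADMIN.FORGOT_CANNOT_RESET_EMAIL_NO_EMAIL', $username]), 'error');
        $this->setRedirect('/forgot');
        return true;
    }

    // The token authorizes a password reset, so it must come from the CSPRNG; md5(uniqid(mt_rand()))
    // is not unpredictable. 16 random bytes give the same 32-hex-char length as the old md5 token.
    $token = bin2hex(random_bytes(16));
    $expire = time() + 604800; // next week

    $user->reset = $token . '::' . $expire;
    $user->save();

    $author = $this->grav['config']->get('site.author.name', '');
    $fullname = $user->fullname ?: $username;

    $reset_link = $this->grav['base_url_absolute']
        . $this->grav['config']->get('plugins.login.route_reset')
        . '/task:login.reset/token' . $param_sep . $token
        . '/user' . $param_sep . $username
        . '/nonce' . $param_sep . Utils::getNonce('reset-form');

    $sitename = $this->grav['config']->get('site.title', 'Website');
    $from = $this->grav['config']->get('plugins.email.from');

    if (empty($from)) {
        $messages->add($language->translate('PLUGIN_ADMIN.FORGOT_EMAIL_NOT_CONFIGURED'), 'error');
        $this->setRedirect('/forgot');
        return true;
    }

    $to = $user->email;

    $subject = $language->translate(['PLUGIN_ADMIN.FORGOT_EMAIL_SUBJECT', $sitename]);
    $content = $language->translate(['PLUGIN_ADMIN.FORGOT_EMAIL_BODY', $fullname, $reset_link, $author, $sitename]);

    $sent = LoginUtils::sendEmail($subject, $content, $to);

    if ($sent < 1) {
        $messages->add($language->translate('PLUGIN_ADMIN.FORGOT_FAILED_TO_EMAIL'), 'error');
    } else {
        $messages->add($language->translate(['PLUGIN_ADMIN.FORGOT_INSTRUCTIONS_SENT_VIA_EMAIL', $to]), 'info');
    }

    $this->setRedirect('/');

    return true;
}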
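/**
 * Handle the email to activate the user account.
 *
 * Stores a fresh activation token (valid for one week) on the user and emails an activation
 * link to the user's address.
 *
 * @param object $user The user account to activate; must expose email, username and activation_token
 *                     properties and a save() method.
 *
 * @return bool True if the action was performed.
 *
 * @throws \RuntimeException If the user has no email address or the email could not be sent.
 */
protected function sendActivationEmail($user)
{
    if (empty($user->email)) {
        throw new \RuntimeException($this->grav['language']->translate('PLUGIN_LOGIN.USER_NEEDS_EMAIL_FIELD'));
    }

    // The token authorizes account activation, so it must come from the CSPRNG; md5(uniqid(mt_rand()))
    // is not unpredictable. 16 random bytes give the same 32-hex-char length as the old md5 token.
    $token = bin2hex(random_bytes(16));
    $expire = time() + 604800; // next week

    $user->activation_token = $token . '::' . $expire;
    $user->save();

    $param_sep = $this->grav['config']->get('system.param_sep', ':');
    $activation_link = $this->grav['base_url_absolute']
        . $this->config->get('plugins.login.route_activate')
        . '/token' . $param_sep . $token
        . '/username' . $param_sep . $user->username
        . '/nonce' . $param_sep . Utils::getNonce('user-activation');

    $sitename = $this->grav['config']->get('site.title', 'Website');

    $subject = $this->grav['language']->translate(['PLUGIN_LOGIN.ACTIVATION_EMAIL_SUBJECT', $sitename]);
    $content = $this->grav['language']->translate(['PLUGIN_LOGIN.ACTIVATION_EMAIL_BODY', $user->username, $activation_link, $sitename]);
    $to = $user->email;

    $sent = LoginUtils::sendEmail($subject, $content, $to);

    if ($sent < 1) {
        throw new \RuntimeException($this->grav['language']->translate('PLUGIN_LOGIN.EMAIL_SENDING_FAILURE'));
    }

    return true;
}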
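/**
 * Handle the backup action.
 *
 * When a 'download' URI parameter is present, serves the referenced backup file; otherwise
 * creates a new backup, records it in the backup log and returns a JSON response containing
 * a nonce-protected download link.
 *
 * @return bool True if the action was performed, false if the caller is not authorized.
 */
protected function taskBackup()
{
    if (!$this->authorizeTask('backup', ['admin.maintenance', 'admin.super'])) {
        // Documented return type is bool; an explicit false keeps callers from seeing null.
        return false;
    }

    $param_sep = $this->grav['config']->get('system.param_sep', ':');

    $download = $this->grav['uri']->param('download');
    if ($download) {
        // NOTE(review): the decoded value is a filesystem path taken from the request and handed
        // straight to Utils::download; confirm that Utils::download constrains it to the backup
        // directory, and that it terminates the request (otherwise a new backup is created below).
        Utils::download(base64_decode(urldecode($download)), true);
    }

    $log = JsonFile::instance($this->grav['locator']->findResource("log://backup.log", true, true));

    try {
        $backup = ZipBackup::backup();
    } catch (\Exception $e) {
        $this->admin->json_response = [
            'status' => 'error',
            'message' => $this->admin->translate('PLUGIN_ADMIN.AN_ERROR_OCCURRED') . '. ' . $e->getMessage(),
        ];

        return true;
    }

    // The backup path travels inside the URL, hence base64 + urlencode; the admin-form nonce
    // ties the download link to the current session.
    $download = urlencode(base64_encode($backup));
    $url = rtrim($this->grav['uri']->rootUrl(true), '/') . '/' . trim($this->admin->base, '/')
        . '/task' . $param_sep . 'backup/download' . $param_sep . $download
        . '/admin-nonce' . $param_sep . Utils::getNonce('admin-form');

    $log->content(['time' => time(), 'location' => $backup]);
    $log->save();

    $this->admin->json_response = [
        'status' => 'success',
        'message' => $this->admin->translate('PLUGIN_ADMIN.YOUR_BACKUP_IS_READY_FOR_DOWNLOAD') . '. <a href="' . $url . '" class="button">'
            . $this->admin->translate('PLUGIN_ADMIN.DOWNLOAD_BACKUP') . '</a>',
        'toastr' => ['timeOut' => 0, 'closeButton' => true],
    ];

    return true;
}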
/**
 * Static helper method to return the admin form nonce.
 *
 * The nonce is always bound to the 'admin-form' action.
 *
 * @return string
 */
public static function getNonce()
{
    return Utils::getNonce('admin-form');
}
/**
 * Uri::addNonce() must keep the original URL as a prefix, append the nonce as a route
 * parameter, and produce a value that round-trips through Uri::param('nonce').
 */
public function testAddNonce()
{
    $action = 'test-action';
    $baseUrl = 'http://localhost/foo';

    $this->assertStringStartsWith($baseUrl, Uri::addNonce($baseUrl, $action));
    $this->assertStringStartsWith($baseUrl . '/nonce:', Uri::addNonce($baseUrl, $action));

    $this->uri->initializeWithURL(Uri::addNonce($baseUrl, $action))->init();
    $nonceParam = $this->uri->param('nonce');

    $this->assertTrue(is_string($nonceParam));
    $this->assertSame(Utils::getNonce($action), $nonceParam);
}
/**
 * Adds the nonce to a URL for a specific action.
 *
 * The nonce is appended as a Grav route parameter, i.e. '/<name><param_sep><nonce>' where
 * param_sep comes from the 'system.param_sep' config value (':' by default).
 *
 * @param string $url            the url
 * @param string $action         the action
 * @param string $nonceParamName the param name to use
 *
 * @return string the url with the nonce
 */
public static function addNonce($url, $action, $nonceParamName = 'nonce')
{
    $separator = Grav::instance()['config']->get('system.param_sep', ':');
    $nonceSegment = $nonceParamName . $separator . Utils::getNonce($action);

    return $url . '/' . $nonceSegment;
}
/**
 * Return the nonce used by the form plugin.
 *
 * The nonce is always bound to the 'form-plugin' action.
 *
 * @return string
 */
public static function getNonce()
{
    return Utils::getNonce('form-plugin');
}
/**
 * A nonce generated for an action must verify against that same action.
 */
public function testVerifyNonce()
{
    $action = 'test-action';
    $nonce = Utils::getNonce($action);

    $this->assertTrue(Utils::verifyNonce($nonce, $action));
}