protected function checkSecurityToken()
{
/** @var Request $request */
$request = $this->container['request'];
$nonce = $request->get->get('nonce');
return isset($nonce) && Utils::verifyNonce($nonce, 'gantry-admin');
}
/**
* Initialize login controller
*/
public function loginController()
{
/** @var Uri $uri */
$uri = $this->grav['uri'];
$task = !empty($_POST['task']) ? $_POST['task'] : $uri->param('task');
$task = substr($task, strlen('login.'));
$post = !empty($_POST) ? $_POST : [];
if (method_exists('Grav\\Common\\Utils', 'getNonce')) {
if ($task == 'login') {
if (!isset($post['login-form-nonce']) || !Utils::verifyNonce($post['login-form-nonce'], 'login-form')) {
$this->grav['messages']->add($this->grav['language']->translate('PLUGIN_LOGIN.ACCESS_DENIED'), 'info');
$this->authenticated = false;
$twig = $this->grav['twig'];
$twig->twig_vars['notAuthorized'] = true;
return;
}
} else {
if ($task == 'logout') {
$nonce = $this->grav['uri']->param('logout-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
return;
}
} else {
if ($task == 'forgot') {
if (!isset($post['forgot-form-nonce']) || !Utils::verifyNonce($post['forgot-form-nonce'], 'forgot-form')) {
$this->grav['messages']->add($this->grav['language']->translate('PLUGIN_LOGIN.ACCESS_DENIED'), 'info');
return;
}
} else {
if ($task == 'reset') {
if (!isset($post['reset-form-nonce']) || !Utils::verifyNonce($post['reset-form-nonce'], 'reset-form')) {
//$this->grav['messages']->add($this->grav['language']->translate('PLUGIN_LOGIN.ACCESS_DENIED'), 'info');
//return;
}
}
}
}
}
}
$controller = new Login\LoginController($this->grav, $task, $post);
$controller->execute();
$controller->redirect();
}
/**
* Performs a task.
*
* @return bool True if the action was performed successfully.
*/
public function execute()
{
if (method_exists('Grav\\Common\\Utils', 'getNonce')) {
if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
if (!isset($this->post['admin-nonce']) || !Utils::verifyNonce($this->post['admin-nonce'], 'admin-form')) {
$this->admin->setMessage('Unauthorized', 'error');
return false;
}
unset($this->post['admin-nonce']);
} else {
if ($this->task == 'logout') {
$nonce = $this->grav['uri']->param('logout-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
$this->admin->setMessage('Unauthorized', 'error');
return false;
}
} else {
$nonce = $this->grav['uri']->param('admin-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'admin-form')) {
$this->admin->setMessage('Unauthorized', 'error');
return false;
}
}
}
}
$success = false;
$method = 'task' . ucfirst($this->task);
if (method_exists($this, $method)) {
try {
$success = call_user_func(array($this, $method));
} catch (\RuntimeException $e) {
$success = true;
$this->admin->setMessage($e->getMessage(), 'error');
}
// Grab redirect parameter.
$redirect = isset($this->post['_redirect']) ? $this->post['_redirect'] : null;
unset($this->post['_redirect']);
// Redirect if requested.
if ($redirect) {
$this->setRedirect($redirect);
}
}
return $success;
}
/**
* Handle form processing on POST action.
*/
public function post()
{
if (isset($_POST)) {
$values = (array) $_POST;
if (method_exists('Grav\\Common\\Utils', 'getNonce')) {
if (!isset($values['form-nonce']) || !Utils::verifyNonce($values['form-nonce'], 'form')) {
$event = new Event(['form' => $this, 'message' => self::getGrav()['language']->translate('PLUGIN_FORM.NONCE_NOT_VALIDATED')]);
self::getGrav()->fireEvent('onFormValidationError', $event);
return;
}
}
unset($values['form-nonce']);
foreach ($this->items['fields'] as $field) {
if ($field['type'] == 'checkbox') {
$name = $field['name'];
$values[$name] = isset($values[$name]) ? true : false;
}
}
// Add post values to form dataset
$this->values->merge($values);
}
// Validate and filter data
try {
$this->values->validate();
$this->values->filter();
self::getGrav()->fireEvent('onFormValidationProcessed', new Event(['form' => $this]));
} catch (\RuntimeException $e) {
$event = new Event(['form' => $this, 'message' => $e->getMessage()]);
self::getGrav()->fireEvent('onFormValidationError', $event);
if ($event->isPropagationStopped()) {
return;
}
}
$process = isset($this->items['process']) ? $this->items['process'] : array();
if (is_array($process)) {
foreach ($process as $action => $data) {
if (is_numeric($action)) {
$action = \key($data);
$data = $data[$action];
}
self::getGrav()->fireEvent('onFormProcessed', new Event(['form' => $this, 'action' => $action, 'params' => $data]));
}
} else {
// Default action.
}
}
/**
* Handle form processing on POST action.
*/
public function post()
{
$grav = Grav::instance();
$uri = $grav['uri']->url;
$session = $grav['session'];
if (isset($_POST)) {
$this->values = new Data(isset($_POST) ? (array) $_POST : []);
$data = $this->values->get('data');
// Add post data to form dataset
if (!$data) {
$data = $this->values->toArray();
}
if (method_exists('Grav\\Common\\Utils', 'getNonce')) {
if (!$this->values->get('form-nonce') || !Utils::verifyNonce($this->values->get('form-nonce'), 'form')) {
$event = new Event(['form' => $this, 'message' => $grav['language']->translate('PLUGIN_FORM.NONCE_NOT_VALIDATED')]);
$grav->fireEvent('onFormValidationError', $event);
return;
}
}
$i = 0;
foreach ($this->items['fields'] as $key => $field) {
$name = isset($field['name']) ? $field['name'] : $key;
if (!isset($field['name'])) {
if (isset($data[$i])) {
//Handle input@ false fields
$data[$name] = $data[$i];
unset($data[$i]);
}
}
if ($field['type'] == 'checkbox') {
$data[$name] = isset($data[$name]) ? true : false;
}
$i++;
}
$this->data->merge($data);
}
// Validate and filter data
try {
$this->data->validate();
$this->data->filter();
$grav->fireEvent('onFormValidationProcessed', new Event(['form' => $this]));
} catch (\RuntimeException $e) {
$event = new Event(['form' => $this, 'message' => $e->getMessage(), 'messages' => $e->getMessages()]);
$grav->fireEvent('onFormValidationError', $event);
if ($event->isPropagationStopped()) {
return;
}
}
// Process previously uploaded files for the current URI
// and finally store them. Everything else will get discarded
$queue = $session->getFlashObject('files-upload');
$queue = $queue[base64_encode($uri)];
if (is_array($queue)) {
foreach ($queue as $key => $files) {
foreach ($files as $destination => $file) {
if (!rename($file['tmp_name'], $destination)) {
throw new \RuntimeException(sprintf($grav['language']->translate('PLUGIN_FORM.FILEUPLOAD_UNABLE_TO_MOVE', null, true), '"' . $file['tmp_name'] . '"', $destination));
}
unset($files[$destination]['tmp_name']);
}
$this->data->merge([$key => $files]);
}
}
$process = isset($this->items['process']) ? $this->items['process'] : [];
if (is_array($process)) {
$event = null;
foreach ($process as $action => $data) {
if (is_numeric($action)) {
$action = \key($data);
$data = $data[$action];
}
$previousEvent = $event;
$event = new Event(['form' => $this, 'action' => $action, 'params' => $data]);
if ($previousEvent) {
if (!$previousEvent->isPropagationStopped()) {
$grav->fireEvent('onFormProcessed', $event);
} else {
break;
}
} else {
$grav->fireEvent('onFormProcessed', $event);
}
}
} else {
// Default action.
}
}
/**
* Performs a task.
*
* @return bool True if the action was performed successfully.
*/
public function execute()
{
if (method_exists('Grav\\Common\\Utils', 'getNonce')) {
if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
if (isset($this->post['admin-nonce'])) {
$nonce = $this->post['admin-nonce'];
} else {
$nonce = $this->grav['uri']->param('admin-nonce');
}
if (!$nonce || !Utils::verifyNonce($nonce, 'admin-form')) {
if ($this->task == 'addmedia') {
$message = sprintf($this->admin->translate('PLUGIN_ADMIN.FILE_TOO_LARGE', null, true), ini_get('post_max_size'));
//In this case it's more likely that the image is too big than POST can handle. Show message
$this->admin->json_response = ['status' => 'error', 'message' => $message];
return false;
}
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
$this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
return false;
}
unset($this->post['admin-nonce']);
} else {
if ($this->task == 'logout') {
$nonce = $this->grav['uri']->param('logout-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
$this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
return false;
}
} else {
$nonce = $this->grav['uri']->param('admin-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'admin-form')) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
$this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
return false;
}
}
}
}
$success = false;
$method = 'task' . ucfirst($this->task);
if (method_exists($this, $method)) {
try {
$success = call_user_func([$this, $method]);
} catch (\RuntimeException $e) {
$success = true;
$this->admin->setMessage($e->getMessage(), 'error');
}
} else {
$success = $this->grav->fireEvent('onAdminTaskExecute', new Event(['controller' => $this, 'method' => $method]));
}
// Grab redirect parameter.
$redirect = isset($this->post['_redirect']) ? $this->post['_redirect'] : null;
unset($this->post['_redirect']);
// Redirect if requested.
if ($redirect) {
$this->setRedirect($redirect);
}
return $success;
}
public function testVerifyNonce()
{
$this->assertTrue(Utils::verifyNonce(Utils::getNonce('test-action'), 'test-action'));
}
protected function validateNonce()
{
if (method_exists('Grav\\Common\\Utils', 'getNonce')) {
if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
if (isset($this->post['admin-nonce'])) {
$nonce = $this->post['admin-nonce'];
} else {
$nonce = $this->grav['uri']->param('admin-nonce');
}
if (!$nonce || !Utils::verifyNonce($nonce, 'admin-form')) {
if ($this->task == 'addmedia') {
$message = sprintf($this->admin->translate('PLUGIN_ADMIN.FILE_TOO_LARGE', null), ini_get('post_max_size'));
//In this case it's more likely that the image is too big than POST can handle. Show message
$this->admin->json_response = ['status' => 'error', 'message' => $message];
return false;
}
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
$this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
return false;
}
unset($this->post['admin-nonce']);
} else {
if ($this->task == 'logout') {
$nonce = $this->grav['uri']->param('logout-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
$this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
return false;
}
} else {
$nonce = $this->grav['uri']->param('admin-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'admin-form')) {
$this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
$this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
return false;
}
}
}
}
return true;
}
