public function preRequest(HTTPRequest $request, Session $session, DataModel $model)
 {
     // Bootstrap session so that Session::get() accesses the right instance
     $dummyController = new Controller();
     $dummyController->setSession($session);
     $dummyController->setRequest($request);
     $dummyController->pushCurrent();
     // Block non-authenticated users from setting the stage mode
     if (!Versioned::can_choose_site_stage($request)) {
         $permissionMessage = sprintf(_t("ContentController.DRAFT_SITE_ACCESS_RESTRICTION", 'You must log in with your CMS password in order to view the draft or archived content. ' . '<a href="%s">Click here to go back to the published site.</a>'), Convert::raw2xml(Controller::join_links(Director::baseURL(), $request->getURL(), "?stage=Live")));
         // Force output since RequestFilter::preRequest doesn't support response overriding
         $response = Security::permissionFailure($dummyController, $permissionMessage);
         $session->inst_save();
         $dummyController->popCurrent();
         // Prevent output in testing
         if (class_exists('SilverStripe\\Dev\\SapphireTest', false) && SapphireTest::is_running_test()) {
             throw new HTTPResponse_Exception($response);
         }
         $response->output();
         die;
     }
     Versioned::choose_site_stage();
     $dummyController->popCurrent();
     return true;
 }
 public function index()
 {
     // Web mode
     if (!Director::is_cli()) {
         $renderer = DebugView::create();
         echo $renderer->renderHeader();
         echo $renderer->renderInfo("SilverStripe Development Tools", Director::absoluteBaseURL());
         $base = Director::baseURL();
         echo '<div class="options"><ul>';
         $evenOdd = "odd";
         foreach (self::get_links() as $action => $description) {
             echo "<li class=\"{$evenOdd}\"><a href=\"{$base}dev/{$action}\"><b>/dev/{$action}:</b>" . " {$description}</a></li>\n";
             $evenOdd = $evenOdd == "odd" ? "even" : "odd";
         }
         echo $renderer->renderFooter();
         // CLI mode
     } else {
         echo "SILVERSTRIPE DEVELOPMENT TOOLS\n--------------------------\n\n";
         echo "You can execute any of the following commands:\n\n";
         foreach (self::get_links() as $action => $description) {
             echo "  sake dev/{$action}: {$description}\n";
         }
         echo "\n\n";
     }
 }
 /**
  * Provide downloadable url
  *
  * @param string $path
  * @return string|null
  */
 public function getPublicUrl($path)
 {
     $rootPath = realpath(BASE_PATH);
     $filesPath = realpath($this->pathPrefix);
     if (stripos($filesPath, $rootPath) === 0) {
         $dir = substr($filesPath, strlen($rootPath));
         return Controller::join_links(Director::baseURL(), $dir, $path);
     }
     // File outside of webroot can't be used
     return null;
 }
 /**
  * Set a cookie
  *
  * @param string $name The name of the cookie
  * @param string $value The value for the cookie to hold
  * @param int $expiry The number of days until expiry; 0 indicates a cookie valid for the current session
  * @param string $path The path to save the cookie on (falls back to site base)
  * @param string $domain The domain to make the cookie available on
  * @param boolean $secure Can the cookie only be sent over SSL?
  * @param boolean $httpOnly Prevent the cookie being accessible by JS
  */
 public function set($name, $value, $expiry = 90, $path = null, $domain = null, $secure = false, $httpOnly = true)
 {
     //are we setting or clearing a cookie? false values are reserved for clearing cookies (see PHP manual)
     $clear = false;
     if ($value === false || $value === '' || $expiry < 0) {
         $clear = true;
         $value = false;
     }
     //expiry === 0 is a special case where we set a cookie for the current user session
     if ($expiry !== 0) {
         //don't do the maths if we are clearing
         $expiry = $clear ? -1 : DBDatetime::now()->Format('U') + 86400 * $expiry;
     }
     //set the path up
     $path = $path ? $path : Director::baseURL();
     //send the cookie
     $this->outputCookie($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
     //keep our variables in check
     if ($clear) {
         unset($this->new[$name], $this->current[$name]);
     } else {
         $this->new[$name] = $this->current[$name] = $value;
     }
 }
 /**
  * Gets the combined configuration of all LeafAndMain subclasses required by the client app.
  *
  * @return array
  *
  * WARNING: Experimental API
  */
 public function getCombinedClientConfig()
 {
     $combinedClientConfig = ['sections' => []];
     $cmsClassNames = CMSMenu::get_cms_classes('SilverStripe\\Admin\\LeftAndMain', true, CMSMenu::URL_PRIORITY);
     foreach ($cmsClassNames as $className) {
         $combinedClientConfig['sections'][$className] = Injector::inst()->get($className)->getClientConfig();
     }
     // Pass in base url (absolute and relative)
     $combinedClientConfig['baseUrl'] = Director::baseURL();
     $combinedClientConfig['absoluteBaseUrl'] = Director::absoluteBaseURL();
     $combinedClientConfig['adminUrl'] = AdminRootController::admin_url();
     // Get "global" CSRF token for use in JavaScript
     $token = SecurityToken::inst();
     $combinedClientConfig[$token->getName()] = $token->getValue();
     // Set env
     $combinedClientConfig['environment'] = Director::get_environment_type();
     $combinedClientConfig['debugging'] = $this->config()->client_debugging;
     return Convert::raw2json($combinedClientConfig);
 }
 /**
  * Redirect back. Uses either the HTTP-Referer or a manually set request-variable called "BackURL".
  * This variable is needed in scenarios where HTTP-Referer is not sent (e.g when calling a page by
  * location.href in IE). If none of the two variables is available, it will redirect to the base
  * URL (see {@link Director::baseURL()}).
  *
  * @uses redirect()
  *
  * @return bool|HTTPResponse
  */
 public function redirectBack()
 {
     // Don't cache the redirect back ever
     HTTP::set_cache_age(0);
     $url = null;
     // In edge-cases, this will be called outside of a handleRequest() context; in that case,
     // redirect to the homepage - don't break into the global state at this stage because we'll
     // be calling from a test context or something else where the global state is inappropraite
     if ($this->getRequest()) {
         if ($this->getRequest()->requestVar('BackURL')) {
             $url = $this->getRequest()->requestVar('BackURL');
         } else {
             if ($this->getRequest()->isAjax() && $this->getRequest()->getHeader('X-Backurl')) {
                 $url = $this->getRequest()->getHeader('X-Backurl');
             } else {
                 if ($this->getRequest()->getHeader('Referer')) {
                     $url = $this->getRequest()->getHeader('Referer');
                 }
             }
         }
     }
     if (!$url) {
         $url = Director::baseURL();
     }
     // absolute redirection URLs not located on this site may cause phishing
     if (Director::is_site_url($url)) {
         $url = Director::absoluteURL($url, true);
         return $this->redirect($url);
     } else {
         return false;
     }
 }
Exemplo n.º 7
0
    /**
     * Check if the user has permissions to run URL debug tools,
     * else redirect them to log in.
     */
    public static function require_developer_login()
    {
        if (Director::isDev()) {
            return;
        }
        if (isset($_SESSION['loggedInAs'])) {
            // We have to do some raw SQL here, because this method is called in Object::defineMethods().
            // This means we have to be careful about what objects we create, as we don't want Object::defineMethods()
            // being called again.
            // This basically calls Permission::checkMember($_SESSION['loggedInAs'], 'ADMIN');
            // @TODO - Rewrite safely using DataList::filter
            $memberID = $_SESSION['loggedInAs'];
            $permission = DB::prepared_query('
				SELECT "ID" FROM "Permission"
				INNER JOIN "Group_Members" ON "Permission"."GroupID" = "Group_Members"."GroupID"
				WHERE "Permission"."Code" = ?
				AND "Permission"."Type" = ?
				AND "Group_Members"."MemberID" = ?', array('ADMIN', Permission::GRANT_PERMISSION, $memberID))->value();
            if ($permission) {
                return;
            }
        }
        // This basically does the same as
        // Security::permissionFailure(null, "You need to login with developer access to make use of debugging tools.")
        // We have to do this because of how early this method is called in execution.
        $_SESSION['SilverStripe\\Security\\Security']['Message']['message'] = "You need to login with developer access to make use of debugging tools.";
        $_SESSION['SilverStripe\\Security\\Security']['Message']['type'] = 'warning';
        $_SESSION['BackURL'] = $_SERVER['REQUEST_URI'];
        header($_SERVER['SERVER_PROTOCOL'] . " 302 Found");
        header("Location: " . Director::baseURL() . Security::login_url());
        die;
    }
 /**
  * Get the URL of the logout page.
  *
  * To update the logout url use the "Security.logout_url" config setting.
  *
  * @return string
  */
 public static function lost_password_url()
 {
     return Controller::join_links(Director::baseURL(), self::config()->lost_password_url);
 }
 /**
  * Returns the Absolute URL of the site root, embedding the current basic-auth credentials into
  * the URL.
  *
  * @return string
  */
 public static function absoluteBaseURLWithAuth()
 {
     $login = "";
     if (isset($_SERVER['PHP_AUTH_USER'])) {
         $login = "******";
     }
     return Director::protocol() . $login . $_SERVER['HTTP_HOST'] . Director::baseURL();
 }
 public function Link($action = null)
 {
     /** @skipUpgrade */
     return Controller::join_links(Director::baseURL(), "CMSSecurity", $action);
 }
Exemplo n.º 11
0
 public function inst_destroy($removeCookie = true)
 {
     if (session_id()) {
         if ($removeCookie) {
             $path = Config::inst()->get('SilverStripe\\Control\\Session', 'cookie_path') ?: Director::baseURL();
             $domain = Config::inst()->get('SilverStripe\\Control\\Session', 'cookie_domain');
             $secure = Config::inst()->get('SilverStripe\\Control\\Session', 'cookie_secure');
             Cookie::force_expiry(session_name(), $path, $domain, $secure, true);
         }
         session_destroy();
         // Clean up the superglobal - session_destroy does not do it.
         // http://nz1.php.net/manual/en/function.session-destroy.php
         unset($_SESSION);
         $this->data = array();
     }
 }
 public function testRedirectBackByBackUrl()
 {
     $internalRelativeUrl = Controller::join_links(Director::baseURL(), '/some-url');
     $internalAbsoluteUrl = Controller::join_links(Director::absoluteBaseURL(), '/some-url');
     $response = $this->get('ControllerTest_Controller/redirectbacktest?BackURL=' . urlencode($internalRelativeUrl));
     $this->assertEquals(302, $response->getStatusCode());
     $this->assertEquals($internalAbsoluteUrl, $response->getHeader('Location'), "Redirects on internal relative URLs");
     $internalAbsoluteUrl = Director::absoluteBaseURL() . '/some-url';
     $response = $this->get('ControllerTest_Controller/redirectbacktest?BackURL=' . urlencode($internalAbsoluteUrl));
     $this->assertEquals($internalAbsoluteUrl, $response->getHeader('Location'));
     $this->assertEquals(302, $response->getStatusCode(), "Redirects on internal absolute URLs");
     $externalAbsoluteUrl = 'http://myhost.com/some-url';
     $response = $this->get('ControllerTest_Controller/redirectbacktest?BackURL=' . urlencode($externalAbsoluteUrl));
     $this->assertEquals(200, $response->getStatusCode(), "Doesn't redirect on external URLs");
 }
 /**
  * Provide secure downloadable
  *
  * @param string $path
  * @return string|null
  */
 public function getProtectedUrl($path)
 {
     // Public URLs are handled via a request handler within /assets.
     // If assets are stored locally, then asset paths of protected files should be equivalent.
     return Controller::join_links(Director::baseURL(), ASSETS_DIR, $path);
 }
 public function testCommentedOutScriptTagIsIgnored()
 {
     $template = '<html><head></head><body><!--<script>alert("commented out");</script>-->' . '<h1>more content</h1></body></html>';
     /** @var Requirements_Backend $backend */
     $backend = Injector::inst()->create('SilverStripe\\View\\Requirements_Backend');
     $this->setupRequirements($backend);
     $backend->setSuffixRequirements(false);
     $src = $this->getCurrentRelativePath() . '/RequirementsTest_a.js';
     $urlSrc = ControllerTest_ContainerController::join_links(Director::baseURL(), $src);
     $backend->javascript($src);
     $html = $backend->includeInHTML($template);
     $this->assertEquals('<html><head></head><body><!--<script>alert("commented out");</script>-->' . '<h1>more content</h1><script type="application/javascript" src="' . $urlSrc . '"></script></body></html>', $html);
 }
 public function testForceSSLAlternateDomain()
 {
     Config::inst()->update('SilverStripe\\Control\\Director', 'alternate_base_url', '/');
     $_SERVER['REQUEST_URI'] = Director::baseURL() . 'admin';
     $output = Director::forceSSL(array('/^admin/'), 'secure.mysite.com');
     $this->assertEquals($output, 'https://secure.mysite.com/admin');
 }