initCsrfToken() public method

Initialize CSRF token in session
public initCsrfToken ( ) : void
return void
示例#1
 /**
  * Saving the theme configuration with no logo upload and no previously stored
  * logo must leave the 'logo' option empty.
  *
  * The dispatched request mimics a browser form post: both upload slots in
  * $_FILES report "no file" (error 4 == UPLOAD_ERR_NO_FILE), the theme options
  * are posted as strings, and a CSRF hash is initialised for the
  * 'theme_config_csrf' element so the controller accepts the submission.
  */
 public function testConfigureThemeWithNoLogoFileAndNoPreviousLogoFile()
 {
     $theme = self::THEME;
     $this->assertEquals('', (string) get_theme_option('logo', $theme));

     // Identical "nothing uploaded" entries for both file inputs.
     $noUpload = array('name' => '', 'type' => '', 'tmp_name' => '', 'error' => 4, 'size' => 0);
     $_FILES = array(
         'logo' => $noUpload,
         'header_background' => $noUpload,
     );

     $options = array(
         'display_featured_item' => '1',
         'display_featured_collection' => '1',
         'display_featured_exhibit' => '1',
         'homepage_recent_items' => '',
         'homepage_text' => '',
         'footer_text' => '',
         'display_footer_copyright' => '0',
     );

     // initCsrfToken() stores the hash in the session; getHash() is the value the form must carry.
     $token = new Zend_Form_Element_Hash('theme_config_csrf');
     $token->initCsrfToken();

     $extra = array(
         'hidden_file_logo' => '',
         'hidden_file_header_background' => '',
         'MAX_FILE_SIZE' => '33554432',
         'submit' => 'Save Changes',
         'theme_config_csrf' => $token->getHash(),
     );

     $request = $this->getRequest();
     $request->setParam('name', $theme);
     $request->setPost(array_merge($options, $extra));
     $request->setMethod('POST');

     $this->dispatch('themes/config');

     $saved = Theme::getOptions(self::THEME);
     // The token is request plumbing and must not be persisted as a theme option.
     $this->assertArrayNotHasKey('theme_config_csrf', $saved);
     foreach ($options as $name => $expected) {
         $this->assertArrayHasKey($name, $saved);
         $this->assertEquals($saved[$name], $expected, "Option '{$name}' was not correctly set.");
     }

     $this->assertEmpty(get_theme_option('logo', $theme));
 }
 /**
  * Build the renderable output for this snippet.
  *
  * Stub implementation: subclasses override either getHtmlOutput() or render().
  * The form is (re)populated, the beforeDisplay() hook runs, and when a CSRF
  * element is configured a token is initialised right before the form is
  * handed out, so the rendered markup carries a current hash.
  *
  * @param \Zend_View_Abstract $view Available for overrides; unused here
  * @return \MUtil_Html_HtmlInterface The form, which is what gets rendered
  */
 public function getHtmlOutput(\Zend_View_Abstract $view)
 {
     // Make sure every change made so far is reflected in the form.
     $this->populateForm();

     // Subclass hook: runs after population, before output.
     $this->beforeDisplay();

     $csrf = $this->_csrf;
     if ($csrf) {
         $csrf->initCsrfToken();
     }

     $output = $this->_form;
     return $output;
 }
示例#3
 /**
  * Hook executed once the form is populated, right before it is displayed.
  *
  * Initialises the CSRF token (when a hash element is configured) and, when a
  * width setting is present, wraps the form in a div-based layout. A fixed
  * width takes precedence over the auto-width factor.
  *
  * @return void
  */
 public function beforeDisplay()
 {
     $csrf = $this->_csrf;
     if ($csrf) {
         $csrf->initCsrfToken();
     }

     $factor = $this->layoutAutoWidthFactor;
     $fixed = $this->layoutFixedWidth;
     if (!$factor && !$fixed) {
         return;
     }

     $layout = new \MUtil_Html_DivFormElement();
     if ($fixed) {
         $layout->setAsFormLayout($this->_form, $fixed);
     } else {
         $layout->setAutoWidthFormLayout($this->_form, $factor);
     }
 }
 /**
  * Configuration overview: builds the config form, pre-fills it from the
  * stored values, and exposes form, plugins, flash messages and a CSRF hash
  * to the view.
  *
  * The hash element is salted with this controller's class name; the action
  * that validates the posted token has to use the same element name and salt.
  */
 public function indexAction()
 {
     $configs = Application_Model_ConfigsMapper::i()->fetchAll();
     $form = $this->_initConfigsForm($configs);

     // Element names are "<section>_<key>", with dots in the key turned into underscores.
     $values = array();
     foreach ($configs as $entry) {
         /* @var $entry Application_Model_Config */
         $key = str_replace('.', '_', $entry->getKey());
         $values[$entry->getSection() . '_' . $key] = $entry->getValue();
     }
     $form->setDefaults($values);

     $token = new Zend_Form_Element_Hash('csrf', array('salt' => __CLASS__));
     $token->initCsrfToken();

     $flash = $this->_helper->flashMessenger;
     $view = $this->view;
     $view->form = $form;
     $view->plugins = Application_Model_PluginsMapper::i()->fetchAll();
     $view->csrf = $token->getHash();
     // Messages queued for the next request plus those added during this one.
     $view->messages = array_merge($flash->getMessages(), $flash->getCurrentMessages());
 }
 /**
  * Plugin overview, narrowed by the 'filter' request parameter:
  * 'installed' lists user plugins only, 'enabled'/'disabled' keep the matching
  * entries of the full list, anything else (including the default 'all')
  * shows every plugin. The view receives the plugins, the active filter,
  * flash messages and a freshly initialised CSRF hash salted with this
  * controller's class name.
  */
 function indexAction()
 {
     $filter = $this->getRequest()->getParam('filter', 'all');
     $mapper = Application_Model_PluginsMapper::i();

     if ($filter === 'installed') {
         $plugins = $mapper->fetchByType(Application_Model_Plugin::USER);
     } elseif ($filter === 'enabled' || $filter === 'disabled') {
         $keepEnabled = ($filter === 'enabled');
         $plugins = $mapper->fetchAll();
         // Drop entries whose enabled state does not match; unset() leaves the
         // remaining keys exactly as in the unfiltered list.
         foreach ($plugins as $idx => $plugin) {
             /* @var $plugin Application_Model_Plugin */
             if (((bool) $plugin->isEnabled()) !== $keepEnabled) {
                 unset($plugins[$idx]);
             }
         }
     } else {
         $plugins = $mapper->fetchAll();
     }

     $token = new Zend_Form_Element_Hash('csrf', array('salt' => __CLASS__));
     $token->initCsrfToken();

     $view = $this->view;
     $view->csrf = $token->getHash();
     $view->messages = $this->_helper->flashMessenger->getMessages();
     $view->plugins = $plugins;
     $view->filter = $filter;
 }
 /**
  * JSON endpoint that assigns an ACL class to a resource.
  *
  * Layout and view rendering are disabled; every outcome is reported as JSON
  * with a 'success' flag. Checks run in this order: 'key' present, 'class'
  * present, CSRF token valid, resource known. On success the reply carries a
  * newly initialised hash so the client can authenticate its next call.
  *
  * NOTE(review): the catch branch returns the raw exception message to the
  * client; a generic message with the detail logged server-side would avoid
  * leaking internals.
  */
 function changeAction()
 {
     $request = $this->getRequest();
     $key = $request->getParam('key', false);
     $class = $request->getParam('class', false);
     $submittedToken = $request->getParam('csrf', false);

     $this->_helper->viewRenderer->setNoRender(true);
     $this->_helper->layout->disableLayout();

     $denied = array('success' => false);

     if (!$key) {
         $this->_helper->json($denied + array('message' => X_Env::_('p_auth_acl_err_missingkey')), true, false);
         return;
     }
     $key = X_Env::decode($key);

     if (!$class) {
         $this->_helper->json($denied + array('message' => X_Env::_('p_auth_acl_err_missingclass')), true, false);
         return;
     }

     $token = new Zend_Form_Element_Hash('csrf', array('salt' => __CLASS__));
     if (!$token->isValid($submittedToken)) {
         $this->_helper->json($denied + array('message' => X_Env::_('p_auth_acl_err_invalidcsrf')), true, false);
         return;
     }
     // Issue a fresh token for the next request only after the current one passed.
     $token->initCsrfToken();

     $resource = X_VlcShares_Plugins::helpers()->acl()->getResourceDescriptor($key);
     if ($resource->isNew()) {
         $this->_helper->json($denied + array('message' => X_Env::_('p_auth_acl_err_invalidkey')), true, false);
         return;
     }

     $resource->setClass($class);
     try {
         Application_Model_AclResourcesMapper::i()->save($resource);
         $this->_helper->json(array('success' => true, 'csrf' => $token->getHash()), true, false);
         return;
     } catch (Exception $e) {
         $this->_helper->json($denied + array('message' => $e->getMessage()), true, false);
         return;
     }
 }
示例#7
 /**
  * Produce a fresh CSRF token for the 'user_csrf' hash element.
  *
  * initCsrfToken() stores the token in the session, so the value returned
  * here is what a subsequent submission of the form must carry.
  *
  * @return string The generated hash
  */
 private function _getCsrfToken()
 {
     $element = new Zend_Form_Element_Hash('user_csrf');
     $element->initCsrfToken();

     $token = $element->getHash();
     return $token;
 }
示例#8
 /**
  * Initialise the CSRF token, delegating to the adapter when one is set and
  * falling back to the parent's session-based implementation otherwise.
  *
  * NOTE(review): the presence check uses getAdapter() while the call goes to
  * $this->_adapter directly; presumably the getter returns that property
  * (possibly after lazy initialisation) — confirm before unifying the two.
  *
  * @return void
  */
 public function initCsrfToken()
 {
     if (null === $this->getAdapter()) {
         parent::initCsrfToken();
         return;
     }

     $this->_adapter->initCsrfToken();
 }
示例#9
 /**
  * Turn the test request into a POST.
  *
  * When no explicit body is given (null, or any falsy value such as an empty
  * array) a default batch-edit payload is built: every id from $this->_items,
  * a fixed metadata set, and a 'batch_edit_hash' token initialised here so
  * the dispatched action's CSRF check passes.
  *
  * @param array|null $post Explicit post data, or null for the default payload
  * @return void
  */
 protected function _makePost($post = null)
 {
     $this->request->setMethod('POST');

     if (!$post) {
         $token = new Zend_Form_Element_Hash('batch_edit_hash');
         $token->initCsrfToken();

         $ids = array();
         foreach ($this->_items as $item) {
             array_push($ids, $item->id);
         }

         $post = array(
             'items' => $ids,
             'metadata' => array('public' => 1, 'featured' => 1, 'item_type_id' => 1, 'tags' => 'lorem,ipsum,dolor'),
             'batch_edit_hash' => $token->getHash(),
         );
     }

     $this->request->setPost($post);
 }
 /**
  * Account overview: lists every auth account and hands the view a CSRF hash
  * (salted with this controller's class name) plus pending flash messages.
  *
  * NOTE(review): 'ip' is the literal placeholder '%IP_ADDRESS%'; whatever
  * substitutes it is not visible here.
  */
 function accountsAction()
 {
     $token = new Zend_Form_Element_Hash('csrf', array('salt' => __CLASS__));
     $token->initCsrfToken();

     $view = $this->view;
     $view->ip = '%IP_ADDRESS%';
     $view->csrf = $token->getHash();
     $view->accounts = Application_Model_AuthAccountsMapper::i()->fetchAll();
     $view->messages = $this->_helper->flashMessenger->getMessages();
 }
示例#11
 /**
  * Deleting item 1 through the controller removes the only item and redirects
  * to the browse page.
  *
  * The delete action is guarded by the 'confirm_delete_hash' element, so a
  * token is initialised in the session and posted along with the request.
  */
 public function testDelete()
 {
     $token = new Zend_Form_Element_Hash('confirm_delete_hash');
     $token->initCsrfToken();

     $post = array('confirm_delete_hash' => $token->getHash());
     $this->_makePost($post);
     $this->dispatch('/items/delete/1');

     $remaining = $this->db->getTable('Item')->count();
     $this->assertEquals(0, $remaining);
     $this->assertRedirectTo('/items/browse');
 }
 /**
  * Bookmarklet endpoint: stores a bookmark posted by the browser and always
  * answers with JSON.
  *
  * The submitted 'csrf' parameter is validated first, then a new token is
  * initialised and its hash embedded in the three bookmarklet API URLs
  * (resolver, adder, bookmark) so the next call can authenticate.
  * 'url' and 'title' are required; thumbnail, description, ua and cookies are
  * optional. 'success' is false on an invalid token, missing data or a save error.
  *
  * NOTE(review): the token is carried as a query parameter in those URLs, and
  * URLs tend to surface in history, Referer headers and logs. strip_tags() on
  * title/description removes tags but is not context escaping; output should
  * still be escaped where it is rendered.
  */
 public function bookmarkAction()
 {
     $request = $this->getRequest();

     $token = new Zend_Form_Element_Hash('csrf', array('salt' => __CLASS__));
     $tokenOk = $token->isValid($request->getParam('csrf', false));
     // Rotate the token whatever the outcome; the fresh hash goes back to the client.
     $token->initCsrfToken();
     $hash = $token->getHash();

     $urlHelper = $this->_helper->url;
     $api = array();
     foreach (array('resolver' => 'resolver', 'adder' => 'add', 'bookmark' => 'bookmark') as $name => $action) {
         $api[$name] = $urlHelper->url(array('controller' => 'bookmarklets', 'action' => $action, 'csrf' => $hash));
     }
     $reply = array('success' => true, 'api' => $api);

     if (!$tokenOk) {
         X_Debug::e("Invalid CSRF");
         $reply['success'] = false;
     } else {
         $url = $request->getParam("url", false);
         $title = strip_tags($request->getParam("title", false));
         $description = strip_tags($request->getParam("description", false));
         $thumbnail = $request->getParam("thumbnail", false);
         $ua = $request->getParam("ua", false);
         $cookies = $request->getParam("cookies", false);

         if (!$url || !$title) {
             X_Debug::e("Missing data");
             $reply['success'] = false;
         } else {
             $bookmark = new Application_Model_Bookmark();
             $bookmark->setUrl($url);
             $bookmark->setTitle($title);

             // Optional fields are only set when something was submitted.
             $optional = array(
                 'setThumbnail' => $thumbnail,
                 'setDescription' => $description,
                 'setUa' => $ua,
                 'setCookies' => $cookies,
             );
             foreach ($optional as $setter => $value) {
                 if ($value) {
                     $bookmark->$setter($value);
                 }
             }

             try {
                 Application_Model_BookmarksMapper::i()->save($bookmark);
             } catch (Exception $e) {
                 X_Debug::e("DB Error: {$e->getMessage()}");
                 $reply['success'] = false;
             }
         }
     }

     $this->_helper->json($reply, true, false);
 }
示例#13
 /**
  * Submit the change-password form in a test.
  *
  * A token for the 'password_csrf' element is initialised and merged into the
  * posted fields, so the request passes the form's CSRF check.
  *
  * @param array $form Field values to post
  * @return void
  */
 private function _dispatchChangePassword(array $form)
 {
     $token = new Zend_Form_Element_Hash('password_csrf');
     $token->initCsrfToken();

     $post = $form;
     $post['password_csrf'] = $token->getHash();

     $request = $this->getRequest();
     $request->setPost($post);
     $request->setMethod('post');

     $this->dispatch(self::FORM_URL);
 }
 /**
  * Empty the message queue of one thread, then redirect to the manager index.
  *
  * Requires the 'id' and a valid 'csrf' parameter; either failure is reported
  * by throwing a plain Exception. The token is re-initialised only after the
  * submitted one has been accepted. Success is announced through a flash
  * message using the 'threads_done' text.
  *
  * @throws Exception when the thread id is missing or the CSRF token is invalid
  */
 function clearAction()
 {
     $request = $this->getRequest();
     $threadId = $request->getParam('id', false);
     $submittedToken = $request->getParam('csrf', false);

     if (!$threadId) {
         throw new Exception("Thread id missing");
     }

     $token = new Zend_Form_Element_Hash('csrf', array('salt' => __CLASS__));
     if (!$token->isValid($submittedToken)) {
         throw new Exception("Invalid token");
     }
     $token->initCsrfToken();

     $thread = X_Threads_Manager::instance()->getMonitor()->getThread($threadId);
     X_Threads_Manager::instance()->getMessenger()->clearQueue($thread);

     $notice = array('type' => 'success', 'text' => X_Env::_('threads_done'));
     $this->_helper->flashMessenger($notice);
     $this->_helper->redirector('index', 'tmanager');
 }