From 13ceb37df7e84f3322a87eae88ff3ccdc825a2a6 Mon Sep 17 00:00:00 2001
From: Simon Vieille
Date: Mon, 23 Nov 2015 21:59:50 +0100
Subject: [PATCH] security
---
 app/bootstrap.php.d/20-twig.php | 5 +++--
 app/bootstrap.php.d/30-trans.php | 1 -
 app/bootstrap.php.d/70-security.php | 7 ++++---
 app/config/routing.yml | 6 +++++-
 src/Gist/Controller/LoginController.php | 10 +---------
 src/Gist/Resources/views/Login/login.html.twig | 2 +-
 src/Gist/Resources/views/base.html.twig | 2 +-
 web/app_dev.php | 14 ++++++++++++++
 8 files changed, 29 insertions(+), 18 deletions(-)
 create mode 100644 web/app_dev.php
diff --git a/app/bootstrap.php.d/20-twig.php b/app/bootstrap.php.d/20-twig.php
index 9610fee..54fc2ab 100644
--- a/app/bootstrap.php.d/20-twig.php
+++ b/app/bootstrap.php.d/20-twig.php
@@ -7,8 +7,9 @@ $app->register(new TwigServiceProvider(), array(
 ));
 $app->extend('twig', function ($twig, $app) {
- $twig->addGlobal('web_path', $app['request']->getBaseUrl().'/');
-
+ $base = str_replace($app['request']->server->get('SCRIPT_NAME'), '', $app['request']->getBaseUrl());
+ $twig->addGlobal('web_path', $base.'/');
+
 return $twig;
 });
diff --git a/app/bootstrap.php.d/30-trans.php b/app/bootstrap.php.d/30-trans.php
index 2ba8e80..287a76f 100644
--- a/app/bootstrap.php.d/30-trans.php
+++ b/app/bootstrap.php.d/30-trans.php
@@ -44,7 +44,6 @@ $app->get('/', function (Request $request) use ($app) {
 $accept = AcceptHeader::fromString($request->headers->get('Accept-Language'));
 $cookie = $request->cookies->get('locale');
-
 if (!empty($cookie) && in_array($cookie, $app['locales'])) {
 $foundLocale = $cookie;
 } else {
diff --git a/app/bootstrap.php.d/70-security.php b/app/bootstrap.php.d/70-security.php
index 54d44ef..1ee530c 100644
--- a/app/bootstrap.php.d/70-security.php
+++ b/app/bootstrap.php.d/70-security.php
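Review bot: The new `$base` line in 20-twig.php strips SCRIPT_NAME out of getBaseUrl() with a blind str_replace, which yields '' instead of the directory prefix whenever the front controller is part of the URL under a sub-path (e.g. /sub/app_dev.php/..., a case this same commit introduces by adding web/app_dev.php), so web_path collapses to `/` and asset links break. Symfony's Request already exposes the base URL without the script filename, so the computation can be replaced by `$twig->addGlobal('web_path', $app['request']->getBasePath().'/');`. The extend() closure is fully inside the hunk; the register() call above it starts outside.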
@@ -37,7 +37,7 @@ $app['security.authentication_listener.factory.form'] = $app->protect(function (
 $app['security.authentication_provider.'.$name.'.form']
 );
 });
-
+
 return [
 'security.authentication_provider.'.$name.'.form',
 'security.authentication_listener.'.$name.'.form',
@@ -55,12 +55,13 @@ $app->register(
 'anonymous' => true,
 'form' => [
 'login_path' => '_login',
- 'check_path' => '_login_check',
+ 'check_path' => '/login_check',
 'always_use_default_target_path' => true,
- 'default_target_path' => $app['url_generator']->generate('my'),
+ 'default_target_path' => '/',
 ],
 'logout' => [
 'path' => '/logout',
+ 'target' => '/',
 ],
 'users' => $app->share(function () use ($app) {
 return $app['user.provider'];
diff --git a/app/config/routing.yml b/app/config/routing.yml
index c24dbaf..1fe48e7 100644
--- a/app/config/routing.yml
+++ b/app/config/routing.yml
@@ -30,11 +30,15 @@ register:
 path: /register
 defaults: {_controller: Gist\Controller\LoginController::registerAction, _locale: en}
+login:
+ path: /login
+ defaults: {_controller: Gist\Controller\LoginController::loginAction, _locale: en}
+
 _login:
 path: /login
 defaults: {_controller: Gist\Controller\LoginController::loginAction, _locale: en}
-_login_check:
+login_check:
 path: /login_check
 logout:
diff --git a/src/Gist/Controller/LoginController.php b/src/Gist/Controller/LoginController.php
index ea59980..7a854bf 100644
--- a/src/Gist/Controller/LoginController.php
+++ b/src/Gist/Controller/LoginController.php
@@ -79,7 +79,7 @@ class LoginController extends Controller
 $form = $form->build()->getForm();
- if ($request->query->get('error')) {
+ if ($app['security.last_error']($request)) {
 $error = $app['translator']->trans('login.login.invalid');
 }
@@ -91,12 +91,4 @@ class LoginController extends Controller
 ]
 );
 }
-
- public function loginCheckAction()
- {
- }
-
- public function logoutAction()
- {
- }
 }
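Review bot: The logout block in the second 70-security.php hunk uses the keys `path` and the newly added `target`, but as far as I recall Silex's logout listener reads `logout_path` and `target_url` (defaulting to `/logout` and `/`), so both entries are likely ignored and only appear to work because the defaults coincide; please confirm against the installed SecurityServiceProvider and rename them if so. Logging out through a plain GET to /logout can be triggered from any third-party page; I believe Silex accepts `'with_csrf' => true` in the logout options (with the CSRF provider registered) to require a token, which is worth enabling together with this change. Note also that `login_path` stays a route name (`_login`) while `check_path` is now a literal path; both forms work but mixing them in one firewall is easy to misread. The enclosing $app->register() call starts and ends outside the hunk.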
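Review bot: The new `login:` route in routing.yml duplicates `_login:` exactly (same /login path, same controller and defaults), so only the first declared one ever matches and the other exists solely as a name for URL generation, which invites drift between the two. Drop `_login:` and use the single name everywhere, which in 70-security.php is `'login_path' => '/login'` (a literal path, consistent with the `check_path` this commit introduces). The routes before `register:` and after `logout:` are outside the hunk.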
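Review bot: In the first LoginController.php hunk the value returned by `$app['security.last_error']($request)` is only tested for truthiness and the user is shown the generic `login.login.invalid` translation rather than the underlying message; that is the right choice for an authentication failure but it is not obvious to the next reader, who may be tempted to surface the text. A one-line comment would make the intent explicit, e.g. `// Only signal that login failed; never echo the authentication exception text to the user.` The surrounding loginAction starts and ends outside the hunk.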
diff --git a/src/Gist/Resources/views/Login/login.html.twig b/src/Gist/Resources/views/Login/login.html.twig index ae09fc6..a59cea0 100644 --- a/src/Gist/Resources/views/Login/login.html.twig +++ b/src/Gist/Resources/views/Login/login.html.twig @@ -14,7 +14,7 @@ {% endif %} -
+
diff --git a/src/Gist/Resources/views/base.html.twig b/src/Gist/Resources/views/base.html.twig index e0c2c1d..939cd0f 100644 --- a/src/Gist/Resources/views/base.html.twig +++ b/src/Gist/Resources/views/base.html.twig @@ -50,7 +50,7 @@ {% elseif app.enable_login %}
  • - + {{ 'app.menu.my.login.title'|trans }}
  • diff --git a/web/app_dev.php b/web/app_dev.php new file mode 100644 index 0000000..e471856 --- /dev/null +++ b/web/app_dev.php @@ -0,0 +1,14 @@ +run();
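Review bot: web/app_dev.php is a new 14-line front controller placed under the public document root, but its body is not legible in this view (only `+run();` survives), so it cannot be confirmed here whether it restricts who may reach it. A development entry point that ships with the site normally needs either a guard on the client address before the application is booted or exclusion from the deployment artefact; please confirm one of these is in place, and state it in a header comment in the file. As a newly created file there is no enclosing context to consult.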