deblan/php-censor
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Refactored Csrf form widget. + Added unit tests for Csrt.

Browse source
This commit is contained in:
Dmitry Khomutov 2018-03-12 22:58:12 +07:00
commit 7abd3febc1
No known key found for this signature in database
GPG key ID: EC19426474B37AAC
9 changed files with 175 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/Controller/GroupController.php
View file

@ -92,9 +92,12 @@ class GroupController extends Controller
}
$form = new Form();
$form->setMethod('POST');
$form->setAction(APP_URL . 'group/edit' . (!is_null($groupId) ? '/' . $groupId : ''));
$form->addField(new Form\Element\Csrf('group_form'));
$title = new Form\Element\Text('title');
$title->setContainerClass('form-group');
$title->setClass('form-control');

4
src/Controller/ProjectController.php
View file

@ -421,9 +421,9 @@ class ProjectController extends PHPCensor\Controller
$form = new Form();
$form->setMethod('POST');
$form->setAction(APP_URL.'project/' . $type);
$form->setAction(APP_URL . 'project/' . $type);
$form->addField(new Form\Element\Csrf('csrf'));
$form->addField(new Form\Element\Csrf('project_form'));
$form->addField(new Form\Element\Hidden('pubkey'));
$options = [

107
src/Controller/SessionController.php
View file

@ -2,6 +2,7 @@
namespace PHPCensor\Controller;
use PHPCensor\Form\Element\Csrf;
use PHPCensor\Helper\Email;
use PHPCensor\Helper\Lang;
use PHPCensor\Controller;
@ -38,6 +39,44 @@ class SessionController extends Controller
$this->authentication = Service::getInstance();
}
protected function loginForm($values)
{
$form = new \PHPCensor\Form();
$form->setMethod('POST');
$form->setAction(APP_URL . 'session/login');
$form->addField(new Csrf('login_form'));
$email = new \PHPCensor\Form\Element\Text('email');
$email->setLabel(Lang::get('login'));
$email->setRequired(true);
$email->setContainerClass('form-group');
$email->setClass('form-control');
$form->addField($email);
$pwd = new \PHPCensor\Form\Element\Password('password');
$pwd->setLabel(Lang::get('password'));
$pwd->setRequired(true);
$pwd->setContainerClass('form-group');
$pwd->setClass('form-control');
$form->addField($pwd);
$remember = \PHPCensor\Form\Element\Checkbox::create('remember_me', Lang::get('remember_me'), false);
$remember->setContainerClass('form-group');
$remember->setCheckedValue(1);
$remember->setValue(0);
$form->addField($remember);
$pwd = new \PHPCensor\Form\Element\Submit();
$pwd->setValue(Lang::get('log_in'));
$pwd->setClass('btn-success');
$form->addField($pwd);
$form->setValues($values);
return $form;
}
/**
* Handles user login (form and processing)
*/
@ -55,15 +94,22 @@ class SessionController extends Controller
}
}
$method = $this->request->getMethod();
if ($method === 'POST') {
$values = $this->getParams();
} else {
$values = [];
}
$form = $this->loginForm($values);
$isLoginFailure = false;
if ($this->request->getMethod() == 'POST') {
$token = $this->getParam('token');
if (!isset($token, $_SESSION['login_token']) || $token !== $_SESSION['login_token']) {
if ($this->request->getMethod() === 'POST') {
if (!$form->getChild('login_form')->validate()) {
$isLoginFailure = true;
} else {
unset($_SESSION['login_token']);
$email = $this->getParam('email');
$password = $this->getParam('password', '');
$rememberMe = (bool)$this->getParam('remember_me', 0);
@ -116,41 +162,6 @@ class SessionController extends Controller
}
}
$form = new \PHPCensor\Form();
$form->setMethod('POST');
$form->setAction(APP_URL . 'session/login');
$email = new \PHPCensor\Form\Element\Text('email');
$email->setLabel(Lang::get('login'));
$email->setRequired(true);
$email->setContainerClass('form-group');
$email->setClass('form-control');
$form->addField($email);
$pwd = new \PHPCensor\Form\Element\Password('password');
$pwd->setLabel(Lang::get('password'));
$pwd->setRequired(true);
$pwd->setContainerClass('form-group');
$pwd->setClass('form-control');
$form->addField($pwd);
$remember = \PHPCensor\Form\Element\Checkbox::create('remember_me', Lang::get('remember_me'), false);
$remember->setContainerClass('form-group');
$remember->setCheckedValue(1);
$remember->setValue(0);
$form->addField($remember);
$pwd = new \PHPCensor\Form\Element\Submit();
$pwd->setValue(Lang::get('log_in'));
$pwd->setClass('btn-success');
$form->addField($pwd);
$tokenValue = $this->generateToken();
$_SESSION['login_token'] = $tokenValue;
$token = new \PHPCensor\Form\Element\Hidden('token');
$token->setValue($tokenValue);
$form->addField($token);
$this->view->form = $form->render();
$this->view->failed = $isLoginFailure;
@ -261,20 +272,4 @@ class SessionController extends Controller
return $rtn;
}
/** Generate a random token.
*
* @return string
*/
protected function generateToken()
{
if (function_exists('openssl_random_pseudo_bytes')) {
return bin2hex(openssl_random_pseudo_bytes(16));
}
return sprintf("%04x", mt_rand(0, 0xFFFF))
. sprintf("%04x", mt_rand(0, 0xFFFF))
. sprintf("%04x", mt_rand(0, 0xFFFF))
. sprintf("%04x", mt_rand(0, 0xFFFF));
}
}

18
src/Controller/UserController.php
View file

@ -84,9 +84,12 @@ class UserController extends Controller
$this->layout->subtitle = Lang::get('edit_profile');
$form = new Form();
$form->setAction(APP_URL.'user/profile');
$form->setAction(APP_URL . 'user/profile');
$form->setMethod('POST');
$form->addField(new Form\Element\Csrf('profile_form'));
$name = new Form\Element\Text('name');
$name->setClass('form-control');
$name->setContainerClass('form-group');
@ -159,15 +162,15 @@ class UserController extends Controller
$method = $this->request->getMethod();
if ($method == 'POST') {
if ($method === 'POST') {
$values = $this->getParams();
} else {
$values = [];
}
$form = $this->userForm($values);
$form = $this->userForm($values);
if ($method != 'POST' || ($method == 'POST' && !$form->validate())) {
if ($method !== 'POST' || ($method == 'POST' && !$form->validate())) {
$view = new View('User/edit');
$view->type = 'add';
$view->user = null;
@ -236,9 +239,11 @@ class UserController extends Controller
protected function userForm($values, $type = 'add')
{
$form = new Form();
$form->setMethod('POST');
$form->setAction(APP_URL.'user/' . $type);
$form->addField(new Form\Element\Csrf('csrf'));
$form->setAction(APP_URL . 'user/' . $type);
$form->addField(new Form\Element\Csrf('user_form'));
$field = new Form\Element\Email('email');
$field->setRequired(true);
@ -281,6 +286,7 @@ class UserController extends Controller
$form->addField($field);
$form->setValues($values);
return $form;
}