diff --git a/UPGRADE-5.10.md b/UPGRADE-5.10.md index 3d757ecdd0..65d2308ccd 100644 --- a/UPGRADE-5.10.md +++ b/UPGRADE-5.10.md @@ -1,6 +1,37 @@ UPGRADE FROM 5.9 to 5.10 ======================== +General +------- + +### CSRF protection + +CSRF protection was added to multiple routes in the cms. No passing a csrf token to those routes +is deprecated and will be required in 6.0. Below is a list of controller actions that will require +a csrf token. Check the specific twig templates or the deprecation messages for the specific csrf token id that needs to +be used. + +* `Kunstmaan\AdminListBundle\Controller\AdminListController::doDeleteAction` +* `Kunstmaan\AdminBundle\Controller\ExceptionController::resolveAllAction` +* `Kunstmaan\AdminBundle\Controller\ExceptionController::toggleResolveAction` +* `Kunstmaan\MediaBundle\Controller\FolderController::deleteAction` +* `Kunstmaan\MediaBundle\Controller\MediaController::deleteAction` +* `Kunstmaan\FormBundle\Controller\FormSubmissionsController::deleteAction` +* `Kunstmaan\UserManagementBundle\Controller\GroupsController::deleteAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::recopyFromOtherLanguageAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::deleteAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::duplicateAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::duplicateWithChildrenAction` +* `Kunstmaan\UserManagementBundle\Controller\RolesController::deleteAction` +* `Kunstmaan\TranslatorBundle\Controller\TranslatorController::deleteAction` + +Together with the CSRF token some of those routes will only be available to post requests in 6.0 + +* `Kunstmaan\AdminBundle\Controller\ExceptionController::resolveAllAction` +* `Kunstmaan\AdminBundle\Controller\ExceptionController::toggleResolveAction` +* `Kunstmaan\MediaBundle\Controller\FolderController::deleteAction` +* `Kunstmaan\MediaBundle\Controller\MediaController::deleteAction` + AdminBundle ------------ 
diff --git a/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php b/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php index 9d8227b062..949c837a30 100644 --- a/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php +++ b/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php @@ -36,7 +36,7 @@ public function indexAction(Request $request) } /** - * @Route("/resolve_all", name="kunstmaanadminbundle_admin_exception_resolve_all") + * @Route("/resolve_all", name="kunstmaanadminbundle_admin_exception_resolve_all", methods={"GET", "POST"}) * * @return RedirectResponse * @@ -44,8 +44,24 @@ public function indexAction(Request $request) * @throws \Doctrine\ORM\NoResultException * @throws \InvalidArgumentException */ - public function resolveAllAction() + public function resolveAllAction(Request $request) { + // NEXT_MAJOR: remove check and change methods property in route annotation + if ($request->isMethod(Request::METHOD_GET)) { + @trigger_error(sprintf('Calling the action "%s" with a GET request is deprecated since KunstmaanAdminBundle 5.10 and will only allow a POST request in KunstmaanAdminBundle 6.0.', __METHOD__), E_USER_DEPRECATED); + } + + $csrfId = 'exception-resolve_all'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminBundle 5.10 and will be required in KunstmaanAdminBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('kunstmaanadminbundle_admin_exception')); + } + $this->getEntityManager()->getRepository(Exception::class)->markAllAsResolved(); $indexUrl = $this->getAdminListConfigurator()->getIndexUrl(); 
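Review bot: The token check in `resolveAllAction` is only reached when the `token` field is present (`$hasToken && !$this->isCsrfTokenValid(...)`), so a cross-site form that simply omits the field still marks every exception as resolved; in 5.10 the guard rejects a present-but-wrong token, which is the one case a forger would never produce. If this soft rollout is intentional it deserves a comment on the `if (!$hasToken)` branch, `// NEXT_MAJOR: a missing token is only deprecated until 6.0, so this is not yet a CSRF defence`, and ideally an opt-in enforcement switch so deployments can require the token before the major. The deprecation text also looks copy-pasted from the adminlist delete action (`If you override the adminlist delete action template ...`); for this route it should name its own template, e.g. `... If you override the button_resolve_all template make sure to post a csrf token.` The rejected-token path redirects silently, so a user with a stale token gets no feedback; a flash message before the `RedirectResponse` would make that visible.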
@@ -59,7 +75,7 @@ public function resolveAllAction() } /** - * @Route("/toggle_resolve/{id}", name="kunstmaanadminbundle_admin_exception_toggle_resolve") + * @Route("/toggle_resolve/{id}", name="kunstmaanadminbundle_admin_exception_toggle_resolve", methods={"GET", "POST"}) * * @return RedirectResponse * @@ -69,6 +85,22 @@ public function resolveAllAction() */ public function toggleResolveAction(Request $request, Exception $model) { + // NEXT_MAJOR: remove check and change methods property in route annotation + if ($request->isMethod(Request::METHOD_GET)) { + @trigger_error(sprintf('Calling the action "%s" with a GET request is deprecated since KunstmaanAdminBundle 5.10 and will only allow a POST request in KunstmaanAdminBundle 6.0.', __METHOD__), E_USER_DEPRECATED); + } + + $csrfId = 'exception-resolve-item'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminBundle 5.10 and will be required in KunstmaanAdminBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('kunstmaanadminbundle_admin_exception')); + } + /* @var EntityManager $em */ $em = $this->getEntityManager(); diff --git a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig index 8bf6bbb636..9fb4fba394 100644 --- a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig +++ b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig 
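Review bot: `toggleResolveAction` still accepts GET, and the token is read only from `$request->request` (the POST body), so a GET request never carries a token and passes straight through to the toggle; until 6.0 an `<img src>`-style request therefore remains fully effective despite the new check, which is worth stating in the deprecation message or the UPGRADE notes. The value handed to `isCsrfTokenValid` is also unfiltered: `token[]=x` yields an array, and on Symfony versions where the helper is typed `?string` that is a TypeError (HTTP 500) rather than a clean rejection — `$token = $request->request->get('token'); if ($hasToken && (!is_string($token) || !$this->isCsrfTokenValid($csrfId, $token)))` avoids that. The deprecation message here again refers to `the adminlist delete action template`, which is not the template for this route (`button_resolve.html.twig`). The method body continues past the hunk.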
@@ -1,8 +1,12 @@ {% set action = itemAction.getUrlFor(item) %} - - {% if item.isResolved() %} - {{ "settings.exceptions.unresolved" | trans }} - {% else %} - {{ "settings.exceptions.resolved" | trans }} - {% endif %} - +
diff --git a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig index 3e1c1acd34..15640e2602 100644 --- a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig +++ b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig @@ -1,3 +1,7 @@ - - {{ action.getLabel() | trans }} - + diff --git a/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php b/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php index 18706d74fd..18c2fde1ae 100644 --- a/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php +++ b/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php @@ -20,6 +20,7 @@ use Kunstmaan\AdminListBundle\Service\ExportService; use Kunstmaan\NodeBundle\Entity\HasNodeInterface; use Kunstmaan\NodeBundle\Entity\NodeTranslation; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy; 
@@ -353,6 +354,22 @@ protected function doViewAction(AbstractAdminListConfigurator $configurator, $en */ protected function doDeleteAction(AbstractAdminListConfigurator $configurator, $entityId, Request $request) { + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($configurator->getEntityName()); + + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminListBundle 5.10 and will be required in KunstmaanAdminListBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + $indexUrl = $configurator->getIndexUrl(); + + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + /* @var $em EntityManager */ $em = $this->getEntityManager(); $helper = $em->getRepository($configurator->getRepositoryName())->findOneById($entityId); @@ -583,6 +600,7 @@ public static function getSubscribedServices(): array 'kunstmaan_entity.admin_entity.entity_version_lock_service' => EntityVersionLockService::class, 'translator' => interface_exists(TranslatorInterface::class) ? TranslatorInterface::class : LegacyTranslatorInterface::class, 'event_dispatcher' => EventDispatcherInterface::class, + 'kunstmaan_utilities.slugifier' => SlugifierInterface::class, ]); } } diff --git a/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php b/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php index 50d4dd3e6c..f4e9c14b49 100644 --- a/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php +++ b/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php 
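Review bot: In `doDeleteAction` the CSRF check is only reached when a `token` field is present, so a request that omits the field — which is exactly what a forged cross-site form would send — still deletes the entity; in 5.10 the guard only catches a malformed token. A comment on the `if (!$hasToken)` branch, `// NEXT_MAJOR: until 6.0 a missing token is only deprecated, not rejected, so this check is not yet a CSRF defence`, would keep the next maintainer from assuming the route is already protected. The token id is `delete-` plus the slugified `getEntityName()`, so any template overriding `sure-modal.html.twig` must emit exactly that id; the sure-modal hunk is cut off here, so I cannot confirm the shipped template does. The rejection path redirects to the index with no flash message, so an operator whose session token expired gets no explanation for the delete not happening. The method body continues past the hunk.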
@@ -17,6 +17,7 @@ use Kunstmaan\AdminListBundle\Service\EntityVersionLockService; use Kunstmaan\NodeBundle\Entity\HasNodeInterface; use Kunstmaan\NodeBundle\Entity\NodeTranslation; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Symfony\Bundle\FrameworkBundle\Controller\Controller; use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -350,6 +351,21 @@ protected function doViewAction(AbstractAdminListConfigurator $configurator, $en */ protected function doDeleteAction(AbstractAdminListConfigurator $configurator, $entityId, Request $request) { + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($configurator->getEntityName()); + + $hasToken = $request->request->has('token'); + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminListBundle 5.10 and will be required in KunstmaanAdminListBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + $indexUrl = $configurator->getIndexUrl(); + + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + /* @var $em EntityManager */ $em = $this->getEntityManager(); $helper = $em->getRepository($configurator->getRepositoryName())->findOneById($entityId); diff --git a/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig b/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig index c2f035ee1c..79eb38951a 100644 --- a/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig 
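Review bot: This copy of the check in `AdminListController::doDeleteAction` duplicates `AbstractAdminListController::doDeleteAction` line for line, except that it drops the `// NEXT_MAJOR remove hasToken check and make csrf token required` marker before `if (!$hasToken)`; whoever enforces the token in 6.0 will grep for that marker and may miss this site. Add the same comment here, and consider moving the token-id construction and validation into one shared protected helper, e.g. `protected function isDeleteCsrfTokenValid(AbstractAdminListConfigurator $configurator, Request $request): bool`, so the 6.0 change lands in one place. As in the abstract controller, the check passes whenever `token` is absent, so it does not yet stop a forged request in 5.10. The method body continues past the hunk.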
+++ b/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig @@ -12,6 +12,8 @@