diff --git a/UPGRADE-5.10.md b/UPGRADE-5.10.md index 3d757ecdd0..65d2308ccd 100644 --- a/UPGRADE-5.10.md +++ b/UPGRADE-5.10.md @@ -1,6 +1,37 @@ UPGRADE FROM 5.9 to 5.10 ======================== +General +------- + +### CSRF protection + +CSRF protection was added to multiple routes in the cms. No passing a csrf token to those routes +is deprecated and will be required in 6.0. Below is a list of controller actions that will require +a csrf token. Check the specific twig templates or the deprecation messages for the specific csrf token id that needs to +be used. + +* `Kunstmaan\AdminListBundle\Controller\AdminListController::doDeleteAction` +* `Kunstmaan\AdminBundle\Controller\ExceptionController::resolveAllAction` +* `Kunstmaan\AdminBundle\Controller\ExceptionController::toggleResolveAction` +* `Kunstmaan\MediaBundle\Controller\FolderController::deleteAction` +* `Kunstmaan\MediaBundle\Controller\MediaController::deleteAction` +* `Kunstmaan\FormBundle\Controller\FormSubmissionsController::deleteAction` +* `Kunstmaan\UserManagementBundle\Controller\GroupsController::deleteAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::recopyFromOtherLanguageAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::deleteAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::duplicateAction` +* `Kunstmaan\NodeBundle\Controller\NodeAdminController::duplicateWithChildrenAction` +* `Kunstmaan\UserManagementBundle\Controller\RolesController::deleteAction` +* `Kunstmaan\TranslatorBundle\Controller\TranslatorController::deleteAction` + +Together with the CSRF token some of those routes will only be available to post requests in 6.0 + +* `Kunstmaan\AdminBundle\Controller\ExceptionController::resolveAllAction` +* `Kunstmaan\AdminBundle\Controller\ExceptionController::toggleResolveAction` +* `Kunstmaan\MediaBundle\Controller\FolderController::deleteAction` +* `Kunstmaan\MediaBundle\Controller\MediaController::deleteAction` + AdminBundle ------------ 
diff --git a/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php b/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php index 9d8227b062..949c837a30 100644 --- a/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php +++ b/src/Kunstmaan/AdminBundle/Controller/ExceptionController.php @@ -36,7 +36,7 @@ public function indexAction(Request $request) } /** - * @Route("/resolve_all", name="kunstmaanadminbundle_admin_exception_resolve_all") + * @Route("/resolve_all", name="kunstmaanadminbundle_admin_exception_resolve_all", methods={"GET", "POST"}) * * @return RedirectResponse * @@ -44,8 +44,24 @@ public function indexAction(Request $request) * @throws \Doctrine\ORM\NoResultException * @throws \InvalidArgumentException */ - public function resolveAllAction() + public function resolveAllAction(Request $request) { + // NEXT_MAJOR: remove check and change methods property in route annotation + if ($request->isMethod(Request::METHOD_GET)) { + @trigger_error(sprintf('Calling the action "%s" with a GET request is deprecated since KunstmaanAdminBundle 5.10 and will only allow a POST request in KunstmaanAdminBundle 6.0.', __METHOD__), E_USER_DEPRECATED); + } + + $csrfId = 'exception-resolve_all'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminBundle 5.10 and will be required in KunstmaanAdminBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('kunstmaanadminbundle_admin_exception')); + } + $this->getEntityManager()->getRepository(Exception::class)->markAllAsResolved(); $indexUrl = $this->getAdminListConfigurator()->getIndexUrl(); 
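Review bot: The deprecation message in the `!$hasToken` branch of resolveAllAction tells users to check "the adminlist delete action template", which is not the template that renders this controller's resolve buttons, and it reads "Not passing as csrf token"; the same copied text appears in toggleResolveAction in the next hunk and in the NodeAdminController actions further down. Suggest `'Not passing a csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminBundle 5.10 and will be required in KunstmaanAdminBundle 6.0. If you override the resolve button templates make sure to post a csrf token.'` here and the matching template name in each other copy. Note also that `$request->request->has('token')` only inspects the POST body, so the deprecated GET path can never reach the token validation; that is consistent with the GET deprecation but is worth stating in the NEXT_MAJOR comment so the 6.0 cleanup removes both together. resolveAllAction's body continues past the end of the hunk.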
@@ -59,7 +75,7 @@ public function resolveAllAction() } /** - * @Route("/toggle_resolve/{id}", name="kunstmaanadminbundle_admin_exception_toggle_resolve") + * @Route("/toggle_resolve/{id}", name="kunstmaanadminbundle_admin_exception_toggle_resolve", methods={"GET", "POST"}) * * @return RedirectResponse * @@ -69,6 +85,22 @@ public function resolveAllAction() */ public function toggleResolveAction(Request $request, Exception $model) { + // NEXT_MAJOR: remove check and change methods property in route annotation + if ($request->isMethod(Request::METHOD_GET)) { + @trigger_error(sprintf('Calling the action "%s" with a GET request is deprecated since KunstmaanAdminBundle 5.10 and will only allow a POST request in KunstmaanAdminBundle 6.0.', __METHOD__), E_USER_DEPRECATED); + } + + $csrfId = 'exception-resolve-item'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminBundle 5.10 and will be required in KunstmaanAdminBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('kunstmaanadminbundle_admin_exception')); + } + /* @var EntityManager $em */ $em = $this->getEntityManager(); diff --git a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig index 8bf6bbb636..9fb4fba394 100644 --- a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig +++ b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve.html.twig 
@@ -1,8 +1,12 @@ {% set action = itemAction.getUrlFor(item) %} - - {% if item.isResolved() %} - {{ "settings.exceptions.unresolved" | trans }} - {% else %} - {{ "settings.exceptions.resolved" | trans }} - {% endif %} - +
+ + + +
diff --git a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig index 3e1c1acd34..15640e2602 100644 --- a/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig +++ b/src/Kunstmaan/AdminBundle/Resources/views/Settings/button_resolve_all.html.twig @@ -1,3 +1,7 @@ - - {{ action.getLabel() | trans }} - +
+ + + +
diff --git a/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php b/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php index 18706d74fd..18c2fde1ae 100644 --- a/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php +++ b/src/Kunstmaan/AdminListBundle/Controller/AbstractAdminListController.php @@ -20,6 +20,7 @@ use Kunstmaan\AdminListBundle\Service\ExportService; use Kunstmaan\NodeBundle\Entity\HasNodeInterface; use Kunstmaan\NodeBundle\Entity\NodeTranslation; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy; 
@@ -353,6 +354,22 @@ protected function doViewAction(AbstractAdminListConfigurator $configurator, $en */ protected function doDeleteAction(AbstractAdminListConfigurator $configurator, $entityId, Request $request) { + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($configurator->getEntityName()); + + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminListBundle 5.10 and will be required in KunstmaanAdminListBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + $indexUrl = $configurator->getIndexUrl(); + + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + /* @var $em EntityManager */ $em = $this->getEntityManager(); $helper = $em->getRepository($configurator->getRepositoryName())->findOneById($entityId); @@ -583,6 +600,7 @@ public static function getSubscribedServices(): array 'kunstmaan_entity.admin_entity.entity_version_lock_service' => EntityVersionLockService::class, 'translator' => interface_exists(TranslatorInterface::class) ? TranslatorInterface::class : LegacyTranslatorInterface::class, 'event_dispatcher' => EventDispatcherInterface::class, + 'kunstmaan_utilities.slugifier' => SlugifierInterface::class, ]); } } diff --git a/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php b/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php index 50d4dd3e6c..f4e9c14b49 100644 --- a/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php +++ b/src/Kunstmaan/AdminListBundle/Controller/AdminListController.php 
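Review bot: When the posted token fails `isCsrfTokenValid` in doDeleteAction, the request is redirected to the index without any feedback, so a stale-token submission looks to the user like a completed delete until the row is seen to still exist. Adding a flash before the redirect, e.g. `$this->addFlash('error', 'Invalid CSRF token, the item was not deleted.');` (or the bundle's flash type constant if it is in scope in this file), makes the rejection visible; the same silent redirect is repeated in AdminListController, TranslatorController, GroupsController, RolesController and the NodeAdminController actions. doDeleteAction's body continues past the end of the hunk.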
@@ -17,6 +17,7 @@ use Kunstmaan\AdminListBundle\Service\EntityVersionLockService; use Kunstmaan\NodeBundle\Entity\HasNodeInterface; use Kunstmaan\NodeBundle\Entity\NodeTranslation; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Symfony\Bundle\FrameworkBundle\Controller\Controller; use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -350,6 +351,21 @@ protected function doViewAction(AbstractAdminListConfigurator $configurator, $en */ protected function doDeleteAction(AbstractAdminListConfigurator $configurator, $entityId, Request $request) { + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($configurator->getEntityName()); + + $hasToken = $request->request->has('token'); + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanAdminListBundle 5.10 and will be required in KunstmaanAdminListBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + $indexUrl = $configurator->getIndexUrl(); + + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + /* @var $em EntityManager */ $em = $this->getEntityManager(); $helper = $em->getRepository($configurator->getRepositoryName())->findOneById($entityId); diff --git a/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig b/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig index c2f035ee1c..79eb38951a 100644 --- a/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig 
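Review bot: The `if (!$hasToken)` block in AdminListController::doDeleteAction is missing the `// NEXT_MAJOR remove hasToken check and make csrf token required` marker that the otherwise identical block in AbstractAdminListController carries, so this copy is easy to overlook during the 6.0 cleanup; add the same comment above the check. This class extends the legacy `Controller` rather than AbstractController, which is presumably why no subscribed-services entry was needed for `$this->container->get('kunstmaan_utilities.slugifier')` here. doDeleteAction's body continues past the end of the hunk.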
+++ b/src/Kunstmaan/AdminListBundle/Resources/views/AdminListTwigExtension/sure-modal.html.twig @@ -12,6 +12,8 @@
+ +
diff --git a/src/Kunstmaan/MediaBundle/Resources/views/Media/delete-modal.html.twig b/src/Kunstmaan/MediaBundle/Resources/views/Media/delete-modal.html.twig index 48e9316601..06a2dbfd36 100644 --- a/src/Kunstmaan/MediaBundle/Resources/views/Media/delete-modal.html.twig +++ b/src/Kunstmaan/MediaBundle/Resources/views/Media/delete-modal.html.twig @@ -19,12 +19,16 @@ diff --git a/src/Kunstmaan/NodeBundle/Controller/NodeAdminController.php b/src/Kunstmaan/NodeBundle/Controller/NodeAdminController.php index a4170ca661..8073e0d931 100644 --- a/src/Kunstmaan/NodeBundle/Controller/NodeAdminController.php +++ b/src/Kunstmaan/NodeBundle/Controller/NodeAdminController.php @@ -218,6 +218,17 @@ public function copyFromOtherLanguageAction(Request $request, $id) */ public function recopyFromOtherLanguageAction(Request $request, $id) { + $csrfId = 'recopy-from-language'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanNodeBundle 5.10 and will be required in KunstmaanNodeBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('KunstmaanNodeBundle_nodes_edit', ['id' => $id])); + } + $this->init($request); /* @var Node $node */ $node = $this->em->getRepository(Node::class)->find($id); 
@@ -393,6 +404,17 @@ public function unSchedulePublishAction(Request $request, $id) */ public function deleteAction(Request $request, $id) { + $csrfId = 'node-delete'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanNodeBundle 5.10 and will be required in KunstmaanNodeBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('KunstmaanNodeBundle_nodes_edit', ['id' => $id])); + } + $this->init($request); /* @var Node $node */ $node = $this->em->getRepository(Node::class)->find($id); @@ -457,6 +479,17 @@ public function deleteAction(Request $request, $id) */ public function duplicateAction(Request $request, $id) { + $csrfId = 'node-duplicate'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanNodeBundle 5.10 and will be required in KunstmaanNodeBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('KunstmaanNodeBundle_nodes_edit', ['id' => $id])); + } + $this->init($request); /* @var Node $parentNode */ $originalNode = $this->em->getRepository(Node::class) 
@@ -525,6 +558,17 @@ public function duplicateAction(Request $request, $id) */ public function duplicateWithChildrenAction(Request $request, $id) { + $csrfId = 'node-duplicate-with-children'; + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanNodeBundle 5.10 and will be required in KunstmaanNodeBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl('KunstmaanNodeBundle_nodes_edit', ['id' => $id])); + } + if (!$this->getParameter('kunstmaan_node.show_duplicate_with_children')) { return $this->redirectToRoute('KunstmaanNodeBundle_nodes_edit', ['id' => $id]); } diff --git a/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_delete.html.twig b/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_delete.html.twig index eb7ef20d5e..01177f3bc1 100644 --- a/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_delete.html.twig +++ b/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_delete.html.twig @@ -18,6 +18,8 @@ - \ No newline at end of file + diff --git a/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate.html.twig b/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate.html.twig index 42d690c623..58f3624915 100644 --- a/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate.html.twig +++ b/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate.html.twig @@ -11,6 +11,7 @@ + - \ No newline at end of file + 
diff --git a/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate_with_children.html.twig b/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate_with_children.html.twig index 7d242105b7..c832545c78 100644 --- a/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate_with_children.html.twig +++ b/src/Kunstmaan/NodeBundle/Resources/views/NodeAdmin/Modals/_duplicate_with_children.html.twig @@ -11,6 +11,7 @@
+ + -{% endif %} \ No newline at end of file +{% endif %} diff --git a/src/Kunstmaan/TranslatorBundle/Controller/TranslatorController.php b/src/Kunstmaan/TranslatorBundle/Controller/TranslatorController.php index 56e6ea8909..47d6296936 100644 --- a/src/Kunstmaan/TranslatorBundle/Controller/TranslatorController.php +++ b/src/Kunstmaan/TranslatorBundle/Controller/TranslatorController.php @@ -11,6 +11,7 @@ use Kunstmaan\TranslatorBundle\Entity\Translation; use Kunstmaan\TranslatorBundle\Form\TranslationAdminType; use Kunstmaan\TranslatorBundle\Form\TranslationsFileUploadType; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template; use Symfony\Component\Form\FormBuilderInterface; use Symfony\Component\Form\FormError; 
@@ -277,10 +278,29 @@ public function editSearchAction($domain, $locale, $keyword) */ public function deleteAction(Request $request, $id) { + // NEXT_MAJOR: remove check and change methods property in route annotation + if ($request->isMethod(Request::METHOD_GET)) { + @trigger_error(sprintf('Calling the action "%s" with a GET request is deprecated since KunstmaanTranslatorBundle 5.10 and will only allow a POST request in KunstmaanTranslatorBundle 6.0.', __METHOD__), E_USER_DEPRECATED); + } + + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($this->getAdminListConfigurator()->getEntityName()); + + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanTranslatorBundle 5.10 and will be required in KunstmaanTranslatorBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + $indexUrl = $this->getAdminListConfigurator()->getIndexUrl(); + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + /* @var EntityManager $em */ $em = $this->getDoctrine()->getManager(); - $indexUrl = $this->getAdminListConfigurator()->getIndexUrl(); if ($request->isMethod('POST')) { $em->getRepository(Translation::class)->removeTranslations($id); } diff --git a/src/Kunstmaan/UserManagementBundle/Controller/GroupsController.php b/src/Kunstmaan/UserManagementBundle/Controller/GroupsController.php index a99fbf615c..5b52723513 100644 --- a/src/Kunstmaan/UserManagementBundle/Controller/GroupsController.php +++ b/src/Kunstmaan/UserManagementBundle/Controller/GroupsController.php 
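Review bot: TranslatorController::deleteAction fetches `kunstmaan_utilities.slugifier` through `$this->container->get()`, but unlike the AbstractAdminListController hunk this commit does not add the service to a `getSubscribedServices()` for this controller; if it extends AbstractController the service locator will not contain the id and the call throws at runtime, so the base class should be confirmed (the same applies to GroupsController and RolesController below). A style point: the new guard uses `$request->isMethod(Request::METHOD_GET)` while the surviving removal guard a few lines down uses `$request->isMethod('POST')`; pick one form, e.g. `$request->isMethod(Request::METHOD_POST)`. deleteAction's body continues past the end of the hunk.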
@@ -9,6 +9,7 @@ use Kunstmaan\AdminBundle\Form\GroupType; use Kunstmaan\AdminListBundle\AdminList\AdminList; use Kunstmaan\UserManagementBundle\AdminList\GroupAdminListConfigurator; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\Request; @@ -144,8 +145,27 @@ public function editAction(Request $request, $id) * * @return RedirectResponse */ - public function deleteAction($id) + public function deleteAction(Request $request, $id) { + $em = $this->getDoctrine()->getManager(); + $configurator = new GroupAdminListConfigurator($em); + + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($configurator->getEntityName()); + + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanUserManagementBundle 5.10 and will be required in KunstmaanUserManagementBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + $indexUrl = $configurator->getIndexUrl(); + + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + $this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN'); /* @var EntityManager $em */ diff --git a/src/Kunstmaan/UserManagementBundle/Controller/RolesController.php b/src/Kunstmaan/UserManagementBundle/Controller/RolesController.php index 5acdc363ad..29f098c2ac 100644 --- a/src/Kunstmaan/UserManagementBundle/Controller/RolesController.php +++ b/src/Kunstmaan/UserManagementBundle/Controller/RolesController.php 
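Review bot: The new token handling in GroupsController::deleteAction runs before the existing `$this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN')`, so an unauthorized caller now gets deprecation notices, a configurator construction and a CSRF verdict before being refused; moving `$this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN');` to the first statement of the action keeps the authorization check first and cheapest. The hunk also assigns `$em = $this->getDoctrine()->getManager();` above a surviving `/* @var EntityManager $em */` annotation that presumably precedes a second identical assignment; one of the two can go. The same ordering point applies to RolesController::deleteAction in the next hunk. deleteAction's body continues past the end of the hunk.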
@@ -9,6 +9,7 @@ use Kunstmaan\AdminBundle\Form\RoleType; use Kunstmaan\AdminListBundle\AdminList\AdminList; use Kunstmaan\UserManagementBundle\AdminList\RoleAdminListConfigurator; +use Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface; use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\Request; @@ -143,8 +144,27 @@ public function editAction(Request $request, $id) * * @return RedirectResponse */ - public function deleteAction($id) + public function deleteAction(Request $request, $id) { + $em = $this->getDoctrine()->getManager(); + $configurator = new RoleAdminListConfigurator($em); + + /** @var SlugifierInterface $slugifier */ + $slugifier = $this->container->get('kunstmaan_utilities.slugifier'); + $csrfId = 'delete-' . $slugifier->slugify($configurator->getEntityName()); + + $hasToken = $request->request->has('token'); + // NEXT_MAJOR remove hasToken check and make csrf token required + if (!$hasToken) { + @trigger_error(sprintf('Not passing as csrf token with id "%s" in field "token" is deprecated in KunstmaanUserManagementBundle 5.10 and will be required in KunstmaanUserManagementBundle 6.0. If you override the adminlist delete action template make sure to post a csrf token.', $csrfId), E_USER_DEPRECATED); + } + + if ($hasToken && !$this->isCsrfTokenValid($csrfId, $request->request->get('token'))) { + $indexUrl = $configurator->getIndexUrl(); + + return new RedirectResponse($this->generateUrl($indexUrl['path'], $indexUrl['params'] ?? [])); + } + $this->denyAccessUnlessGranted('ROLE_SUPER_ADMIN'); /* @var EntityManager $em */ diff --git a/src/Kunstmaan/UtilitiesBundle/Resources/config/services.yml b/src/Kunstmaan/UtilitiesBundle/Resources/config/services.yml index 316e6c7c50..a261024076 100644 --- a/src/Kunstmaan/UtilitiesBundle/Resources/config/services.yml +++ b/src/Kunstmaan/UtilitiesBundle/Resources/config/services.yml 
@@ -4,6 +4,9 @@ parameters: kunstmaan_utilities.cipher.class: 'Kunstmaan\UtilitiesBundle\Helper\Cipher\UrlSafeCipher' services: + # Autowire aliases + Kunstmaan\UtilitiesBundle\Helper\SlugifierInterface: '@kunstmaan_utilities.slugifier' + kunstmaan_utilities.shell: class: '%kunstmaan_utilities.shell.class%'