Improved form token generation and validation.

Core/Base/Controller.php

@@ -123,7 +123,7 @@ public function __construct(string $className, string $uri = '')
         $this->className = $className;
         $this->dataBase = new DataBase();
         $this->empresa = new Empresa();
-        $this->multiRequestProtection = new MultiRequestProtection($className);
+        $this->multiRequestProtection = new MultiRequestProtection();
         $this->request = Request::createFromGlobals();
         $this->template = $this->className . '.html.twig';
         $this->uri = $uri;
@@ -201,6 +201,9 @@ public function privateCore(&$response, $user, $permissions)
         // Select the default company for the user
         $this->empresa = Empresas::get($this->user->idempresa);
 
+        // add the user to the token generation seed
+        $this->multiRequestProtection->addSeed($user->nick);
+
         // Have this user a default page?
         $defaultPage = $this->request->query->get('defaultPage', '');
         if ($defaultPage === 'TRUE') {

Core/Controller/AdminPlugins.php

@@ -16,12 +16,13 @@
  * You should have received a copy of the GNU Lesser General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
+
 namespace FacturaScripts\Core\Controller;
 
 use FacturaScripts\Core\Base;
 use FacturaScripts\Dinamic\Model\User;
-use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
+use Symfony\Component\HttpFoundation\Response;
 
 /**
  * AdminPlugins.
@@ -41,10 +42,9 @@ class AdminPlugins extends Base\Controller
     public $pluginManager;
 
     /**
-     * 
      * @return array
      */
-    public function getAllPlugins()
+    public function getAllPlugins(): array
     {
         $downloadTools = new Base\DownloadTools();
         $json = json_decode($downloadTools->getContents(self::PLUGIN_LIST_URL, 3), true);
@@ -54,7 +54,7 @@ public function getAllPlugins()
 
         $list = [];
         foreach ($json as $item) {
-            /// plugin is already installed?
+            // plugin is already installed?
             $item['installed'] = false;
             foreach ($this->getPlugins() as $plug) {
                 if ($plug['name'] == $item['name']) {
@@ -101,14 +101,14 @@ public function getPageData()
     public function getPlugins()
     {
         $installedPlugins = $this->pluginManager->installedPlugins();
-        if (!defined('FS_HIDDEN_PLUGINS')) {
+        if (false === defined('FS_HIDDEN_PLUGINS')) {
             return $installedPlugins;
         }
 
-        /// exclude hidden plugins
-        $hiddenPlugins = \explode(',', \FS_HIDDEN_PLUGINS);
+        // exclude hidden plugins
+        $hiddenPlugins = explode(',', FS_HIDDEN_PLUGINS);
         foreach ($installedPlugins as $key => $plugin) {
-            if (\in_array($plugin['name'], $hiddenPlugins, false)) {
+            if (in_array($plugin['name'], $hiddenPlugins, false)) {
                 unset($installedPlugins[$key]);
             }
         }
@@ -118,9 +118,9 @@ public function getPlugins()
     /**
      * Runs the controller's private logic.
      *
-     * @param Response                      $response
-     * @param User                          $user
-     * @param Base\ControllerPermissions    $permissions
+     * @param Response $response
+     * @param User $user
+     * @param Base\ControllerPermissions $permissions
      */
     public function privateCore(&$response, $user, $permissions)
     {
@@ -169,7 +169,7 @@ private function enablePlugin($pluginName)
 
     /**
      * Execute main actions.
-     * 
+     *
      * @param string $action
      */
     private function execAction($action)
@@ -198,8 +198,8 @@ private function execAction($action)
                 break;
 
             default:
-                if (\FS_DEBUG) {
-                    /// On debug mode, always deploy the contents of Dinamic.
+                if (FS_DEBUG) {
+                    // On debug mode, always deploy the contents of Dinamic.
                     $this->pluginManager->deploy(true, true);
                     $this->toolBox()->cache()->clear();
                 }
@@ -232,6 +232,25 @@ private function removePlugin($pluginName)
      */
     private function uploadPlugin($uploadFiles)
     {
+        // check user permissions
+        if (false === $this->permissions->allowUpdate) {
+            $this->toolBox()->i18nLog()->warning('not-allowed-update');
+            return;
+        }
+
+        // valid request?
+        $token = $this->request->request->get('multireqtoken', '');
+        if (empty($token) || false === $this->multiRequestProtection->validate($token)) {
+            $this->toolBox()->i18nLog()->warning('invalid-request');
+            return;
+        }
+
+        // duplicated request?
+        if ($this->multiRequestProtection->tokenExist($token)) {
+            $this->toolBox()->i18nLog()->warning('duplicated-request');
+            return;
+        }
+
         foreach ($uploadFiles as $uploadFile) {
             if (false === $uploadFile->isValid()) {
                 $this->toolBox()->log()->error($uploadFile->getErrorMessage());
@@ -244,7 +263,7 @@ private function uploadPlugin($uploadFiles)
             }
 
             $this->pluginManager->install($uploadFile->getPathname(), $uploadFile->getClientOriginalName());
-            \unlink($uploadFile->getPathname());
+            unlink($uploadFile->getPathname());
         }
 
         if ($this->pluginManager->deploymentRequired()) {

Core/Controller/DocumentStitcher.php

@@ -119,7 +119,7 @@ public function privateCore(&$response, $user, $permissions)
         if ($status) {
             // validate form request?
             $token = $this->request->request->get('multireqtoken', '');
-            if (empty($token) || false === $this->multiRequestProtection->validate($token, $this->user->logkey)) {
+            if (empty($token) || false === $this->multiRequestProtection->validate($token)) {
                 $this->toolBox()->i18nLog()->warning('invalid-request');
                 return;
             }

Core/Controller/EditApiKey.php

@@ -16,9 +16,9 @@
  * You should have received a copy of the GNU Lesser General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
+
 namespace FacturaScripts\Core\Controller;
 
-use Exception;
 use FacturaScripts\Core\Base\DataBase\DataBaseWhere;
 use FacturaScripts\Core\Lib\ExtendedController\BaseView;
 use FacturaScripts\Core\Lib\ExtendedController\EditController;
@@ -34,7 +34,6 @@ class EditApiKey extends EditController
 {
 
     /**
-     * 
      * @return array
      */
     public function getAccessRules(): array
@@ -63,7 +62,7 @@ public function getAccessRules(): array
 
     /**
      * Returns the model name.
-     * 
+     *
      * @return string
      */
     public function getModelClassName()
@@ -96,7 +95,6 @@ protected function createViews()
     }
 
     /**
-     * 
      * @param string $viewName
      */
     protected function createViewsAccess(string $viewName = 'ApiAccess')
@@ -105,29 +103,36 @@ protected function createViewsAccess(string $viewName = 'ApiAccess')
     }
 
     /**
-     * 
      * @return bool
      */
     protected function editRulesAction(): bool
     {
+        // check user permissions
+        if (false === $this->permissions->allowUpdate) {
+            $this->toolBox()->i18nLog()->warning('not-allowed-update');
+            return true;
+        } elseif (false === $this->validateFormToken()) {
+            return true;
+        }
+
         $allowGet = $this->request->request->get('allowget');
         $allowPut = $this->request->request->get('allowput');
         $allowPost = $this->request->request->get('allowpost');
         $allowDelete = $this->request->request->get('allowdelete');
 
-        /// update current access rules
+        // update current access rules
         $accessModel = new ApiAccess();
         $where = [new DataBaseWhere('idapikey', $this->request->query->get('code'))];
         $rules = $accessModel->all($where, [], 0, 0);
         foreach ($rules as $access) {
-            $access->allowget = \is_array($allowGet) && \in_array($access->resource, $allowGet);
-            $access->allowput = \is_array($allowPut) && \in_array($access->resource, $allowPut);
-            $access->allowpost = \is_array($allowPost) && \in_array($access->resource, $allowPost);
-            $access->allowdelete = \is_array($allowDelete) && \in_array($access->resource, $allowDelete);
+            $access->allowget = is_array($allowGet) && in_array($access->resource, $allowGet);
+            $access->allowput = is_array($allowPut) && in_array($access->resource, $allowPut);
+            $access->allowpost = is_array($allowPost) && in_array($access->resource, $allowPost);
+            $access->allowdelete = is_array($allowDelete) && in_array($access->resource, $allowDelete);
             $access->save();
         }
 
-        /// add new rules
+        // add new rules
         foreach ($allowGet as $resource) {
             $found = false;
             foreach ($rules as $rule) {
@@ -140,14 +145,14 @@ protected function editRulesAction(): bool
                 continue;
             }
 
-            /// add
+            // add
             $newAccess = new ApiAccess();
             $newAccess->idapikey = $this->request->query->get('code');
             $newAccess->resource = $resource;
-            $newAccess->allowget = \is_array($allowGet) && \in_array($resource, $allowGet);
-            $newAccess->allowput = \is_array($allowPut) && \in_array($resource, $allowPut);
-            $newAccess->allowpost = \is_array($allowPost) && \in_array($resource, $allowPost);
-            $newAccess->allowdelete = \is_array($allowDelete) && \in_array($resource, $allowDelete);
+            $newAccess->allowget = is_array($allowGet) && in_array($resource, $allowGet);
+            $newAccess->allowput = is_array($allowPut) && in_array($resource, $allowPut);
+            $newAccess->allowpost = is_array($allowPost) && in_array($resource, $allowPost);
+            $newAccess->allowdelete = is_array($allowDelete) && in_array($resource, $allowDelete);
             $newAccess->save();
         }
 
@@ -183,29 +188,29 @@ protected function getResources(): array
     {
         $resources = [];
 
-        $path = \FS_FOLDER . DIRECTORY_SEPARATOR . 'Dinamic' . DIRECTORY_SEPARATOR . 'Lib' . DIRECTORY_SEPARATOR . 'API';
-        foreach (\scandir($path, SCANDIR_SORT_NONE) as $resource) {
-            if (\substr($resource, -4) !== '.php') {
+        $path = FS_FOLDER . DIRECTORY_SEPARATOR . 'Dinamic' . DIRECTORY_SEPARATOR . 'Lib' . DIRECTORY_SEPARATOR . 'API';
+        foreach (scandir($path, SCANDIR_SORT_NONE) as $resource) {
+            if (substr($resource, -4) !== '.php') {
                 continue;
             }
 
             $class = substr('\\FacturaScripts\\Dinamic\\Lib\\API\\' . $resource, 0, -4);
             $APIClass = new $class($this->response, $this->request, []);
-            if (isset($APIClass) && \method_exists($APIClass, 'getResources')) {
+            if (isset($APIClass) && method_exists($APIClass, 'getResources')) {
                 foreach ($APIClass->getResources() as $name => $data) {
                     $resources[] = $name;
                 }
             }
         }
 
-        \sort($resources);
+        sort($resources);
         return $resources;
     }
 
     /**
      * Load view data.
      *
-     * @param string   $viewName
+     * @param string $viewName
      * @param BaseView $view
      */
     protected function loadData($viewName, $view)