Fix: csrf
robertSt7 authored and dvesh3 committed Jul 4, 2023
1 parent e53f4b7 commit c7c7c54
Showing 2 changed files with 11 additions and 1 deletion.
11 changes: 10 additions & 1 deletion src/Controller/CartController.php
Expand Up @@ -27,6 +27,7 @@
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\Routing\Annotation\Route;

class CartController extends FrontendController
Expand Down Expand Up @@ -105,15 +106,23 @@ public function cartListingAction(Request $request, BreadcrumbHelperService $bre
$cart = $this->getCart();

if ($request->getMethod() == Request::METHOD_POST) {
if (!$this->isCsrfTokenValid('cartListing', $request->get('_csrf_token'))) {
throw new AccessDeniedHttpException('Invalid request');
}

$items = $request->get('items');

foreach ($items as $itemKey => $quantity) {
if (!is_numeric($quantity)) {
continue;
}

if ($cart->getItemCount() > 99) {
break;
}
$product = AbstractProduct::getById($itemKey);
if ($product instanceof CheckoutableInterface) {
$cart->updateItem($itemKey, $product, $quantity, true);
$cart->updateItem($itemKey, $product, floor($quantity), true);
}
}
$cart->save();
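Review bot: The new `floor($quantity)` on the updateItem line still hands over a float, and the `is_numeric` guard above it admits strings such as `"-3"`, `" 5"` or `"1e2"`, so a negative or exponent-form quantity reaches the cart; whether the cart rejects a negative count is not visible here. Converting once, before the item-count check, would make the accepted domain explicit: `$quantity = (int) floor((float) $quantity); if ($quantity < 0) { continue; }`. `$items = $request->get('items')` can also be null when the field is absent from the POST, which makes the `foreach` emit a warning and skip the body; a `?? []` default would keep the same behaviour without the notice. For the CSRF check, `$request->request->get('_csrf_token')` would read the token only from the form body rather than also from attributes and the query string, matching how the template submits it. cartListingAction begins before this hunk and its body continues after it.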
1 change: 1 addition & 0 deletions templates/cart/cart_listing.html.twig
<h4 class="mb-3">{{ 'cart.title' | trans }}</h4>
<div class="card shopping-cart">
<form method="post">
<input type="hidden" name="_csrf_token" value="{{ csrf_token('cartListing') }}">
<div class="card-body">

{% for item in cart.items %}