commit 04776dc6529cf20c34b5a6ff782b8efc7ba0888a
parent 51fcf404034a1d775d281b25a65bdc946b480691
Author: Jan Dankert <develop@jandankert.de>
Date: Wed, 18 Nov 2020 20:42:57 +0100
Getting/setting cookies via constants; this is safer.
Diffstat:
9 files changed, 84 insertions(+), 36 deletions(-)
diff --git a/modules/cms/Dispatcher.class.php b/modules/cms/Dispatcher.class.php
@@ -248,8 +248,8 @@ class Dispatcher
// Sprache lesen
$languages = [];
- if (isset($_COOKIE['or_language']))
- $languages[] = $_COOKIE['or_language'];
+ if (isset($_COOKIE[ Action::COOKIE_LANGUAGE]))
+ $languages[] = $_COOKIE[Action::COOKIE_LANGUAGE];
$i18nConfig = (new Config($conf))->subset('i18n');
@@ -382,8 +382,8 @@ class Dispatcher
$dbid = $this->request->getRequestVar('dbid',RequestParams::FILTER_ALPHANUM);
elseif ( Session::getDatabaseId() )
$dbid = Session::getDatabaseId();
- elseif ( isset($_COOKIE['or_dbid']) )
- $dbid = $_COOKIE['or_dbid'];
+ elseif ( isset($_COOKIE[Action::COOKIE_DB_ID]) )
+ $dbid = $_COOKIE[Action::COOKIE_DB_ID];
else {
$databases = Configuration::subset('database')->subsets();
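Review bot: The database id taken from the cookie in the new `$dbid = $_COOKIE[Action::COOKIE_DB_ID];` branch bypasses the `RequestParams::FILTER_ALPHANUM` filter that the request-parameter branch a few lines above applies, so the same value reaches the database-selection code unfiltered when it arrives via cookie. The same pattern appears where the cookie is written from the unfiltered request var in LoginLoginAction (`$this->setCookie(Action::COOKIE_DB_ID ,$this->getRequestVar('dbid'));`) and where it is read again in RememberAuth::username(); applying the alphanumeric filter at each of these points, or checking the value against the configured database subsets, would keep the lookup consistent with the request-parameter path. The enclosing method starts and ends outside the hunk.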
diff --git a/modules/cms/action/Action.class.php b/modules/cms/action/Action.class.php
@@ -399,12 +399,38 @@ class Action
/**
+ * Language ISO code.
+ */
+ const COOKIE_LANGUAGE = 'or_language';
+
+ /**
+ * Last used username.
+ */
+ const COOKIE_USERNAME = 'or_username';
+ /**
+ * Login token.
+ */
+ const COOKIE_TOKEN = 'or_token';
+
+ /**
+ * Database id.
+ */
+ const COOKIE_DB_ID = 'or_dbid';
+
+ /**
+ * Timezone offset
+ */
+ const COOKIE_TIMEZONE_OFFSET = 'or_timezone_offset';
+
+
+
+ /**
* Sets a cookie.
*
- * @param $name cookie name
- * @param string $value cookie value, null to delete
+ * @param $name string cookie name
+ * @param $value string cookie value, null or empty to delete
*/
- protected function setCookie($name,$value='' ) {
+ protected function setCookie($name, $value = '' ) {
$cookieConfig = Configuration::subset('security')->subset('cookie');
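Review bot: The new cookie-name constants are declared without a visibility modifier although they are referenced from other classes (Dispatcher, CookieAuth, component-date); PHP 7.1+ allows `public const COOKIE_LANGUAGE = 'or_language';`, which makes the intended cross-class use explicit. The rewritten PHPDoc swaps type and name (`@param $name string`); the PHPDoc convention is `@param string $name cookie name` and `@param string|null $value cookie value, null or empty to delete`. The docblock now promises that an empty value deletes the cookie, and LoginLogoutAction relies on that by calling `setCookie(Action::COOKIE_TOKEN)` with no value, but the body of setCookie lies outside the hunk, so that contract cannot be confirmed from here.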
diff --git a/modules/cms/action/ProfileAction.class.php b/modules/cms/action/ProfileAction.class.php
@@ -34,18 +34,13 @@ use util\UIUtils;
/**
- * Action-Klasse zum Bearbeiten des Benutzerprofiles
- *
- * @author $Author$
- * @version $Revision$
- * @package openrat.actions
+ * profile data of current user.
*/
class ProfileAction extends BaseAction
{
public $security = Action::SECURITY_USER;
protected $user;
- var $defaultSubAction = 'edit';
/**
* Konstruktor.
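Review bot: The removal of `var $defaultSubAction = 'edit';` is unrelated to the cookie constants and is not mentioned in the commit message; if the base action dispatch reads this property, the default sub-action for the profile view silently changes. It would be clearer to either keep the property or call out the intended behaviour change in the description. The class body continues outside the hunk.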
@@ -60,18 +55,19 @@ class ProfileAction extends BaseAction
/**
- * Setzt eine Sprache für den Benutzer.
+ * Setting new language for current session.
*
- * @param $l string Sprache
+ * @param $languageISOcode string ISO coded language
*/
- protected function setLanguage($l)
+ protected function setLanguage($languageISOcode )
{
$conf = Session::getConfig();
$language = new Language();
- $conf['language'] = $language->getLanguage($l,PRODUCTION);
- $conf['language']['language_code'] = $l;
+ $conf['language'] = $language->getLanguage($languageISOcode);
+ $conf['language']['language_code'] = $languageISOcode;
+
Session::setConfig($conf);
- $this->setCookie('or_language',$l);
+ $this->setCookie( Action::COOKIE_LANGUAGE,$languageISOcode);
}
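Review bot: `$language->getLanguage($languageISOcode)` drops the `PRODUCTION` second argument that the removed line passed, which is a behaviour change beyond renaming the parameter and is not mentioned in the commit message; if that argument is still meaningful to Language::getLanguage, it should be restored, otherwise a short comment on why it was dropped would help. The ISO code is written to both the session config and the cookie without any check that it names a known language; a guard such as `if ($conf['language'] === null) return;` (or whatever getLanguage signals for unknown codes) before `Session::setConfig($conf)` would avoid persisting an arbitrary string, but the exact failure value is outside the hunk. The PHPDoc would also read better as `@param string $languageISOcode ISO coded language`.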
diff --git a/modules/cms/action/login/LoginLoginAction.class.php b/modules/cms/action/login/LoginLoginAction.class.php
@@ -144,8 +144,8 @@ class LoginLoginAction extends LoginAction implements Method {
}
// Cookie setzen
- $this->setCookie('or_username',$loginName );
- $this->setCookie('or_dbid' ,$this->getRequestVar('dbid'));
+ $this->setCookie(Action::COOKIE_USERNAME,$loginName );
+ $this->setCookie(Action::COOKIE_DB_ID ,$this->getRequestVar('dbid'));
// Jedes Authentifizierungsmodul durchlaufen, bis ein Login erfolgreich ist.
$result = AuthRunner::checkLogin('authenticate',$loginName,$loginPassword, $token );
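Review bot: Both `Action::COOKIE_USERNAME` and `Action::COOKIE_DB_ID` are written before `AuthRunner::checkLogin(...)` has run, so the browser receives the attempted username and database id even when the login fails. If that is intentional (pre-filling the form), a comment such as `// Stored before authentication so the form can be pre-filled on failure` would make it explicit; otherwise moving the two setCookie calls after the result check, next to the remember-me cookies in the later hunk, keeps the cookies tied to a successful login. The enclosing method starts and ends outside the hunk.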
@@ -237,8 +237,8 @@ class LoginLoginAction extends LoginAction implements Method {
if ( $this->hasRequestVar('remember') )
{
// Cookie setzen
- $this->setCookie('or_username',$user->name );
- $this->setCookie('or_token' ,$user->createNewLoginToken() );
+ $this->setCookie(Action::COOKIE_USERNAME,$user->name );
+ $this->setCookie(Action::COOKIE_TOKEN ,$user->createNewLoginToken() );
}
// Anmeldung erfolgreich.
diff --git a/modules/cms/action/login/LoginLogoutAction.class.php b/modules/cms/action/login/LoginLogoutAction.class.php
@@ -1,5 +1,6 @@
<?php
namespace cms\action\login;
+use cms\action\Action;
use cms\action\LoginAction;
use cms\action\Method;
use cms\base\Configuration;
@@ -16,14 +17,14 @@ class LoginLogoutAction extends LoginAction implements Method {
$this->recreateSession();
// Reading the login token cookie
- list( $selector,$token ) = array_pad( explode('.',@$_COOKIE['or_token']),2,'');
+ list( $selector,$token ) = array_pad( explode('.',@$_COOKIE[Action::COOKIE_TOKEN]),2,'');
// Logout forces the removal of all login tokens
if ( $selector )
$this->currentUser->deleteLoginToken( $selector );
// Cookie mit Logintoken löschen.
- $this->setCookie('or_token' ,null );
+ $this->setCookie(Action::COOKIE_TOKEN );
Session::setUser(null);
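Review bot: The `@` suppression on `@$_COOKIE[Action::COOKIE_TOKEN]` survives the rename; the null-coalescing form `list( $selector,$token ) = array_pad( explode('.', $_COOKIE[Action::COOKIE_TOKEN] ?? ''),2,'');` avoids silencing unrelated warnings and reads the same on a missing cookie. The delete call `$this->setCookie(Action::COOKIE_TOKEN );` now relies on the default empty value meaning "delete", which is only as clear as setCookie's docblock; passing `null` explicitly as before keeps the intent visible at the call site. The enclosing method starts and ends outside the hunk.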
diff --git a/modules/cms/action/profile/ProfileAvailableAction.class.php b/modules/cms/action/profile/ProfileAvailableAction.class.php
@@ -7,20 +7,40 @@ use util\ClassName;
class ProfileAvailableAction extends ProfileAction implements Method {
- public $security = Action::SECURITY_GUEST;
+ public $security = Action::SECURITY_GUEST; // Available for all
public function view() {
$action = $this->getRequestVar('queryaction');
- $viewMethods = array_filter( ['pub','prop','history','rights','add','pw','memberships','advanced','switch','changetemplate','src','size','maintenance','settings','archive','rights','remove','preview','order'],
+ $viewMethods = array_filter( [
+ // All UI-related methods (reachable via dropdown menus)
+ 'pub',
+ 'prop',
+ 'history',
+ 'rights',
+ 'add',
+ 'pw',
+ 'memberships',
+ 'advanced',
+ 'switch',
+ 'changetemplate',
+ 'src',
+ 'size',
+ 'maintenance',
+ 'settings',
+ 'archive',
+ 'rights',
+ 'remove',
+ 'preview',
+ 'order'
+ ],
function ($methodName) use ($action) {
// Filter existent methods
while( true ) {
$actionClassName = new ClassName( ucfirst($action) . ucfirst($methodName) . 'Action');
$actionClassName->addNamespace( ['cms','action',$action] );
- //echo "check: "; print_r($actionClassName->get() ); echo "\n";
if ( $actionClassName->exists() )
return true;
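Review bot: `'rights'` appears twice in the expanded method list (once after `'history'`, once after `'archive'`), so `array_filter` keeps both entries and the `views` template variable carries a duplicate; dropping the second `'rights'` entry, or wrapping the list in `array_unique(...)`, fixes it. This hunk is also unrelated to the cookie constants the commit is about. The view() method continues outside the hunk.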
@@ -40,6 +60,8 @@ class ProfileAvailableAction extends ProfileAction implements Method {
$this->setTemplateVar('views', $viewMethods);
}
+
+
public function post() {
}
}
diff --git a/modules/cms/auth/CookieAuth.class.php b/modules/cms/auth/CookieAuth.class.php
@@ -2,6 +2,7 @@
namespace cms\auth;
+use cms\action\Action;
use cms\auth\Auth;
/**
@@ -13,8 +14,8 @@ class CookieAuth implements Auth
{
public function username()
{
- if (isset($_COOKIE['or_username']))
- return $_COOKIE['or_username'];
+ if (isset($_COOKIE[ Action::COOKIE_USERNAME ]))
+ return $_COOKIE[ Action::COOKIE_USERNAME ];
else
return null;
}
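Review bot: The isset/else pair in username() can be expressed with null coalescing, `return $_COOKIE[ Action::COOKIE_USERNAME ] ?? null;`, which is the idiomatic form for this "value or null" lookup and removes the duplicated array access. This is a point of style only; behaviour is unchanged.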
diff --git a/modules/cms/auth/RememberAuth.class.php b/modules/cms/auth/RememberAuth.class.php
@@ -2,6 +2,7 @@
namespace cms\auth;
+use cms\action\Action;
use cms\auth\Auth;
use cms\base\Configuration;
use cms\model\Text;
@@ -24,11 +25,11 @@ class RememberAuth implements Auth
public function username()
{
// Ermittelt den Benutzernamen aus den Login-Cookies.
- if (isset($_COOKIE['or_token']) &&
- isset($_COOKIE['or_dbid'])) {
+ if (isset($_COOKIE[Action::COOKIE_TOKEN]) &&
+ isset($_COOKIE[Action::COOKIE_DB_ID])) {
try {
- list($selector, $token) = array_pad(explode('.', $_COOKIE['or_token']), 2, '');
- $dbid = $_COOKIE['or_dbid'];
+ list($selector, $token) = array_pad(explode('.', $_COOKIE[Action::COOKIE_TOKEN]), 2, '');
+ $dbid = $_COOKIE[Action::COOKIE_DB_ID];
$dbConfig = Configuration::subset('database');
diff --git a/modules/template_engine/components/html/component_date/component-date.php b/modules/template_engine/components/html/component_date/component-date.php
@@ -1,5 +1,6 @@
<?php
+use cms\action\Action;
use language\Messages;
use template_engine\Output;
@@ -10,10 +11,10 @@ function component_date($time )
else
{
// Benutzereinstellung 'Zeitzonen-Offset' auswerten.
- if ( isset($_COOKIE['or_timezone_offset']) )
+ if ( isset($_COOKIE[Action::COOKIE_TIMEZONE_OFFSET]) )
{
$time -= (int)date('Z');
- $time += ((int)$_COOKIE['or_timezone_offset']*60);
+ $time += ((int)$_COOKIE[Action::COOKIE_TIMEZONE_OFFSET]*60);
}
echo '<span class="or-table-sort-value">'.str_pad($time, 20, "0", STR_PAD_LEFT).'</span>'; // For sorting a table.