openrat-cms

OpenRat Content Management System
git clone http://git.code.weiherhei.de/openrat-cms.git

commit 04776dc6529cf20c34b5a6ff782b8efc7ba0888a
parent 51fcf404034a1d775d281b25a65bdc946b480691
Author: Jan Dankert <develop@jandankert.de>
Date:   Wed, 18 Nov 2020 20:42:57 +0100

Get/set cookies via named constants instead of repeated string literals; this is safer.

Diffstat:
Mmodules/cms/Dispatcher.class.php | 8++++----
Mmodules/cms/action/Action.class.php | 32+++++++++++++++++++++++++++++---
Mmodules/cms/action/ProfileAction.class.php | 20++++++++------------
Mmodules/cms/action/login/LoginLoginAction.class.php | 8++++----
Mmodules/cms/action/login/LoginLogoutAction.class.php | 5+++--
Mmodules/cms/action/profile/ProfileAvailableAction.class.php | 28+++++++++++++++++++++++++---
Mmodules/cms/auth/CookieAuth.class.php | 5+++--
Mmodules/cms/auth/RememberAuth.class.php | 9+++++----
Mmodules/template_engine/components/html/component_date/component-date.php | 5+++--
9 files changed, 84 insertions(+), 36 deletions(-)

diff --git a/modules/cms/Dispatcher.class.php b/modules/cms/Dispatcher.class.php
@@ -248,8 +248,8 @@ class Dispatcher
 // Sprache lesen
 $languages = [];
- if (isset($_COOKIE['or_language']))
- $languages[] = $_COOKIE['or_language'];
+ if (isset($_COOKIE[ Action::COOKIE_LANGUAGE]))
+ $languages[] = $_COOKIE[Action::COOKIE_LANGUAGE];
 $i18nConfig = (new Config($conf))->subset('i18n');
@@ -382,8 +382,8 @@ class Dispatcher
 $dbid = $this->request->getRequestVar('dbid',RequestParams::FILTER_ALPHANUM);
 elseif ( Session::getDatabaseId() )
 $dbid = Session::getDatabaseId();
- elseif ( isset($_COOKIE['or_dbid']) )
- $dbid = $_COOKIE['or_dbid'];
+ elseif ( isset($_COOKIE[Action::COOKIE_DB_ID]) )
+ $dbid = $_COOKIE[Action::COOKIE_DB_ID];
 else
 {
 $databases = Configuration::subset('database')->subsets();
diff --git a/modules/cms/action/Action.class.php b/modules/cms/action/Action.class.php
@@ -399,12 +399,38 @@ class Action
 /**
+ * Language ISO code.
+ */
+ const COOKIE_LANGUAGE = 'or_language';
+
+ /**
+ * Last used username.
+ */
+ const COOKIE_USERNAME = 'or_username';
+ /**
+ * Login token.
+ */
+ const COOKIE_TOKEN = 'or_token';
+
+ /**
+ * Database id.
+ */
+ const COOKIE_DB_ID = 'or_dbid';
+
+ /**
+ * Timezone offset
+ */
+ const COOKIE_TIMEZONE_OFFSET = 'or_timezone_offset';
+
+
+
+ /**
 * Sets a cookie.
 *
- * @param $name cookie name
- * @param string $value cookie value, null to delete
+ * @param $name string cookie name
+ * @param $value string cookie value, null or empty to delete
 */
- protected function setCookie($name,$value='' ) {
+ protected function setCookie($name, $value = '' ) {
 $cookieConfig = Configuration::subset('security')->subset('cookie');
diff --git a/modules/cms/action/ProfileAction.class.php b/modules/cms/action/ProfileAction.class.php
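Review bot: The value pushed on the `$languages[] = $_COOKIE[Action::COOKIE_LANGUAGE];` line is still taken verbatim from the client, so any string the browser sends becomes a candidate language code; renaming the key does not change that. If `$languages` is later matched against the configured `i18n` languages the impact is limited, but a cheap shape check keeps arbitrary bytes out of session config and logs: `if (isset($_COOKIE[Action::COOKIE_LANGUAGE]) && preg_match('/^[a-z]{2}(?:[-_][A-Za-z]{2})?$/', $_COOKIE[Action::COOKIE_LANGUAGE]))`. How `$languages` is consumed is outside the hunk, so treat the pattern as a proposal to confirm against the language loader.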
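Review bot: The cookie branch on the `$dbid = $_COOKIE[Action::COOKIE_DB_ID];` line takes the value unfiltered, while the request-parameter branch two lines above passes `RequestParams::FILTER_ALPHANUM` for the same id; a cookie is just as attacker-controlled as a query parameter, so both sources should get the same treatment before the id is used to select a database configuration. A minimal fix is `elseif ( isset($_COOKIE[Action::COOKIE_DB_ID]) && ctype_alnum($_COOKIE[Action::COOKIE_DB_ID]) )`, which lets a rejected value fall through to the configured-databases `else` branch that follows. The enclosing method continues beyond the hunk.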
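Review bot: The five new constants are declared without a visibility modifier, and the docblock on `COOKIE_TOKEN` does not say that this cookie is a credential, which is the one fact a reader of this class needs. If the project's minimum PHP is 7.1 or later, write `public const COOKIE_TOKEN = 'or_token';` (every other member in the visible code carries an explicit modifier) and document the format the readers rely on: `/** Persistent-login credential in 'selector.token' form (see RememberAuth); never log it. */`. The rewritten `@param` lines also have name and type swapped — PHPDoc order is `@param string $name cookie name` and `@param string $value cookie value, null or empty to delete`. The body of `setCookie`, where the flags from the `security.cookie` config presumably get applied, is outside the hunk.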
@@ -34,18 +34,13 @@ use util\UIUtils; /** - * Action-Klasse zum Bearbeiten des Benutzerprofiles - * - * @author $Author$ - * @version $Revision$ - * @package openrat.actions + * profile data of current user. */ class ProfileAction extends BaseAction { public $security = Action::SECURITY_USER; protected $user; - var $defaultSubAction = 'edit'; /** * Konstruktor. @@ -60,18 +55,19 @@ class ProfileAction extends BaseAction /** - * Setzt eine Sprache für den Benutzer. + * Setting new language for current session. * - * @param $l string Sprache + * @param $languageISOcode string ISO coded language */ - protected function setLanguage($l) + protected function setLanguage($languageISOcode ) { $conf = Session::getConfig(); $language = new Language(); - $conf['language'] = $language->getLanguage($l,PRODUCTION); - $conf['language']['language_code'] = $l; + $conf['language'] = $language->getLanguage($languageISOcode); + $conf['language']['language_code'] = $languageISOcode; + Session::setConfig($conf); - $this->setCookie('or_language',$l); + $this->setCookie( Action::COOKIE_LANGUAGE,$languageISOcode); } diff --git a/modules/cms/action/login/LoginLoginAction.class.php b/modules/cms/action/login/LoginLoginAction.class.php @@ -144,8 +144,8 @@ class LoginLoginAction extends LoginAction implements Method { } // Cookie setzen - $this->setCookie('or_username',$loginName ); - $this->setCookie('or_dbid' ,$this->getRequestVar('dbid')); + $this->setCookie(Action::COOKIE_USERNAME,$loginName ); + $this->setCookie(Action::COOKIE_DB_ID ,$this->getRequestVar('dbid')); // Jedes Authentifizierungsmodul durchlaufen, bis ein Login erfolgreich ist. $result = AuthRunner::checkLogin('authenticate',$loginName,$loginPassword, $token ); 
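Review bot: `setLanguage` stores `$languageISOcode` in the session config and in the `or_language` cookie without checking that it is a language code, and the Dispatcher reads that cookie back on every later request; since the parameter is now named and documented as an ISO code, enforce it at the top of the method: `if (!preg_match('/^[a-z]{2}(?:[-_][A-Za-z]{2})?$/', $languageISOcode)) return;` (or throw, whichever matches how this class reports bad input — the callers are outside the hunk). The call to `getLanguage()` also dropped its second `PRODUCTION` argument; confirm that the method's default reproduces the old behaviour, because the result is what every subsequent request reads from the session.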
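Review bot: Both `setCookie` calls run before `AuthRunner::checkLogin`, so a failed login still persists the attempted username and an unfiltered `dbid` from the request in the browser, and that `dbid` cookie is what Dispatcher and RememberAuth later use to pick a database configuration. Either move the two lines below the success check, or at least filter here the way Dispatcher does: `$this->setCookie(Action::COOKIE_DB_ID, $this->getRequestVar('dbid', RequestParams::FILTER_ALPHANUM));` — assuming the action's `getRequestVar` accepts a filter like the request object's version does. The username cookie is a convenience, so writing it only after authentication succeeds costs nothing on the success path. The method continues outside the hunk.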
@@ -237,8 +237,8 @@ class LoginLoginAction extends LoginAction implements Method { if ( $this->hasRequestVar('remember') ) { // Cookie setzen - $this->setCookie('or_username',$user->name ); - $this->setCookie('or_token' ,$user->createNewLoginToken() ); + $this->setCookie(Action::COOKIE_USERNAME,$user->name ); + $this->setCookie(Action::COOKIE_TOKEN ,$user->createNewLoginToken() ); } // Anmeldung erfolgreich. diff --git a/modules/cms/action/login/LoginLogoutAction.class.php b/modules/cms/action/login/LoginLogoutAction.class.php @@ -1,5 +1,6 @@ <?php namespace cms\action\login; +use cms\action\Action; use cms\action\LoginAction; use cms\action\Method; use cms\base\Configuration; @@ -16,14 +17,14 @@ class LoginLogoutAction extends LoginAction implements Method { $this->recreateSession(); // Reading the login token cookie - list( $selector,$token ) = array_pad( explode('.',@$_COOKIE['or_token']),2,''); + list( $selector,$token ) = array_pad( explode('.',@$_COOKIE[Action::COOKIE_TOKEN]),2,''); // Logout forces the removal of all login tokens if ( $selector ) $this->currentUser->deleteLoginToken( $selector ); // Cookie mit Logintoken löschen. - $this->setCookie('or_token' ,null ); + $this->setCookie(Action::COOKIE_TOKEN ); Session::setUser(null); diff --git a/modules/cms/action/profile/ProfileAvailableAction.class.php b/modules/cms/action/profile/ProfileAvailableAction.class.php 
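Review bot: `createNewLoginToken()` on the `COOKIE_TOKEN` line mints a persistent bearer credential, yet it goes through the same `setCookie` path as the username and language cookies; if that path applies one config-wide flag set, this cookie deserves a stricter one (HttpOnly, Secure, SameSite=Lax at minimum) regardless of what is configured for the others. I cannot see the `setCookie` body from here, so this is a check rather than a confirmed gap. A comment at the call site would make the sensitivity obvious to the next reader: `// Persistent login: this token is equivalent to the password until it is revoked on logout.`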
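Review bot: The comment `// Logout forces the removal of all login tokens` does not match the code under it, which calls `deleteLoginToken( $selector )` with the single selector taken from this browser's cookie; either the method ignores its argument and revokes everything, or only this browser's token is revoked — the comment should say which, because the difference matters for a "log out everywhere" expectation. The `@$_COOKIE[...]` read is also better written without error suppression: `list( $selector,$token ) = array_pad( explode('.', $_COOKIE[Action::COOKIE_TOKEN] ?? ''), 2, '');`. Relying on `setCookie`'s empty default to delete is consistent with the docblock in Action, but an explicit `''` at the call site reads as intent rather than accident. The method continues outside the hunk.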
@@ -7,20 +7,40 @@ use util\ClassName; class ProfileAvailableAction extends ProfileAction implements Method { - public $security = Action::SECURITY_GUEST; + public $security = Action::SECURITY_GUEST; // Available for all public function view() { $action = $this->getRequestVar('queryaction'); - $viewMethods = array_filter( ['pub','prop','history','rights','add','pw','memberships','advanced','switch','changetemplate','src','size','maintenance','settings','archive','rights','remove','preview','order'], + $viewMethods = array_filter( [ + // All UI-related methods (reachable via dropdown menus) + 'pub', + 'prop', + 'history', + 'rights', + 'add', + 'pw', + 'memberships', + 'advanced', + 'switch', + 'changetemplate', + 'src', + 'size', + 'maintenance', + 'settings', + 'archive', + 'rights', + 'remove', + 'preview', + 'order' + ], function ($methodName) use ($action) { // Filter existent methods while( true ) { $actionClassName = new ClassName( ucfirst($action) . ucfirst($methodName) . 'Action'); $actionClassName->addNamespace( ['cms','action',$action] ); - //echo "check: "; print_r($actionClassName->get() ); echo "\n"; if ( $actionClassName->exists() ) return true; @@ -40,6 +60,8 @@ class ProfileAvailableAction extends ProfileAction implements Method { $this->setTemplateVar('views', $viewMethods); } + + public function post() { } } diff --git a/modules/cms/auth/CookieAuth.class.php b/modules/cms/auth/CookieAuth.class.php @@ -2,6 +2,7 @@ namespace cms\auth; +use cms\action\Action; use cms\auth\Auth; /** @@ -13,8 +14,8 @@ class CookieAuth implements Auth { public function username() { - if (isset($_COOKIE['or_username'])) - return $_COOKIE['or_username']; + if (isset($_COOKIE[ Action::COOKIE_USERNAME ])) + return $_COOKIE[ Action::COOKIE_USERNAME ]; else return null; } diff --git a/modules/cms/auth/RememberAuth.class.php b/modules/cms/auth/RememberAuth.class.php 
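Review bot: `'rights'` appears twice in the new `$viewMethods` array (fourth entry and again after `'archive'`), so the list handed to the template can contain a duplicate; drop the second occurrence. More important for an action now annotated `SECURITY_GUEST`: `$action` comes straight from the `queryaction` request variable and is spliced into a class name and namespace (`ucfirst($action) . ucfirst($methodName) . 'Action'`, `addNamespace( ['cms','action',$action] )`) before `exists()` is called; if `exists()` resolves through the autoloader, an unauthenticated client can steer class lookup with arbitrary strings. Restrict it before the loop: `if (!preg_match('/^[a-z]+$/', $action)) { $this->setTemplateVar('views', []); return; }`. The closure's `while( true )` loop continues beyond the hunk.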
@@ -2,6 +2,7 @@ namespace cms\auth; +use cms\action\Action; use cms\auth\Auth; use cms\base\Configuration; use cms\model\Text; @@ -24,11 +25,11 @@ class RememberAuth implements Auth public function username() { // Ermittelt den Benutzernamen aus den Login-Cookies. - if (isset($_COOKIE['or_token']) && - isset($_COOKIE['or_dbid'])) { + if (isset($_COOKIE[Action::COOKIE_TOKEN]) && + isset($_COOKIE[Action::COOKIE_DB_ID])) { try { - list($selector, $token) = array_pad(explode('.', $_COOKIE['or_token']), 2, ''); - $dbid = $_COOKIE['or_dbid']; + list($selector, $token) = array_pad(explode('.', $_COOKIE[Action::COOKIE_TOKEN]), 2, ''); + $dbid = $_COOKIE[Action::COOKIE_DB_ID]; $dbConfig = Configuration::subset('database'); diff --git a/modules/template_engine/components/html/component_date/component-date.php b/modules/template_engine/components/html/component_date/component-date.php @@ -1,5 +1,6 @@ <?php +use cms\action\Action; use language\Messages; use template_engine\Output; @@ -10,10 +11,10 @@ function component_date($time ) else { // Benutzereinstellung 'Zeitzonen-Offset' auswerten. - if ( isset($_COOKIE['or_timezone_offset']) ) + if ( isset($_COOKIE[Action::COOKIE_TIMEZONE_OFFSET]) ) { $time -= (int)date('Z'); - $time += ((int)$_COOKIE['or_timezone_offset']*60); + $time += ((int)$_COOKIE[Action::COOKIE_TIMEZONE_OFFSET]*60); } echo '<span class="or-table-sort-value">'.str_pad($time, 20, "0", STR_PAD_LEFT).'</span>'; // For sorting a table.
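Review bot: `$dbid = $_COOKIE[Action::COOKIE_DB_ID];` takes the cookie unfiltered and the very next line starts a lookup in `Configuration::subset('database')`, whereas Dispatcher applies `RequestParams::FILTER_ALPHANUM` to the same id when it arrives as a request parameter. Validate here as well, e.g. `$dbid = $_COOKIE[Action::COOKIE_DB_ID]; if (!ctype_alnum($dbid)) return null;` (returning whatever the missing-cookie path returns). The `$token` half of the cookie is compared somewhere past the end of this hunk; make sure that comparison uses `hash_equals()` rather than `==`, since the selector lets an attacker target one user's token. The `try` block opened here continues outside the hunk.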