
Viewing changes to lib/Middleware/CsrfGuard.php

  • Committer: Dan Garner
  • Date: 2015-03-26 14:08:33 UTC
  • Revision ID: git-v1:70d14044444f8dc5d602b99890d59dea46d9470c
Moved web servable files to web folder

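--- a/lib/Middleware/CsrfGuard.php
+++ b/lib/Middleware/CsrfGuard.php
@@ -23,7 +23,8 @@
 namespace Xibo\Middleware;
 
 use Slim\Middleware;
-use Xibo\Exception\TokenExpiredException;
+use Xibo\Exception\AccessDeniedException;
+use Xibo\Helper\Theme;
 
 class CsrfGuard extends Middleware
 {
@@ -56,7 +57,7 @@
     public function call()
     {
         // Attach as hook.
-        $this->app->hook('slim.before.dispatch', array($this, 'check'));
+        $this->app->hook('slim.before', array($this, 'check'));
 
         // Call next middleware.
         $this->next->call();
@@ -64,41 +65,39 @@
 
     /**
      * Check CSRF token is valid.
-     * @throws TokenExpiredException
      */
-    public function check()
-    {
-        $session = $this->app->session;
-        /* @var \Xibo\Helper\Session $session */
-
-        if (!$session->get($this->key)) {
-            $session->set($this->key, sha1(serialize($_SERVER) . rand(0, 0xffffffff)));
-        }
-
-        $token = $session->get($this->key);
+    public function check() {
+        // Check sessions are enabled.
+        if (session_id() === '') {
+            throw new \Exception('Sessions are required to use the CSRF Guard middleware.');
+        }
+
+        if (! isset($_SESSION[$this->key])) {
+            $_SESSION[$this->key] = sha1(serialize($_SERVER) . rand(0, 0xffffffff));
+        }
+
+        $token = $_SESSION[$this->key];
 
         // Validate the CSRF token.
         if (in_array($this->app->request()->getMethod(), array('POST', 'PUT', 'DELETE'))) {
-            // Validate the token unless we are on an excluded route
-            $route = $this->app->router()->getCurrentRoute()->getPattern();
-
-            if ($this->app->excludedCsrfRoutes == null || ($route != null && !in_array($route, $this->app->excludedCsrfRoutes))) {
-
-                $userToken = $this->app->request()->headers('X-XSRF-TOKEN');
-                if ($userToken == '') {
-                    $userToken = $this->app->request()->params($this->key);
+            $userToken = $this->app->request()->post($this->key);
+            if ($token !== $userToken) {
+                if ($this->app->request->isAjax()) {
+                    // Return a JSON error response
+                    $this->app->state->Error(__('Sorry the form has expired. Please refresh.'));
+                    $this->app->render('response', array('response' => $this->app->state));
+                    $this->app->halt(200);
                 }
-
-                if ($token !== $userToken) {
-                    throw new TokenExpiredException('Sorry the form has expired. Please refresh.');
+                else {
+                    // Quit entirely
+                    $this->app->flash('login_message', __('Sorry the form has expired. Please refresh.'));
+                    throw new AccessDeniedException();
                 }
             }
         }
 
         // Assign CSRF token key and value to view.
-        $this->app->view()->appendData(array(
-            'csrfKey'=> $this->key,
-            'csrfToken' => $token
-        ));
+        Theme::Set('csrfKey', $this->key);
+        Theme::Set('csrfToken', $token);
     }
 }
\ No newline at end of file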
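Review bot: The token created at `$_SESSION[$this->key] = sha1(serialize($_SERVER) . rand(0, 0xffffffff));` takes its only secret input from `rand()`, which is not a cryptographically secure generator, so the value guarding every form carries far less entropy than its 40-hex-digit length suggests. Generate it from a CSPRNG instead, e.g. `$_SESSION[$this->key] = bin2hex(openssl_random_pseudo_bytes(20));` (or `random_bytes(20)` on PHP 7+; the project's PHP target is not visible on this page). The comparison `if ($token !== $userToken) {` could likewise become `if (!hash_equals($token, (string) $userToken)) {` for a constant-time check, which needs PHP 5.6. Note also that the AJAX branch answers a rejected token with `$this->app->halt(200)`, so any client or monitor that keys on the HTTP status sees the failure as success; a 403 would make the rejection visible in logs.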