
Viewing changes to lib/Middleware/CsrfGuard.php

  • Committer: Dan Garner
  • Date: 2015-08-11 09:29:02 UTC
  • mto: This revision was merged to the branch mainline in revision 453.
  • Revision ID: git-v1:a86fb4369b7395c13367577d23b14c0ab4528c1a
Transitions fixes.

23
23
namespace Xibo\Middleware;
24
24
 
25
25
use Slim\Middleware;
 
26
use Xibo\Exception\AccessDeniedException;
26
27
use Xibo\Exception\TokenExpiredException;
 
28
use Xibo\Helper\Theme;
27
29
 
28
30
class CsrfGuard extends Middleware
29
31
{
56
58
    public function call()
57
59
    {
58
60
        // Attach as hook.
59
 
        $this->app->hook('slim.before.dispatch', array($this, 'check'));
 
61
        $this->app->hook('slim.before', array($this, 'check'));
60
62
 
61
63
        // Call next middleware.
62
64
        $this->next->call();
64
66
 
65
67
    /**
66
68
     * Check CSRF token is valid.
67
 
     * @throws TokenExpiredException
68
69
     */
69
 
    public function check()
70
 
    {
71
 
        $session = $this->app->session;
72
 
        /* @var \Xibo\Helper\Session $session */
73
 
 
74
 
        if (!$session->get($this->key)) {
75
 
            $session->set($this->key, sha1(serialize($_SERVER) . rand(0, 0xffffffff)));
76
 
        }
77
 
 
78
 
        $token = $session->get($this->key);
 
70
    public function check() {
 
71
        // Check sessions are enabled.
 
72
        if (session_id() === '') {
 
73
            throw new \Exception('Sessions are required to use the CSRF Guard middleware.');
 
74
        }
 
75
 
 
76
        if (! isset($_SESSION[$this->key])) {
 
77
            $_SESSION[$this->key] = sha1(serialize($_SERVER) . rand(0, 0xffffffff));
 
78
        }
 
79
 
 
80
        $token = $_SESSION[$this->key];
79
81
 
80
82
        // Validate the CSRF token.
81
83
        if (in_array($this->app->request()->getMethod(), array('POST', 'PUT', 'DELETE'))) {
82
 
            // Validate the token unless we are on an excluded route
83
 
            $route = $this->app->router()->getCurrentRoute()->getPattern();
84
 
 
85
 
            if ($this->app->excludedCsrfRoutes == null || ($route != null && !in_array($route, $this->app->excludedCsrfRoutes))) {
86
 
 
87
 
                $userToken = $this->app->request()->headers('X-XSRF-TOKEN');
88
 
                if ($userToken == '') {
89
 
                    $userToken = $this->app->request()->params($this->key);
90
 
                }
91
 
 
92
 
                if ($token !== $userToken) {
93
 
                    throw new TokenExpiredException('Sorry the form has expired. Please refresh.');
94
 
                }
 
84
            $userToken = $this->app->request()->headers('X-XSRF-TOKEN');
 
85
            if ($userToken == '') {
 
86
                $userToken = $this->app->request()->params($this->key);
 
87
            }
 
88
 
 
89
            if ($token !== $userToken) {
 
90
                throw new TokenExpiredException('Sorry the form has expired. Please refresh.');
95
91
            }
96
92
        }
97
93