diff options
Diffstat (limited to 'application')
8 files changed, 230 insertions, 7 deletions
diff --git a/application/front/controller/admin/PasswordController.php b/application/front/controller/admin/PasswordController.php new file mode 100644 index 00000000..6e8f0bcb --- /dev/null +++ b/application/front/controller/admin/PasswordController.php | |||
@@ -0,0 +1,100 @@ | |||
1 | <?php | ||
2 | |||
3 | declare(strict_types=1); | ||
4 | |||
5 | namespace Shaarli\Front\Controller\Admin; | ||
6 | |||
7 | use Shaarli\Container\ShaarliContainer; | ||
8 | use Shaarli\Front\Exception\OpenShaarliPasswordException; | ||
9 | use Shaarli\Front\Exception\ShaarliFrontException; | ||
10 | use Slim\Http\Request; | ||
11 | use Slim\Http\Response; | ||
12 | use Throwable; | ||
13 | |||
14 | /** | ||
15 | * Class PasswordController | ||
16 | * | ||
17 | * Slim controller used to handle passwords update. | ||
18 | */ | ||
19 | class PasswordController extends ShaarliAdminController | ||
20 | { | ||
21 | public function __construct(ShaarliContainer $container) | ||
22 | { | ||
23 | parent::__construct($container); | ||
24 | |||
25 | $this->assignView( | ||
26 | 'pagetitle', | ||
27 | t('Change password') .' - '. $this->container->conf->get('general.title', 'Shaarli') | ||
28 | ); | ||
29 | } | ||
30 | |||
31 | /** | ||
32 | * GET /password - Displays the change password template | ||
33 | */ | ||
34 | public function index(Request $request, Response $response): Response | ||
35 | { | ||
36 | return $response->write($this->render('changepassword')); | ||
37 | } | ||
38 | |||
39 | /** | ||
40 | * POST /password - Change admin password - existing and new passwords need to be provided. | ||
41 | */ | ||
42 | public function change(Request $request, Response $response): Response | ||
43 | { | ||
44 | $this->checkToken($request); | ||
45 | |||
46 | if ($this->container->conf->get('security.open_shaarli', false)) { | ||
47 | throw new OpenShaarliPasswordException(); | ||
48 | } | ||
49 | |||
50 | $oldPassword = $request->getParam('oldpassword'); | ||
51 | $newPassword = $request->getParam('setpassword'); | ||
52 | |||
53 | if (empty($newPassword) || empty($oldPassword)) { | ||
54 | $this->saveErrorMessage(t('You must provide the current and new password to change it.')); | ||
55 | |||
56 | return $response | ||
57 | ->withStatus(400) | ||
58 | ->write($this->render('changepassword')) | ||
59 | ; | ||
60 | } | ||
61 | |||
62 | // Make sure old password is correct. | ||
63 | $oldHash = sha1( | ||
64 | $oldPassword . | ||
65 | $this->container->conf->get('credentials.login') . | ||
66 | $this->container->conf->get('credentials.salt') | ||
67 | ); | ||
68 | |||
69 | if ($oldHash !== $this->container->conf->get('credentials.hash')) { | ||
70 | $this->saveErrorMessage(t('The old password is not correct.')); | ||
71 | |||
72 | return $response | ||
73 | ->withStatus(400) | ||
74 | ->write($this->render('changepassword')) | ||
75 | ; | ||
76 | } | ||
77 | |||
78 | // Save new password | ||
79 | // Salt renders rainbow-tables attacks useless. | ||
80 | $this->container->conf->set('credentials.salt', sha1(uniqid('', true) .'_'. mt_rand())); | ||
81 | $this->container->conf->set( | ||
82 | 'credentials.hash', | ||
83 | sha1( | ||
84 | $newPassword | ||
85 | . $this->container->conf->get('credentials.login') | ||
86 | . $this->container->conf->get('credentials.salt') | ||
87 | ) | ||
88 | ); | ||
89 | |||
90 | try { | ||
91 | $this->container->conf->write($this->container->loginManager->isLoggedIn()); | ||
92 | } catch (Throwable $e) { | ||
93 | throw new ShaarliFrontException($e->getMessage(), 500, $e); | ||
94 | } | ||
95 | |||
96 | $this->saveSuccessMessage(t('Your password has been changed')); | ||
97 | |||
98 | return $response->write($this->render('changepassword')); | ||
99 | } | ||
100 | } | ||
diff --git a/application/front/controller/admin/ShaarliAdminController.php b/application/front/controller/admin/ShaarliAdminController.php index ea703f62..3385006c 100644 --- a/application/front/controller/admin/ShaarliAdminController.php +++ b/application/front/controller/admin/ShaarliAdminController.php | |||
@@ -7,7 +7,19 @@ namespace Shaarli\Front\Controller\Admin; | |||
7 | use Shaarli\Container\ShaarliContainer; | 7 | use Shaarli\Container\ShaarliContainer; |
8 | use Shaarli\Front\Controller\Visitor\ShaarliVisitorController; | 8 | use Shaarli\Front\Controller\Visitor\ShaarliVisitorController; |
9 | use Shaarli\Front\Exception\UnauthorizedException; | 9 | use Shaarli\Front\Exception\UnauthorizedException; |
10 | use Shaarli\Front\Exception\WrongTokenException; | ||
11 | use Shaarli\Security\SessionManager; | ||
12 | use Slim\Http\Request; | ||
10 | 13 | ||
14 | /** | ||
15 | * Class ShaarliAdminController | ||
16 | * | ||
17 | * All admin controllers (for logged in users) MUST extend this abstract class. | ||
18 | * It makes sure that the user is properly logged in, and otherwise throw an exception | ||
19 | * which will redirect to the login page. | ||
20 | * | ||
21 | * @package Shaarli\Front\Controller\Admin | ||
22 | */ | ||
11 | abstract class ShaarliAdminController extends ShaarliVisitorController | 23 | abstract class ShaarliAdminController extends ShaarliVisitorController |
12 | { | 24 | { |
13 | public function __construct(ShaarliContainer $container) | 25 | public function __construct(ShaarliContainer $container) |
@@ -18,4 +30,51 @@ abstract class ShaarliAdminController extends ShaarliVisitorController | |||
18 | throw new UnauthorizedException(); | 30 | throw new UnauthorizedException(); |
19 | } | 31 | } |
20 | } | 32 | } |
33 | |||
34 | /** | ||
35 | * Any persistent action to the config or data store must check the XSRF token validity. | ||
36 | */ | ||
37 | protected function checkToken(Request $request): void | ||
38 | { | ||
39 | if (!$this->container->sessionManager->checkToken($request->getParam('token'))) { | ||
40 | throw new WrongTokenException(); | ||
41 | } | ||
42 | } | ||
43 | |||
44 | /** | ||
45 | * Save a SUCCESS message in user session, which will be displayed on any template page. | ||
46 | */ | ||
47 | protected function saveSuccessMessage(string $message): void | ||
48 | { | ||
49 | $this->saveMessage(SessionManager::KEY_SUCCESS_MESSAGES, $message); | ||
50 | } | ||
51 | |||
52 | /** | ||
53 | * Save a WARNING message in user session, which will be displayed on any template page. | ||
54 | */ | ||
55 | protected function saveWarningMessage(string $message): void | ||
56 | { | ||
57 | $this->saveMessage(SessionManager::KEY_WARNING_MESSAGES, $message); | ||
58 | } | ||
59 | |||
60 | /** | ||
61 | * Save an ERROR message in user session, which will be displayed on any template page. | ||
62 | */ | ||
63 | protected function saveErrorMessage(string $message): void | ||
64 | { | ||
65 | $this->saveMessage(SessionManager::KEY_ERROR_MESSAGES, $message); | ||
66 | } | ||
67 | |||
68 | /** | ||
69 | * Use the sessionManager to save the provided message using the proper type. | ||
70 | * | ||
71 | * @param string $type successed/warnings/errors | ||
72 | */ | ||
73 | protected function saveMessage(string $type, string $message): void | ||
74 | { | ||
75 | $messages = $this->container->sessionManager->getSessionParameter($type) ?? []; | ||
76 | $messages[] = $message; | ||
77 | |||
78 | $this->container->sessionManager->setSessionParameter($type, $messages); | ||
79 | } | ||
21 | } | 80 | } |
diff --git a/application/front/controller/visitor/ShaarliVisitorController.php b/application/front/controller/visitor/ShaarliVisitorController.php index 655b3baa..f12915c1 100644 --- a/application/front/controller/visitor/ShaarliVisitorController.php +++ b/application/front/controller/visitor/ShaarliVisitorController.php | |||
@@ -9,6 +9,14 @@ use Shaarli\Container\ShaarliContainer; | |||
9 | use Slim\Http\Request; | 9 | use Slim\Http\Request; |
10 | use Slim\Http\Response; | 10 | use Slim\Http\Response; |
11 | 11 | ||
12 | /** | ||
13 | * Class ShaarliVisitorController | ||
14 | * | ||
15 | * All controllers accessible by visitors (non logged in users) should extend this abstract class. | ||
16 | * Contains a few helper function for template rendering, plugins, etc. | ||
17 | * | ||
18 | * @package Shaarli\Front\Controller\Visitor | ||
19 | */ | ||
12 | abstract class ShaarliVisitorController | 20 | abstract class ShaarliVisitorController |
13 | { | 21 | { |
14 | /** @var ShaarliContainer */ | 22 | /** @var ShaarliContainer */ |
diff --git a/application/front/exceptions/OpenShaarliPasswordException.php b/application/front/exceptions/OpenShaarliPasswordException.php new file mode 100644 index 00000000..a6f0b3ae --- /dev/null +++ b/application/front/exceptions/OpenShaarliPasswordException.php | |||
@@ -0,0 +1,18 @@ | |||
1 | <?php | ||
2 | |||
3 | declare(strict_types=1); | ||
4 | |||
5 | namespace Shaarli\Front\Exception; | ||
6 | |||
7 | /** | ||
8 | * Class OpenShaarliPasswordException | ||
9 | * | ||
10 | * Raised if the user tries to change the admin password on an open shaarli instance. | ||
11 | */ | ||
12 | class OpenShaarliPasswordException extends ShaarliFrontException | ||
13 | { | ||
14 | public function __construct() | ||
15 | { | ||
16 | parent::__construct(t('You are not supposed to change a password on an Open Shaarli.'), 403); | ||
17 | } | ||
18 | } | ||
diff --git a/application/front/exceptions/ShaarliFrontException.php b/application/front/exceptions/ShaarliFrontException.php index fc8eb92b..73847e6d 100644 --- a/application/front/exceptions/ShaarliFrontException.php +++ b/application/front/exceptions/ShaarliFrontException.php | |||
@@ -9,11 +9,11 @@ use Throwable; | |||
9 | /** | 9 | /** |
10 | * Class ShaarliException | 10 | * Class ShaarliException |
11 | * | 11 | * |
12 | * Abstract exception class used to defined any custom exception thrown during front rendering. | 12 | * Exception class used to defined any custom exception thrown during front rendering. |
13 | * | 13 | * |
14 | * @package Front\Exception | 14 | * @package Front\Exception |
15 | */ | 15 | */ |
16 | abstract class ShaarliFrontException extends \Exception | 16 | class ShaarliFrontException extends \Exception |
17 | { | 17 | { |
18 | /** Override parent constructor to force $message and $httpCode parameters to be set. */ | 18 | /** Override parent constructor to force $message and $httpCode parameters to be set. */ |
19 | public function __construct(string $message, int $httpCode, Throwable $previous = null) | 19 | public function __construct(string $message, int $httpCode, Throwable $previous = null) |
diff --git a/application/front/exceptions/WrongTokenException.php b/application/front/exceptions/WrongTokenException.php new file mode 100644 index 00000000..42002720 --- /dev/null +++ b/application/front/exceptions/WrongTokenException.php | |||
@@ -0,0 +1,18 @@ | |||
1 | <?php | ||
2 | |||
3 | declare(strict_types=1); | ||
4 | |||
5 | namespace Shaarli\Front\Exception; | ||
6 | |||
7 | /** | ||
8 | * Class OpenShaarliPasswordException | ||
9 | * | ||
10 | * Raised if the user tries to perform an action with an invalid XSRF token. | ||
11 | */ | ||
12 | class WrongTokenException extends ShaarliFrontException | ||
13 | { | ||
14 | public function __construct() | ||
15 | { | ||
16 | parent::__construct(t('Wrong token.'), 403); | ||
17 | } | ||
18 | } | ||
diff --git a/application/render/PageBuilder.php b/application/render/PageBuilder.php index f4fefda8..264cd33b 100644 --- a/application/render/PageBuilder.php +++ b/application/render/PageBuilder.php | |||
@@ -7,6 +7,7 @@ use RainTPL; | |||
7 | use Shaarli\ApplicationUtils; | 7 | use Shaarli\ApplicationUtils; |
8 | use Shaarli\Bookmark\BookmarkServiceInterface; | 8 | use Shaarli\Bookmark\BookmarkServiceInterface; |
9 | use Shaarli\Config\ConfigManager; | 9 | use Shaarli\Config\ConfigManager; |
10 | use Shaarli\Security\SessionManager; | ||
10 | use Shaarli\Thumbnailer; | 11 | use Shaarli\Thumbnailer; |
11 | 12 | ||
12 | /** | 13 | /** |
@@ -136,17 +137,28 @@ class PageBuilder | |||
136 | $this->tpl->assign('thumbnails_width', $this->conf->get('thumbnails.width')); | 137 | $this->tpl->assign('thumbnails_width', $this->conf->get('thumbnails.width')); |
137 | $this->tpl->assign('thumbnails_height', $this->conf->get('thumbnails.height')); | 138 | $this->tpl->assign('thumbnails_height', $this->conf->get('thumbnails.height')); |
138 | 139 | ||
139 | if (!empty($_SESSION['warnings'])) { | ||
140 | $this->tpl->assign('global_warnings', $_SESSION['warnings']); | ||
141 | unset($_SESSION['warnings']); | ||
142 | } | ||
143 | |||
144 | $this->tpl->assign('formatter', $this->conf->get('formatter', 'default')); | 140 | $this->tpl->assign('formatter', $this->conf->get('formatter', 'default')); |
145 | 141 | ||
146 | // To be removed with a proper theme configuration. | 142 | // To be removed with a proper theme configuration. |
147 | $this->tpl->assign('conf', $this->conf); | 143 | $this->tpl->assign('conf', $this->conf); |
148 | } | 144 | } |
149 | 145 | ||
146 | protected function finalize(): void | ||
147 | { | ||
148 | // TODO: use the SessionManager | ||
149 | $messageKeys = [ | ||
150 | SessionManager::KEY_SUCCESS_MESSAGES, | ||
151 | SessionManager::KEY_WARNING_MESSAGES, | ||
152 | SessionManager::KEY_ERROR_MESSAGES | ||
153 | ]; | ||
154 | foreach ($messageKeys as $messageKey) { | ||
155 | if (!empty($_SESSION[$messageKey])) { | ||
156 | $this->tpl->assign('global_' . $messageKey, $_SESSION[$messageKey]); | ||
157 | unset($_SESSION[$messageKey]); | ||
158 | } | ||
159 | } | ||
160 | } | ||
161 | |||
150 | /** | 162 | /** |
151 | * The following assign() method is basically the same as RainTPL (except lazy loading) | 163 | * The following assign() method is basically the same as RainTPL (except lazy loading) |
152 | * | 164 | * |
@@ -196,6 +208,8 @@ class PageBuilder | |||
196 | $this->initialize(); | 208 | $this->initialize(); |
197 | } | 209 | } |
198 | 210 | ||
211 | $this->finalize(); | ||
212 | |||
199 | $this->tpl->draw($page); | 213 | $this->tpl->draw($page); |
200 | } | 214 | } |
201 | 215 | ||
@@ -213,6 +227,8 @@ class PageBuilder | |||
213 | $this->initialize(); | 227 | $this->initialize(); |
214 | } | 228 | } |
215 | 229 | ||
230 | $this->finalize(); | ||
231 | |||
216 | return $this->tpl->draw($page, true); | 232 | return $this->tpl->draw($page, true); |
217 | } | 233 | } |
218 | 234 | ||
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php index 8b77d362..0ac17d9a 100644 --- a/application/security/SessionManager.php +++ b/application/security/SessionManager.php | |||
@@ -12,6 +12,10 @@ class SessionManager | |||
12 | public const KEY_VISIBILITY = 'visibility'; | 12 | public const KEY_VISIBILITY = 'visibility'; |
13 | public const KEY_UNTAGGED_ONLY = 'untaggedonly'; | 13 | public const KEY_UNTAGGED_ONLY = 'untaggedonly'; |
14 | 14 | ||
15 | public const KEY_SUCCESS_MESSAGES = 'successes'; | ||
16 | public const KEY_WARNING_MESSAGES = 'warnings'; | ||
17 | public const KEY_ERROR_MESSAGES = 'errors'; | ||
18 | |||
15 | /** @var int Session expiration timeout, in seconds */ | 19 | /** @var int Session expiration timeout, in seconds */ |
16 | public static $SHORT_TIMEOUT = 3600; // 1 hour | 20 | public static $SHORT_TIMEOUT = 3600; // 1 hour |
17 | 21 | ||