From beaaef3c0f83b75d19b4eb8a2169f0da3f8d3329 Mon Sep 17 00:00:00 2001 From: mMarinetti Date: Fri, 28 Oct 2011 10:10:27 +0000 Subject: [PATCH] [*] All : modified run() to use checkAccess in the Controller class [+] BO : #PSFV-94 - invalid token is now correctly handled. its uses initCursedPage // die2Exception git-svn-id: http://dev.prestashop.com/svn/v1/branches/1.5.x@9705 b9a71923-0436-4b27-9f14-aed3839534dd --- classes/AdminController.php | 22 ++++++++++---- classes/Controller.php | 58 +++++++++++++++++++++++++------------ classes/FrontController.php | 15 ++++++++++ 3 files changed, 71 insertions(+), 24 deletions(-) diff --git a/classes/AdminController.php b/classes/AdminController.php index 5d3f0fd98..f0caaf258 100644 --- a/classes/AdminController.php +++ b/classes/AdminController.php @@ -771,7 +771,8 @@ class AdminControllerCore extends Controller if (!$this->checkToken()) { // If this is an XSS attempt, then we should only display a simple, secure page - // ${1} in the replacement string of the regexp is required, because the token may begin with a number and mix up with it (e.g. $17) + // ${1} in the replacement string of the regexp is required, + // because the token may begin with a number and mix up with it (e.g. $17) $url = preg_replace('/([&?]token=)[^&]*(&.*)?$/', '${1}'.$this->token.'$2', $_SERVER['REQUEST_URI']); if (false === strpos($url, '?token=') && false === strpos($url, '&token=')) $url .= '&token='.$this->token; @@ -779,8 +780,9 @@ class AdminControllerCore extends Controller $url = str_replace('&token', '?controller=AdminHome&token', $url); $this->context->smarty->assign('url', htmlentities($url)); - $this->context->smarty->display('invalid_token.tpl'); + return false; } + return true; } /** 
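Review bot: The method around the `if (!$this->checkToken())` block now returns a bool (`return false;` replaces the smarty display call, `return true;` is added at the end) but nothing in the hunk documents that contract, and the method's signature and docblock lie outside the hunk; add `@return bool true when the admin token is valid, false when the invalid-token page should be rendered instead` to its docblock. On the false path the smarty `url` variable has already been assigned, so the template presumably still receives the regenerated link; a one-line comment above `return false;` such as `// 'url' is already assigned for invalid_token.tpl; the caller decides how to render it` would make that dependency visible to the next reader.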
@@ -1082,6 +1084,16 @@ class AdminControllerCore extends Controller )); } + /** + * initialize the invalid doom page of death + * + * @return void + */ + public function initCursedPage() + { + $this->layout = 'invalid_token.tpl'; + } + /** * Assign smarty variables for the footer */ @@ -1279,7 +1291,7 @@ class AdminControllerCore extends Controller // ob_start(); if (Tools::getValue('ajax')) $this->ajax = '1'; - $this->checkAccess(); + $this->timerStart = microtime(true); if (isset($_GET['logout'])) @@ -1498,7 +1510,7 @@ class AdminControllerCore extends Controller } if (!Validate::isTableOrIdentifier($this->table)) - die (Tools::displayError('Table name is invalid:').' "'.$this->table.'"'); + throw new PrestashopException(sprintf('Table name %s is invalid:', $this->table)); if (empty($order_by)) $order_by = $this->context->cookie->__get($this->table.'Orderby') ? $this->context->cookie->__get($this->table.'Orderby') : $this->_defaultOrderBy; @@ -1513,7 +1525,7 @@ class AdminControllerCore extends Controller if (!Validate::isOrderBy($order_by) || !Validate::isOrderWay($order_way) || !is_numeric($start) || !is_numeric($limit) || !Validate::isUnsignedId($id_lang)) - die(Tools::displayError('get list params is not valid')); + throw new PrestashopException('get list params is not valid'); /* Determine offset from current page */ if ((isset($_POST['submitFilter'.$this->table]) || diff --git a/classes/Controller.php b/classes/Controller.php index 774a00ae0..e6081558a 100644 --- a/classes/Controller.php +++ b/classes/Controller.php @@ -65,6 +65,11 @@ abstract class ControllerCore */ protected $ajax = false; + /** + * check that the controller is available for the current user/visitor + */ + abstract public function checkAccess(); + /** * Initialize the page */ 
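Review bot: Removing `$this->checkAccess();` from init() moves the token check to run(), which only calls checkAccess() after init() has returned, so everything init() does now executes for a request whose token has not been validated — including the `if (isset($_GET['logout']))` branch visible three lines below the removed call, which a forged link could now reach without a token. init() continues outside the hunk, so I cannot see what else it does before the check; any step in it that changes state (cookie writes, redirects, the logout) should either stay behind a token check or move after checkAccess(). If the token is already computed at that point, a minimal option is `if (isset($_GET['logout']) && $this->checkToken())`; otherwise add a comment on the removed line's position explaining why init() is safe to run unchecked.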
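Review bot: The new message in `throw new PrestashopException(sprintf('Table name %s is invalid:', $this->table));` keeps the trailing colon from the old two-part string even though nothing follows it, so it reads `Table name foo is invalid:`; change it to `sprintf('Table name "%s" is invalid', $this->table)`. This hunk and the next one (`throw new PrestashopException('get list params is not valid');`) also drop the Tools::displayError() wrapper the replaced die() calls used, so these messages are no longer passed through translation — acceptable if PrestashopException is meant to be developer-facing, but that intent should be stated where the exception class is declared. The enclosing method starts and ends outside both hunks.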
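Review bot: The docblock on the new `abstract public function checkAccess();` does not state the return type that run() depends on (it branches on the result), so an implementation returning void or any truthy value would satisfy the abstract declaration while misbehaving; add `@return bool true when the current user/visitor may run this controller, false to render the forbidden page via initCursedPage()` to the docblock.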
@@ -117,29 +122,39 @@ abstract class ControllerCore { $this->init(); - // postProcess handles ajaxProcess - $this->postProcess(); - - if ($this->display_header) + if ($this->checkAccess()) { - $this->setMedia(); - $this->initHeader(); - } - - $this->initContent(); - if ($this->display_footer) - $this->initFooter(); + if ($this->ajax && method_exists($this, 'ajaxPreprocess')) + $this->ajaxPreProcess(); - if ($this->ajax) - { - $action = Tools::getValue('action'); - if (!empty($action) && method_exists($this, 'displayAjax'.Tools::toCamelCase($action))) - $this->{'displayAjax'.$action}(); - elseif (method_exists($this, 'displayAjax')) - $this->displayAjax(); + // postProcess handles ajaxProcess + $this->postProcess(); + + if ($this->display_header) + { + $this->setMedia(); + $this->initHeader(); + } + + $this->initContent(); + if ($this->display_footer) + $this->initFooter(); + + // default behavior for ajax process is to use $_POST[action] or $_GET[action] + // then using displayAjax[action] + if ($this->ajax) + { + $action = Tools::getValue('action'); + if (!empty($action) && method_exists($this, 'displayAjax'.Tools::toCamelCase($action))) + $this->{'displayAjax'.$action}(); + elseif (method_exists($this, 'displayAjax')) + $this->displayAjax(); + } } else - $this->display(); + $this->initCursedPage(); + + $this->display(); } public function displayHeader($display = true) @@ -167,6 +182,11 @@ abstract class ControllerCore */ abstract public function initContent(); + /** + * Assign smarty variables when access is forbidden + */ + abstract public function initCursedPage(); + /** * Assign smarty variables for the page footer */ diff --git a/classes/FrontController.php b/classes/FrontController.php index ded2d96d6..7537629ba 100755 --- a/classes/FrontController.php +++ b/classes/FrontController.php 
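Review bot: `$this->init();` still runs before `$this->checkAccess()`, so every side effect of init() — which in the admin controller is where the token check used to sit — now happens for an unvalidated request, and only postProcess() and the render steps are gated by the new `if ($this->checkAccess())`. If init() has to run first because it computes the token that checkAccess() compares against, say so above the call, e.g. `// init() must run first: it prepares the state checkAccess() inspects`; otherwise swap the two calls. Two smaller points in the same hunk: the guard `method_exists($this, 'ajaxPreprocess')` and the call `$this->ajaxPreProcess()` spell the method differently (method names are case-insensitive in PHP, but a reader will assume two methods — pick one spelling), and in the forbidden branch `$this->display()` still runs after `$this->initCursedPage()`, which suits the admin implementation that only sets `$this->layout` but means every initCursedPage() implementation must not emit output itself — worth stating in the abstract method's docblock. run()'s signature line is just outside the hunk; init() and display() are elsewhere in the file.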
@@ -63,6 +63,16 @@ class FrontControllerCore extends Controller $useSSL = $this->ssl; } + /** + * checkAccess + * + * @return void + */ + public function checkAccess() + { + return true; + } + public function init() { /* @@ -358,6 +368,11 @@ class FrontControllerCore extends Controller $this->process(); } + public function initCursedPage() + { + return $this->displayMaintenancePage(); + } + public function process() { }
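Review bot: The docblock on the new FrontController `checkAccess()` says `@return void`, but the body is `return true;` and Controller::run() branches on that value; change it to `@return bool` and replace the placeholder summary line `checkAccess` with what the method means here, e.g. `Front office pages are open to every visitor, so access is always granted`.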
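Review bot: `initCursedPage()` here returns the result of `$this->displayMaintenancePage()`, whereas the abstract method is documented as assigning smarty variables and run() calls `$this->display()` immediately after it, so if displayMaintenancePage() writes output or exits (it is outside the hunk, so I cannot tell) the forbidden branch would render twice or never reach display(). Either make the body a pure assignment step that matches the contract, or give this method a docblock stating that it renders and terminates the request — it currently has none, unlike checkAccess() just above. The branch is unreachable today because this class's checkAccess() always returns true, but any subclass override will hit it.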