[*] All : modified run() to use checkAccess in the Controller class
[+] BO : #PSFV-94 - invalid token is now correctly handled. its uses initCursedPage // die2Exception
This commit is contained in:
mMarinetti
@@ -771,7 +771,8 @@ class AdminControllerCore extends Controller
|
||||
if (!$this->checkToken())
|
||||
{
|
||||
// If this is an XSS attempt, then we should only display a simple, secure page
|
||||
// ${1} in the replacement string of the regexp is required, because the token may begin with a number and mix up with it (e.g. $17)
|
||||
// ${1} in the replacement string of the regexp is required,
|
||||
// because the token may begin with a number and mix up with it (e.g. $17)
|
||||
$url = preg_replace('/([&?]token=)[^&]*(&.*)?$/', '${1}'.$this->token.'$2', $_SERVER['REQUEST_URI']);
|
||||
if (false === strpos($url, '?token=') && false === strpos($url, '&token='))
|
||||
$url .= '&token='.$this->token;
|
||||
@@ -779,8 +780,9 @@ class AdminControllerCore extends Controller
|
||||
$url = str_replace('&token', '?controller=AdminHome&token', $url);
|
||||
|
||||
$this->context->smarty->assign('url', htmlentities($url));
|
||||
$this->context->smarty->display('invalid_token.tpl');
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1082,6 +1084,16 @@ class AdminControllerCore extends Controller
|
||||
));
|
||||
}
|
||||
|
||||
/**
|
||||
* initialize the invalid doom page of death
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function initCursedPage()
|
||||
{
|
||||
$this->layout = 'invalid_token.tpl';
|
||||
}
|
||||
|
||||
/**
|
||||
* Assign smarty variables for the footer
|
||||
*/
|
||||
@@ -1279,7 +1291,7 @@ class AdminControllerCore extends Controller
|
||||
// ob_start();
|
||||
if (Tools::getValue('ajax'))
|
||||
$this->ajax = '1';
|
||||
$this->checkAccess();
|
||||
|
||||
$this->timerStart = microtime(true);
|
||||
|
||||
if (isset($_GET['logout']))
|
||||
@@ -1498,7 +1510,7 @@ class AdminControllerCore extends Controller
|
||||
}
|
||||
|
||||
if (!Validate::isTableOrIdentifier($this->table))
|
||||
die (Tools::displayError('Table name is invalid:').' "'.$this->table.'"');
|
||||
throw new PrestashopException(sprintf('Table name %s is invalid:', $this->table));
|
||||
|
||||
if (empty($order_by))
|
||||
$order_by = $this->context->cookie->__get($this->table.'Orderby') ? $this->context->cookie->__get($this->table.'Orderby') : $this->_defaultOrderBy;
|
||||
@@ -1513,7 +1525,7 @@ class AdminControllerCore extends Controller
|
||||
if (!Validate::isOrderBy($order_by) || !Validate::isOrderWay($order_way)
|
||||
|| !is_numeric($start) || !is_numeric($limit)
|
||||
|| !Validate::isUnsignedId($id_lang))
|
||||
die(Tools::displayError('get list params is not valid'));
|
||||
throw new PrestashopException('get list params is not valid');
|
||||
|
||||
/* Determine offset from current page */
|
||||
if ((isset($_POST['submitFilter'.$this->table]) ||
|
||||
|
||||
+39
-19
@@ -65,6 +65,11 @@ abstract class ControllerCore
|
||||
*/
|
||||
protected $ajax = false;
|
||||
|
||||
/**
|
||||
* check that the controller is available for the current user/visitor
|
||||
*/
|
||||
abstract public function checkAccess();
|
||||
|
||||
/**
|
||||
* Initialize the page
|
||||
*/
|
||||
@@ -117,29 +122,39 @@ abstract class ControllerCore
|
||||
{
|
||||
$this->init();
|
||||
|
||||
// postProcess handles ajaxProcess
|
||||
$this->postProcess();
|
||||
|
||||
if ($this->display_header)
|
||||
if ($this->checkAccess())
|
||||
{
|
||||
$this->setMedia();
|
||||
$this->initHeader();
|
||||
}
|
||||
|
||||
$this->initContent();
|
||||
if ($this->display_footer)
|
||||
$this->initFooter();
|
||||
if ($this->ajax && method_exists($this, 'ajaxPreprocess'))
|
||||
$this->ajaxPreProcess();
|
||||
|
||||
if ($this->ajax)
|
||||
{
|
||||
$action = Tools::getValue('action');
|
||||
if (!empty($action) && method_exists($this, 'displayAjax'.Tools::toCamelCase($action)))
|
||||
$this->{'displayAjax'.$action}();
|
||||
elseif (method_exists($this, 'displayAjax'))
|
||||
$this->displayAjax();
|
||||
// postProcess handles ajaxProcess
|
||||
$this->postProcess();
|
||||
|
||||
if ($this->display_header)
|
||||
{
|
||||
$this->setMedia();
|
||||
$this->initHeader();
|
||||
}
|
||||
|
||||
$this->initContent();
|
||||
if ($this->display_footer)
|
||||
$this->initFooter();
|
||||
|
||||
// default behavior for ajax process is to use $_POST[action] or $_GET[action]
|
||||
// then using displayAjax[action]
|
||||
if ($this->ajax)
|
||||
{
|
||||
$action = Tools::getValue('action');
|
||||
if (!empty($action) && method_exists($this, 'displayAjax'.Tools::toCamelCase($action)))
|
||||
$this->{'displayAjax'.$action}();
|
||||
elseif (method_exists($this, 'displayAjax'))
|
||||
$this->displayAjax();
|
||||
}
|
||||
}
|
||||
else
|
||||
$this->display();
|
||||
$this->initCursedPage();
|
||||
|
||||
$this->display();
|
||||
}
|
||||
|
||||
public function displayHeader($display = true)
|
||||
@@ -167,6 +182,11 @@ abstract class ControllerCore
|
||||
*/
|
||||
abstract public function initContent();
|
||||
|
||||
/**
|
||||
* Assign smarty variables when access is forbidden
|
||||
*/
|
||||
abstract public function initCursedPage();
|
||||
|
||||
/**
|
||||
* Assign smarty variables for the page footer
|
||||
*/
|
||||
|
||||
@@ -63,6 +63,16 @@ class FrontControllerCore extends Controller
|
||||
$useSSL = $this->ssl;
|
||||
}
|
||||
|
||||
/**
|
||||
* checkAccess
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function checkAccess()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public function init()
|
||||
{
|
||||
/*
|
||||
@@ -358,6 +368,11 @@ class FrontControllerCore extends Controller
|
||||
$this->process();
|
||||
}
|
||||
|
||||
public function initCursedPage()
|
||||
{
|
||||
return $this->displayMaintenancePage();
|
||||
}
|
||||
|
||||
public function process()
|
||||
{
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user