From c289e2747ccedd2acd3cc40441db281ef8b894ad Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione
Date: Wed, 25 Jul 2018 13:48:43 +0200
Subject: [PATCH 1/5] Fix Admin routes methods
---
 admin/src/Admin.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/admin/src/Admin.php b/admin/src/Admin.php
index 6c18219e..46f20122 100755
--- a/admin/src/Admin.php
+++ b/admin/src/Admin.php
@@ -160,7 +160,6 @@ class Admin
 );
 $this->router->add(
- array('GET', 'POST'),
 '/dashboard/',
 array(new Controllers\Dashboard(), 'run')
 );
@@ -239,7 +238,7 @@ class Admin
 );
 $this->router->add(
- array('GET', 'POST'),
+ 'POST',
 '/cache/clear/',
 array(new Controllers\Cache(), 'clear')
 );
From e24c6d70260c35220d69a9d99d5b527ac86064bc Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione
Date: Tue, 31 Jul 2018 12:09:17 +0200
Subject: [PATCH 2/5] Fix Admin output escaping
---
 admin/src/Controllers/AbstractController.php | 5 +++++
 admin/views/admin.php | 4 ++--
 admin/views/dashboard/index.php | 2 +-
 admin/views/pages/editor.php | 4 ++--
 admin/views/pages/list.php | 2 +-
 admin/views/users/index.php | 6 +++---
 admin/views/users/profile.php | 6 +++---
 7 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/admin/src/Controllers/AbstractController.php b/admin/src/Controllers/AbstractController.php
index c1f4c5e7..2d42a92a 100755
--- a/admin/src/Controllers/AbstractController.php
+++ b/admin/src/Controllers/AbstractController.php
@@ -94,6 +94,11 @@ abstract class AbstractController
 return Formwork::instance()->option($option);
 }
+ protected function escape($string)
+ {
+ return htmlspecialchars($string, ENT_COMPAT | ENT_SUBSTITUTE);
+ }
+
 protected function field($field, $render = true)
 {
 return $this->view('fields.' . $field->type(), array('field' => $field), $render);
diff --git a/admin/views/admin.php b/admin/views/admin.php
index 93e8c3d2..aae71fc6 100755
--- a/admin/views/admin.php
+++ b/admin/views/admin.php
@@ -37,8 +37,8 @@
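Review bot: Making `/cache/clear/` POST-only (second Admin.php hunk) stops a plain link or image from triggering a cache clear, but it does not by itself stop a cross-site POST; that still depends on `Controllers\Cache::clear` validating the CSRF token, which is not visible in this patch and is worth confirming. The first hunk drops the method argument for `/dashboard/` entirely, so that route now relies on whatever default `Router::add` applies, presumably GET; a comment such as `// method omitted: Router::add defaults to GET` on that call would make the intent explicit, if that is indeed the default.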
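Review bot: `escape()` uses `ENT_COMPAT`, which leaves single quotes unescaped, so any value a view places inside a single-quoted attribute is not protected; `ENT_QUOTES` closes that gap, and passing the charset explicitly avoids depending on the runtime default. Suggested body: `return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. A one-line docblock such as `/** Escapes a string for output in an HTML context (element content or quoted attributes); not suitable for JavaScript or URL contexts. */` would also record the contract the views are now relying on.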
-
user()->fullname() ?>
-
user()->username() ?>
+
escape($this->user()->fullname()) ?>
+
escape($this->user()->username()) ?>
diff --git a/admin/views/dashboard/index.php b/admin/views/dashboard/index.php index 29a4ee21..e5033e2c 100755 --- a/admin/views/dashboard/index.php +++ b/admin/views/dashboard/index.php @@ -13,7 +13,7 @@

label('dashboard.statistics') ?>

-
+
diff --git a/admin/views/pages/editor.php b/admin/views/pages/editor.php index 942b2258..8e9bc289 100755 --- a/admin/views/pages/editor.php +++ b/admin/views/pages/editor.php @@ -4,7 +4,7 @@

label('pages.content') ?>

- +
- + diff --git a/admin/views/pages/list.php b/admin/views/pages/list.php index 57cfa8dc..e8cfa4cd 100755 --- a/admin/views/pages/list.php +++ b/admin/views/pages/list.php @@ -15,7 +15,7 @@ - title() ?> + escape($page->title()) ?>
href="pageUri($page) ?>" target="_blank">slug() ?> diff --git a/admin/views/users/index.php b/admin/views/users/index.php index 60c385a5..e6938e8c 100755 --- a/admin/views/users/index.php +++ b/admin/views/users/index.php @@ -8,10 +8,10 @@ ?>
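Review bot: The list.php hunk escapes `$page->title()` but, as far as the surviving context line shows, the link that follows still emits `pageUri($page)` inside `href` and `$page->slug()` as content without going through `escape()`. If slugs and URIs are constrained to a safe character set elsewhere this is harmless, but wrapping them as well, e.g. `escape($page->slug())`, keeps the template consistent with the rest of this commit and removes the dependence on that constraint. The template around these lines is only partially visible here.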
-
fullname() ?>
-
email() ?>
+
escape($user->fullname()) ?>
+
escape($user->email()) ?>
lastAccess()) ? '∞' : date($this->option('date.format') . ' ' . $this->option('date.hour_format'), $user->lastAccess()) ?>
-

fullname() ?>

- username() ?>
- email() ?>
+

escape($user->fullname()) ?>

+ escape($user->username()) ?>
+ escape($user->email()) ?>
label('user.last-access') ?>: lastAccess()) ? '∞' : date($this->option('date.format') . ' ' . $this->option('date.hour_format'), $user->lastAccess()) ?>
From d0423033813ca92682fe7a1c8082d92baa9e045b Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione
Date: Wed, 1 Aug 2018 11:15:12 +0200
Subject: [PATCH 3/5] Cleanup code
---
 admin/src/Controllers/AbstractController.php | 13 ++++++++-----
 admin/src/Controllers/Authentication.php | 6 ++++--
 admin/src/Fields/Field.php | 2 +-
 admin/src/Security/CSRFToken.php | 4 +++-
 admin/src/Utils/Registry.php | 8 +++++---
 formwork/Router/Router.php | 2 +-
 6 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/admin/src/Controllers/AbstractController.php b/admin/src/Controllers/AbstractController.php
index 2d42a92a..16df45fe 100755
--- a/admin/src/Controllers/AbstractController.php
+++ b/admin/src/Controllers/AbstractController.php
@@ -3,6 +3,7 @@ namespace Formwork\Admin\Controllers;
 use Formwork\Admin\Admin;
+use Formwork\Admin\Fields\Field;
 use Formwork\Admin\Fields\Fields;
 use Formwork\Admin\Utils\Language;
 use Formwork\Admin\Utils\Notification;
@@ -11,6 +12,7 @@ use Formwork\Core\Formwork;
 use Formwork\Utils\FileSystem;
 use Formwork\Utils\HTTPRequest;
 use Formwork\Utils\Uri;
+use InvalidArgumentException;
 abstract class AbstractController
 {
@@ -101,16 +103,17 @@ abstract class AbstractController
 protected function field($field, $render = true)
 {
+ if (!($field instanceof Field)) {
+ throw new InvalidArgumentException(__METHOD__ . ' accepts only instances of Formwork\Admin\Fields\Field');
+ }
 return $this->view('fields.' . $field->type(), array('field' => $field), $render);
 }
- protected function fields($fields, $render = true)
+ protected function fields(Fields $fields, $render = true)
 {
 $output = '';
- if ($fields instanceof Fields) {
- foreach ($fields as $field) {
- $output .= $this->field($field, false);
- }
+ foreach ($fields as $field) {
+ $output .= $this->field($field, false);
 }
 if ($render) {
 echo $output;
diff --git a/admin/src/Controllers/Authentication.php b/admin/src/Controllers/Authentication.php
index dda5ab58..929a115a 100755 
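Review bot: In the third AbstractController hunk `field()` guards its argument with a manual `instanceof` check that throws `InvalidArgumentException`, while `fields()` in the same hunk gets a native `Fields` type declaration; the two should use one mechanism. Declaring `protected function field(Field $field, $render = true)` gives the same guarantee (a `TypeError` on misuse) without the extra branch, and if the exception is kept on purpose the message could use `Field::class` rather than spelling out the namespace by hand. `fields()` continues past the end of the hunk.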
--- a/admin/src/Controllers/Authentication.php
+++ b/admin/src/Controllers/Authentication.php
@@ -34,11 +34,13 @@ class Authentication extends AbstractController
 $users = Admin::instance()->users();
+ $postData = HTTPRequest::postData();
+
 foreach (array('username', 'password') as $var) {
- if (!isset($_POST[$var])) {
+ if (!isset($postData[$var])) {
 return $this->error();
 }
- $this->$var = $_POST[$var];
+ $this->$var = $postData[$var];
 }
 if ($users->has($this->username) && $users->get($this->username)->authenticate($this->password)) {
diff --git a/admin/src/Fields/Field.php b/admin/src/Fields/Field.php
index a931ed17..53a1672a 100755
--- a/admin/src/Fields/Field.php
+++ b/admin/src/Fields/Field.php
@@ -90,7 +90,7 @@ class Field extends DataSetter
 if (!is_callable($callback)) {
 throw new LogicException('Invalid import callback');
 }
- $this->data[$key] = call_user_func($callback);
+ $this->data[$key] = $callback();
 }
 }
diff --git a/admin/src/Security/CSRFToken.php b/admin/src/Security/CSRFToken.php
index f67f716d..ce03f168 100755
--- a/admin/src/Security/CSRFToken.php
+++ b/admin/src/Security/CSRFToken.php
@@ -2,6 +2,7 @@ namespace Formwork\Admin\Security;
+use Formwork\Utils\HTTPRequest;
 use Formwork\Admin\Utils\Session;
 use RuntimeException;
@@ -24,7 +25,8 @@ class CSRFToken
 public static function validate($token = null)
 {
 if (is_null($token)) {
- $valid = isset($_POST['csrf-token']) && $_POST['csrf-token'] === static::get();
+ $postData = HTTPRequest::postData();
+ $valid = isset($postData['csrf-token']) && $postData['csrf-token'] === static::get();
 } else {
 $valid = $token === static::get();
 }
diff --git a/admin/src/Utils/Registry.php b/admin/src/Utils/Registry.php
index 8eee3d9b..489541b9 100644
--- a/admin/src/Utils/Registry.php
+++ b/admin/src/Utils/Registry.php
@@ -2,6 +2,8 @@ namespace Formwork\Admin\Utils;
+use Formwork\Utils\FileSystem;
+
 class Registry
 {
 protected $storage = array(); 
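Review bot: In the Authentication.php hunk `isset($postData[$var])` accepts any non-null value, including an array submitted as `username[]=…`, which then reaches `$users->has()` and `authenticate()` as a non-string; a stricter guard is `if (!isset($postData[$var]) || !is_string($postData[$var])) {`. This assumes `HTTPRequest::postData()` returns a plain array mirroring `$_POST`, which the hunk suggests but does not show. The enclosing method starts before the hunk.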
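Review bot: In the second CSRFToken.php hunk the submitted token is compared with `===`, which is not constant-time; token comparison conventionally goes through `hash_equals()`, which also requires both operands to be strings, so a non-string value that `isset()` lets through is rejected rather than compared. Suggested lines: `$expected = static::get();` followed by `$valid = is_string($expected) && isset($postData['csrf-token']) && is_string($postData['csrf-token']) && hash_equals($expected, $postData['csrf-token']);` — the `is_string($expected)` check, rather than a cast, keeps an empty submitted token from matching when no token is stored, assuming `static::get()` can return `null` in that case (not visible here). The `else` branch on the context line below compares with `===` as well and could be changed the same way.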
@@ -11,8 +13,8 @@ class Registry
 public function __construct($filename)
 {
 $this->filename = $filename;
- if (file_exists($this->filename)) {
- $this->storage = (array) json_decode(file_get_contents($filename), true);
+ if (FileSystem::exists($this->filename)) {
+ $this->storage = (array) json_decode(FileSystem::read($filename), true);
 }
 }
@@ -43,7 +45,7 @@ class Registry
 public function save()
 {
- file_put_contents($this->filename, json_encode($this->storage));
+ FileSystem::write($this->filename, json_encode($this->storage));
 }
 public function toArray()
diff --git a/formwork/Router/Router.php b/formwork/Router/Router.php
index d2f83752..0eac386e 100755
--- a/formwork/Router/Router.php
+++ b/formwork/Router/Router.php
@@ -92,7 +92,7 @@ class Router
 foreach ($this->routes as $route) {
 if (HTTPRequest::method() == $route['method'] && $this->match($route['route'])) {
 $this->dispatched = true;
- return call_user_func($route['callback'], $this->params);
+ return $route['callback']($this->params);
 }
 }
 }
From 44f923563aaa99b725c439c200ee80e82683c379 Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione
Date: Wed, 1 Aug 2018 13:13:16 +0200
Subject: [PATCH 4/5] Sort language strings
---
 admin/languages/en.yml | 40 ++++++++++++++++++++--------------------
 admin/languages/it.yml | 40 ++++++++++++++++++++--------------------
 2 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/admin/languages/en.yml b/admin/languages/en.yml
index db2566c0..8b05d87a 100755
--- a/admin/languages/en.yml
+++ b/admin/languages/en.yml 
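Review bot: In the Registry.php constructor hunk a decode failure is still silent: `json_decode(..., true)` returns `null` on malformed JSON and the `(array)` cast turns that into an empty registry, so a corrupted file is quietly treated as empty and then overwritten by `save()`. Checking `json_last_error() !== JSON_NO_ERROR` after the decode (or passing `JSON_THROW_ON_ERROR` where the PHP version allows it) and throwing would surface the corruption instead; the same applies in the `save()` hunk, where `json_encode()` can return `false` and the return value of `FileSystem::write()` is not checked. Minor: the constructor passes `$this->filename` to `exists()` but `$filename` to `read()`; using one form makes it obvious they are the same path.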
@@ -1,44 +1,33 @@ -admin.panel: Administration Panel admin.manage: Manage +admin.panel: Administration Panel admin.view-site: View Site cache.clear: Clear Cache cache.cleared: Cache cleared dashboard.dashboard: Dashboard dashboard.last-modified-pages: Last Edited Pages -dashboard.statistics: Statistics dashboard.online-users: Online users dashboard.quick-actions: Quick Actions +dashboard.statistics: Statistics dashboard.welcome: Welcome date.months.long: ['January', 'February', 'March', 'April', 'May', 'June', 'July' ,'August', 'September', 'October', 'November', 'December'] date.months.short: ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'] date.today: Today date.weekdays.short: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'] language.name: English -register.register: Register New User -register.create-user: Formwork Admin is installed but no users were found. Please register a user now. login.attempt.failed: Login attempt failed! Try again. -login.suspicious-request-detected: A suspicious request has been detected, and for security reasons you have been logged out. Please log in again. login.login: Login login.logout: Logout login.password: Password +login.suspicious-request-detected: A suspicious request has been detected, and for security reasons you have been logged out. Please log in again. login.username: Username -password-reset.password-reset: Password Reset -password-reset.email: E-mail Address -password-reset.new-password: New Password -password-reset.confirm-new-password: Confirm New Password -password-reset.reset: Reset -password-reset.email-sent: An email has been sent to %s with instructions to reset your password. -password-reset.invalid-link: The password reset link is either expired or invalid. Please try again. -password-reset.passwords-not-matching: The new password and the confirmation password do not match. Please try again. -password-reset.password-changed: The password has been changed. 
Please log in with your new credentials. modal.action.cancel: Cancel modal.action.continue: Continue modal.action.delete: Delete modal.action.save: Save modal.action.upload-file: Upload a File -modal.images.title: Select an Image modal.images.no-images: There are no images here modal.images.no-images.upload: Please upload some images +modal.images.title: Select an Image options.info: Info options.options: Options options.site: Site @@ -66,8 +55,8 @@ pages.files.upload-label: 'Click to choose a file to upload or pages.new-page: New Page pages.new-page.parent: Parent Page pages.new-page.title: Title -pages.new-page.uri: Page URI pages.new-page.uri-suggestion: letters, numbers and dashes only +pages.new-page.uri: Page URI pages.not-published: Not published pages.not-routable: Non routable pages.options: Options @@ -76,8 +65,8 @@ pages.page.cannot-create: Cannot create page pages.page.cannot-create.already-exists: Cannot create page, a page with the same uri already exists pages.page.cannot-create.invalid-parent: Cannot create page, invalid parent page pages.page.cannot-create.var-missing: 'Cannot create page, missing %s variable' -pages.page.cannot-delete: 'Cannot delete page, %s' pages.page.cannot-delete-file: 'Cannot delete file, %s' +pages.page.cannot-delete: 'Cannot delete page, %s' pages.page.cannot-delete.not-deletable: Cannot delete page, the page is not deletable pages.page.cannot-edit.page-missing: Cannot edit page, page not found pages.page.cannot-edit.var-missing: 'Cannot edit page, missing variable %s' 
@@ -85,20 +74,31 @@ pages.page.cannot-move: 'Cannot move page' pages.page.created: Page created! pages.page.deleted: Page deleted pages.page.edited: Page edited -pages.page.moved: Page moved! pages.page.file-deleted: File deleted +pages.page.moved: Page moved! pages.page.not-found: Page not found pages.pages: Pages pages.pages.collapse-all: Collapse All pages.pages.expand-all: Expand All pages.pages.search: Search Pages... -pages.preview: Preview pages.preview-file: Preview +pages.preview: Preview pages.publish: Publish pages.save: Save pages.status.not-published: Not Published pages.status.not-routable: Not Routable pages.status.published: Published +password-reset.confirm-new-password: Confirm New Password +password-reset.email-sent: An email has been sent to %s with instructions to reset your password. +password-reset.email: E-mail Address +password-reset.invalid-link: The password reset link is either expired or invalid. Please try again. +password-reset.new-password: New Password +password-reset.password-changed: The password has been changed. Please log in with your new credentials. +password-reset.password-reset: Password Reset +password-reset.passwords-not-matching: The new password and the confirmation password do not match. Please try again. +password-reset.reset: Reset +register.create-user: Formwork Admin is installed but no users were found. Please register a user now. +register.register: Register New User uploader.erorr.cannot-write: Failed to write file to disk uploader.error: Cannot upload file. %s. uploader.error.file-name: Invalid file name 
@@ -125,8 +125,8 @@ users.new-user: New User users.new-user.password-suggestion: at least 8 characters users.new-user.username-suggestion: between 3-20 letters, digits and dashes users.options: Options -users.user: User users.user-profile: '%s User Profile' +users.user: User users.user.cannot-create.already-exists: Cannot create user, a user with the same name already exists users.user.cannot-create.var-missing: 'Cannot create user, missing %s variable' users.user.cannot-delete.logged: Cannot delete user, the user is logged diff --git a/admin/languages/it.yml b/admin/languages/it.yml index 24a694ab..1272c395 100755 --- a/admin/languages/it.yml +++ b/admin/languages/it.yml 
@@ -1,44 +1,33 @@ -admin.panel: Pannello di Amministrazione admin.manage: Gestione +admin.panel: Pannello di Amministrazione admin.view-site: Visualizza sito cache.clear: Svuota cache cache.cleared: Cache svuotata dashboard.dashboard: Riepilogo dashboard.last-modified-pages: Ultime pagine modificate -dashboard.statistics: Statistiche dashboard.online-users: Utenti collegati dashboard.quick-actions: Azioni rapide +dashboard.statistics: Statistiche dashboard.welcome: Benvenuto/a date.months.long: ['Gennaio', 'Febbraio', 'Marzo', 'Aprile', 'Maggio', 'Giugno', 'Luglio' ,'Agosto', 'Settembre', 'Ottobre', 'Novembre', 'Dicembre'] date.months.short: ['Gen', 'Feb', 'Mar', 'Apr', 'Mag', 'Giu', 'Lug', 'Ago', 'Set', 'Ott', 'Nov', 'Dic'] date.today: Oggi date.weekdays.short: ['Dom', 'Lun', 'Mar', 'Mer', 'Gio', 'Ven', 'Sab'] language.name: Italiano -register.register: Registra nuovo utente -register.create-user: Formwork Admin è installato ma non è stato trovato alcun utente. Registrane uno ora. login.attempt.failed: Tentativo di accesso fallito! Riprova. -login.suspicious-request-detected: È stata rilevata una richiesta sospetta e per ragioni di sicurezza si è usciti dalla sessione. Effettua nuovamente l’accesso. login.login: Accedi login.logout: Esci login.password: Password +login.suspicious-request-detected: È stata rilevata una richiesta sospetta e per ragioni di sicurezza si è usciti dalla sessione. Effettua nuovamente l’accesso. login.username: Nome utente -password-reset.password-reset: Reimposta password -password-reset.email: Indirizzo e-mail -password-reset.new-password: Nuova password -password-reset.confirm-new-password: Conferma password -password-reset.reset: Reimposta -password-reset.email-sent: Un’e-mail è stata inviata all’indirizzo %s con le istruzioni per reimpostare la password. -password-reset.invalid-link: Il link per reimpostare la password è scaduto o non valido. Riprova. 
-password-reset.passwords-not-matching: La nuova password e la password di conferma non corrispondono. Riprova. -password-reset.password-changed: La password è stata cambiata. Accedi ora con le nuove credenziali. modal.action.cancel: Annulla modal.action.continue: Continua modal.action.delete: Elimina modal.action.save: Salva modal.action.upload-file: Carica file -modal.images.title: Seleziona immagine modal.images.no-images: Qui non ci sono immagini modal.images.no-images.upload: Carica qualche immagine +modal.images.title: Seleziona immagine options.info: Informazioni options.options: Impostazioni options.site: Sito @@ -66,8 +55,8 @@ pages.files.upload-label: 'Fai click per selezionare un file da pages.new-page: Nuova pagina pages.new-page.parent: Pagina superiore pages.new-page.title: Titolo -pages.new-page.uri: URI pagina pages.new-page.uri-suggestion: solo lettere, numeri e trattini +pages.new-page.uri: URI pagina pages.not-published: Non pubblicata pages.not-routable: Non raggiungibile pages.options: Opzioni @@ -76,8 +65,8 @@ pages.page.cannot-create: Impossibile creare la pagina pages.page.cannot-create.already-exists: Impossibile creare la pagina, una pagina con lo stesso indirizzo esiste già pages.page.cannot-create.invalid-parent: Impossibile creare la pagina, la pagina superiore specificata non è valida pages.page.cannot-create.var-missing: 'Impossibile creare la pagina, manca la variabile %s' -pages.page.cannot-delete: 'Impossibile eliminare la pagina, %s' pages.page.cannot-delete-file: Impossibile eliminare il file +pages.page.cannot-delete: 'Impossibile eliminare la pagina, %s' pages.page.cannot-delete.not-deletable: Impossibile eliminare la pagina, la pagina non è eliminabile pages.page.cannot-edit.page-missing: Impossibile modificare la pagina, pagina non trovata pages.page.cannot-edit.var-missing: 'Impossibile modificare la pagina, manca la variabile %s' 
@@ -85,20 +74,31 @@ pages.page.cannot-move: 'Impossibile spostare la pagina' pages.page.created: Pagina creata! pages.page.deleted: Pagina eliminata pages.page.edited: Pagina modificata! -pages.page.moved: Pagina spostata! pages.page.file-deleted: File eliminato +pages.page.moved: Pagina spostata! pages.page.not-found: Pagina non trovata pages.pages: Pagine pages.pages.collapse-all: Riduci tutte pages.pages.expand-all: Espandi tutte pages.pages.search: Cerca pagine... -pages.preview: Anteprima pages.preview-file: Anteprima +pages.preview: Anteprima pages.publish: Pubblica pages.save: Salva pages.status.not-published: Non pubblicato pages.status.not-routable: Non raggiungibile pages.status.published: Pubblicato +password-reset.confirm-new-password: Conferma password +password-reset.email-sent: Un’e-mail è stata inviata all’indirizzo %s con le istruzioni per reimpostare la password. +password-reset.email: Indirizzo e-mail +password-reset.invalid-link: Il link per reimpostare la password è scaduto o non valido. Riprova. +password-reset.new-password: Nuova password +password-reset.password-changed: La password è stata cambiata. Accedi ora con le nuove credenziali. +password-reset.password-reset: Reimposta password +password-reset.passwords-not-matching: La nuova password e la password di conferma non corrispondono. Riprova. +password-reset.reset: Reimposta +register.create-user: Formwork Admin è installato ma non è stato trovato alcun utente. Registrane uno ora. +register.register: Registra nuovo utente uploader.erorr.cannot-write: Impossibile salvare il file sul disco uploader.error: 'Impossibile caricare il file. %s.' uploader.error.file-name: Nome del file non valido 
@@ -125,8 +125,8 @@ users.new-user: Nuovo utente
 users.new-user.password-suggestion: almeno 8 caratteri
 users.new-user.username-suggestion: 'da 3 a 20 lettere, numeri, - e _'
 users.options: Opzioni
-users.user: Utente
 users.user-profile: Profilo utente %s
+users.user: Utente
 users.user.cannot-create.already-exists: Impossibile creare l’utente, un utente con lo stesso nome esiste già
 users.user.cannot-create.var-missing: 'Impossibile creare l’utente, manca la variabile %s'
 users.user.cannot-delete.logged: Impossibile eliminare l’utente, l’utente è connesso
From 2dcf2d9e06ddc4e462a164de45fe1bf61fac84df Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione
Date: Wed, 1 Aug 2018 15:20:43 +0200
Subject: [PATCH 5/5] Add logout notification
---
 admin/languages/en.yml | 1 +
 admin/languages/it.yml | 1 +
 admin/src/Controllers/Authentication.php | 1 +
 3 files changed, 3 insertions(+)
diff --git a/admin/languages/en.yml b/admin/languages/en.yml
index 8b05d87a..8490a024 100755
--- a/admin/languages/en.yml
+++ b/admin/languages/en.yml
@@ -15,6 +15,7 @@ date.today: Today
 date.weekdays.short: ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat']
 language.name: English
 login.attempt.failed: Login attempt failed! Try again.
+login.logged-out: You have been logged out
 login.login: Login
 login.logout: Logout
 login.password: Password
diff --git a/admin/languages/it.yml b/admin/languages/it.yml
index 1272c395..ac967865 100755
--- a/admin/languages/it.yml
+++ b/admin/languages/it.yml
@@ -15,6 +15,7 @@ date.today: Oggi
 date.weekdays.short: ['Dom', 'Lun', 'Mar', 'Mer', 'Gio', 'Ven', 'Sab']
 language.name: Italiano
 login.attempt.failed: Tentativo di accesso fallito! Riprova.
+login.logged-out: Sei stato disconnesso
 login.login: Accedi
 login.logout: Esci
 login.password: Password
diff --git a/admin/src/Controllers/Authentication.php b/admin/src/Controllers/Authentication.php
index 929a115a..f4ffda7e 100755
--- a/admin/src/Controllers/Authentication.php
+++ b/admin/src/Controllers/Authentication.php 
@@ -59,6 +59,7 @@ class Authentication extends AbstractController
 {
 CSRFToken::destroy();
 Session::remove('FORMWORK_USERNAME');
+ $this->notify($this->label('login.logged-out'), 'success');
 $this->redirect('/', 302, true);
 }
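Review bot: The logout hunk removes the username key and the CSRF token but, as far as the visible lines show, keeps the session itself; if `notify()` stores the flash message in that same session, the session id survives logout and is reused by the next login, which is the condition session fixation relies on. Regenerating the id once the user has been cleared, e.g. `session_regenerate_id(true);` before the `notify()` call (or the project's `Session` equivalent if it provides one), is the usual mitigation. The method's signature lies outside the hunk, so whether anything earlier in it already does this cannot be seen here.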