
Merge pull request #324 from uzulla/issu279/check-http-method
アクセス時のHTTPリクエストmethodの厳格化 #279
fc2dev authored Jun 11, 2021
2 parents 679133e + 9561159 commit 6ee67c1
Showing 36 changed files with 291 additions and 93 deletions.
60 changes: 52 additions & 8 deletions app/src/Web/Controller/Admin/BlogPluginsController.php
Expand Up @@ -19,6 +19,8 @@ class BlogPluginsController extends AdminController
*/
public function index(Request $request): string
{
if (!$request->isGet()) return $this->error400();

$blog_id = $this->getBlogIdFromSession();
$device_type = $request->get('device_type', (string)Config::get('DEVICE_PC'), Request::VALID_IN_ARRAY, Config::get('ALLOW_DEVICES'));
$this->set('device_type', $device_type);
Expand Down Expand Up @@ -53,6 +55,8 @@ public function index(Request $request): string
*/
public function official_search(Request $request): string
{
if (!$request->isGet()) return $this->error400();

return $this->plugin_search($request);
}

Expand All @@ -63,11 +67,13 @@ public function official_search(Request $request): string
*/
public function share_search(Request $request): string
{
if (!$request->isGet()) return $this->error400();

return $this->plugin_search($request, false);
}

/**
* プラグイン検索
* プラグイン検索 (内部呼び出し)
* @param Request $request
* @param bool $is_official
* @return string
Expand Down Expand Up @@ -142,6 +148,9 @@ public function create(Request $request): string
return "admin/blog_plugins/create.twig";
}

// 以下は更新処理なので、POST必須
if (!$request->isPost()) return $this->error400();

// 新規登録処理
$errors = array();
$white_list = array('title', 'title_align', 'title_color', 'contents', 'contents_align', 'contents_color', 'device_type', 'category');
Expand Down Expand Up @@ -179,7 +188,7 @@ public function edit(Request $request): string
$this->set('device_type', $request->get('blog_plugin.device_type'));
$this->set('device_type_sp', (string)Config::get('DEVICE_SP'));

// 編集対象のデータ取得
// 編集対象のデータ取得、なければリダイレクト
if (!$blog_plugin = $blog_plugins_model->findByIdAndBlogId($id, $blog_id)) {
$this->redirect($request, array('action' => 'index'));
}
Expand All @@ -190,6 +199,9 @@ public function edit(Request $request): string
return "admin/blog_plugins/edit.twig";
}

// 以下は更新処理なので、POST必須
if (!$request->isPost()) return $this->error400();

// 更新処理
$errors = array();
$white_list = array('title', 'title_align', 'title_color', 'contents', 'contents_align', 'contents_color');
Expand All @@ -211,8 +223,9 @@ public function edit(Request $request): string
/**
* 削除
* @param Request $request
* @return string
*/
public function delete(Request $request)
public function delete(Request $request): string
{
$blog_plugins_model = Model::load('BlogPlugins');

Expand All @@ -225,12 +238,16 @@ public function delete(Request $request)
$this->redirect($request, array('action' => 'index'));
}

// 以下は更新処理なので、POST必須
if (!$request->isPost()) return $this->error400();

if ($request->isValidSig()) {
// 削除処理
$blog_plugins_model->deleteByIdAndBlogId($id, $blog_id);
$this->setInfoMessage(__('I removed the plugin'));
}
$this->redirect($request, array('action' => 'index', 'device_type' => $blog_plugin['device_type']));
return "";
}

/**
Expand Down Expand Up @@ -267,6 +284,9 @@ public function register(Request $request): string
return 'admin/blog_plugins/register.twig';
}

// 以下は更新処理なので、POST必須
if (!$request->isPost()) return $this->error400();

// 新規登録処理
$errors = [];
$white_list = ['title', 'body'];
Expand All @@ -291,8 +311,9 @@ public function register(Request $request): string
/**
* 登録済みのプラグイン削除
* @param Request $request
* @return string
*/
public function plugin_delete(Request $request)
public function plugin_delete(Request $request): string
{
$plugins_model = Model::load('Plugins');

Expand All @@ -304,19 +325,24 @@ public function plugin_delete(Request $request)
$this->redirect($request, array('action' => 'search'));
}

// 以下は更新処理なので、POST必須
if (!$request->isPost()) return $this->error400();

if ($request->isValidSig()) {
// 削除処理
$plugins_model->deleteByIdAndUserId($id, $user_id);
$this->setInfoMessage(__('I removed the plugin'));
}
$this->redirectBack($request, array('action' => 'search'));
return "";
}

/**
* プラグインのダウンロード
* @param Request $request
* @return string
*/
public function download(Request $request)
public function download(Request $request): string
{
$id = $request->get('id');
$plugin = Model::load('Plugins')->findById($id);
Expand All @@ -325,6 +351,9 @@ public function download(Request $request)
$this->redirectBack($request, array('controller' => 'blog_plugins', 'action' => 'index'));
}

// 以下は更新処理なので、POST必須
if (!$request->isPost()) return $this->error400();

if ($request->isValidSig()) {
// 追加用のデータを取得データから作成
$blog_plugin_data = array(
Expand All @@ -344,35 +373,44 @@ public function download(Request $request)
$this->setErrorMessage(__('I failed to download the plug-in'));
}
$this->redirectBack($request, array('controller' => 'blog_plugins', 'action' => 'index'));
return "";
}

/**
* 並べ替え
* @param Request $request
* @return string
*/
public function sort(Request $request)
public function sort(Request $request): string
{
if (!$request->isPost()) return $this->error400();

$blog_plugins_model = Model::load('BlogPlugins');

$blog_id = $this->getBlogIdFromSession();
$device_type = $request->get('device_type', Config::get('DEVICE_PC'), Request::VALID_IN_ARRAY, Config::get('ALLOW_DEVICES'));

// 並べ替え処理
// TODO Sigチェック不足
$blog_plugins_model->sort($request->get('blog_plugins', array()), $device_type, $blog_id);

$this->setInfoMessage(__('I have completed the sorting'));
if (App::isSP($request)) {
$this->redirect($request, array('action' => 'index', 'device_type' => $device_type, 'state' => 'sort'));
}
$this->redirect($request, array('action' => 'index', 'device_type' => $device_type));
return "";
}

/**
* プラグインの表示設定
* @param Request $request
* @return string
*/
public function display_changes(Request $request)
public function display_changes(Request $request): string
{
if (!$request->isPost()) return $this->error400();

$blog_plugins_model = Model::load('BlogPlugins');

$blog_id = $this->getBlogIdFromSession();
Expand All @@ -388,14 +426,19 @@ public function display_changes(Request $request)
$this->redirect($request, array('action' => 'index', 'device_type' => $device_type, 'state' => 'display'));
}
$this->redirect($request, array('action' => 'index', 'device_type' => $device_type));
return "";
}

/**
* プラグインの表示設定
* @param Request $request
* @return string
*/
public function display_change(Request $request)
public function display_change(Request $request): string
{
// TODO クライアント側の修正も行う
// if(!$request->isPost()) return $this->error400();

$blog_plugins_model = Model::load('BlogPlugins');

$id = $request->get('id');
Expand All @@ -410,6 +453,7 @@ public function display_change(Request $request)
// 表示・非表示設定
$blog_plugins_model->updateByIdAndBlogId(array('display' => $display), $id, $blog_id);
// $blog_plugins_model->updateDisplay(array($id=>$request->get('display')), $blog_id); // TODO:後でこちらに置き換え
return "";
}
}
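Review bot: In `delete` the new guard `if (!$request->isPost()) return $this->error400();` sits after `Model::load('BlogPlugins')` and the not-found redirect, so a GET with an unknown id is redirected instead of rejected, while `sort` and `display_changes` put the guard on their first line; `delete`, `plugin_delete` and `download` should do the same so no lookup or redirect happens for a wrong-method request. The `// TODO Sigチェック不足` left in `sort` is not cosmetic: a POST-only check does not stop a cross-site form submission, so `isValidSig()` is still needed before `$blog_plugins_model->sort(...)`, as `delete`, `plugin_delete` and `download` already do. `display_change` keeps its guard commented out, so that update stays reachable by GET until the client side is changed. The bodies of `delete`, `plugin_delete` and `download` begin outside their hunks.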

5 changes: 1 addition & 4 deletions app/src/Web/Controller/Admin/BlogSettingsController.php
Expand Up @@ -10,7 +10,6 @@

class BlogSettingsController extends AdminController
{

/**
* コメント編集
* @param Request $request
Expand Down Expand Up @@ -78,7 +77,7 @@ private function settingEdit(Request $request, $white_list, $action): string
$blog_id = $this->getBlogIdFromSession();

// 初期表示時に編集データの取得&設定
if (!$request->get('blog_setting') || !$request->isValidSig()) {
if (!$request->get('blog_setting') || !$request->isValidPost()) {
$blog_setting = $blog_settings_model->findByBlogId($blog_id);
$request->set('blog_setting', $blog_setting);
return $this->get('template_path');
Expand Down Expand Up @@ -112,6 +111,4 @@ private function settingEdit(Request $request, $white_list, $action): string

return $this->get('template_path');
}

}
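Review bot: At `if (!$request->get('blog_setting') || !$request->isValidPost()) {` a POST whose signature check fails is handled exactly like a first visit: the submitted data is replaced by the stored settings and the form is re-rendered with no error, so a rejected submission is invisible to the user and to logs. Assuming `isValidPost()` combines the method and signature checks (it is not defined in this hunk), consider separating them: keep `!$request->get('blog_setting') || !$request->isPost()` for the initial-display branch and add `if (!$request->isValidSig()) return $this->error400();` after it, so a bad signature is rejected explicitly. `settingEdit` begins and ends outside the hunk.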

22 changes: 18 additions & 4 deletions app/src/Web/Controller/Admin/BlogTemplatesController.php
Expand Up @@ -22,6 +22,8 @@ class BlogTemplatesController extends AdminController
*/
public function index(Request $request): string
{
if (!$request->isGet()) return $this->error400();

$blog_id = $this->getBlogIdFromSession();
if (App::isPC($request)) {
$device_type = $request->get('device_type', 0);
Expand Down Expand Up @@ -55,6 +57,8 @@ public function index(Request $request): string
*/
public function fc2_index(Request $request): string
{
if (!$request->isGet()) return $this->error400();

// デバイスタイプの設定
$device_type = $request->get('device_type', (string)Config::get('DEVICE_PC'));
$request->set('device_type', $device_type);
Expand Down Expand Up @@ -85,6 +89,8 @@ public function fc2_index(Request $request): string
*/
public function fc2_view(Request $request): string
{
if (!$request->isGet()) return $this->error400();

// 戻る用URLの設定
$back_url = $request->getReferer();
if (!empty($back_url)) {
Expand Down Expand Up @@ -120,7 +126,7 @@ public function create(Request $request): string
$this->set('template_syntaxes', array_merge(array_keys(Config::get('fc2_template_foreach')), array_keys(Config::get('fc2_template_if'))));

// 初期表示時
if (!$request->get('blog_template') || !$request->isValidSig()) {
if (!$request->get('blog_template') || !$request->isValidPost()) {
// FC2テンプレートダウンロード
if ($request->get('fc2_id')) {
$device_type = $request->get('device_type');
Expand All @@ -142,6 +148,7 @@ public function create(Request $request): string
}

// 新規登録処理
if (!$request->isPost()) return $this->error400();
$errors = [];
$white_list = ['title', 'html', 'css', 'device_type'];
$errors['blog_template'] = $blog_templates_model->validate($request->get('blog_template'), $blog_template_data, $white_list);
Expand Down Expand Up @@ -172,7 +179,7 @@ public function edit(Request $request): string
$blog_id = $this->getBlogIdFromSession();

// 初期表示時に編集データの取得&設定
if (!$request->get('blog_template') || !$request->isValidSig()) {
if (!$request->get('blog_template') || !$request->isValidPost()) {
if (!$blog_template = $blog_templates_model->findByIdAndBlogId($id, $blog_id)) {
$this->redirect($request, ['action' => 'index']);
}
Expand All @@ -181,6 +188,7 @@ public function edit(Request $request): string
}

// 更新処理
if (!$request->isPost()) return $this->error400();
$errors = [];
$white_list = ['title', 'html', 'css'];
$errors['blog_template'] = $blog_templates_model->validate($request->get('blog_template'), $blog_template_data, $white_list);
Expand All @@ -203,6 +211,9 @@ public function edit(Request $request): string
*/
public function apply(Request $request)
{
// TODO post化
// if(!$request->isPost()) return $this->error400();

$blog_templates_model = Model::load('BlogTemplates');

$id = $request->get('id');
Expand All @@ -223,12 +234,14 @@ public function apply(Request $request)
}

/**
* テンプレートダウンロード
* テンプレートダウンロード(SP用)
* @param Request $request
* @return string
*/
public function download(Request $request): string
{
// TODO POST化

/** @var BlogTemplatesModel $blog_templates_model */
$blog_templates_model = Model::load('BlogTemplates');

Expand Down Expand Up @@ -282,7 +295,7 @@ public function delete(Request $request)
$id = $request->get('id');
$blog_id = $this->getBlogIdFromSession();

// 使用中のテンプレート判定
// 使用中のテンプレートであれば削除させない
$blog = BlogService::getById($blog_id);
$template_ids = BlogsModel::getTemplateIds($blog);
if (in_array($id, $template_ids)) {
Expand All @@ -295,6 +308,7 @@ public function delete(Request $request)
$this->redirect($request, array('action' => 'index'));
}

// TODO 削除処理のPOST必須化
if ($request->isValidSig()) {
// 削除処理
$blog_templates_model->deleteByIdAndBlogId($id, $blog_id);
Expand Down
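Review bot: The new guard `if (!$request->isPost()) return $this->error400();` placed before `$errors = [];` in `create`, and the same line in `edit`, is only reached after the `!$request->isValidPost()` branch above it has presumably returned, so if `isValidPost()` implies a POST request (it is not defined in this hunk) the guard can never fire; either drop it or move it above the initial-display check, as `index` and `fc2_view` do with `isGet()`. The TODOs in `apply`, `download` and `delete` leave those state-changing actions reachable by GET, with `delete` relying on `isValidSig()` alone, so the `isGet()` guards on the read-only actions should not be read as complete coverage of #279. `create`, `edit`, `apply` and `delete` start or end outside their hunks.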
