Merge branch 'master' into PHRAS-4088-improve-workerrunningjob-finished

alchemy-fr · Oct 23, 2024 · 5064b93 · 5064b93
2 parents 99dec4e + 47371bb
commit 5064b93
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 4 deletions.
diff --git a/lib/Alchemy/Phrasea/Controller/Root/AccountController.php b/lib/Alchemy/Phrasea/Controller/Root/AccountController.php
@@ -318,6 +318,8 @@ public function displayAccount()
 
         $initiatedValidations = $this->getBasketRepository()->findby(['vote_initiator' => $user, ]);
 
+        $this->setSessionFormToken('userAccount');
+
         return $this->render('account/account.html.twig', [
             'user'                  => $user,
             'evt_mngr'              => $manager,
@@ -417,6 +419,10 @@ public function confirmDeleteAccount(Request $request)
      */
     public function updateAccount(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'userAccount')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         $registrations = $request->request->get('registrations', []);
 
         if (false === is_array($registrations)) {

diff --git a/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php b/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php
@@ -171,6 +171,10 @@ public function authorizeGrantPassword(Request $request, ApiApplication $applica
      */
     public function newApp(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'newApplication')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         if ($request->request->get('type') === ApiApplication::DESKTOP_TYPE) {
             $form = new \API_OAuth2_Form_DevAppDesktop($request);
         } else {
@@ -223,6 +227,8 @@ public function listApps()
      */
     public function displayFormApp(Request $request)
     {
+        $this->setSessionFormToken('newApplication');
+
         return $this->render('developers/application_form.html.twig', [
             "violations" => null,
             'form'       => null,

diff --git a/lib/Alchemy/Phrasea/Core/Configuration/DisplaySettingService.php b/lib/Alchemy/Phrasea/Core/Configuration/DisplaySettingService.php
@@ -98,6 +98,10 @@ public function getUserSetting(User $user, $name, $default = null)
             return array_key_exists($name, $this->usersSettings) ? $this->usersSettings[$name] : $default;
         }
 
+        if ($name == 'start_page_query') {
+            return htmlentities($user->getSettings()->get($name)->getValue());
+        }
+
         return $user->getSettings()->get($name)->getValue();
     }
 

diff --git a/templates/web/account/account.html.twig b/templates/web/account/account.html.twig
@@ -293,6 +293,7 @@
 
                     </div>
                 </div>
+                <input type="hidden" name="userAccount_token" value="{{ app['session'].get('userAccount_token') }}">
             </form>
         </div>
     </div>

diff --git a/templates/web/developers/application_form.html.twig b/templates/web/developers/application_form.html.twig
@@ -123,5 +123,6 @@
         </div>
 
     </div>
+    <input type="hidden" name="newApplication_token" value="{{ app['session'].get('newApplication_token') }}">
   </form>
 {% endblock %}
diff --git a/templates/web/prod/index.html.twig b/templates/web/prod/index.html.twig
@@ -986,7 +986,7 @@
                                     {{ 'Aide' | trans }}
                                 </option>
                             </select>
-                            <input type="text" class="span4" name="start_page_value" value="{{ app['settings'].getUserSetting(app.getAuthenticatedUser(), 'start_page_query')}}" style="display:{% if start_page_pref == 'QUERY' %}inline{% else %}none{% endif %}" />
+                            <input type="text" class="span4" name="start_page_value" value="{{ app['settings'].getUserSetting(app.getAuthenticatedUser(), 'start_page_query') | raw }}" style="display:{% if start_page_pref == 'QUERY' %}inline{% else %}none{% endif %}" />
                             <input type="button" class="btn btn-inverse preferences-options-submit" value="{{'boutton::valider'  | trans }}" />
                         </form>
                     </div>

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php
@@ -384,6 +384,7 @@ public function testUpdateAccount()
         $app = $this->getApplication();
         $client = $this->getClient();
         $bases = $notifs = [];
+        $randomValue = $this->setSessionFormToken('userAccount');
 
         foreach ($app->getDataboxes() as $databox) {
             foreach ($databox->get_collections() as $collection) {
@@ -424,7 +425,8 @@ public function testUpdateAccount()
             'form_retryFTP'        => '',
             'notifications'        => $notifs,
             'form_defaultdataFTP'  => ['document', 'preview', 'caption'],
-            'mail_notifications' => '1'
+            'mail_notifications' => '1',
+            'userAccount_token'    => $randomValue
         ]);
 
         $response = $client->getResponse();

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php
@@ -39,14 +39,17 @@ public function testDisplayformApp()
      */
     public function testPostNewAppInvalidArguments()
     {
+        $randomValue = $this->setSessionFormToken('newApplication');
+
         $crawler = self::$DI['client']->request('POST', '/developers/application/', [
             'type'            => ApiApplication::WEB_TYPE,
             'name'            => '',
             'description'     => 'okok',
             'website'         => 'my.website.com',
             'callback'        => 'my.callback.com',
             'scheme-website'  => 'http://',
-            'scheme-callback' => 'http://'
+            'scheme-callback' => 'http://',
+            'newApplication_token' => $randomValue
             ]);
 
         $this->assertTrue(self::$DI['client']->getResponse()->isOk());
@@ -63,6 +66,7 @@ public function testPostNewApp()
     {
         $apps = self::$DI['app']['repo.api-applications']->findByCreator(self::$DI['user']);
         $nbApp = count($apps);
+        $randomValue = $this->setSessionFormToken('newApplication');
 
         self::$DI['client']->request('POST', '/developers/application/', [
             'type'            => ApiApplication::WEB_TYPE,
@@ -71,7 +75,8 @@ public function testPostNewApp()
             'website'         => 'my.website.com',
             'callback'        => 'my.callback.com',
             'scheme-website'  => 'http://',
-            'scheme-callback' => 'http://'
+            'scheme-callback' => 'http://',
+            'newApplication_token' => $randomValue
         ]);
 
         $apps = self::$DI['app']['repo.api-applications']->findByCreator(self::$DI['user']);
-Original file line number
+Diff line change
@@ Expand Up / @@ -293,6 +293,7 @@ @@
                         </div>
                     </div>
+                    <input type="hidden" name="userAccount_token" value="{{ app['session'].get('userAccount_token') }}">
                 </form>
             </div>
         </div>
@@ Expand Down @@