added field check for page edits to make sure unnecessary fields are not being added

This commit is contained in:
Ro 2021-09-14 12:47:57 -07:00
parent ccbf55bb54
commit 934d29f4cf
2 changed files with 38 additions and 2 deletions


@ -105,6 +105,7 @@ class PagesAPI
case "create": case "create":
case "write": case "write":
$body = $request->getParsedBody(); $body = $request->getParsedBody();
$passed = true;
if (!isset($body["form_token"])) { if (!isset($body["form_token"])) {
$result = [ $result = [
"message" => "No form token. Not good, sport.", "message" => "No form token. Not good, sport.",
@ -113,7 +114,40 @@ class PagesAPI
} else { } else {
if ($body["form_token"] == Session::get("form_token")) { if ($body["form_token"] == Session::get("form_token")) {
//TODO: Verify form fields //TODO: Verify form fields
$result = (new Book("../content/pages"))->editPage($task, $request); $keys = [
"id",
"uuid",
"layout",
"current_title",
"content",
"title",
"created",
"slug",
"tags",
"menu",
"featured",
"published",
"form_token",
"feature_image",
];
foreach ($body as $key => $item) {
if (!in_array($key, $keys)) {
//found unnecessary key, so reject submission
$passed = false;
}
}
if ($passed) {
$result = (new Book("../content/pages"))->editPage(
$task,
$request
);
} else {
$result = [
"message" => "Form token, auth failed. Uh oh.",
"type" => "TASK_FORM_AUTH",
];
}
} else { } else {
$result = [ $result = [
"message" => "Form token, auth failed. Uh oh.", "message" => "Form token, auth failed. Uh oh.",


@ -148,7 +148,9 @@ class Book
"id" => $uuid, "id" => $uuid,
]; ];
//**just testing to see why indexing isn't working ** //TODO: When form submission is successful, make new form token
$form_token = md5(uniqid(microtime(), true));
Session::set("form_token", $form_token);
//once saved, update menu //once saved, update menu
$body["path"] = $path; $body["path"] = $path;