xarvh/fipamo
1
0
Fork 0
forked from projects/fipamo
Code Pull requests Activity

added form token auth to page editing, updated API

Browse source
This commit is contained in:
Ro 2021-09-13 15:43:54 -07:00
parent fdc6cb2cf2
commit ccbf55bb54
5 changed files with 26 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
brain/api/v1/PagesAPI.inc.php
View file

@ -104,7 +104,24 @@ class PagesAPI
case "delete": case "delete":
case "create": case "create":
case "write": case "write":
$result = (new Book("../content/pages"))->editPage($task, $request); $body = $request->getParsedBody();
if (!isset($body["form_token"])) {
$result = [
"message" => "No form token. Not good, sport.",
"type" => "TASK_FORM_AUTH",
];
} else {
if ($body["form_token"] == Session::get("form_token")) {
//TODO: Verify form fields
$result = (new Book("../content/pages"))->editPage($task, $request);
} else {
$result = [
"message" => "Form token, auth failed. Uh oh.",
"type" => "TASK_FORM_AUTH",
];
}
}
break; break;
case "add-entry-image": case "add-entry-image":
$result = ImagesAPI::uploadImage($request); $result = ImagesAPI::uploadImage($request);

2
brain/views/dash/page-edit.twig
View file

@ -78,7 +78,7 @@
{% endapply %} {% endapply %}
<input id="featured-image-upload" type="file" name="featured-image-upload"/> <input id="featured-image-upload" type="file" name="featured-image-upload"/>
<input id="post-image-upload" type="file" name="post-image-upload"/> <input id="post-image-upload" type="file" name="post-image-upload"/>
<input name="token" type="hidden" value="{{ token }}"> <input id="form_token" name="token" type="hidden" value="{{ token }}">
</div> </div>
</div> </div>
</div> </div>

4
public/assets/scripts/dash.min.js vendored
View file

File diff suppressed because one or more lines are too long

4
src/com/actions/PageActions.js
View file

@ -56,6 +56,10 @@ export default class PostActions {
"published", "published",
document.getElementById("option-published").getAttribute("data-active") document.getElementById("option-published").getAttribute("data-active")
); );
pageInfo.append(
"form_token",
document.getElementById("form_token").value
);
if (image != null || image != undefined) { if (image != null || image != undefined) {
if (image.type.match("image.*")) { if (image.type.match("image.*")) {
pageInfo.append("feature_image", image, image.name); pageInfo.append("feature_image", image, image.name);

1
src/libraries/FipamoAdminAPI.js
View file

@ -217,6 +217,7 @@ class FipamoAdminAPI {
* @param {boolean} form[].menu - property that indicates page is included in site menu * @param {boolean} form[].menu - property that indicates page is included in site menu
* @param {boolean} form[].featured - property that indicates page is featured * @param {boolean} form[].featured - property that indicates page is featured
* @param {boolean} form[].published - property that indicates page is public * @param {boolean} form[].published - property that indicates page is public
* @param {string} form[].form_token - hidden property to authenticate form submission
* @param {input} form[].feature_image - main image for page * @param {input} form[].feature_image - main image for page
* @example * @example
* api.pageActions(TASK, data).then(response=>{ * api.pageActions(TASK, data).then(response=>{