diff --git a/app/modules/web/Controllers/AccountController.php b/app/modules/web/Controllers/AccountController.php
index 79352c19..fa9f6917 100644
--- a/app/modules/web/Controllers/AccountController.php
+++ b/app/modules/web/Controllers/AccountController.php
@@ -102,19 +102,16 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function searchAction()
 {
 try {
- $this->checkSecurityToken($this->session, $this->request);
+ $this->checkSecurityToken($this->previousSk, $this->request);
 $accountSearchHelper = $this->dic->get(AccountSearchHelper::class);
 $accountSearchHelper->getAccountSearch();
 $this->eventDispatcher->notifyEvent('show.account.search', new Event($this));
- $data = [
- 'sk' => $this->session->generateSecurityKey(),
+ return $this->returnJsonResponseData([
 'html' => $this->render()
- ];
-
- return $this->returnJsonResponseData($data);
+ ]);
 } catch (\Exception $e) {
 processException($e);
@@ -133,6 +130,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function viewAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountDetailsResponse = $this->accountService->getById($id);
 $this->accountService
 ->withUsersById($accountDetailsResponse)
@@ -178,10 +177,10 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 */
 public function viewLinkAction($hash)
 {
- $layoutHelper = $this->dic->get(LayoutHelper::class);
- $layoutHelper->getPublicLayout('account-link', 'account');
-
 try {
+ $layoutHelper = $this->dic->get(LayoutHelper::class);
+ $layoutHelper->getPublicLayout('account-link', 'account');
+
 $publicLinkService = $this->dic->get(PublicLinkService::class);
 $publicLinkData = $publicLinkService->getByHash($hash);
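Review bot: The searchAction hunk drops the per-response rotation of the security key — the old response carried a fresh `'sk' => $this->session->generateSecurityKey()` and the new one returns only `'html'`, so the token checked on the next request is now whatever `$this->previousSk` holds. Neither `$previousSk` nor `checkSecurityToken()` is defined in this diff, so it cannot be confirmed here that the token stays bound to the session and is compared with `hash_equals()`; a fixed-per-session token is a defensible CSRF design only under those conditions, and a one-line comment at the call site stating where `previousSk` is issued and how long it stays valid would save the next reader the search. The check now also sits inside the `try`, so a failed token lands in the generic `catch (\Exception $e)` / `processException($e)` path rather than a dedicated rejection; every other AccountController hunk uses the same placement. The searchAction body continues outside the hunk.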
@@ -247,6 +246,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function createAction()
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountHelper = $this->dic->get(AccountHelper::class);
 $accountHelper->setViewForBlank(Acl::ACCOUNT_CREATE);
@@ -285,6 +286,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function copyAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountDetailsResponse = $this->accountService->getById($id);
 $this->accountService
 ->withUsersById($accountDetailsResponse)
@@ -329,6 +332,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function editAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountDetailsResponse = $this->accountService->getById($id);
 $this->accountService
 ->withUsersById($accountDetailsResponse)
@@ -375,6 +380,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function deleteAction($id = null)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountDetailsResponse = $this->accountService->getById($id);
 $this->accountService
 ->withUsersById($accountDetailsResponse)
@@ -418,6 +425,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function editPassAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountDetailsResponse = $this->accountService->getById($id);
 $this->accountService
 ->withUsersById($accountDetailsResponse)
@@ -461,6 +470,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function viewHistoryAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountHistoryService = $this->dic->get(AccountHistoryService::class);
 $accountHistoryData = $accountHistoryService->getById($id);
@@ -504,6 +515,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function requestAccessAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountHelper = $this->dic->get(AccountHelper::class);
 $accountHelper->setIsView(true);
 $accountHelper->setViewForRequest($this->accountService->getById($id), Acl::ACCOUNT_REQUEST);
@@ -536,6 +549,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function viewPassAction($id, $parentId = 0)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountPassHelper = $this->dic->get(AccountPasswordHelper::class);
 $account = $this->accountService->getPasswordForId($id);
@@ -594,6 +609,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function viewPassHistoryAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountPassHelper = $this->dic->get(AccountPasswordHelper::class);
 $account = $this->accountService->getPasswordHistoryForId($id);
@@ -634,9 +651,12 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 * @throws \SP\Core\Exceptions\QueryException
 * @throws \SP\Repositories\NoSuchItemException
 * @throws \SP\Services\ServiceException
+ * @throws \SP\Core\Exceptions\SPException
 */
 public function copyPassAction($id)
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountPassHelper = $this->dic->get(AccountPasswordHelper::class);
 $account = $this->accountService->getPasswordForId($id);
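Review bot: In copyPassAction the added `$this->checkSecurityToken($this->previousSk, $this->request);` runs outside any `try`, so an SPException from a bad token propagates out of the action instead of being turned into the JSON error that the sibling viewPassAction and viewPassHistoryAction hunks produce through their `catch`; the new `@throws \SP\Core\Exceptions\SPException` tag documents this, but the asymmetry looks accidental. The copyPassHistoryAction hunk on the next line has the same shape, as do the searchAction hunks of AccountFileController, AccountHistoryManagerController, AccountManagerController, AuthTokenController, CategoryController and ClientController, and ConfigAccountController::saveAction. Either move the call into the existing `try` where there is one, or add a comment such as `// token failure is deliberately left to the global exception handler` so the difference reads as intentional. The bodies of both copy actions continue past the hunk.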
@@ -668,9 +688,12 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 * @throws \SP\Core\Exceptions\QueryException
 * @throws \SP\Repositories\NoSuchItemException
 * @throws \SP\Services\ServiceException
+ * @throws \SP\Core\Exceptions\SPException
 */
 public function copyPassHistoryAction($id)
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountPassHelper = $this->dic->get(AccountPasswordHelper::class);
 $account = $this->accountService->getPasswordHistoryForId($id);
@@ -702,6 +725,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function saveCreateAction()
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $form = new AccountForm($this->dic);
 $form->validate(Acl::ACCOUNT_CREATE);
@@ -748,6 +773,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function saveEditAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $form = new AccountForm($this->dic, $id);
 $form->validate(Acl::ACCOUNT_EDIT);
@@ -793,6 +820,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function saveEditPassAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $form = new AccountForm($this->dic, $id);
 $form->validate(Acl::ACCOUNT_EDIT_PASS);
@@ -835,6 +864,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function saveEditRestoreAction($historyId, $id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $this->accountService->editRestore($historyId, $id);
 $accountDetails = $this->accountService->getById($id)->getAccountVData();
@@ -871,6 +902,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function saveDeleteAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if ($id === null) {
 $this->accountService->deleteByIdBatch($this->getItemsIdFromRequest($this->request));
@@ -914,6 +947,8 @@ final class AccountController extends ControllerBase implements CrudControllerIn
 public function saveRequestAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $description = $this->request->analyzeString('description');
 if (empty($description)) {
diff --git a/app/modules/web/Controllers/AccountFileController.php b/app/modules/web/Controllers/AccountFileController.php
index e49c8a25..56b9b96b 100644
--- a/app/modules/web/Controllers/AccountFileController.php
+++ b/app/modules/web/Controllers/AccountFileController.php
@@ -66,6 +66,8 @@ final class AccountFileController extends ControllerBase implements CrudControll
 public function viewAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (null === ($fileData = $this->accountFileService->getById($id))) {
 throw new SPException(__u('El archivo no existe'), SPException::INFO);
 }
@@ -118,6 +120,8 @@ final class AccountFileController extends ControllerBase implements CrudControll
 public function downloadAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (null === ($fileData = $this->accountFileService->getById($id))) {
 throw new SPException(__u('El archivo no existe'), SPException::INFO);
 }
@@ -155,6 +159,8 @@ final class AccountFileController extends ControllerBase implements CrudControll
 public function uploadAction($accountId)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $file = $this->router->request()->files()->get('inFile');
 if ($accountId === 0 || null === $file) {
@@ -252,11 +258,17 @@ final class AccountFileController extends ControllerBase implements CrudControll
 /**
 * Search action
 *
+ * @return bool
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
+ * @throws SPException
 */
 public function searchAction()
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (!$this->acl->checkUserAccess(Acl::ACCOUNT_FILE_SEARCH)) {
 return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
 }
@@ -272,6 +284,8 @@ final class AccountFileController extends ControllerBase implements CrudControll
 * getSearchGrid
 *
 * @return $this
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
 */
@@ -312,6 +326,8 @@ final class AccountFileController extends ControllerBase implements CrudControll
 public function deleteAction($id = null)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if ($id === null) {
 $this->accountFileService->deleteByIdBatch($this->getItemsIdFromRequest($this->request));
@@ -372,6 +388,8 @@ final class AccountFileController extends ControllerBase implements CrudControll
 }
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $this->view->addTemplate('files-list', 'account');
 $this->view->assign('deleteEnabled', $this->request->analyzeInt('del', false));
diff --git a/app/modules/web/Controllers/AccountHistoryManagerController.php b/app/modules/web/Controllers/AccountHistoryManagerController.php
index 6492e03f..ca7071d8 100644
--- a/app/modules/web/Controllers/AccountHistoryManagerController.php
+++ b/app/modules/web/Controllers/AccountHistoryManagerController.php
@@ -50,11 +50,16 @@ final class AccountHistoryManagerController extends ControllerBase
 /**
 * @return bool
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
+ * @throws \SP\Core\Exceptions\SPException
 */
 public function searchAction()
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (!$this->acl->checkUserAccess(Acl::ACCOUNTMGR_HISTORY_SEARCH)) {
 return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
 }
@@ -70,6 +75,8 @@ final class AccountHistoryManagerController extends ControllerBase
 * getSearchGrid
 *
 * @return $this
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
 */
@@ -92,6 +99,8 @@ final class AccountHistoryManagerController extends ControllerBase
 public function deleteAction($id = null)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if ($id === null) {
 $this->accountHistoryService->deleteByIdBatch($this->getItemsIdFromRequest($this->request));
@@ -130,6 +139,8 @@ final class AccountHistoryManagerController extends ControllerBase
 public function restoreAction($id)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $accountDetails = $this->accountHistoryService->getById($id);
 $accountService = $this->dic->get(AccountService::class);
@@ -158,6 +169,8 @@ final class AccountHistoryManagerController extends ControllerBase
 /**
 * Initialize class
 *
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Services\Auth\AuthException
 */
 protected function initialize()
diff --git a/app/modules/web/Controllers/AccountManagerController.php b/app/modules/web/Controllers/AccountManagerController.php
index a2a7d05f..7d4eedca 100644
--- a/app/modules/web/Controllers/AccountManagerController.php
+++ b/app/modules/web/Controllers/AccountManagerController.php
@@ -73,6 +73,8 @@ final class AccountManagerController extends ControllerBase
 */
 public function searchAction()
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (!$this->acl->checkUserAccess(Acl::ACCOUNTMGR_SEARCH)) {
 return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
 }
@@ -122,6 +124,8 @@ final class AccountManagerController extends ControllerBase
 public function deleteAction($id = null)
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if ($id === null) {
 $this->accountService->deleteByIdBatch($this->getItemsIdFromRequest($this->request));
@@ -163,6 +167,8 @@ final class AccountManagerController extends ControllerBase
 public function saveBulkEditAction()
 {
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 $form = new AccountForm($this->dic);
 $form->validate(Acl::ACCOUNTMGR_BULK_EDIT);
@@ -200,16 +206,18 @@ final class AccountManagerController extends ControllerBase
 */
 public function bulkEditAction()
 {
- if (!$this->acl->checkUserAccess(Acl::ACCOUNTMGR)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign('header', __('Actualización Masiva'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'accountManager/saveBulkEdit');
- $this->view->assign('itemsId', $this->getItemsIdFromRequest($this->request));
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::ACCOUNTMGR)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Actualización Masiva'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'accountManager/saveBulkEdit');
+ $this->view->assign('itemsId', $this->getItemsIdFromRequest($this->request));
+
 $this->setViewData();
 $this->eventDispatcher->notifyEvent('show.account.bulkEdit', new Event($this));
@@ -229,7 +237,6 @@ final class AccountManagerController extends ControllerBase
 {
 $this->view->addTemplate('account_bulkedit', 'itemshow');
- $this->view->assign('sk', $this->session->generateSecurityKey());
 $this->view->assign('nextAction', Acl::getActionRoute(Acl::ITEMS_MANAGE));
 $clients = SelectItemAdapter::factory(ClientService::getItemsBasic())->getItemsFromModel();
@@ -250,8 +257,8 @@ final class AccountManagerController extends ControllerBase
 $this->view->assign('disabled', 'disabled');
 $this->view->assign('readonly', 'readonly');
 } else {
- $this->view->assign('disabled');
- $this->view->assign('readonly');
+ $this->view->assign('disabled', false);
+ $this->view->assign('readonly', false);
 }
 }
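Review bot: The `@@ -229,7 +237,6 @@` hunk stops assigning `sk` to the view in setViewData, but nothing in this diff shows the `account_bulkedit` template or the base layout obtaining the token from elsewhere; if the template still reads `$sk`, the form will post an empty token and fail the new `checkSecurityToken()` call that bulkEditAction now makes. Worth confirming against the template, and if the layout is the intended source, a short comment where the assignment used to be, e.g. `// sk is supplied by the layout from previousSk; templates must not issue their own`, would make the dependency visible. The same removal appears in the setViewData hunks of AuthTokenController, CategoryController and ClientController. In the `@@ -250,8 +257,8 @@` hunk the `else` branch now passes `false` where it previously passed no second argument; that only changes output if the template distinguishes null from false, which cannot be seen here.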
diff --git a/app/modules/web/Controllers/AuthTokenController.php b/app/modules/web/Controllers/AuthTokenController.php
index 722c3248..d00290f8 100644
--- a/app/modules/web/Controllers/AuthTokenController.php
+++ b/app/modules/web/Controllers/AuthTokenController.php
@@ -61,9 +61,12 @@ final class AuthTokenController extends ControllerBase implements CrudController
 * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
+ * @throws \SP\Core\Exceptions\SPException
 */
 public function searchAction()
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_SEARCH)) {
 return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
 }
@@ -101,16 +104,17 @@ final class AuthTokenController extends ControllerBase implements CrudController
 */
 public function createAction()
 {
- if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_CREATE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign(__FUNCTION__, 1);
- $this->view->assign('header', __('Nueva Autorización'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'authToken/saveCreate');
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_CREATE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Nueva Autorización'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'authToken/saveCreate');
+
 $this->setViewData();
 $this->eventDispatcher->notifyEvent('show.authToken.create', new Event($this));
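Review bot: createAction in the `@@ -101,16 +104,17 @@` hunk silently drops `$this->view->assign(__FUNCTION__, 1);` while moving the other assignments into the `try`; the `header`, `isView` and `route` assignments are carried over, so losing the `createAction` view variable looks unintentional unless the template no longer branches on it. The createAction hunks of CategoryController and ClientController drop the same line. If it is deliberate, a comment such as `// __FUNCTION__ flag removed: the template no longer reads it` at that spot would stop the next reader from re-adding it. The method body continues outside the hunk.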
@@ -143,15 +147,14 @@ final class AuthTokenController extends ControllerBase implements CrudController
 $this->view->assign('users', SelectItemAdapter::factory(UserService::getItemsBasic())->getItemsFromModelSelected([$authToken->getUserId()]));
 $this->view->assign('actions', SelectItemAdapter::factory(AuthTokenService::getTokenActions())->getItemsFromArraySelected([$authToken->getActionId()]));
- $this->view->assign('sk', $this->session->generateSecurityKey());
 $this->view->assign('nextAction', Acl::getActionRoute(Acl::ACCESS_MANAGE));
 if ($this->view->isView === true) {
 $this->view->assign('disabled', 'disabled');
 $this->view->assign('readonly', 'readonly');
 } else {
- $this->view->assign('disabled');
- $this->view->assign('readonly');
+ $this->view->assign('disabled', false);
+ $this->view->assign('readonly', false);
 }
 $this->view->assign('customFields', $this->getCustomFieldsForItem(Acl::AUTHTOKEN, $authTokenId));
@@ -166,15 +169,18 @@ final class AuthTokenController extends ControllerBase implements CrudController
 */
 public function editAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_EDIT)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign('header', __('Editar Autorización'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'authToken/saveEdit/' . $id);
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_EDIT)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Editar Autorización'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'authToken/saveEdit/' . $id);
+
+
 $this->setViewData($id);
 $this->eventDispatcher->notifyEvent('show.authToken.edit', new Event($this));
@@ -196,11 +202,13 @@ final class AuthTokenController extends ControllerBase implements CrudController
 */
 public function deleteAction($id = null)
 {
- if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_DELETE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_DELETE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
 if ($id === null) {
 $this->authTokenService->deleteByIdBatch($this->getItemsIdFromRequest($this->request));
@@ -239,11 +247,14 @@ final class AuthTokenController extends ControllerBase implements CrudController
 */
 public function saveCreateAction()
 {
- if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_CREATE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_CREATE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+
 $form = new AuthTokenForm($this->dic);
 $form->validate(Acl::AUTHTOKEN_CREATE);
@@ -274,11 +285,14 @@ final class AuthTokenController extends ControllerBase implements CrudController
 */
 public function saveEditAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_EDIT)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_EDIT)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+
 $form = new AuthTokenForm($this->dic, $id);
 $form->validate(Acl::AUTHTOKEN_EDIT);
@@ -323,14 +337,17 @@ final class AuthTokenController extends ControllerBase implements CrudController
 */
 public function viewAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_VIEW)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign('header', __('Ver Autorización'));
- $this->view->assign('isView', true);
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::AUTHTOKEN_VIEW)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Ver Autorización'));
+ $this->view->assign('isView', true);
+
+
 $this->setViewData($id);
 $this->eventDispatcher->notifyEvent('show.authToken',
diff --git a/app/modules/web/Controllers/CategoryController.php b/app/modules/web/Controllers/CategoryController.php
index 78410fd5..574a3d02 100644
--- a/app/modules/web/Controllers/CategoryController.php
+++ b/app/modules/web/Controllers/CategoryController.php
@@ -59,9 +59,12 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
+ * @throws \SP\Core\Exceptions\SPException
 */
 public function searchAction()
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (!$this->acl->checkUserAccess(Acl::CATEGORY_SEARCH)) {
 return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
 }
@@ -96,16 +99,17 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 */
 public function createAction()
 {
- if (!$this->acl->checkUserAccess(Acl::CATEGORY_CREATE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign(__FUNCTION__, 1);
- $this->view->assign('header', __('Nueva Categoría'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'category/saveCreate');
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CATEGORY_CREATE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Nueva Categoría'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'category/saveCreate');
+
 $this->setViewData();
 $this->eventDispatcher->notifyEvent('show.category.create', new Event($this));
@@ -136,15 +140,14 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 $this->view->assign('category', $category);
- $this->view->assign('sk', $this->session->generateSecurityKey());
 $this->view->assign('nextAction', Acl::getActionRoute(Acl::ITEMS_MANAGE));
 if ($this->view->isView === true) {
 $this->view->assign('disabled', 'disabled');
 $this->view->assign('readonly', 'readonly');
 } else {
- $this->view->assign('disabled');
- $this->view->assign('readonly');
+ $this->view->assign('disabled', false);
+ $this->view->assign('readonly', false);
 }
 $this->view->assign('showViewCustomPass', $this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW_PASS));
@@ -160,15 +163,18 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 */
 public function editAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::CATEGORY_EDIT)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign('header', __('Editar Categoría'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'category/saveEdit/' . $id);
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CATEGORY_EDIT)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Editar Categoría'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'category/saveEdit/' . $id);
+
+
 $this->setViewData($id);
 $this->eventDispatcher->notifyEvent('show.category.edit', new Event($this));
@@ -190,11 +196,13 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 */
 public function deleteAction($id = null)
 {
- if (!$this->acl->checkUserAccess(Acl::CATEGORY_DELETE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CATEGORY_DELETE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
 if ($id === null) {
 $this->categoryService->deleteByIdBatch($this->getItemsIdFromRequest($this->request));
@@ -233,11 +241,13 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 */
 public function saveCreateAction()
 {
- if (!$this->acl->checkUserAccess(Acl::CATEGORY_CREATE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CATEGORY_CREATE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
 $form = new CategoryForm($this->dic);
 $form->validate(Acl::CATEGORY_CREATE);
@@ -273,11 +283,13 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 */
 public function saveEditAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::CATEGORY_EDIT)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CATEGORY_EDIT)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
 $form = new CategoryForm($this->dic, $id);
 $form->validate(Acl::CATEGORY_EDIT);
@@ -313,14 +325,16 @@ final class CategoryController extends ControllerBase implements CrudControllerI
 */
 public function viewAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::CATEGORY_VIEW)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign('header', __('Ver Categoría'));
- $this->view->assign('isView', true);
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CATEGORY_VIEW)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Ver Categoría'));
+ $this->view->assign('isView', true);
+
 $this->setViewData($id);
 $this->eventDispatcher->notifyEvent('show.category', new Event($this));
diff --git a/app/modules/web/Controllers/ClientController.php b/app/modules/web/Controllers/ClientController.php
index 12b96368..9302cb1e 100644
--- a/app/modules/web/Controllers/ClientController.php
+++ b/app/modules/web/Controllers/ClientController.php
@@ -55,11 +55,17 @@ final class ClientController extends ControllerBase implements CrudControllerInt
 /**
 * Search action
 *
+ * @return bool
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
+ * @throws \SP\Core\Exceptions\SPException
 */
 public function searchAction()
 {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
 if (!$this->acl->checkUserAccess(Acl::CLIENT_SEARCH)) {
 return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
 }
@@ -75,6 +81,8 @@ final class ClientController extends ControllerBase implements CrudControllerInt
 * getSearchGrid
 *
 * @return $this
+ * @throws \DI\DependencyException
+ * @throws \DI\NotFoundException
 * @throws \SP\Core\Exceptions\ConstraintException
 * @throws \SP\Core\Exceptions\QueryException
 */
@@ -92,16 +100,17 @@ final class ClientController extends ControllerBase implements CrudControllerInt
 */
 public function createAction()
 {
- if (!$this->acl->checkUserAccess(Acl::CLIENT_CREATE)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign(__FUNCTION__, 1);
- $this->view->assign('header', __('Nuevo Cliente'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'client/saveCreate');
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CLIENT_CREATE)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Nuevo Cliente'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'client/saveCreate');
+
 $this->setViewData();
 $this->eventDispatcher->notifyEvent('show.client.create', new Event($this));
@@ -132,15 +141,14 @@ final class ClientController extends ControllerBase implements CrudControllerInt
 $this->view->assign('client', $client);
- $this->view->assign('sk', $this->session->generateSecurityKey());
 $this->view->assign('nextAction', Acl::getActionRoute(Acl::ITEMS_MANAGE));
 if ($this->view->isView === true) {
 $this->view->assign('disabled', 'disabled');
 $this->view->assign('readonly', 'readonly');
 } else {
- $this->view->assign('disabled');
- $this->view->assign('readonly');
+ $this->view->assign('disabled', false);
+ $this->view->assign('readonly', false);
 }
 $this->view->assign('showViewCustomPass', $this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW_PASS));
@@ -156,15 +164,17 @@ final class ClientController extends ControllerBase implements CrudControllerInt
 */
 public function editAction($id)
 {
- if (!$this->acl->checkUserAccess(Acl::CLIENT_EDIT)) {
- return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
- }
-
- $this->view->assign('header', __('Editar Cliente'));
- $this->view->assign('isView', false);
- $this->view->assign('route', 'client/saveEdit/' . $id);
-
 try {
+ $this->checkSecurityToken($this->previousSk, $this->request);
+
+ if (!$this->acl->checkUserAccess(Acl::CLIENT_EDIT)) {
+ return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación'));
+ }
+
+ $this->view->assign('header', __('Editar Cliente'));
+ $this->view->assign('isView', false);
+ $this->view->assign('route', 'client/saveEdit/' . $id);
+
 $this->setViewData($id);
 $this->eventDispatcher->notifyEvent('show.client.edit', new Event($this));
@@ -186,11 +196,13 @@ final class ClientController extends ControllerBase implements CrudControllerInt */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::CLIENT_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CLIENT_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->clientService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); @@ -226,11 +238,13 @@ final class ClientController extends ControllerBase implements CrudControllerInt */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::CLIENT_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CLIENT_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new ClientForm($this->dic); $form->validate(Acl::CLIENT_CREATE); @@ -264,11 +278,13 @@ final class ClientController extends ControllerBase implements CrudControllerInt */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::CLIENT_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CLIENT_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new ClientForm($this->dic, $id); $form->validate(Acl::CLIENT_EDIT); 
@@ -300,14 +316,16 @@ final class ClientController extends ControllerBase implements CrudControllerInt */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::CLIENT_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Cliente')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CLIENT_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Cliente')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.client', new Event($this)); diff --git a/app/modules/web/Controllers/ConfigAccountController.php b/app/modules/web/Controllers/ConfigAccountController.php index a42f3c1b..9cb7ddab 100644 --- a/app/modules/web/Controllers/ConfigAccountController.php +++ b/app/modules/web/Controllers/ConfigAccountController.php @@ -43,9 +43,13 @@ final class ConfigAccountController extends SimpleControllerBase /** * saveAction + * + * @throws \SP\Core\Exceptions\SPException */ public function saveAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + $configData = $this->config->getConfigData(); $eventMessage = EventMessage::factory(); diff --git a/app/modules/web/Controllers/ConfigBackupController.php b/app/modules/web/Controllers/ConfigBackupController.php index 522a052c..15d66780 100644 --- a/app/modules/web/Controllers/ConfigBackupController.php +++ b/app/modules/web/Controllers/ConfigBackupController.php 
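Review bot: `ConfigAccountController::saveAction` now documents `@throws SPException` for the token check but performs it outside any try block, so on a token mismatch this `SimpleControllerBase` subclass returns no JSON at all; the general, mail and wiki config controllers in this change follow the same shape while the LDAP controller puts the call inside `try`. If `SimpleControllerBase` or the dispatcher already maps `SPException` to a JSON error that is fine, but it is not visible here, and two conventions for the same check invite drift. Pick one for the config controllers and record it at the top of each `saveAction`, e.g. `// CSRF token is validated before any config is read; SPException is left to the dispatcher`. The method body continues beyond the hunk.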
@@ -46,9 +46,12 @@ final class ConfigBackupController extends SimpleControllerBase /** * @return bool + * @throws \SP\Core\Exceptions\SPException */ public function fileBackupAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if ($this->config->getConfigData()->isDemoEnabled()) { return $this->returnJsonResponse(JsonResponse::JSON_WARNING, __u('Ey, esto es una DEMO!!')); } diff --git a/app/modules/web/Controllers/ConfigEncryptionController.php b/app/modules/web/Controllers/ConfigEncryptionController.php index ea8f7d02..0f51bde8 100644 --- a/app/modules/web/Controllers/ConfigEncryptionController.php +++ b/app/modules/web/Controllers/ConfigEncryptionController.php @@ -50,11 +50,16 @@ final class ConfigEncryptionController extends SimpleControllerBase /** * @return bool + * @throws \DI\DependencyException + * @throws \DI\NotFoundException + * @throws \SP\Core\Exceptions\SPException * @throws \SP\Repositories\NoSuchItemException * @throws \SP\Services\ServiceException */ public function saveAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + $mastePassService = $this->dic->get(MasterPassService::class); $currentMasterPass = $this->request->analyzeEncrypted('current_masterpass'); @@ -147,11 +152,13 @@ final class ConfigEncryptionController extends SimpleControllerBase */ public function refreshAction() { - if ($this->config->getConfigData()->isDemoEnabled()) { - return $this->returnJsonResponse(JsonResponse::JSON_WARNING, __u('Ey, esto es una DEMO!!')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if ($this->config->getConfigData()->isDemoEnabled()) { + return $this->returnJsonResponse(JsonResponse::JSON_WARNING, __u('Ey, esto es una DEMO!!')); + } + $masterPassService = $this->dic->get(MasterPassService::class); $masterPassService->updateConfig(Hash::hashKey(CryptSession::getSessionKey($this->session))); 
@@ -175,6 +182,8 @@ final class ConfigEncryptionController extends SimpleControllerBase public function saveTempAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $temporaryMasterPassService = $this->dic->get(TemporaryMasterPassService::class); $key = $temporaryMasterPassService->create($this->request->analyzeInt('temporary_masterpass_maxtime', 3600)); diff --git a/app/modules/web/Controllers/ConfigGeneralController.php b/app/modules/web/Controllers/ConfigGeneralController.php index f642fc16..df293f6d 100644 --- a/app/modules/web/Controllers/ConfigGeneralController.php +++ b/app/modules/web/Controllers/ConfigGeneralController.php @@ -43,9 +43,13 @@ final class ConfigGeneralController extends SimpleControllerBase /** * saveAction + * + * @throws \SP\Core\Exceptions\SPException */ public function saveAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + $configData = $this->config->getConfigData(); $eventMessage = EventMessage::factory(); diff --git a/app/modules/web/Controllers/ConfigImportController.php b/app/modules/web/Controllers/ConfigImportController.php index 887e4767..1a8be2a7 100644 --- a/app/modules/web/Controllers/ConfigImportController.php +++ b/app/modules/web/Controllers/ConfigImportController.php @@ -49,9 +49,12 @@ final class ConfigImportController extends SimpleControllerBase /** * @throws ContainerExceptionInterface * @throws NotFoundExceptionInterface + * @throws \SP\Core\Exceptions\SPException */ public function importAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if ($this->config->getConfigData()->isDemoEnabled()) { return $this->returnJsonResponse(JsonResponse::JSON_WARNING, __u('Ey, esto es una DEMO!!')); } 
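Review bot: `saveTempAction` passes `analyzeInt('temporary_masterpass_maxtime', 3600)` straight into `TemporaryMasterPassService::create()` with no visible bound on the value and, unlike `refreshAction` just above, no `isDemoEnabled()` guard; the new token check addresses neither. A zero, negative or very large lifetime is accepted here unless `create()` clamps it, which this diff does not show. Consider normalising before the call, `$maxTime = max(1, $this->request->analyzeInt('temporary_masterpass_maxtime', 3600));`, and adding the same demo-mode early return the sibling action uses. The method continues past the hunk.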
@@ -64,7 +67,6 @@ final class ConfigImportController extends SimpleControllerBase $importParams->setCsvDelimiter($this->request->analyzeString('csvDelimiter')); try { - $this->eventDispatcher->notifyEvent('run.import.start', new Event($this)); SessionContext::close(); diff --git a/app/modules/web/Controllers/ConfigLdapController.php b/app/modules/web/Controllers/ConfigLdapController.php index a0ac0389..1ccaf39f 100644 --- a/app/modules/web/Controllers/ConfigLdapController.php +++ b/app/modules/web/Controllers/ConfigLdapController.php @@ -54,6 +54,8 @@ final class ConfigLdapController extends SimpleControllerBase public function saveAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $eventMessage = EventMessage::factory(); $configData = $this->config->getConfigData(); @@ -98,7 +100,7 @@ final class ConfigLdapController extends SimpleControllerBase return $this->saveConfig($configData, $this->config, function () use ($eventMessage) { $this->eventDispatcher->notifyEvent('save.config.ldap', new Event($this, $eventMessage)); }); - } catch (ValidationException $e) { + } catch (\Exception $e) { return $this->returnJsonResponseException($e); } } @@ -132,6 +134,8 @@ final class ConfigLdapController extends SimpleControllerBase public function checkAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $ldapParams = $this->getLdapParamsFromRequest(); // Valores para la configuración de LDAP @@ -168,6 +172,8 @@ final class ConfigLdapController extends SimpleControllerBase public function checkImportAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $ldapParams = $this->getLdapParamsFromRequest(); // Valores para la configuración de LDAP 
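Review bot: Widening `catch (ValidationException $e)` to `catch (\Exception $e)` in `ConfigLdapController::saveAction` routes every failure — LDAP bind errors, DI failures, anything thrown under `saveConfig()` — through `returnJsonResponseException($e)`; if that helper echoes `$e->getMessage()` (not shown in this diff), internal detail now reaches the browser where previously only validation text did. The widening is presumably there because `checkSecurityToken()` now throws `SPException` inside the same `try`; catching that type explicitly keeps the response narrow: `} catch (\SP\Core\Exceptions\SPException $e) { return $this->returnJsonResponseException($e); }` (adding `ValidationException` to the list if it is not an `SPException`), and let anything else reach a generic handler after logging. `saveAction` starts outside this hunk.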
@@ -214,6 +220,8 @@ final class ConfigLdapController extends SimpleControllerBase public function importAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + if ($this->configData->isDemoEnabled()) { return $this->returnJsonResponse(JsonResponse::JSON_WARNING, __u('Ey, esto es una DEMO!!')); } diff --git a/app/modules/web/Controllers/ConfigMailController.php b/app/modules/web/Controllers/ConfigMailController.php index 9a5ff0a1..67bcf254 100644 --- a/app/modules/web/Controllers/ConfigMailController.php +++ b/app/modules/web/Controllers/ConfigMailController.php @@ -45,9 +45,13 @@ final class ConfigMailController extends SimpleControllerBase /** * saveAction + * + * @throws \SP\Core\Exceptions\SPException */ public function saveAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + $eventMessage = EventMessage::factory(); $configData = $this->config->getConfigData(); @@ -109,9 +113,13 @@ final class ConfigMailController extends SimpleControllerBase /** * checkAction + * + * @throws \SP\Core\Exceptions\SPException */ public function checkAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + $mailParams = new MailParams(); $mailParams->server = $this->request->analyzeString('mail_server'); $mailParams->port = $this->request->analyzeInt('mail_port', 25); diff --git a/app/modules/web/Controllers/ConfigWikiController.php b/app/modules/web/Controllers/ConfigWikiController.php index d1916a57..128b1379 100644 --- a/app/modules/web/Controllers/ConfigWikiController.php +++ b/app/modules/web/Controllers/ConfigWikiController.php @@ -42,9 +42,13 @@ final class ConfigWikiController extends SimpleControllerBase /** * saveAction + * + * @throws \SP\Core\Exceptions\SPException */ public function saveAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + $eventMessage = EventMessage::factory(); $configData = $this->config->getConfigData(); 
diff --git a/app/modules/web/Controllers/ControllerBase.php b/app/modules/web/Controllers/ControllerBase.php index dad66d74..f5254e2f 100644 --- a/app/modules/web/Controllers/ControllerBase.php +++ b/app/modules/web/Controllers/ControllerBase.php @@ -73,9 +73,13 @@ abstract class ControllerBase */ protected $dic; /** - * @var + * @var bool */ protected $isAjax = false; + /** + * @var string + */ + protected $previousSk; /** * Constructor @@ -98,6 +102,7 @@ abstract class ControllerBase $this->view->setBase(strtolower($this->controllerName)); $this->isAjax = $this->request->isAjax(); + $this->previousSk = $this->session->getSecurityKey(); if ($this->session->isLoggedIn()) { $this->userData = clone $this->session->getUserData(); @@ -116,7 +121,7 @@ abstract class ControllerBase */ private function setViewVars() { - $this->view->assign('timeStart', $this->router->request()->server()->get('REQUEST_TIME_FLOAT')); + $this->view->assign('timeStart', $this->request->getServer('REQUEST_TIME_FLOAT')); $this->view->assign('queryTimeStart', microtime()); $this->view->assign('ctx_userId', $this->userData->getId()); $this->view->assign('ctx_userGroupId', $this->userData->getUserGroupId()); @@ -126,9 +131,10 @@ abstract class ControllerBase $this->view->assign('isDemo', $this->configData->isDemoEnabled()); $this->view->assign('icons', $this->theme->getIcons()); $this->view->assign('configData', $this->configData); + $this->view->assign('sk', $this->session->isLoggedIn() ? $this->session->generateSecurityKey() : ''); // Pass the action name to the template as a variable - $this->view->assign($this->actionName); + $this->view->assign($this->actionName, true); } /** diff --git a/app/modules/web/Controllers/CustomFieldController.php b/app/modules/web/Controllers/CustomFieldController.php index d0deb210..1b3884e9 100644 --- a/app/modules/web/Controllers/CustomFieldController.php +++ b/app/modules/web/Controllers/CustomFieldController.php 
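Review bot: `setViewVars()` now issues a fresh key on every request in which it runs (`'sk' => ... generateSecurityKey()`), while `previousSk` is read from the session earlier in construction, so a token embedded in one response is presumably valid only for the single next request. Two requests fired from the same page with the same `sk` (a grid refresh racing a dialog open, or two tabs) would leave the later one with a stale `previousSk` unless `generateSecurityKey()` retains a window of earlier keys, which is not visible here; a per-session key, or a small set of recent keys, avoids that without weakening the CSRF property. Whichever is intended, record it on the new property: `/** @var string Security key held in the session when this request began; request tokens are validated against it before a new key is issued for the response. */`. Also confirm that `checkSecurityToken()` compares with `hash_equals()` and treats a null or empty `previousSk` as a failure, since anonymous requests now receive `''` as their view token.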
@@ -56,11 +56,17 @@ final class CustomFieldController extends ControllerBase implements CrudControll /** * Search action * + * @return bool + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } @@ -76,6 +82,8 @@ final class CustomFieldController extends ControllerBase implements CrudControll * getSearchGrid * * @return $this + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException */ @@ -93,16 +101,17 @@ final class CustomFieldController extends ControllerBase implements CrudControll */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nuevo Campo')); - $this->view->assign('isView', false); - $this->view->assign('route', 'customField/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nuevo Campo')); + $this->view->assign('isView', false); + $this->view->assign('route', 'customField/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.customField.create', new Event($this)); 
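Review bot: `CustomFieldController::searchAction` calls `checkSecurityToken($this->previousSk, $this->request)` outside any try block visible in the hunk, while `createAction` below wraps it in `try` so the resulting `SPException` becomes a JSON error. Unless the dispatcher converts an uncaught `SPException` to JSON (not visible here), a stale token on the search grid yields an unstructured error. Either wrap it like the other actions or note the reliance inline: `// CSRF check; SPException is handled by the front controller`. `searchAction` continues past the hunk.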
@@ -134,15 +143,14 @@ final class CustomFieldController extends ControllerBase implements CrudControll $this->view->assign('types', SelectItemAdapter::factory(CustomFieldTypeService::getItemsBasic())->getItemsFromModelSelected([$customField->getTypeId()])); $this->view->assign('modules', SelectItemAdapter::factory(CustomFieldDefService::getFieldModules())->getItemsFromArraySelected([$customField->getModuleId()])); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ITEMS_MANAGE)); if ($this->view->isView === true) { $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } } @@ -155,15 +163,17 @@ final class CustomFieldController extends ControllerBase implements CrudControll */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Editar Campo')); - $this->view->assign('isView', false); - $this->view->assign('route', 'customField/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Campo')); + $this->view->assign('isView', false); + $this->view->assign('route', 'customField/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.customField.edit', new Event($this)); 
@@ -185,11 +195,13 @@ final class CustomFieldController extends ControllerBase implements CrudControll */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->customFieldService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); @@ -217,11 +229,13 @@ final class CustomFieldController extends ControllerBase implements CrudControll */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new CustomFieldDefForm($this->dic); $form->validate(Acl::CUSTOMFIELD_CREATE); 
@@ -254,11 +268,13 @@ final class CustomFieldController extends ControllerBase implements CrudControll */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new CustomFieldDefForm($this->dic, $id); $form->validate(Acl::CUSTOMFIELD_EDIT); @@ -291,14 +307,16 @@ final class CustomFieldController extends ControllerBase implements CrudControll */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Campo')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Campo')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.customField', new Event($this)); diff --git a/app/modules/web/Controllers/EventlogController.php b/app/modules/web/Controllers/EventlogController.php index 2d604808..468118cd 100644 --- a/app/modules/web/Controllers/EventlogController.php +++ b/app/modules/web/Controllers/EventlogController.php 
@@ -54,9 +54,12 @@ final class EventlogController extends ControllerBase * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function indexAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::EVENTLOG)) { return; } @@ -94,9 +97,12 @@ final class EventlogController extends ControllerBase * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::EVENTLOG_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } @@ -113,6 +119,8 @@ final class EventlogController extends ControllerBase public function clearAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->eventLogService->clear(); $this->eventDispatcher->notifyEvent('clear.eventlog', diff --git a/app/modules/web/Controllers/Helpers/Account/AccountActionsHelper.php b/app/modules/web/Controllers/Helpers/Account/AccountActionsHelper.php index 7b25a074..99b4dcec 100644 --- a/app/modules/web/Controllers/Helpers/Account/AccountActionsHelper.php +++ b/app/modules/web/Controllers/Helpers/Account/AccountActionsHelper.php @@ -523,7 +523,7 @@ final class AccountActionsHelper extends HelperBase */ protected function initialize() { - $this->sk = $this->context->generateSecurityKey(); + $this->sk = $this->view->get('sk'); $this->icons = $this->view->getTheme()->getIcons(); } } \ No newline at end of file diff --git a/app/modules/web/Controllers/Helpers/Account/AccountHelper.php b/app/modules/web/Controllers/Helpers/Account/AccountHelper.php index 6d066c12..37f37b51 100644 
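Review bot: `clearAction` wipes the event log but, unlike `indexAction` and `searchAction` in this file, shows no `checkUserAccess()` guard before `$this->eventLogService->clear()`; the new token check only proves the request came from the application's own page, not that the user may clear the log. If the ACL is enforced upstream (not visible in this diff) a comment saying so would help; otherwise add `if (!$this->acl->checkUserAccess(Acl::EVENTLOG)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); }` right after the token check, using whichever `Acl::` action governs clearing. The method body continues past the hunk.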
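Review bot: `AccountActionsHelper::initialize()` now takes the token from `$this->view->get('sk')`, which is only populated if `ControllerBase::setViewVars()` ran on the same view instance for a logged-in user (it assigns `''` otherwise); reached any other way, every action URL the helper builds carries an empty token and the next `checkSecurityToken()` fails. The coupling looks deliberate — generating a new key here would presumably desynchronise the `previousSk` the controller already captured — so make it explicit: `// Reuse the per-request token assigned by ControllerBase::setViewVars(); regenerating it here would invalidate previousSk.`. Consider failing loudly when the value is empty rather than emitting unsigned links.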
--- a/app/modules/web/Controllers/Helpers/Account/AccountHelper.php +++ b/app/modules/web/Controllers/Helpers/Account/AccountHelper.php @@ -156,9 +156,12 @@ final class AccountHelper extends HelperBase $this->view->assign('users', $selectUsers->getItemsFromModelSelected([$accountData->getUserId()])); $this->view->assign('userGroups', $selectUserGroups->getItemsFromModelSelected([$accountData->getUserGroupId()])); - $this->view->assign('tags', $selectTags->getItemsFromModelSelected(SelectItemAdapter::getIdFromArrayOfObjects($accountDetailsResponse->getTags()))); + $this->view->assign('tags', + $selectTags->getItemsFromModelSelected(SelectItemAdapter::getIdFromArrayOfObjects($accountDetailsResponse->getTags()))); - $this->view->assign('historyData', $this->accountHistoryService->getHistoryForAccount($this->accountId)); + $this->view->assign('historyData', SelectItemAdapter::factory( + $this->accountHistoryService->getHistoryForAccount($this->accountId)) + ->getItemsFromArray()); $this->view->assign('isModified', strtotime($accountData->getDateEdit()) !== false); $this->view->assign('maxFileSize', round($this->configData->getFilesAllowedSize() / 1024, 1)); 
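Review bot: `historyData` changes type here from the raw result of `getHistoryForAccount()` to the list produced by `SelectItemAdapter::factory(...)->getItemsFromArray()`, but the account templates that iterate it are not part of this diff, so confirm they were switched to the `SelectItem` accessors. The same conversion appears in `AccountHistoryHelper`, where the current revision is passed through `getItemsFromArraySelected([$this->accountHistoryId])`, and a one-line note on this assignment would spare the next reader a trip into the adapter: `// historyData is a list of SelectItem (value/label), not AccountHistory rows`. The enclosing method continues beyond the hunk.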
@@ -185,11 +188,19 @@ final class AccountHelper extends HelperBase $userData = $this->context->getUserData(); $userProfileData = $this->context->getUserProfile(); - $this->view->assign('allowPrivate', ($userProfileData->isAccPrivate() && $accountData->getUserId() === $userData->getId()) || $userData->getIsAdminApp()); - $this->view->assign('allowPrivateGroup', ($userProfileData->isAccPrivateGroup() && $accountData->getUserGroupId() === $userData->getUserGroupId()) || $userData->getIsAdminApp()); + $this->view->assign('allowPrivate', + ($userProfileData->isAccPrivate() + && $accountData->getUserId() === $userData->getId()) + || $userData->getIsAdminApp()); + + $this->view->assign('allowPrivateGroup', + ($userProfileData->isAccPrivateGroup() + && $accountData->getUserGroupId() === $userData->getUserGroupId()) + || $userData->getIsAdminApp()); $this->view->assign('accountPassDate', date('Y-m-d H:i:s', $accountData->getPassDate())); - $this->view->assign('accountPassDateChange', $accountData->getPassDateChange() > 0 ? gmdate('Y-m-d', $accountData->getPassDateChange()) : 0); + $this->view->assign('accountPassDateChange', + $accountData->getPassDateChange() > 0 ? gmdate('Y-m-d', $accountData->getPassDateChange()) : 0); $this->view->assign('linkedAccounts', $this->accountService->getLinked($this->accountId)); $this->view->assign('accountId', $accountData->getId()); @@ -239,7 +250,8 @@ final class AccountHelper extends HelperBase */ protected function checkAccess(AccountDetailsResponse $accountDetailsResponse) { - $accountAcl = $this->dic->get(AccountAclService::class)->getAcl($this->actionId, AccountAclDto::makeFromAccount($accountDetailsResponse)); + $accountAcl = $this->dic->get(AccountAclService::class) + ->getAcl($this->actionId, AccountAclDto::makeFromAccount($accountDetailsResponse)); if ($accountAcl === null || $accountAcl->checkAccountAccess($this->actionId) === false) { throw new AccountPermissionException(AccountPermissionException::INFO); 
@@ -259,27 +271,36 @@ final class AccountHelper extends HelperBase */ protected function setViewCommon() { - $this->view->assign('actionId', $this->actionId); $this->view->assign('isView', $this->isView); $this->view->assign('accountIsHistory', false); $this->view->assign('customFields', $this->getCustomFieldsForItem(ActionsInterface::ACCOUNT, $this->accountId)); - $this->view->assign('categories', SelectItemAdapter::factory($this->dic->get(CategoryService::class)->getAllBasic())->getItemsFromModel()); - $this->view->assign('clients', SelectItemAdapter::factory($this->dic->get(ClientService::class)->getAllForUser())->getItemsFromModel()); + + $this->view->assign('categories', + SelectItemAdapter::factory($this->dic->get(CategoryService::class) + ->getAllBasic())->getItemsFromModel()); + + $this->view->assign('clients', + SelectItemAdapter::factory($this->dic->get(ClientService::class) + ->getAllForUser())->getItemsFromModel()); $this->view->assign('mailRequestEnabled', $this->configData->isMailRequestsEnabled()); $this->view->assign('passToImageEnabled', $this->configData->isAccountPassToImage()); $this->view->assign('otherAccounts', $this->accountService->getForUser($this->accountId)); - $this->view->assign('addClientEnabled', !$this->isView && $this->acl->checkUserAccess(ActionsInterface::CLIENT)); + $this->view->assign('addClientEnabled', + !$this->isView && $this->acl->checkUserAccess(ActionsInterface::CLIENT)); $this->view->assign('addClientRoute', Acl::getActionRoute(ActionsInterface::CLIENT_CREATE)); - $this->view->assign('addCategoryEnabled', !$this->isView && $this->acl->checkUserAccess(ActionsInterface::CATEGORY)); + $this->view->assign('addCategoryEnabled', + !$this->isView && $this->acl->checkUserAccess(ActionsInterface::CATEGORY)); + $this->view->assign('addCategoryRoute', Acl::getActionRoute(ActionsInterface::CATEGORY_CREATE)); - $this->view->assign('addTagEnabled', !$this->isView && $this->acl->checkUserAccess(ActionsInterface::TAG)); + 
$this->view->assign('addTagEnabled', + !$this->isView && $this->acl->checkUserAccess(ActionsInterface::TAG)); $this->view->assign('addTagRoute', Acl::getActionRoute(ActionsInterface::TAG_CREATE)); $this->view->assign('fileListRoute', Acl::getActionRoute(ActionsInterface::ACCOUNT_FILE_LIST)); @@ -367,7 +388,9 @@ final class AccountHelper extends HelperBase $this->view->assign('accountId', 0); $this->view->assign('gotData', false); - $this->view->assign('accountActions', $this->dic->get(AccountActionsHelper::class)->getActionsForAccount($this->accountAcl, new AccountActionsDto($this->accountId))); + $this->view->assign('accountActions', + $this->dic->get(AccountActionsHelper::class) + ->getActionsForAccount($this->accountAcl, new AccountActionsDto($this->accountId))); $this->setViewCommon(); } @@ -399,7 +422,9 @@ final class AccountHelper extends HelperBase $this->view->assign('accountId', $accountData->getId()); $this->view->assign('accountData', $accountDetailsResponse->getAccountVData()); - $this->view->assign('accountActions', $this->dic->get(AccountActionsHelper::class)->getActionsForAccount($this->accountAcl, new AccountActionsDto($this->accountId, null, $accountData->getParentId()))); + $this->view->assign('accountActions', + $this->dic->get(AccountActionsHelper::class) + ->getActionsForAccount($this->accountAcl, new AccountActionsDto($this->accountId, null, $accountData->getParentId()))); return true; } @@ -424,9 +449,8 @@ final class AccountHelper extends HelperBase $this->publicLinkService = $this->dic->get(PublicLinkService::class); $this->itemPresetService = $this->dic->get(ItemPresetService::class); - $this->view->assign('changesHash'); - $this->view->assign('chkUserEdit'); - $this->view->assign('chkGroupEdit'); - $this->view->assign('sk', $this->context->generateSecurityKey()); + $this->view->assign('changesHash', ''); + $this->view->assign('chkUserEdit', false); + $this->view->assign('chkGroupEdit', false); } } \ No newline at end of file 
diff --git a/app/modules/web/Controllers/Helpers/Account/AccountHistoryHelper.php b/app/modules/web/Controllers/Helpers/Account/AccountHistoryHelper.php index 2ab5e536..048de2bf 100644 --- a/app/modules/web/Controllers/Helpers/Account/AccountHistoryHelper.php +++ b/app/modules/web/Controllers/Helpers/Account/AccountHistoryHelper.php @@ -79,6 +79,8 @@ final class AccountHistoryHelper extends HelperBase * @throws AccountPermissionException * @throws UnauthorizedPageException * @throws UpdatedMasterPassException + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException * @throws \SP\Repositories\NoSuchItemException 
@@ -99,23 +101,36 @@ final class AccountHistoryHelper extends HelperBase $this->view->assign('accountAcl', $this->accountAcl); $this->view->assign('actionId', $this->actionId); $this->view->assign('accountId', $this->accountId); - $this->view->assign('accountHistoryId', $this->accountHistoryId); - $this->view->assign('historyData', $this->accountHistoryService->getHistoryForAccount($this->accountId)); + + $this->view->assign('historyData', + SelectItemAdapter::factory($this->accountHistoryService->getHistoryForAccount($this->accountId)) + ->getItemsFromArraySelected([$this->accountHistoryId])); + $this->view->assign('accountPassDate', date('Y-m-d H:i:s', $accountHistoryData->getPassDate())); $this->view->assign('accountPassDateChange', date('Y-m-d', $accountHistoryData->getPassDateChange() ?: 0)); - $this->view->assign('categories', SelectItemAdapter::factory(CategoryService::getItemsBasic())->getItemsFromModelSelected([$accountHistoryData->getCategoryId()])); - $this->view->assign('clients', SelectItemAdapter::factory(ClientService::getItemsBasic())->getItemsFromModelSelected([$accountHistoryData->getClientId()])); + $this->view->assign('categories', + SelectItemAdapter::factory(CategoryService::getItemsBasic()) + ->getItemsFromModelSelected([$accountHistoryData->getCategoryId()])); + $this->view->assign('clients', + SelectItemAdapter::factory(ClientService::getItemsBasic()) + ->getItemsFromModelSelected([$accountHistoryData->getClientId()])); $this->view->assign('isModified', strtotime($accountHistoryData->getDateEdit()) !== false); $accountActionsHelper = $this->dic->get(AccountActionsHelper::class); - $this->view->assign('accountActions', $accountActionsHelper->getActionsForAccount($this->accountAcl, new AccountActionsDto($this->accountId, $this->accountHistoryId, 0))); - $this->view->assign('accountActionsMenu', $accountActionsHelper->getActionsGrouppedForAccount($this->accountAcl, new AccountActionsDto($this->accountId, $this->accountHistoryId, 0))); + 
$accountActionsDto = new AccountActionsDto($this->accountId, $this->accountHistoryId, 0); + + $this->view->assign('accountActions', + $accountActionsHelper->getActionsForAccount($this->accountAcl, $accountActionsDto)); + $this->view->assign('accountActionsMenu', + $accountActionsHelper->getActionsGrouppedForAccount($this->accountAcl, $accountActionsDto)); } /** * @throws UnauthorizedPageException * @throws UpdatedMasterPassException + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Repositories\NoSuchItemException * @throws \SP\Services\ServiceException */ @@ -125,7 +140,9 @@ final class AccountHistoryHelper extends HelperBase throw new UnauthorizedPageException(UnauthorizedPageException::INFO); } - if (!$this->dic->get(MasterPassService::class)->checkUserUpdateMPass($this->context->getUserData()->getLastUpdateMPass())) { + if (!$this->dic->get(MasterPassService::class) + ->checkUserUpdateMPass($this->context->getUserData()->getLastUpdateMPass()) + ) { throw new UpdatedMasterPassException(UpdatedMasterPassException::INFO); } } @@ -136,6 +153,8 @@ final class AccountHistoryHelper extends HelperBase * @param AccountHistoryData $accountHistoryData * * @throws AccountPermissionException + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException */ 
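Review bot: The `accountHistoryId` view variable is dropped (`- $this->view->assign('accountHistoryId', ...)`) and the selected revision is now conveyed only through `historyData`'s selected item and the shared `AccountActionsDto`; any template or script that still reads `$accountHistoryId` will see an undefined variable, and the templates are not in this diff. If the removal is intentional, say so next to the `historyData` assignment: `// the current revision is marked as the selected SelectItem; templates must not rely on accountHistoryId`. The surrounding method starts outside the hunk.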
@@ -147,9 +166,12 @@ final class AccountHistoryHelper extends HelperBase $this->accountHistoryService->getUserGroupsByAccountId($this->accountId) ); - $this->accountAcl = $this->dic->get(AccountAclService::class)->getAcl($this->actionId, $acccountAclDto, true); + $this->accountAcl = $this->dic->get(AccountAclService::class) + ->getAcl($this->actionId, $acccountAclDto, true); - if ($this->accountAcl === null || $this->accountAcl->checkAccountAccess($this->actionId) === false) { + if ($this->accountAcl === null + || $this->accountAcl->checkAccountAccess($this->actionId) === false + ) { throw new AccountPermissionException(SPException::INFO); } } @@ -164,7 +186,5 @@ final class AccountHistoryHelper extends HelperBase { $this->acl = $this->dic->get(Acl::class); $this->accountHistoryService = $this->dic->get(AccountHistoryService::class);; - - $this->view->assign('sk', $this->context->generateSecurityKey()); } } \ No newline at end of file diff --git a/app/modules/web/Controllers/Helpers/Account/AccountPasswordHelper.php b/app/modules/web/Controllers/Helpers/Account/AccountPasswordHelper.php index 5bdd7791..6d986d8e 100644 --- a/app/modules/web/Controllers/Helpers/Account/AccountPasswordHelper.php +++ b/app/modules/web/Controllers/Helpers/Account/AccountPasswordHelper.php @@ -53,10 +53,12 @@ final class AccountPasswordHelper extends HelperBase * * @return array * @throws HelperException + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \Defuse\Crypto\Exception\CryptoException + * @throws \SP\Core\Exceptions\FileNotFoundException * @throws \SP\Repositories\NoSuchItemException * @throws \SP\Services\ServiceException - * @throws \SP\Core\Exceptions\FileNotFoundException */ public function getPasswordView(AccountPassData $accountData, bool $useImage) { 
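Review bot: `initialize()` no longer assigns `sk` to the view, so AccountHistoryHelper now depends on the caller (apparently LayoutHelper's new `$this->view->get('sk') ?: ...` line) having populated it before the helper renders; if the helper is used from an action that does not run the layout, the template would render an empty token and follow-up requests would likely fail `checkSecurityToken`. The same removal appears in `AccountPasswordHelper::getPasswordView`, `AccountSearchHelper::initialize` (`$this->sk = $this->view->get('sk');`), `TabsGridHelper`, `TabsHelper`, and the `setViewData` methods of `ItemPresetController` and `NotificationController`. A one-line comment at each site, e.g. `// 'sk' is expected to be set on the view by the controller/LayoutHelper before rendering`, would document the new contract. Unrelated but visible in the context line: `$this->accountHistoryService = $this->dic->get(AccountHistoryService::class);;` carries a doubled semicolon.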
@@ -79,8 +81,6 @@ final class AccountPasswordHelper extends HelperBase $this->view->assign('pass', htmlentities($pass)); } - $this->view->assign('sk', $this->context->generateSecurityKey()); - return [ 'useimage' => $useImage, 'html' => $this->view->render() @@ -104,6 +104,8 @@ final class AccountPasswordHelper extends HelperBase * * @return string * @throws HelperException + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \Defuse\Crypto\Exception\CryptoException * @throws \SP\Repositories\NoSuchItemException * @throws \SP\Services\ServiceException @@ -119,6 +121,10 @@ final class AccountPasswordHelper extends HelperBase return trim(Crypt::decrypt($accountData->getPass(), $accountData->getKey(), CryptSession::getSessionKey($this->context))); } + /** + * @throws \DI\DependencyException + * @throws \DI\NotFoundException + */ protected function initialize() { $this->acl = $this->dic->get(Acl::class); diff --git a/app/modules/web/Controllers/Helpers/Account/AccountSearchHelper.php b/app/modules/web/Controllers/Helpers/Account/AccountSearchHelper.php index 6e8b52ce..efd84a46 100644 --- a/app/modules/web/Controllers/Helpers/Account/AccountSearchHelper.php +++ b/app/modules/web/Controllers/Helpers/Account/AccountSearchHelper.php 
@@ -148,16 +148,16 @@ final class AccountSearchHelper extends HelperBase $accountSearchService = $this->dic->get(AccountSearchService::class); - $Grid = $this->getGrid(); - $Grid->getData()->setData($accountSearchService->processSearchResults($this->accountSearchFilter)); - $Grid->updatePager(); - $Grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); + $dataGrid = $this->getGrid(); + $dataGrid->getData()->setData($accountSearchService->processSearchResults($this->accountSearchFilter)); + $dataGrid->updatePager(); + $dataGrid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); // Establecer el filtro de búsqueda en la sesión como un objeto $this->context->setSearchFilters($this->accountSearchFilter); - $this->view->assign('data', $Grid); + $this->view->assign('data', $dataGrid); } /** 
@@ -200,23 +200,23 @@ final class AccountSearchHelper extends HelperBase $actions = $this->dic->get(AccountActionsHelper::class); - $grid = new DataGrid($this->view->getTheme()); - $grid->setId('gridSearch'); - $grid->setDataHeaderTemplate('search-header', $this->view->getBase()); - $grid->setDataRowTemplate('search-rows', $this->view->getBase()); - $grid->setDataPagerTemplate('datagrid-nav-full', 'grid'); - $grid->setHeader($this->getHeaderSort()); - $grid->addDataAction($actions->getViewAction()); - $grid->addDataAction($actions->getViewPassAction()); - $grid->addDataAction($actions->getCopyPassAction()); - $grid->addDataAction($actions->getEditAction(), !$showOptionalActions); - $grid->addDataAction($actions->getCopyAction(), !$showOptionalActions); - $grid->addDataAction($actions->getDeleteAction(), !$showOptionalActions); - $grid->addDataAction($actions->getRequestAction()); - $grid->setPager($gridPager); - $grid->setData(new DataGridData()); + $dataGrid = new DataGrid($this->view->getTheme()); + $dataGrid->setId('gridSearch'); + $dataGrid->setDataHeaderTemplate('search-header', $this->view->getBase()); + $dataGrid->setDataRowTemplate('search-rows', $this->view->getBase()); + $dataGrid->setDataPagerTemplate('datagrid-nav-full', 'grid'); + $dataGrid->setHeader($this->getHeaderSort()); + $dataGrid->addDataAction($actions->getViewAction()); + $dataGrid->addDataAction($actions->getViewPassAction()); + $dataGrid->addDataAction($actions->getCopyPassAction()); + $dataGrid->addDataAction($actions->getEditAction(), !$showOptionalActions); + $dataGrid->addDataAction($actions->getCopyAction(), !$showOptionalActions); + $dataGrid->addDataAction($actions->getDeleteAction(), !$showOptionalActions); + $dataGrid->addDataAction($actions->getRequestAction()); + $dataGrid->setPager($gridPager); + $dataGrid->setData(new DataGridData()); - return $grid; + return $dataGrid; } /** 
@@ -275,14 +275,11 @@ final class AccountSearchHelper extends HelperBase /** * Initialize - * - * @throws \Psr\Container\ContainerExceptionInterface */ protected function initialize() { $this->queryTimeStart = microtime(true); - $this->sk = $this->context->generateSecurityKey(); - $this->view->assign('sk', $this->sk); + $this->sk = $this->view->get('sk'); $this->setVars(); } diff --git a/app/modules/web/Controllers/Helpers/Grid/AccountGrid.php b/app/modules/web/Controllers/Helpers/Grid/AccountGrid.php index 87dfa7f5..163f5eef 100644 --- a/app/modules/web/Controllers/Helpers/Grid/AccountGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/AccountGrid.php @@ -69,11 +69,16 @@ final class AccountGrid extends GridBase $grid->addDataAction($this->getViewAction()); $grid->addDataAction($this->getDeleteAction()); - $grid->addDataAction($this->getBulkEditAction(), true); + $grid->addDataAction( + $this->getBulkEditAction() + ->setIsSelection(true), + true); + $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/AccountHistoryGrid.php b/app/modules/web/Controllers/Helpers/Grid/AccountHistoryGrid.php index 5f26f880..f392f40b 100644 --- a/app/modules/web/Controllers/Helpers/Grid/AccountHistoryGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/AccountHistoryGrid.php @@ -68,7 +68,8 @@ final class AccountHistoryGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); 
diff --git a/app/modules/web/Controllers/Helpers/Grid/AuthTokenGrid.php b/app/modules/web/Controllers/Helpers/Grid/AuthTokenGrid.php index 1c503d00..76a83dd3 100644 --- a/app/modules/web/Controllers/Helpers/Grid/AuthTokenGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/AuthTokenGrid.php @@ -71,7 +71,8 @@ final class AuthTokenGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/CategoryGrid.php b/app/modules/web/Controllers/Helpers/Grid/CategoryGrid.php index 65faf865..68e897ac 100644 --- a/app/modules/web/Controllers/Helpers/Grid/CategoryGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/CategoryGrid.php @@ -70,7 +70,8 @@ final class CategoryGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/ClientGrid.php b/app/modules/web/Controllers/Helpers/Grid/ClientGrid.php index a3c72ae9..c9b7cacf 100644 --- a/app/modules/web/Controllers/Helpers/Grid/ClientGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/ClientGrid.php @@ -69,7 +69,8 @@ final class ClientGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); 
diff --git a/app/modules/web/Controllers/Helpers/Grid/CustomFieldGrid.php b/app/modules/web/Controllers/Helpers/Grid/CustomFieldGrid.php index d000dbd6..90570b69 100644 --- a/app/modules/web/Controllers/Helpers/Grid/CustomFieldGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/CustomFieldGrid.php @@ -70,7 +70,8 @@ final class CustomFieldGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); diff --git a/app/modules/web/Controllers/Helpers/Grid/FileGrid.php b/app/modules/web/Controllers/Helpers/Grid/FileGrid.php index 907fe441..f81166aa 100644 --- a/app/modules/web/Controllers/Helpers/Grid/FileGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/FileGrid.php @@ -69,7 +69,8 @@ final class FileGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); diff --git a/app/modules/web/Controllers/Helpers/Grid/ItemPresetGrid.php b/app/modules/web/Controllers/Helpers/Grid/ItemPresetGrid.php index 1ca33017..120b92b5 100644 --- a/app/modules/web/Controllers/Helpers/Grid/ItemPresetGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/ItemPresetGrid.php 
@@ -70,9 +70,12 @@ final class ItemPresetGrid extends GridBase $grid->addDataAction($this->getCreateAccountPasswordAction(), true); $grid->addDataAction($this->getEditAction()); $grid->addDataAction($this->getDeleteAction()); - $grid->addDataAction($this->getDeleteAction() - ->setTitle(__('Eliminar Seleccionados')) - ->setName(__('Eliminar Seleccionados')), true); + $grid->addDataAction( + $this->getDeleteAction() + ->setTitle(__('Eliminar Seleccionados')) + ->setName(__('Eliminar Seleccionados')) + ->setIsSelection(true), + true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/NotificationGrid.php b/app/modules/web/Controllers/Helpers/Grid/NotificationGrid.php index 0fd424f5..b951264f 100644 --- a/app/modules/web/Controllers/Helpers/Grid/NotificationGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/NotificationGrid.php @@ -84,7 +84,8 @@ final class NotificationGrid extends GridBase $this->setNonAdminFilter( $this->getDeleteAction() ->setTitle(__('Eliminar Seleccionados')) - ->setName(__('Eliminar Seleccionados'))), + ->setName(__('Eliminar Seleccionados')) + ->setIsSelection(true)), true); diff --git a/app/modules/web/Controllers/Helpers/Grid/PublicLinkGrid.php b/app/modules/web/Controllers/Helpers/Grid/PublicLinkGrid.php index baf11484..71847224 100644 --- a/app/modules/web/Controllers/Helpers/Grid/PublicLinkGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/PublicLinkGrid.php @@ -71,7 +71,8 @@ final class PublicLinkGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); diff --git a/app/modules/web/Controllers/Helpers/Grid/TagGrid.php b/app/modules/web/Controllers/Helpers/Grid/TagGrid.php index 3ef2e8e9..7bd1ae66 100644 --- a/app/modules/web/Controllers/Helpers/Grid/TagGrid.php 
+++ b/app/modules/web/Controllers/Helpers/Grid/TagGrid.php @@ -70,7 +70,8 @@ final class TagGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/UserGrid.php b/app/modules/web/Controllers/Helpers/Grid/UserGrid.php index aa0e03e6..ec0c8b94 100644 --- a/app/modules/web/Controllers/Helpers/Grid/UserGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/UserGrid.php @@ -80,7 +80,8 @@ final class UserGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/UserGroupGrid.php b/app/modules/web/Controllers/Helpers/Grid/UserGroupGrid.php index 615f346f..06001a08 100644 --- a/app/modules/web/Controllers/Helpers/Grid/UserGroupGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/UserGroupGrid.php @@ -71,7 +71,8 @@ final class UserGroupGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/Grid/UserProfileGrid.php b/app/modules/web/Controllers/Helpers/Grid/UserProfileGrid.php index 71be7d31..2ad63903 100644 --- a/app/modules/web/Controllers/Helpers/Grid/UserProfileGrid.php +++ b/app/modules/web/Controllers/Helpers/Grid/UserProfileGrid.php 
@@ -71,7 +71,8 @@ final class UserProfileGrid extends GridBase $grid->addDataAction( $this->getDeleteAction() ->setName(__('Eliminar Seleccionados')) - ->setTitle(__('Eliminar Seleccionados')), + ->setTitle(__('Eliminar Seleccionados')) + ->setIsSelection(true), true); $grid->setTime(round(getElapsedTime($this->queryTimeStart), 5)); diff --git a/app/modules/web/Controllers/Helpers/LayoutHelper.php b/app/modules/web/Controllers/Helpers/LayoutHelper.php index e377e3ca..46810345 100644 --- a/app/modules/web/Controllers/Helpers/LayoutHelper.php +++ b/app/modules/web/Controllers/Helpers/LayoutHelper.php @@ -66,7 +66,7 @@ final class LayoutHelper extends HelperBase public function getFullLayout($page, Acl $acl = null) { $this->view->addTemplate('main', '_layouts'); - $this->view->assign('useFixedHeader'); + $this->view->assign('useFixedHeader', true); $this->setPage($page); $this->initBody(); @@ -97,17 +97,12 @@ final class LayoutHelper extends HelperBase */ public function initBody() { - $this->view->assign('startTime', microtime()); - $this->view->assign('isInstalled', $this->configData->isInstalled()); - $this->view->assign('sk', $this->loggedIn ? $this->context->generateSecurityKey() : ''); $this->view->assign('app_name', AppInfoInterface::APP_NAME); $this->view->assign('app_desc', AppInfoInterface::APP_DESC); $this->view->assign('app_website_url', AppInfoInterface::APP_WEBSITE_URL); $this->view->assign('app_blog_url', AppInfoInterface::APP_BLOG_URL); $this->view->assign('app_version', Installer::VERSION_TEXT); - $this->view->assign('isDemoMode', $this->configData->isDemoEnabled()); - $this->view->assign('icons', $this->theme->getIcons()); $this->view->assign('logoIcon', Bootstrap::$WEBURI . '/public/images/logo_icon.png'); $this->view->assign('logoNoText', Bootstrap::$WEBURI . '/public/images/logo_icon.svg'); $this->view->assign('logo', Bootstrap::$WEBURI . '/public/images/logo_full_bg.png'); 
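Review bot: `initBody()` drops the `startTime`, `isInstalled`, `isDemoMode` and `icons` view variables along with `sk`, but nothing in this hunk re-assigns them; unless they are now set in `initialize()` (outside this hunk), layout templates that branch on `$isInstalled`/`$isDemoMode` or iterate `$icons` will silently see null. Please confirm where they moved, and consider a comment at the top of `initBody()` such as `// installation/demo flags, icons and sk are assigned once in initialize()` so the next reader does not re-add them here. The method continues beyond the hunk.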
@@ -117,6 +112,7 @@ final class LayoutHelper extends HelperBase $this->loggedIn = $this->context->isLoggedIn(); + $this->view->assign('sk', $this->view->get('sk') ?: $this->context->generateSecurityKey()); $this->view->assign('loggedIn', $this->loggedIn); $this->view->assign('lang', $this->loggedIn ? Language::$userLang : substr(Language::$globalLang, 0, 2)); $this->view->assign('loadApp', $this->context->getAuthCompleted()); @@ -193,7 +189,7 @@ final class LayoutHelper extends HelperBase foreach ($this->dic->get(PluginManager::class)->getLoadedPlugins() as $plugin) { $base = str_replace(APP_ROOT, '', $plugin->getBase()); $base .= DIRECTORY_SEPARATOR . 'public'; - + $jsResources = $plugin->getJsResources(); $cssResources = $plugin->getCssResources(); @@ -373,7 +369,7 @@ final class LayoutHelper extends HelperBase { $this->view->addTemplate('main', '_layouts'); $this->view->addContentTemplate($template); - $this->view->assign('useFixedHeader'); + $this->view->assign('useFixedHeader', true); $this->setPage($page); $this->initBody(); diff --git a/app/modules/web/Controllers/Helpers/TabsGridHelper.php b/app/modules/web/Controllers/Helpers/TabsGridHelper.php index a80b922e..cb5024b7 100644 --- a/app/modules/web/Controllers/Helpers/TabsGridHelper.php +++ b/app/modules/web/Controllers/Helpers/TabsGridHelper.php @@ -56,7 +56,6 @@ final class TabsGridHelper extends HelperBase $this->view->assign('activeTab', $activeTab); $this->view->assign('maxNumActions', self::MAX_NUM_ACTIONS); $this->view->assign('tabsRoute', $route); - $this->view->assign('sk', $this->context->generateSecurityKey()); } /** diff --git a/app/modules/web/Controllers/Helpers/TabsHelper.php b/app/modules/web/Controllers/Helpers/TabsHelper.php index 5ec64fa1..00d38ff9 100644 --- a/app/modules/web/Controllers/Helpers/TabsHelper.php +++ b/app/modules/web/Controllers/Helpers/TabsHelper.php 
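Review bot: The new line `$this->view->assign('sk', $this->view->get('sk') ?: $this->context->generateSecurityKey());` changes two things at once: a token is now generated for anonymous visitors as well (the removed `initBody()` line assigned `''` when not logged in), and an `sk` already on the view is reused rather than replaced. The first is presumably required by the new check in `LoginController::loginAction`, but it deserves a comment, e.g. `// generate a token even for anonymous pages so the login form can pass checkSecurityToken`. For the reuse, `?:` treats any falsy value as missing, which is what you want for an empty string (`??` would not cover that case), so keep `?:` but say so in a comment.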
@@ -56,7 +56,6 @@ final class TabsHelper extends HelperBase $this->view->assign('activeTab', $activeTab); $this->view->assign('maxNumActions', self::MAX_NUM_ACTIONS); $this->view->assign('tabsRoute', $route); - $this->view->assign('sk', $this->context->generateSecurityKey()); } /** diff --git a/app/modules/web/Controllers/ItemPresetController.php b/app/modules/web/Controllers/ItemPresetController.php index f105135d..7e660fcb 100644 --- a/app/modules/web/Controllers/ItemPresetController.php +++ b/app/modules/web/Controllers/ItemPresetController.php @@ -63,14 +63,16 @@ final class ItemPresetController extends ControllerBase implements CrudControlle */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Valor')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Valor')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.itemPreset', new Event($this)); 
@@ -126,15 +128,14 @@ final class ItemPresetController extends ControllerBase implements CrudControlle } $this->view->assign('preset', $itemPresetData); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ACCESS_MANAGE)); if ($this->view->isView === true) { $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } } @@ -142,11 +143,16 @@ final class ItemPresetController extends ControllerBase implements CrudControlle * Search action * * @return bool + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } 
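Review bot: In `searchAction` the new `$this->checkSecurityToken($this->previousSk, $this->request);` sits outside any try/catch, unlike `viewAction`, `createAction` and the other actions in this file where it is the first statement inside `try`; the added `@throws \SP\Core\Exceptions\SPException` confirms a bad token propagates as an exception rather than the JSON error the ACL branch below returns. The same placement appears in `NotificationController::indexAction`/`searchAction` and `PluginController::indexAction`/`searchAction`. Unless the dispatcher converts SPException into a JSON response, handle it consistently, e.g. `try { $this->checkSecurityToken($this->previousSk, $this->request); } catch (SPException $e) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, $e->getMessage()); }`.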
@@ -184,23 +190,24 @@ final class ItemPresetController extends ControllerBase implements CrudControlle */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $args = func_get_args(); - $type = null; - - if (count($args) > 0) { - $type = Filter::getString($args[0]); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nuevo Valor')); - $this->view->assign('isView', false); - $this->view->assign('route', 'itemPreset/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $args = func_get_args(); + $type = null; + + if (count($args) > 0) { + $type = Filter::getString($args[0]); + } + + $this->view->assign('header', __('Nuevo Valor')); + $this->view->assign('isView', false); + $this->view->assign('route', 'itemPreset/saveCreate'); + $this->setViewData(null, $type); $this->eventDispatcher->notifyEvent('show.itemPreset.create', new Event($this)); 
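Review bot: `createAction` no longer assigns `$this->view->assign(__FUNCTION__, 1);` (the `createAction` view flag), and the same line is removed from `NotificationController::createAction` and `editAction`; if any template still tests `$createAction`/`$editAction` to toggle form fields, it will now behave as if unset. Worth a grep of the itemPreset and notification templates, and, if the flag is genuinely dead, a short note in the commit message saying so. Moving the ACL check into the `try` block after the token check is fine, but note the order: a stale token now fails before authorization, which changes the error a user without permission sees.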
@@ -222,15 +229,17 @@ final class ItemPresetController extends ControllerBase implements CrudControlle */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Editar Valor')); - $this->view->assign('isView', false); - $this->view->assign('route', 'itemPreset/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Valor')); + $this->view->assign('isView', false); + $this->view->assign('route', 'itemPreset/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.itemPreset.edit', new Event($this)); @@ -252,11 +261,13 @@ final class ItemPresetController extends ControllerBase implements CrudControlle */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->itemPresetService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); 
@@ -291,11 +302,13 @@ final class ItemPresetController extends ControllerBase implements CrudControlle */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new ItemsPresetForm($this->dic); $form->validate(Acl::ITEMPRESET_CREATE); @@ -330,11 +343,13 @@ final class ItemPresetController extends ControllerBase implements CrudControlle */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::ITEMPRESET_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new ItemsPresetForm($this->dic, $id); $form->validate(Acl::ITEMPRESET_EDIT); diff --git a/app/modules/web/Controllers/ItemsController.php b/app/modules/web/Controllers/ItemsController.php index 1ed2b1ec..24ec5dbc 100644 --- a/app/modules/web/Controllers/ItemsController.php +++ b/app/modules/web/Controllers/ItemsController.php @@ -133,7 +133,6 @@ final class ItemsController extends SimpleControllerBase 'notifications' => $notifications, 'hash' => sha1(implode('', $notifications)) ]); - $jsonResponse->setCsrf($this->session->getSecurityKey()); Json::factory($this->router->response()) ->returnJson($jsonResponse); 
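Review bot: `ItemsController` stops sending the CSRF token with the notifications JSON (`- $jsonResponse->setCsrf($this->session->getSecurityKey());`), so a client that refreshed its `sk` from that polled response would keep using a stale token now that controllers compare against `previousSk`. If the front-end never read `csrf` from this endpoint the removal is safe, but that is not visible here, so please check the JS consumer. A one-line comment on the response, e.g. `// csrf is no longer rotated here; clients keep the token rendered with the page`, would record the decision.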
diff --git a/app/modules/web/Controllers/LoginController.php b/app/modules/web/Controllers/LoginController.php index 74263dfc..ab021b02 100644 --- a/app/modules/web/Controllers/LoginController.php +++ b/app/modules/web/Controllers/LoginController.php @@ -51,6 +51,8 @@ final class LoginController extends ControllerBase public function loginAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $loginService = $this->dic->get(LoginService::class); $from = $this->getSignedUriFromRequest(); diff --git a/app/modules/web/Controllers/NotificationController.php b/app/modules/web/Controllers/NotificationController.php index 2a79527a..7348399a 100644 --- a/app/modules/web/Controllers/NotificationController.php +++ b/app/modules/web/Controllers/NotificationController.php @@ -55,11 +55,16 @@ final class NotificationController extends ControllerBase implements CrudControl /** * indexAction * + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function indexAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION)) { return; } 
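Review bot: `loginAction` now calls `checkSecurityToken($this->previousSk, $this->request)` before any login work, so the anonymous login form must embed the `sk` that LayoutHelper now generates for non-logged-in visitors; if the login template is rendered through a path that does not set `sk`, every login attempt will fail the check. Also confirm that any session-id regeneration performed at login (outside this hunk, if present) happens after this check, otherwise the token kept in the previous session state would not be found. The catch branch handling a failed check is outside the hunk.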
@@ -98,14 +103,16 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Notificación')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Notificación')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.notification', new Event($this)); @@ -139,15 +146,14 @@ final class NotificationController extends ControllerBase implements CrudControl $this->view->assign('users', SelectItemAdapter::factory(UserService::getItemsBasic())->getItemsFromModelSelected([$notification->userId])); } - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::NOTIFICATION)); if ($this->view->isView === true) { $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } } 
@@ -157,9 +163,12 @@ final class NotificationController extends ControllerBase implements CrudControl * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } @@ -175,16 +184,17 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nueva Notificación')); - $this->view->assign('isView', false); - $this->view->assign('route', 'notification/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nueva Notificación')); + $this->view->assign('isView', false); + $this->view->assign('route', 'notification/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.notification.create', new Event($this)); 
@@ -206,16 +216,17 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Editar Notificación')); - $this->view->assign('isView', false); - $this->view->assign('route', 'notification/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Notificación')); + $this->view->assign('isView', false); + $this->view->assign('route', 'notification/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.notification.edit', new Event($this)); @@ -237,11 +248,13 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { if ($this->userData->getIsAdminApp()) { $this->notificationService->deleteAdminBatch($this->getItemsIdFromRequest($this->request)); 
@@ -288,11 +301,13 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function checkAction($id) { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_CHECK)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_CHECK)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $this->notificationService->setCheckedById($id); $this->eventDispatcher->notifyEvent('check.notification', @@ -315,11 +330,13 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new NotificationForm($this->dic); $form->validate(Acl::NOTIFICATION_CREATE); 
@@ -348,11 +365,13 @@ final class NotificationController extends ControllerBase implements CrudControl */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::NOTIFICATION_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new NotificationForm($this->dic, $id); $form->validate(Acl::NOTIFICATION_EDIT); diff --git a/app/modules/web/Controllers/PluginController.php b/app/modules/web/Controllers/PluginController.php index eb421a29..f589e213 100644 --- a/app/modules/web/Controllers/PluginController.php +++ b/app/modules/web/Controllers/PluginController.php @@ -54,11 +54,16 @@ final class PluginController extends ControllerBase /** * indexAction * + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function indexAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::PLUGIN)) { return; } @@ -96,9 +101,12 @@ final class PluginController extends ControllerBase * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::PLUGIN_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } 
@@ -118,14 +126,16 @@ final class PluginController extends ControllerBase */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::PLUGIN_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Plugin')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PLUGIN_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Plugin')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.plugin', new Event($this)); @@ -159,15 +169,14 @@ final class PluginController extends ControllerBase $this->view->assign('plugin', $pluginData); $this->view->assign('pluginInfo', $pluginInfo); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ITEMS_MANAGE)); if ($this->view->isView === true) { $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } } @@ -181,6 +190,8 @@ final class PluginController extends ControllerBase public function enableAction($id) { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->pluginService->toggleEnabled($id, 1); $this->eventDispatcher->notifyEvent('edit.plugin.enable', @@ -206,6 +217,8 @@ final class PluginController extends ControllerBase public function disableAction($id) { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->pluginService->toggleEnabled($id, 0); $this->eventDispatcher->notifyEvent('edit.plugin.disable', 
@@ -231,6 +244,8 @@ final class PluginController extends ControllerBase public function resetAction($id) { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->pluginService->resetById($id); $this->eventDispatcher->notifyEvent('edit.plugin.reset', diff --git a/app/modules/web/Controllers/PublicLinkController.php b/app/modules/web/Controllers/PublicLinkController.php index 6cbbb51a..99449c8a 100644 --- a/app/modules/web/Controllers/PublicLinkController.php +++ b/app/modules/web/Controllers/PublicLinkController.php @@ -64,9 +64,12 @@ final class PublicLinkController extends ControllerBase implements CrudControlle * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } 
@@ -101,16 +104,17 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nuevo Enlace Público')); - $this->view->assign('isView', false); - $this->view->assign('route', 'publicLink/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nuevo Enlace Público')); + $this->view->assign('isView', false); + $this->view->assign('route', 'publicLink/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.publicLink.create', new Event($this)); @@ -141,7 +145,6 @@ final class PublicLinkController extends ControllerBase implements CrudControlle $this->view->assign('usageInfo', unserialize($publicLink->getUseInfo())); $this->view->assign('accounts', SelectItemAdapter::factory($this->dic->get(AccountService::class)->getForUser())->getItemsFromModelSelected([$publicLink->getItemId()])); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ACCESS_MANAGE)); if ($this->view->isView === true) { @@ -149,8 +152,8 @@ final class PublicLinkController extends ControllerBase implements CrudControlle $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } } 
@@ -163,11 +166,13 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function refreshAction($id) { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_REFRESH)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_REFRESH)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $this->publicLinkService->refresh($id); $this->eventDispatcher->notifyEvent('edit.publicLink.refresh', new Event($this)); @@ -189,15 +194,17 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Editar Enlace Público')); - $this->view->assign('isView', false); - $this->view->assign('route', 'publicLink/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Enlace Público')); + $this->view->assign('isView', false); + $this->view->assign('route', 'publicLink/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.publicLink.edit', new Event($this)); 
@@ -219,11 +226,13 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->publicLinkService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); @@ -260,11 +269,13 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new PublicLinkForm($this->dic); $form->validate(Acl::PUBLICLINK_CREATE); 
@@ -292,11 +303,13 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function saveCreateFromAccountAction($accountId, $notify) { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $publicLinkData = new PublicLinkData(); $publicLinkData->setTypeId(PublicLinkService::TYPE_ACCOUNT); $publicLinkData->setItemId($accountId); @@ -334,14 +347,16 @@ final class PublicLinkController extends ControllerBase implements CrudControlle */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Enlace')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PUBLICLINK_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Enlace')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.publicLink', new Event($this)); diff --git a/app/modules/web/Controllers/SimpleControllerBase.php b/app/modules/web/Controllers/SimpleControllerBase.php index 29dffddb..7d6c57cb 100644 --- a/app/modules/web/Controllers/SimpleControllerBase.php +++ b/app/modules/web/Controllers/SimpleControllerBase.php 
@@ -42,6 +42,10 @@ abstract class SimpleControllerBase * @var ContainerInterface */ protected $dic; + /** + * @var string + */ + protected $previousSk; /** * SimpleControllerBase constructor. @@ -59,6 +63,8 @@ abstract class SimpleControllerBase $this->setUp($container); + $this->previousSk = $this->session->getSecurityKey(); + if (method_exists($this, 'initialize')) { $this->initialize(); } @@ -90,7 +96,9 @@ abstract class SimpleControllerBase */ protected function checkAccess($action) { - if (!$this->session->getUserData()->getIsAdminApp() && !$this->acl->checkUserAccess($action)) { + if (!$this->session->getUserData()->getIsAdminApp() + && !$this->acl->checkUserAccess($action) + ) { throw new UnauthorizedPageException(UnauthorizedPageException::INFO); } } diff --git a/app/modules/web/Controllers/TagController.php b/app/modules/web/Controllers/TagController.php index a972f507..e036cca7 100644 --- a/app/modules/web/Controllers/TagController.php +++ b/app/modules/web/Controllers/TagController.php @@ -58,9 +58,12 @@ final class TagController extends ControllerBase implements CrudControllerInterf * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::TAG_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } 
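Review bot: `previousSk` is snapshotted from `getSecurityKey()` in the constructor and documented as `@var string`, but nothing in this diff shows that the session cannot still be without a key (first request after login, or a cleared session), in which case every action now calls `checkSecurityToken(null, $this->request)`. That method must then reject a null or empty expected value rather than let a missing client token compare equal; consider `@var string|null`, an explicit guard, or issuing a key in the constructor when none exists. The comparison inside `checkSecurityToken` is outside this diff; on attacker-supplied input it should be a constant-time `hash_equals($expected, $received)` rather than `===`, and a comment on the new property such as `// Key the client was issued before this request; checked against the token it sends back.` would state the contract. The snapshot is taken before the optional `initialize()` hook runs, so any initialization that rotates the key would leave `previousSk` stale.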
@@ -95,16 +98,17 @@ final class TagController extends ControllerBase implements CrudControllerInterf */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::TAG_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nueva Etiqueta')); - $this->view->assign('isView', false); - $this->view->assign('route', 'tag/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TAG_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nueva Etiqueta')); + $this->view->assign('isView', false); + $this->view->assign('route', 'tag/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.tag.create', new Event($this)); @@ -134,15 +138,14 @@ final class TagController extends ControllerBase implements CrudControllerInterf $this->view->assign('tag', $tag); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ITEMS_MANAGE)); if ($this->view->isView === true) { $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } } 
@@ -155,15 +158,17 @@ final class TagController extends ControllerBase implements CrudControllerInterf */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::TAG_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Editar Etiqueta')); - $this->view->assign('isView', false); - $this->view->assign('route', 'tag/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TAG_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Etiqueta')); + $this->view->assign('isView', false); + $this->view->assign('route', 'tag/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.tag.edit', new Event($this)); @@ -185,11 +190,13 @@ final class TagController extends ControllerBase implements CrudControllerInterf */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::TAG_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TAG_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->tagService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); 
@@ -219,11 +226,13 @@ final class TagController extends ControllerBase implements CrudControllerInterf */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::TAG_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TAG_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new TagForm($this->dic); $form->validate(Acl::TAG_CREATE); @@ -250,11 +259,13 @@ final class TagController extends ControllerBase implements CrudControllerInterf */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::TAG_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TAG_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new TagForm($this->dic, $id); $form->validate(Acl::TAG_EDIT); 
@@ -281,14 +292,16 @@ final class TagController extends ControllerBase implements CrudControllerInterf */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::TAG_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Etiqueta')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TAG_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Etiqueta')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.tag', new Event($this)); diff --git a/app/modules/web/Controllers/TrackController.php b/app/modules/web/Controllers/TrackController.php index 0c6e9bad..fc8ca254 100644 --- a/app/modules/web/Controllers/TrackController.php +++ b/app/modules/web/Controllers/TrackController.php @@ -56,9 +56,12 @@ final class TrackController extends ControllerBase * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException * @throws UnauthorizedActionException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::TRACK_SEARCH)) { throw new UnauthorizedActionException(UnauthorizedActionException::ERROR); } 
@@ -98,11 +101,13 @@ final class TrackController extends ControllerBase */ public function unlockAction($id) { - if (!$this->acl->checkUserAccess(Acl::TRACK_UNLOCK)) { - throw new UnauthorizedActionException(UnauthorizedActionException::ERROR); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TRACK_UNLOCK)) { + throw new UnauthorizedActionException(UnauthorizedActionException::ERROR); + } + $this->trackService->unlock($id); $this->eventDispatcher->notifyEvent('unlock.track', new Event($this)); @@ -123,11 +128,13 @@ final class TrackController extends ControllerBase */ public function clearAction() { - if (!$this->acl->checkUserAccess(Acl::TRACK_CLEAR)) { - throw new UnauthorizedActionException(UnauthorizedActionException::ERROR); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::TRACK_CLEAR)) { + throw new UnauthorizedActionException(UnauthorizedActionException::ERROR); + } + $this->trackService->clear(); $this->eventDispatcher->notifyEvent('clear.track', new Event($this)); diff --git a/app/modules/web/Controllers/Traits/JsonTrait.php b/app/modules/web/Controllers/Traits/JsonTrait.php index ced1a8d7..aedd0329 100644 --- a/app/modules/web/Controllers/Traits/JsonTrait.php +++ b/app/modules/web/Controllers/Traits/JsonTrait.php @@ -112,6 +112,10 @@ trait JsonTrait $jsonResponse->setMessages([$exception->getHint()]); } + if (property_exists($this, 'session')) { + $jsonResponse->setCsrf($this->session->getSecurityKey()); + } + return Json::fromDic()->returnJson($jsonResponse); } } \ No newline at end of file diff --git a/app/modules/web/Controllers/UserController.php b/app/modules/web/Controllers/UserController.php index 0a1bfd3b..35d355bb 100644 --- a/app/modules/web/Controllers/UserController.php +++ b/app/modules/web/Controllers/UserController.php 
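Review bot: In the `JsonTrait` hunk, `property_exists($this, 'session')` is also true for a declared-but-unset property, so on a controller where `$session` is declared yet still `null` the new line calls `getSecurityKey()` on null and the exception response itself crashes; `if ($this->session !== null)` (or `isset($this->session)`) expresses the intended check. Since this runs on the exception path, every JSON error now carries the current session key, including the reply to a rejected token; that is acceptable only while the key is readable same-origin, and a one-line comment such as `// Re-issue the session's security key with every JSON reply so the client can send it on its next request.` would record the intent. The `sk` view assignments removed in the Plugin, PublicLink, Tag, User and UserGroup `setViewData` hunks mean forms now depend on the client reading this `csrf` field, which is inferred from the diff and should be confirmed against the JavaScript side. The enclosing method's signature is outside the hunk.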
@@ -60,11 +60,17 @@ final class UserController extends ControllerBase implements CrudControllerInter /** * Search action * + * @return bool + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::USER_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } @@ -80,6 +86,8 @@ final class UserController extends ControllerBase implements CrudControllerInter * getSearchGrid * * @return $this + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException */ @@ -97,16 +105,17 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::USER_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nuevo Usuario')); - $this->view->assign('isView', false); - $this->view->assign('route', 'user/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nuevo Usuario')); + $this->view->assign('isView', false); + $this->view->assign('route', 'user/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.user.create', new Event($this)); 
@@ -137,7 +146,6 @@ final class UserController extends ControllerBase implements CrudControllerInter $this->view->assign('groups', SelectItemAdapter::factory(UserGroupService::getItemsBasic())->getItemsFromModel()); $this->view->assign('profiles', SelectItemAdapter::factory(UserProfileService::getItemsBasic())->getItemsFromModel()); $this->view->assign('isUseSSO', $this->configData->isAuthBasicAutoLoginEnabled()); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('mailEnabled', $this->configData->isMailEnabled()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ACCESS_MANAGE)); @@ -165,8 +173,8 @@ final class UserController extends ControllerBase implements CrudControllerInter return $value; }, $this->userService->getUsageForUser($userId))); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } $this->view->assign('showViewCustomPass', $this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW_PASS)); 
@@ -182,16 +190,17 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::USER_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Editar Usuario')); - $this->view->assign('isView', false); - $this->view->assign('route', 'user/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Usuario')); + $this->view->assign('isView', false); + $this->view->assign('route', 'user/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.user.edit', new Event($this)); 
@@ -213,20 +222,20 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function editPassAction($id) { - // Comprobar si el usuario a modificar es distinto al de la sesión - if (!$this->acl->checkUserAccess(Acl::USER_EDIT_PASS, $id)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->addTemplate('user_pass', 'itemshow'); - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Cambio de Clave')); - $this->view->assign('isView', false); - $this->view->assign('route', 'user/saveEditPass/' . $id); - $this->view->assign('sk', $this->session->generateSecurityKey()); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + // Comprobar si el usuario a modificar es distinto al de la sesión + if (!$this->acl->checkUserAccess(Acl::USER_EDIT_PASS, $id)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->addTemplate('user_pass', 'itemshow'); + + $this->view->assign('header', __('Cambio de Clave')); + $this->view->assign('isView', false); + $this->view->assign('route', 'user/saveEditPass/' . $id); + $user = $id ? $this->userService->getById($id) : new UserData(); $this->view->assign('user', $user); 
@@ -250,13 +259,13 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::USER_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->userService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); @@ -292,11 +301,13 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::USER_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserForm($this->dic); $form->validate(Acl::USER_CREATE); @@ -328,6 +339,8 @@ final class UserController extends ControllerBase implements CrudControllerInter * @param int $userId * @param UserData $userData * + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \Defuse\Crypto\Exception\EnvironmentIsBrokenException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException 
@@ -353,11 +366,13 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::USER_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserForm($this->dic, $id); $form->validate(Acl::USER_EDIT); @@ -394,11 +409,13 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function saveEditPassAction($id) { - if (!$this->acl->checkUserAccess(Acl::USER_EDIT_PASS, $id)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_EDIT_PASS, $id)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserForm($this->dic, $id); $form->validate(Acl::USER_EDIT_PASS); 
@@ -431,15 +448,16 @@ final class UserController extends ControllerBase implements CrudControllerInter */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::USER_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Ver Usuario')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::USER_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Usuario')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.user', new Event($this)); diff --git a/app/modules/web/Controllers/UserGroupController.php b/app/modules/web/Controllers/UserGroupController.php index 45d595db..5a1a069c 100644 --- a/app/modules/web/Controllers/UserGroupController.php +++ b/app/modules/web/Controllers/UserGroupController.php @@ -67,9 +67,12 @@ final class UserGroupController extends ControllerBase implements CrudController * @throws \DI\DependencyException * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::GROUP_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } 
@@ -104,16 +107,17 @@ final class UserGroupController extends ControllerBase implements CrudController */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::GROUP_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nuevo Grupo')); - $this->view->assign('isView', false); - $this->view->assign('route', 'userGroup/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::GROUP_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nuevo Grupo')); + $this->view->assign('isView', false); + $this->view->assign('route', 'userGroup/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.userGroup.create', new Event($this)); @@ -151,15 +155,14 @@ final class UserGroupController extends ControllerBase implements CrudController ->getItemsFromModelSelected($users)); $this->view->assign('usedBy', $this->userGroupService->getUsageByUsers($userGroupId)); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ACCESS_MANAGE)); if ($this->view->isView === true) { $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } $this->view->assign('showViewCustomPass', $this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW_PASS)); 
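Review bot: The removed `$this->view->assign('sk', $this->session->generateSecurityKey());` in the second hunk leaves the user-group form with no token source visible in this file, yet saveCreateAction and saveEditAction now reject any submission that fails `checkSecurityToken($this->previousSk, ...)`; the same assign is removed in UserProfileController (`@@ -133,7 +142,6 @@`). Presumably the token is now emitted once by the layout (main.inc is touched at the end of this diff) and read back as `previousSk`, but that coupling is invisible from the controller and deserves a comment where the assign used to be, e.g. `// sk is rendered by the main layout and verified against $this->previousSk`. Changing `assign('disabled')` / `assign('readonly')` to pass an explicit `false` is a good fix, since a template can then distinguish "not disabled" from "variable never set".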
@@ -175,15 +178,17 @@ final class UserGroupController extends ControllerBase implements CrudController */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::GROUP_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Editar Grupo')); - $this->view->assign('isView', false); - $this->view->assign('route', 'userGroup/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::GROUP_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Grupo')); + $this->view->assign('isView', false); + $this->view->assign('route', 'userGroup/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.userGroup.edit', new Event($this)); @@ -205,11 +210,13 @@ final class UserGroupController extends ControllerBase implements CrudController */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::GROUP_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::GROUP_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->userGroupService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); 
@@ -245,11 +252,13 @@ final class UserGroupController extends ControllerBase implements CrudController */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::GROUP_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::GROUP_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserGroupForm($this->dic); $form->validate(Acl::GROUP_CREATE); @@ -284,11 +293,13 @@ final class UserGroupController extends ControllerBase implements CrudController */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::GROUP_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::GROUP_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserGroupForm($this->dic, $id); $form->validate(Acl::GROUP_EDIT); 
@@ -323,14 +334,16 @@ final class UserGroupController extends ControllerBase implements CrudController */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::GROUP_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Grupo')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::GROUP_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Grupo')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.userGroup', new Event($this)); diff --git a/app/modules/web/Controllers/UserPassResetController.php b/app/modules/web/Controllers/UserPassResetController.php index d14183eb..543cfd7a 100644 --- a/app/modules/web/Controllers/UserPassResetController.php +++ b/app/modules/web/Controllers/UserPassResetController.php @@ -79,6 +79,8 @@ final class UserPassResetController extends ControllerBase public function saveRequestAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->checkTracking(); $login = $this->request->analyzeString('login'); @@ -142,9 +144,12 @@ final class UserPassResetController extends ControllerBase * * @throws \DI\DependencyException * @throws \DI\NotFoundException + * @throws SPException */ public function resetAction($hash = null) { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->dic->get(LayoutHelper::class) ->getCustomLayout('reset', strtolower($this->controllerName)); 
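Review bot: In UserPassResetController::resetAction the new `$this->checkSecurityToken($this->previousSk, $this->request);` sits outside any try, unlike saveRequestAction and saveResetAction where it is wrapped, so a token failure here propagates as SPException to the dispatcher rather than being rendered as an error; the added `@throws SPException` docblock entry confirms that path. resetAction takes `$hash` and renders the reset layout, which suggests it is the landing page for a link sent to the user; if that link carries no token, the check will reject every legitimate reset, so please confirm how previousSk is populated on a first request arriving from e-mail. If the intent is only to protect the POST that follows, the check belongs in saveResetAction alone.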
@@ -163,6 +168,8 @@ final class UserPassResetController extends ControllerBase public function saveResetAction() { try { + $this->checkSecurityToken($this->previousSk, $this->request); + $this->checkTracking(); $pass = $this->request->analyzeEncrypted('password'); @@ -201,6 +208,8 @@ final class UserPassResetController extends ControllerBase } /** + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\InvalidArgumentException */ protected function initialize() diff --git a/app/modules/web/Controllers/UserProfileController.php b/app/modules/web/Controllers/UserProfileController.php index 5a0f2bfb..4676b36b 100644 --- a/app/modules/web/Controllers/UserProfileController.php +++ b/app/modules/web/Controllers/UserProfileController.php @@ -55,11 +55,17 @@ final class UserProfileController extends ControllerBase implements CrudControll /** * Search action * + * @return bool + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException + * @throws \SP\Core\Exceptions\SPException */ public function searchAction() { + $this->checkSecurityToken($this->previousSk, $this->request); + if (!$this->acl->checkUserAccess(Acl::PROFILE_SEARCH)) { return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); } @@ -75,6 +81,8 @@ final class UserProfileController extends ControllerBase implements CrudControll * getSearchGrid * * @return $this + * @throws \DI\DependencyException + * @throws \DI\NotFoundException * @throws \SP\Core\Exceptions\ConstraintException * @throws \SP\Core\Exceptions\QueryException */ 
@@ -92,16 +100,17 @@ final class UserProfileController extends ControllerBase implements CrudControll */ public function createAction() { - if (!$this->acl->checkUserAccess(Acl::PROFILE_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign(__FUNCTION__, 1); - $this->view->assign('header', __('Nuevo Perfil')); - $this->view->assign('isView', false); - $this->view->assign('route', 'userProfile/saveCreate'); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PROFILE_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Nuevo Perfil')); + $this->view->assign('isView', false); + $this->view->assign('route', 'userProfile/saveCreate'); + $this->setViewData(); $this->eventDispatcher->notifyEvent('show.userProfile.create', new Event($this)); @@ -133,7 +142,6 @@ final class UserProfileController extends ControllerBase implements CrudControll $this->view->assign('profile', $profile); $this->view->assign('profileData', $profile->getProfile() ?: new ProfileData()); - $this->view->assign('sk', $this->session->generateSecurityKey()); $this->view->assign('nextAction', Acl::getActionRoute(Acl::ACCESS_MANAGE)); if ($this->view->isView === true) { @@ -142,8 +150,8 @@ final class UserProfileController extends ControllerBase implements CrudControll $this->view->assign('disabled', 'disabled'); $this->view->assign('readonly', 'readonly'); } else { - $this->view->assign('disabled'); - $this->view->assign('readonly'); + $this->view->assign('disabled', false); + $this->view->assign('readonly', false); } $this->view->assign('showViewCustomPass', $this->acl->checkUserAccess(Acl::CUSTOMFIELD_VIEW_PASS)); 
@@ -159,15 +167,17 @@ final class UserProfileController extends ControllerBase implements CrudControll */ public function editAction($id) { - if (!$this->acl->checkUserAccess(Acl::PROFILE_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Editar Perfil')); - $this->view->assign('isView', false); - $this->view->assign('route', 'userProfile/saveEdit/' . $id); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PROFILE_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Editar Perfil')); + $this->view->assign('isView', false); + $this->view->assign('route', 'userProfile/saveEdit/' . $id); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.userProfile.edit', new Event($this)); @@ -189,11 +199,13 @@ final class UserProfileController extends ControllerBase implements CrudControll */ public function deleteAction($id = null) { - if (!$this->acl->checkUserAccess(Acl::PROFILE_DELETE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PROFILE_DELETE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + if ($id === null) { $this->userProfileService->deleteByIdBatch($this->getItemsIdFromRequest($this->request)); 
@@ -229,11 +241,13 @@ final class UserProfileController extends ControllerBase implements CrudControll */ public function saveCreateAction() { - if (!$this->acl->checkUserAccess(Acl::PROFILE_CREATE)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PROFILE_CREATE)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserProfileForm($this->dic); $form->validate(Acl::PROFILE_CREATE); @@ -264,11 +278,13 @@ final class UserProfileController extends ControllerBase implements CrudControll */ public function saveEditAction($id) { - if (!$this->acl->checkUserAccess(Acl::PROFILE_EDIT)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PROFILE_EDIT)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + $form = new UserProfileForm($this->dic, $id); $form->validate(Acl::PROFILE_EDIT); 
@@ -300,14 +316,16 @@ final class UserProfileController extends ControllerBase implements CrudControll */ public function viewAction($id) { - if (!$this->acl->checkUserAccess(Acl::PROFILE_VIEW)) { - return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); - } - - $this->view->assign('header', __('Ver Perfil')); - $this->view->assign('isView', true); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + if (!$this->acl->checkUserAccess(Acl::PROFILE_VIEW)) { + return $this->returnJsonResponse(JsonResponse::JSON_ERROR, __u('No tiene permisos para realizar esta operación')); + } + + $this->view->assign('header', __('Ver Perfil')); + $this->view->assign('isView', true); + $this->setViewData($id); $this->eventDispatcher->notifyEvent('show.userProfile', new Event($this)); diff --git a/app/modules/web/Controllers/UserSettingsGeneralController.php b/app/modules/web/Controllers/UserSettingsGeneralController.php index c3804734..806faba0 100644 --- a/app/modules/web/Controllers/UserSettingsGeneralController.php +++ b/app/modules/web/Controllers/UserSettingsGeneralController.php 
@@ -47,22 +47,24 @@ final class UserSettingsGeneralController extends SimpleControllerBase */ public function saveAction() { - $userData = $this->session->getUserData(); - - $userPreferencesData = clone $userData->getPreferences(); - - $userPreferencesData->setUserId($userData->getId()); - $userPreferencesData->setLang($this->request->analyzeString('userlang')); - $userPreferencesData->setTheme($this->request->analyzeString('usertheme', 'material-blue')); - $userPreferencesData->setResultsPerPage($this->request->analyzeInt('resultsperpage', 12)); - $userPreferencesData->setAccountLink($this->request->analyzeBool('account_link', false)); - $userPreferencesData->setSortViews($this->request->analyzeBool('sort_views', false)); - $userPreferencesData->setTopNavbar($this->request->analyzeBool('top_navbar', false)); - $userPreferencesData->setOptionalActions($this->request->analyzeBool('optional_actions', false)); - $userPreferencesData->setResultsAsCards($this->request->analyzeBool('resultsascards', false)); - $userPreferencesData->setCheckNotifications($this->request->analyzeBool('check_notifications', false)); - try { + $this->checkSecurityToken($this->previousSk, $this->request); + + $userData = $this->session->getUserData(); + + $userPreferencesData = clone $userData->getPreferences(); + + $userPreferencesData->setUserId($userData->getId()); + $userPreferencesData->setLang($this->request->analyzeString('userlang')); + $userPreferencesData->setTheme($this->request->analyzeString('usertheme', 'material-blue')); + $userPreferencesData->setResultsPerPage($this->request->analyzeInt('resultsperpage', 12)); + $userPreferencesData->setAccountLink($this->request->analyzeBool('account_link', false)); + $userPreferencesData->setSortViews($this->request->analyzeBool('sort_views', false)); + $userPreferencesData->setTopNavbar($this->request->analyzeBool('top_navbar', false)); + $userPreferencesData->setOptionalActions($this->request->analyzeBool('optional_actions', false)); + 
$userPreferencesData->setResultsAsCards($this->request->analyzeBool('resultsascards', false)); + $userPreferencesData->setCheckNotifications($this->request->analyzeBool('check_notifications', false)); + $this->userService->updatePreferencesById($userData->getId(), $userPreferencesData); // Guardar las preferencias en la sesión diff --git a/app/modules/web/Controllers/UserSettingsManagerController.php b/app/modules/web/Controllers/UserSettingsManagerController.php index fcab6593..58b349c7 100644 --- a/app/modules/web/Controllers/UserSettingsManagerController.php +++ b/app/modules/web/Controllers/UserSettingsManagerController.php 
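Review bot: saveAction stores `analyzeString('userlang')` and `analyzeString('usertheme', 'material-blue')` into the preferences without checking them against the lists the settings tab renders from (`Language::getAvailableLanguages()` and `$this->theme->getThemesAvailable()`, both visible in the UserSettingsManagerController hunk below), so an arbitrary string can be persisted as a language or theme name and may later be used wherever those names are resolved. Likewise `analyzeInt('resultsperpage', 12)` has no lower bound, so 0 or a negative value is saved as-is. The token check at the top of the try is the right addition; a membership test for both strings that rejects unknown values with the same JSON error the sibling controllers use, plus a clamp such as `max(1, $this->request->analyzeInt('resultsperpage', 12))`, would close the gap. The method's tail after `// Guardar las preferencias en la sesión` is outside the hunk.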
@@ -81,13 +81,7 @@ final class UserSettingsManagerController extends ControllerBase implements Exte $template->assign('langs', SelectItemAdapter::factory(Language::getAvailableLanguages())->getItemsFromArraySelected([$userPreferences->getLang() ?: $this->configData->getSiteLang()])); $template->assign('themes', SelectItemAdapter::factory($this->theme->getThemesAvailable())->getItemsFromArraySelected([$userPreferences->getTheme() ?: $this->configData->getSiteTheme()])); - $template->assign('chkAccountLink', $userPreferences->isAccountLink() ? 'checked="checked"' : ''); - $template->assign('resultsPerPage', $userPreferences->getResultsPerPage() ?: $this->configData->getAccountCount()); - $template->assign('chkSortViews', $userPreferences->isSortViews() ? 'checked="checked"' : ''); - $template->assign('chkTopNavbar', $userPreferences->isTopNavbar() ? 'checked="checked"' : ''); - $template->assign('chkOptionalActions', $userPreferences->isOptionalActions() ? 'checked="checked"' : ''); - $template->assign('chkResultsAsCards', $userPreferences->isResultsAsCards() ? 'checked="checked"' : ''); - $template->assign('chkNotifications', $userPreferences->isCheckNotifications() ? 'checked="checked"' : ''); + $template->assign('userPreferences', $userPreferences); $template->assign('route', 'userSettingsGeneral/save'); return new DataTab(__('Preferencias'), $template); diff --git a/app/modules/web/themes/material-blue/views/_layouts/main.inc b/app/modules/web/themes/material-blue/views/_layouts/main.inc index 6f5bec87..ff395cec 100644 --- a/app/modules/web/themes/material-blue/views/_layouts/main.inc +++ b/app/modules/web/themes/material-blue/views/_layouts/main.inc @@ -1,16 +1,21 @@ - + - +
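Review bot: The removed `$template->assign('resultsPerPage', $userPreferences->getResultsPerPage() ?: $this->configData->getAccountCount());` carried a fallback to the site-wide account count that the replacement `$template->assign('userPreferences', $userPreferences);` does not, so the template now has to reproduce that `?:` fallback itself or a user whose stored preference is 0 will be shown 0. The same applies to the `checked="checked"` strings: each checkbox in the view must now derive its state from the boolean getters, and since the template is not in this diff I cannot confirm it does. A comment on the new assign line, e.g. `// template derives checked state and resultsPerPage (with the getAccountCount() fallback) from the object`, would record that contract.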
-