Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-04-30 19:29:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Admin panel: Pages csrf

Browse Source
This commit is contained in:
slawkens 2023-11-11 07:37:21 +01:00
parent 56306dfb0a
commit 13e6eb5666
4 changed files with 198 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
admin/pages/pages.php
View File

@ -9,11 +9,14 @@
*/ */
use MyAAC\Models\Pages as ModelsPages; use MyAAC\Models\Pages as ModelsPages;
use MyAAC\Admin\Pages;
defined('MYAAC') or die('Direct access not allowed!'); defined('MYAAC') or die('Direct access not allowed!');
$title = 'Pages'; $title = 'Pages';
$use_datatable = true; $use_datatable = true;
csrfProtect();
if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) { if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
echo 'Access denied.'; echo 'Access denied.';
return; return;
@ -29,31 +32,37 @@ $enable_tinymce = true;
$access = 0; $access = 0;
// some constants, used mainly by database (cannot by modified without schema changes) // some constants, used mainly by database (cannot by modified without schema changes)
define('PAGE_TITLE_LIMIT', 30); const PAGE_TITLE_LIMIT = 30;
define('PAGE_NAME_LIMIT', 30); const PAGE_NAME_LIMIT = 30;
define('PAGE_BODY_LIMIT', 65535); // maximum page body length const PAGE_BODY_LIMIT = 65535; // maximum page body length
$action = $_POST['action'] ?? '';
if (!empty($action)) { if (!empty($action)) {
if ($action == 'delete' || $action == 'edit' || $action == 'hide') if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
$id = $_REQUEST['id']; $id = $_POST['id'];
if (isset($_REQUEST['name']))
$name = $_REQUEST['name'];
if (isset($_REQUEST['title']))
$p_title = $_REQUEST['title'];
$php = isset($_REQUEST['php']) && $_REQUEST['php'] == 1;
$enable_tinymce = isset($_REQUEST['enable_tinymce']) && $_REQUEST['enable_tinymce'] == 1;
if ($php)
$body = $_REQUEST['body'];
else if (isset($_REQUEST['body'])) {
//$body = $_REQUEST['body'];
$body = html_entity_decode(stripslashes($_REQUEST['body']));
} }
if (isset($_REQUEST['access'])) if (isset($_POST['name'])) {
$access = $_REQUEST['access']; $name = $_POST['name'];
}
if (isset($_POST['title'])) {
$p_title = $_POST['title'];
}
$php = isset($_POST['php']) && $_POST['php'] == 1;
$enable_tinymce = isset($_POST['enable_tinymce']) && $_POST['enable_tinymce'] == 1;
if ($php) {
$body = $_POST['body'];
}
else if (isset($_POST['body'])) {
//$body = $_POST['body'];
$body = html_entity_decode(stripslashes($_POST['body']));
}
if (isset($_POST['access'])) {
$access = $_POST['access'];
}
$errors = array(); $errors = array();
$player_id = 1; $player_id = 1;
@ -70,7 +79,7 @@ if (!empty($action)) {
if (Pages::delete($id, $errors)) if (Pages::delete($id, $errors))
success('Page with id ' . $id . ' has been deleted'); success('Page with id ' . $id . ' has been deleted');
} else if ($action == 'edit') { } else if ($action == 'edit') {
if (isset($id) && !isset($_REQUEST['name'])) { if (isset($id) && !isset($_POST['name'])) {
$_page = Pages::get($id); $_page = Pages::get($id);
$name = $_page['name']; $name = $_page['name'];
$p_title = $_page['title']; $p_title = $_page['title'];
@ -90,7 +99,7 @@ if (!empty($action)) {
} }
} else if ($action == 'hide') { } else if ($action == 'hide') {
if (Pages::toggleHidden($id, $errors, $status)) { if (Pages::toggleHidden($id, $errors, $status)) {
success(($status == 1 ? 'Show' : 'Hide') . ' successful.'); success(($status == 0 ? 'Show' : 'Hide') . ' successful.');
} }
} }
@ -108,7 +117,7 @@ $pages = ModelsPages::all()->map(function ($e) {
]; ];
})->toArray(); })->toArray();
$twig->display('admin.pages.form.html.twig', array( $twig->display('admin.pages.form.html.twig', [
'action' => $action, 'action' => $action,
'id' => $action == 'edit' ? $id : null, 'id' => $action == 'edit' ? $id : null,
'name' => $name, 'name' => $name,
@ -118,138 +127,8 @@ $twig->display('admin.pages.form.html.twig', array(
'body' => isset($body) ? escapeHtml($body) : '', 'body' => isset($body) ? escapeHtml($body) : '',
'groups' => $groups->getGroups(), 'groups' => $groups->getGroups(),
'access' => $access 'access' => $access
)); ]);
$twig->display('admin.pages.html.twig', array( $twig->display('admin.pages.html.twig', [
'pages' => $pages 'pages' => $pages
));
class Pages
{
static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
{
if(!isset($title[0]) || !isset($body[0])) {
$errors[] = 'Please fill all inputs.';
return false;
}
if(strlen($name) > PAGE_NAME_LIMIT) {
$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
return false;
}
if(strlen($title) > PAGE_TITLE_LIMIT) {
$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
return false;
}
if(strlen($body) > PAGE_BODY_LIMIT) {
$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
return false;
}
if(!isset($player_id) || $player_id == 0) {
$errors[] = 'Player ID is wrong.';
return false;
}
if(!isset($php) || ($php != 0 && $php != 1)) {
$errors[] = 'Enable PHP is wrong.';
return false;
}
if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
return false;
}
if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
$errors[] = 'Enable TinyMCE is wrong.';
return false;
}
if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
$errors[] = 'Access is wrong.';
return false;
}
return true;
}
static public function get($id)
{
$row = ModelsPages::find($id);
if ($row) {
return $row->toArray();
}
return false;
}
static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
{
if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
return false;
}
if (!ModelsPages::where('name', $name)->exists())
ModelsPages::create([
'name' => $name,
'title' => $title,
'body' => $body,
'player_id' => $player_id,
'php' => $php ? '1' : '0',
'enable_tinymce' => $enable_tinymce ? '1' : '0',
'access' => $access
]); ]);
else
$errors[] = 'Page with this link already exists.';
return !count($errors);
}
static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
{
if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
return false;
}
ModelsPages::where('id', $id)->update([
'name' => $name,
'title' => $title,
'body' => $body,
'player_id' => $player_id,
'php' => $php ? '1' : '0',
'enable_tinymce' => $enable_tinymce ? '1' : '0',
'access' => $access
]);
return true;
}
static public function delete($id, &$errors)
{
if (isset($id)) {
$row = ModelsPages::find($id);
if ($row) {
$row->delete();
}
else
$errors[] = 'Page with id ' . $id . ' does not exists.';
} else
$errors[] = 'id not set';
return !count($errors);
}
static public function toggleHidden($id, &$errors, &$status)
{
if (isset($id)) {
$row = ModelsPages::find($id);
if ($row) {
$row->hidden = $row->hidden == 1 ? 0 : 1;
if (!$row->save()) {
$errors[] = 'Fail during toggle hidden Page.';
}
$status = $row->hidden;
}
else {
$errors[] = 'Page with id ' . $id . ' does not exists.';
}
} else
$errors[] = 'id not set';
return !count($errors);
}
}

134
system/src/Admin/Pages.php Normal file
View File

@ -0,0 +1,134 @@
<?php
namespace MyAAC\Admin;
use MyAAC\Models\Pages as ModelsPages;
class Pages
{
static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
{
if(!isset($title[0]) || !isset($body[0])) {
$errors[] = 'Please fill all inputs.';
return false;
}
if(strlen($name) > PAGE_NAME_LIMIT) {
$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
return false;
}
if(strlen($title) > PAGE_TITLE_LIMIT) {
$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
return false;
}
if(strlen($body) > PAGE_BODY_LIMIT) {
$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
return false;
}
if(!isset($player_id) || $player_id == 0) {
$errors[] = 'Player ID is wrong.';
return false;
}
if(!isset($php) || ($php != 0 && $php != 1)) {
$errors[] = 'Enable PHP is wrong.';
return false;
}
if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
return false;
}
if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
$errors[] = 'Enable TinyMCE is wrong.';
return false;
}
if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
$errors[] = 'Access is wrong.';
return false;
}
return true;
}
static public function get($id)
{
$row = ModelsPages::find($id);
if ($row) {
return $row->toArray();
}
return false;
}
static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
{
if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
return false;
}
if (!ModelsPages::where('name', $name)->exists())
ModelsPages::create([
'name' => $name,
'title' => $title,
'body' => $body,
'player_id' => $player_id,
'php' => $php ? '1' : '0',
'enable_tinymce' => $enable_tinymce ? '1' : '0',
'access' => $access
]);
else
$errors[] = 'Page with this link already exists.';
return !count($errors);
}
static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
{
if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
return false;
}
ModelsPages::where('id', $id)->update([
'name' => $name,
'title' => $title,
'body' => $body,
'player_id' => $player_id,
'php' => $php ? '1' : '0',
'enable_tinymce' => $enable_tinymce ? '1' : '0',
'access' => $access
]);
return true;
}
static public function delete($id, &$errors)
{
if (isset($id)) {
$row = ModelsPages::find($id);
if ($row) {
$row->delete();
}
else
$errors[] = 'Page with id ' . $id . ' does not exists.';
} else
$errors[] = 'id not set';
return !count($errors);
}
static public function toggleHidden($id, &$errors, &$status)
{
if (isset($id)) {
$row = ModelsPages::find($id);
if ($row) {
$row->hidden = $row->hidden == 1 ? 0 : 1;
if (!$row->save()) {
$errors[] = 'Fail during toggle hidden Page.';
}
$status = $row->hidden;
}
else {
$errors[] = 'Page with id ' . $id . ' does not exists.';
}
} else
$errors[] = 'id not set';
return !count($errors);
}
}

3
system/templates/admin.pages.form.html.twig
View File

@ -3,8 +3,9 @@
<div class="card-header"> <div class="card-header">
<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} page</h5> <h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} page</h5>
</div> </div>
<form id="form" class="form-horizontal" method="post" action="?p=pages&action={% if action == 'edit' %}edit{% else %}new{% endif %}"> <form id="form" class="form-horizontal" method="post">
{{ csrf() }} {{ csrf() }}
<input type="hidden" name="action" value="{{ action }}" />
{% if action == 'edit' %} {% if action == 'edit' %}
<input type="hidden" name="id" value="{{ id }}"/> <input type="hidden" name="id" value="{{ id }}"/>
{% endif %} {% endif %}

36
system/templates/admin.pages.html.twig
View File

@ -1,7 +1,12 @@
<div class="card card-info card-outline"> <div class="card card-info card-outline">
<div class="card-header"> <div class="card-header">
<h5 class="m-0">Pages <h5 class="m-0">Pages
<a href="?p=pages&action=new" class="float-right"><span class="btn btn-sm btn-success">New</span></a></h5> <form method="post" class="float-right">
{{ csrf() }}
<input type="hidden" name="action" value="new" />
<button type="submit" class="btn btn-sm btn-success">New</button>
</form>
</h5>
</div> </div>
<div class="card-body"> <div class="card-body">
<table class="table table-striped table-bordered table-responsive d-md-table" id="tb_pages"> <table class="table table-striped table-bordered table-responsive d-md-table" id="tb_pages">
@ -21,15 +26,26 @@
<td>{% if page.php %}Yes{% else %}No{% endif %}</td> <td>{% if page.php %}Yes{% else %}No{% endif %}</td>
<td> <td>
<div class="btn-group"> <div class="btn-group">
<a href="?p=pages&action=edit&id={{ page.id }}" class="btn btn-success btn-sm" title="Edit"> <form method="post">
<i class="fas fa-pencil-alt"></i> {{ csrf() }}
</a> <input type="hidden" name="action" value="edit" />
<a href="?p=pages&action=delete&id={{ page.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete"> <input type="hidden" name="id" value="{{ page.id }}" />
<i class="fas fa-trash"></i> <button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
</a> </form>
<a href="?p=pages&action=hide&id={{ page.id }}" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}">
<i class="fas fa-eye{{ (page.hidden != 1) ? '' : '-slash' }}"></i> <form method="post">
</a> {{ csrf() }}
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="id" value="{{ page.id }}" />
<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
</form>
<form method="post">
{{ csrf() }}
<input type="hidden" name="action" value="hide" />
<input type="hidden" name="id" value="{{ page.id }}" />
<button type="submit" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
</form>
</div> </div>
</td> </td>
</tr> </tr>