From 42932ea47f7b28eab91d5f8199b64dc7a888d6e6 Mon Sep 17 00:00:00 2001
From: Will Rossiter
Date: Sun, 27 Jul 2014 20:51:23 +1200
Subject: [PATCH] Add flags to configure use of cookies.

Adds 2 new flags to the CMS:

- DisableCsrfSecurityToken
- DisableAuthenicatedFinishAction

DisableAuthenicatedFinishAction disables the session check on the finish completed action as this normally validates the user correctly posted a form. This page is normally just basic content so requiring a session cookie is sometimes a hassle.

DisableCsrfSecurityToken allows security token to not be added to the form. Normally acceptable as forms don't usually alter the state of the database.
---
 code/model/UserDefinedForm.php | 66 ++++++++++++++++++++--------------
 1 file changed, 40 insertions(+), 26 deletions(-)

diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php
index 0bd1361..a1eeb64 100755
--- a/code/model/UserDefinedForm.php
+++ b/code/model/UserDefinedForm.php
@@ -26,7 +26,9 @@ class UserDefinedForm extends Page {
         "ShowClearButton" => "Boolean",
         'DisableSaveSubmissions' => 'Boolean',
         'EnableLiveValidation' => 'Boolean',
-        'HideFieldLabels' => 'Boolean'
+        'HideFieldLabels' => 'Boolean',
+        'DisableAuthenicatedFinishAction' => 'Boolean',
+        'DisableCsrfSecurityToken' => 'Boolean'
     );
 
     /**
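Review bot: The new `$db` key `DisableAuthenicatedFinishAction` misspells "Authenticated", and because it becomes a database column name it will need a schema rename and a data migration to correct later; the cheapest moment to fix it is now, e.g. `'DisableAuthenticatedFinishAction' => 'Boolean',`. The same spelling is repeated in the CheckboxField and translation key of the form-options hunk and in the `$this->DisableAuthenicatedFinishAction` checks of the process and finished hunks, so all of them would change together. A short docblock above each new key saying what it switches off (the form's security token, the session check on the finish action) would also help, since both are presumably toggled from the CMS by whoever can edit the page.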
@@ -380,7 +382,9 @@ SQL;
             new TextField("ClearButtonText", _t('UserDefinedForm.TEXTONCLEAR', 'Text on clear button:'), $clear),
             new CheckboxField("ShowClearButton", _t('UserDefinedForm.SHOWCLEARFORM', 'Show Clear Form Button'), $this->ShowClearButton),
             new CheckboxField("EnableLiveValidation", _t('UserDefinedForm.ENABLELIVEVALIDATION', 'Enable live validation')),
-            new CheckboxField("HideFieldLabels", _t('UserDefinedForm.HIDEFIELDLABELS', 'Hide field labels'))
+            new CheckboxField("HideFieldLabels", _t('UserDefinedForm.HIDEFIELDLABELS', 'Hide field labels')),
+            new CheckboxField('DisableCsrfSecurityToken', _t('UserDefinedForm.DISABLECSRFSECURITYTOKEN', 'Disable CSRF Token')),
+            new CheckboxField('DisableAuthenicatedFinishAction', _t('UserDefinedForm.DISABLEAUTHENICATEDFINISHACTION', 'Disable Authenication on finish action'))
         );
 
         $this->extend('updateFormOptions', $options);
@@ -514,6 +518,10 @@ class UserDefinedForm_Controller extends Page_Controller {
         if(is_array($data)) $form->loadDataFrom($data);
 
         $this->extend('updateForm', $form);
+
+        if($this->DisableCsrfSecurityToken) {
+            $form->disableSecurityToken();
+        }
 
         return $form;
     }
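Review bot: The two new checkboxes are labelled `'Disable CSRF Token'` and `'Disable Authenication on finish action'` with no description, yet each one switches off a protection for every visitor of the page (the form token in the `Form()` hunk, the session check in the `finished()` hunk), so a CMS author reading the settings tab cannot tell what is being traded away. Add a description to each field, e.g. via `->setDescription(...)`, stating that the token stops submissions forged from other sites and that the finish-action check stops the thank-you page being opened without a submission. The second label also carries the misspelt "Authenication", and the new lines use single-quoted field names where the neighbouring lines use double quotes. The enclosing method starts and ends outside the hunk.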
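Review bot: `$form->disableSecurityToken()` runs after `$this->extend('updateForm', $form)`, so any extension that reads `$form->getSecurityToken()` in that hook sees a token this method is about to disable; if the flag is meant to be observable by extensions, move the `if($this->DisableCsrfSecurityToken)` block above the extend call. A comment naming the consequence would also help, e.g. `// Page-level opt-out of the CSRF token; the finished() session check is controlled separately by DisableAuthenicatedFinishAction.` The enclosing method (presumably `Form()`, given the `$this->Form()` calls in the later hunks) starts outside the hunk.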
@@ -1039,20 +1047,23 @@ JS
 
         $referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : "";
 
-        // set a session variable from the security ID to stop people accessing the finished method directly
-        if (isset($data['SecurityID'])) {
-            Session::set('FormProcessed',$data['SecurityID']);
-        } else {
-            // if the form has had tokens disabled we still need to set FormProcessed
-            // to allow us to get through the finshed method
-            if (!$this->Form()->getSecurityToken()->isEnabled()) {
-                $randNum = rand(1, 1000);
-                $randHash = md5($randNum);
-                Session::set('FormProcessed',$randHash);
-                Session::set('FormProcessedNum',$randNum);
+        // set a session variable from the security ID to stop people accessing
+        // the finished method directly.
+        if(!$this->DisableAuthenicatedFinishAction) {
+            if (isset($data['SecurityID'])) {
+                Session::set('FormProcessed',$data['SecurityID']);
+            } else {
+                // if the form has had tokens disabled we still need to set FormProcessed
+                // to allow us to get through the finshed method
+                if (!$this->Form()->getSecurityToken()->isEnabled()) {
+                    $randNum = rand(1, 1000);
+                    $randHash = md5($randNum);
+                    Session::set('FormProcessed',$randHash);
+                    Session::set('FormProcessedNum',$randNum);
+                }
             }
         }
-
+
         if(!$this->DisableSaveSubmissions) {
             Session::set('userformssubmission'. $this->ID, $submittedForm->ID);
         }
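Review bot: Inside the new `if(!$this->DisableAuthenicatedFinishAction)` guard the branch is still chosen on `isset($data['SecurityID'])`, i.e. on whether the POST happened to carry the field, rather than on `$this->Form()->getSecurityToken()->isEnabled()`; with the token switched off by the new `DisableCsrfSecurityToken` flag, a request that nevertheless includes a `SecurityID` value stores that value as `FormProcessed`, which the check in the finished hunk below is unlikely to match against either `Session::get('SecurityID')` or `md5(Session::get('FormProcessedNum'))`. Testing `isEnabled()` first and using the posted value only when the token is enabled would let the two flags compose. Separately, `FormProcessed` is only ever compared with other values held in the same session, so `rand(1, 1000)` and `md5()` add nothing over a fixed sentinel and obscure what the marker is for. The comment above the guard should also say what happens when the flag is set, e.g. `// When DisableAuthenicatedFinishAction is set no marker is stored and finished() skips its session check.` The enclosing method starts and ends outside the hunk.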
@@ -1075,22 +1086,25 @@ JS
 
         $referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null;
 
-        $formProcessed = Session::get('FormProcessed');
-        if (!isset($formProcessed)) {
-            return $this->redirect($this->Link() . $referrer);
-        } else {
-            $securityID = Session::get('SecurityID');
-            // make sure the session matches the SecurityID and is not left over from another form
-            if ($formProcessed != $securityID) {
-                // they may have disabled tokens on the form
-                $securityID = md5(Session::get('FormProcessedNum'));
+        if(!$this->DisableAuthenicatedFinishAction) {
+            $formProcessed = Session::get('FormProcessed');
+
+            if (!isset($formProcessed)) {
+                return $this->redirect($this->Link() . $referrer);
+            } else {
+                $securityID = Session::get('SecurityID');
+                // make sure the session matches the SecurityID and is not left over from another form
                 if ($formProcessed != $securityID) {
-                    return $this->redirect($this->Link() . $referrer);
+                    // they may have disabled tokens on the form
+                    $securityID = md5(Session::get('FormProcessedNum'));
+                    if ($formProcessed != $securityID) {
+                        return $this->redirect($this->Link() . $referrer);
+                    }
                 }
             }
+
+            Session::clear('FormProcessed');
         }
-        // remove the session variable as we do not want it to be re-used
-        Session::clear('FormProcessed');
 
         return $this->customise(array(
             'Content' => $this->customise(array(
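Review bot: The comment `// remove the session variable as we do not want it to be re-used` was dropped when `Session::clear('FormProcessed')` moved into the guarded block; restore it above the moved call, since that clear is what makes a second GET of the action redirect instead of rendering again. The comparisons `$formProcessed != $securityID` on the new side are loose `!=` between session strings; `!==` states the intent and avoids PHP's numeric-string coercion. When `DisableAuthenicatedFinishAction` is set the action performs no check at all, which the commit message explains but the code does not — a one-line comment on the new `if`, e.g. `// Flag set: the finish page is plain content and is served without a session check.`, would spare the next reader a trip to the history. The enclosing method (presumably `finished()`) starts outside the hunk and its return statement continues past it.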