Add flags to configure use of cookies.

Adds 2 new flags to the CMS:

- DisableCsrfSecurityToken
- DisableAuthenicatedFinishAction

DisableAuthenicatedFinishAction disables the session check on the finish action, which normally validates that the user actually posted the form. This page is usually just basic content, so requiring a session cookie is sometimes a hassle.

DisableCsrfSecurityToken allows security token to not be added to the form. Normally acceptable as forms don't usually alter the state of the database.
Will Rossiter 2014-07-27 20:51:23 +12:00
parent 5568ee7875
commit 42932ea47f


@ -26,7 +26,9 @@ class UserDefinedForm extends Page {
"ShowClearButton" => "Boolean", "ShowClearButton" => "Boolean",
'DisableSaveSubmissions' => 'Boolean', 'DisableSaveSubmissions' => 'Boolean',
'EnableLiveValidation' => 'Boolean', 'EnableLiveValidation' => 'Boolean',
'HideFieldLabels' => 'Boolean' 'HideFieldLabels' => 'Boolean',
'DisableAuthenicatedFinishAction' => 'Boolean',
'DisableCsrfSecurityToken' => 'Boolean'
); );
/** /**
@ -380,7 +382,9 @@ SQL;
new TextField("ClearButtonText", _t('UserDefinedForm.TEXTONCLEAR', 'Text on clear button:'), $clear), new TextField("ClearButtonText", _t('UserDefinedForm.TEXTONCLEAR', 'Text on clear button:'), $clear),
new CheckboxField("ShowClearButton", _t('UserDefinedForm.SHOWCLEARFORM', 'Show Clear Form Button'), $this->ShowClearButton), new CheckboxField("ShowClearButton", _t('UserDefinedForm.SHOWCLEARFORM', 'Show Clear Form Button'), $this->ShowClearButton),
new CheckboxField("EnableLiveValidation", _t('UserDefinedForm.ENABLELIVEVALIDATION', 'Enable live validation')), new CheckboxField("EnableLiveValidation", _t('UserDefinedForm.ENABLELIVEVALIDATION', 'Enable live validation')),
new CheckboxField("HideFieldLabels", _t('UserDefinedForm.HIDEFIELDLABELS', 'Hide field labels')) new CheckboxField("HideFieldLabels", _t('UserDefinedForm.HIDEFIELDLABELS', 'Hide field labels')),
new CheckboxField('DisableCsrfSecurityToken', _t('UserDefinedForm.DISABLECSRFSECURITYTOKEN', 'Disable CSRF Token')),
new CheckboxField('DisableAuthenicatedFinishAction', _t('UserDefinedForm.DISABLEAUTHENICATEDFINISHACTION', 'Disable Authenication on finish action'))
); );
$this->extend('updateFormOptions', $options); $this->extend('updateFormOptions', $options);
@ -515,6 +519,10 @@ class UserDefinedForm_Controller extends Page_Controller {
$this->extend('updateForm', $form); $this->extend('updateForm', $form);
if($this->DisableCsrfSecurityToken) {
$form->disableSecurityToken();
}
return $form; return $form;
} }
@ -1039,17 +1047,20 @@ JS
$referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : ""; $referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : "";
// set a session variable from the security ID to stop people accessing the finished method directly // set a session variable from the security ID to stop people accessing
if (isset($data['SecurityID'])) { // the finished method directly.
Session::set('FormProcessed',$data['SecurityID']); if(!$this->DisableAuthenicatedFinishAction) {
} else { if (isset($data['SecurityID'])) {
// if the form has had tokens disabled we still need to set FormProcessed Session::set('FormProcessed',$data['SecurityID']);
// to allow us to get through the finshed method } else {
if (!$this->Form()->getSecurityToken()->isEnabled()) { // if the form has had tokens disabled we still need to set FormProcessed
$randNum = rand(1, 1000); // to allow us to get through the finshed method
$randHash = md5($randNum); if (!$this->Form()->getSecurityToken()->isEnabled()) {
Session::set('FormProcessed',$randHash); $randNum = rand(1, 1000);
Session::set('FormProcessedNum',$randNum); $randHash = md5($randNum);
Session::set('FormProcessed',$randHash);
Session::set('FormProcessedNum',$randNum);
}
} }
} }
@ -1075,22 +1086,25 @@ JS
$referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null; $referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null;
$formProcessed = Session::get('FormProcessed'); if(!$this->DisableAuthenicatedFinishAction) {
if (!isset($formProcessed)) { $formProcessed = Session::get('FormProcessed');
return $this->redirect($this->Link() . $referrer);
} else { if (!isset($formProcessed)) {
$securityID = Session::get('SecurityID'); return $this->redirect($this->Link() . $referrer);
// make sure the session matches the SecurityID and is not left over from another form } else {
if ($formProcessed != $securityID) { $securityID = Session::get('SecurityID');
// they may have disabled tokens on the form // make sure the session matches the SecurityID and is not left over from another form
$securityID = md5(Session::get('FormProcessedNum'));
if ($formProcessed != $securityID) { if ($formProcessed != $securityID) {
return $this->redirect($this->Link() . $referrer); // they may have disabled tokens on the form
$securityID = md5(Session::get('FormProcessedNum'));
if ($formProcessed != $securityID) {
return $this->redirect($this->Link() . $referrer);
}
} }
} }
Session::clear('FormProcessed');
} }
// remove the session variable as we do not want it to be re-used
Session::clear('FormProcessed');
return $this->customise(array( return $this->customise(array(
'Content' => $this->customise(array( 'Content' => $this->customise(array(
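Review bot: The `DisableCsrfSecurityToken` checkbox added in the form-options hunk lets an editor switch off CSRF protection on a form whose submissions may still be saved and emailed, yet the field carries no explanation of that consequence; I would attach one, e.g. `->setDescription(_t('UserDefinedForm.DISABLECSRFSECURITYTOKEN_DESC', 'Removes the anti-forgery token; only use on forms that neither save nor email submissions.'))` (constructed key). The same applies to `DisableAuthenicatedFinishAction`, whose effect — skipping the session guard on the finished page entirely, as the last hunk shows — is not conveyed by the label 'Disable Authenication on finish action'. Separately, the misspelling `Authenicated` is now baked into a database field, a config checkbox and an i18n key across the first, second and last two hunks; renaming a database field later needs a migration, so it is cheapest to correct before this ships. The enclosing methods of every hunk start and end outside the hunks.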