Add flags to configure use of cookies.
Adds 2 new flags to the CMS: DisableCsrfSecurityToken and DisableAuthenicatedFinishAction. DisableAuthenicatedFinishAction disables the session check on the finished action, which normally verifies that the user actually posted the form. That page is usually just basic content, so requiring a session cookie is sometimes a hassle. DisableCsrfSecurityToken allows the security token to be left off the form. This is normally acceptable, as forms don't usually alter the state of the database.
parent
5568ee7875
commit
42932ea47f
@ -26,7 +26,9 @@ class UserDefinedForm extends Page {
|
|||||||
"ShowClearButton" => "Boolean",
|
"ShowClearButton" => "Boolean",
|
||||||
'DisableSaveSubmissions' => 'Boolean',
|
'DisableSaveSubmissions' => 'Boolean',
|
||||||
'EnableLiveValidation' => 'Boolean',
|
'EnableLiveValidation' => 'Boolean',
|
||||||
'HideFieldLabels' => 'Boolean'
|
'HideFieldLabels' => 'Boolean',
|
||||||
|
'DisableAuthenicatedFinishAction' => 'Boolean',
|
||||||
|
'DisableCsrfSecurityToken' => 'Boolean'
|
||||||
);
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -380,7 +382,9 @@ SQL;
|
|||||||
new TextField("ClearButtonText", _t('UserDefinedForm.TEXTONCLEAR', 'Text on clear button:'), $clear),
|
new TextField("ClearButtonText", _t('UserDefinedForm.TEXTONCLEAR', 'Text on clear button:'), $clear),
|
||||||
new CheckboxField("ShowClearButton", _t('UserDefinedForm.SHOWCLEARFORM', 'Show Clear Form Button'), $this->ShowClearButton),
|
new CheckboxField("ShowClearButton", _t('UserDefinedForm.SHOWCLEARFORM', 'Show Clear Form Button'), $this->ShowClearButton),
|
||||||
new CheckboxField("EnableLiveValidation", _t('UserDefinedForm.ENABLELIVEVALIDATION', 'Enable live validation')),
|
new CheckboxField("EnableLiveValidation", _t('UserDefinedForm.ENABLELIVEVALIDATION', 'Enable live validation')),
|
||||||
new CheckboxField("HideFieldLabels", _t('UserDefinedForm.HIDEFIELDLABELS', 'Hide field labels'))
|
new CheckboxField("HideFieldLabels", _t('UserDefinedForm.HIDEFIELDLABELS', 'Hide field labels')),
|
||||||
|
new CheckboxField('DisableCsrfSecurityToken', _t('UserDefinedForm.DISABLECSRFSECURITYTOKEN', 'Disable CSRF Token')),
|
||||||
|
new CheckboxField('DisableAuthenicatedFinishAction', _t('UserDefinedForm.DISABLEAUTHENICATEDFINISHACTION', 'Disable Authenication on finish action'))
|
||||||
);
|
);
|
||||||
|
|
||||||
$this->extend('updateFormOptions', $options);
|
$this->extend('updateFormOptions', $options);
|
||||||
@ -515,6 +519,10 @@ class UserDefinedForm_Controller extends Page_Controller {
|
|||||||
|
|
||||||
$this->extend('updateForm', $form);
|
$this->extend('updateForm', $form);
|
||||||
|
|
||||||
|
if($this->DisableCsrfSecurityToken) {
|
||||||
|
$form->disableSecurityToken();
|
||||||
|
}
|
||||||
|
|
||||||
return $form;
|
return $form;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1039,17 +1047,20 @@ JS
|
|||||||
$referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : "";
|
$referrer = (isset($data['Referrer'])) ? '?referrer=' . urlencode($data['Referrer']) : "";
|
||||||
|
|
||||||
|
|
||||||
// set a session variable from the security ID to stop people accessing the finished method directly
|
// set a session variable from the security ID to stop people accessing
|
||||||
if (isset($data['SecurityID'])) {
|
// the finished method directly.
|
||||||
Session::set('FormProcessed',$data['SecurityID']);
|
if(!$this->DisableAuthenicatedFinishAction) {
|
||||||
} else {
|
if (isset($data['SecurityID'])) {
|
||||||
// if the form has had tokens disabled we still need to set FormProcessed
|
Session::set('FormProcessed',$data['SecurityID']);
|
||||||
// to allow us to get through the finshed method
|
} else {
|
||||||
if (!$this->Form()->getSecurityToken()->isEnabled()) {
|
// if the form has had tokens disabled we still need to set FormProcessed
|
||||||
$randNum = rand(1, 1000);
|
// to allow us to get through the finshed method
|
||||||
$randHash = md5($randNum);
|
if (!$this->Form()->getSecurityToken()->isEnabled()) {
|
||||||
Session::set('FormProcessed',$randHash);
|
$randNum = rand(1, 1000);
|
||||||
Session::set('FormProcessedNum',$randNum);
|
$randHash = md5($randNum);
|
||||||
|
Session::set('FormProcessed',$randHash);
|
||||||
|
Session::set('FormProcessedNum',$randNum);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1075,22 +1086,25 @@ JS
|
|||||||
|
|
||||||
$referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null;
|
$referrer = isset($_GET['referrer']) ? urldecode($_GET['referrer']) : null;
|
||||||
|
|
||||||
$formProcessed = Session::get('FormProcessed');
|
if(!$this->DisableAuthenicatedFinishAction) {
|
||||||
if (!isset($formProcessed)) {
|
$formProcessed = Session::get('FormProcessed');
|
||||||
return $this->redirect($this->Link() . $referrer);
|
|
||||||
} else {
|
if (!isset($formProcessed)) {
|
||||||
$securityID = Session::get('SecurityID');
|
return $this->redirect($this->Link() . $referrer);
|
||||||
// make sure the session matches the SecurityID and is not left over from another form
|
} else {
|
||||||
if ($formProcessed != $securityID) {
|
$securityID = Session::get('SecurityID');
|
||||||
// they may have disabled tokens on the form
|
// make sure the session matches the SecurityID and is not left over from another form
|
||||||
$securityID = md5(Session::get('FormProcessedNum'));
|
|
||||||
if ($formProcessed != $securityID) {
|
if ($formProcessed != $securityID) {
|
||||||
return $this->redirect($this->Link() . $referrer);
|
// they may have disabled tokens on the form
|
||||||
|
$securityID = md5(Session::get('FormProcessedNum'));
|
||||||
|
if ($formProcessed != $securityID) {
|
||||||
|
return $this->redirect($this->Link() . $referrer);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Session::clear('FormProcessed');
|
||||||
}
|
}
|
||||||
// remove the session variable as we do not want it to be re-used
|
|
||||||
Session::clear('FormProcessed');
|
|
||||||
|
|
||||||
return $this->customise(array(
|
return $this->customise(array(
|
||||||
'Content' => $this->customise(array(
|
'Content' => $this->customise(array(
|
||||||
|
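Review bot: The `DisableCsrfSecurityToken` checkbox added in the getFormOptions hunk, and honoured by the new `$form->disableSecurityToken()` branch in the getForm hunk, is offered with no indication of what it gives up, and the commit message's rationale ("forms don't usually alter the state of the database") does not hold for this module, whose submissions are stored by default (the `DisableSaveSubmissions` flag in the same `$db` array implies as much) and presumably forwarded to recipients; with the token off, any third-party page can submit the form on a visitor's behalf. The option should at least carry a description in the CMS, e.g. append `->setDescription(_t('UserDefinedForm.DISABLECSRFSECURITYTOKENDESC', 'Allows this form to be submitted from other sites. Only enable it if the form neither stores submissions nor sends email.'))` to the new CheckboxField. The field name `DisableAuthenicatedFinishAction` and its label 'Disable Authenication on finish action' are misspelled, and since `$db` keys become database column names it is worth correcting both to "Authenticated"/"Authentication" before this ships. The finished hunk also moves `Session::clear('FormProcessed')` inside the new `if(!$this->DisableAuthenicatedFinishAction)` block, so a stale `FormProcessed` value is never cleared while the flag is on; harmless today, but worth a comment. All four enclosing methods start and end outside their hunks.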