Merge pull request #76 from JaroslawZielinski/bugfix/csrf-verse-edit-…

…fix-ajax-check CSRF Verse Edit fix ajax check
JaroslawZielinski · May 15, 2023 · d6ef618 · d6ef618
2 parents cd65f51 + 0e085da
commit d6ef618
Show file tree

Hide file tree

Showing 6 changed files with 152 additions and 6 deletions.
diff --git a/Controller/Adminhtml/Ajax.php b/Controller/Adminhtml/Ajax.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace JaroslawZielinski\TorahVerse\Controller\Adminhtml;
+
+use Magento\Backend\App\Action;
+use Magento\Backend\App\Action\Context;
+use Magento\Backend\Block\Admin\Formkey;
+use Magento\Framework\App\Request\Http;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\Controller\Result\Json;
+use Magento\Framework\Controller\Result\JsonFactory;
+
+abstract class Ajax extends Action
+{
+    /**
+     * @var FormKey
+     */
+    private $formKey;
+    /**
+     * @var JsonFactory
+     */
+    protected $resultJsonFactory;
+
+    /**
+     * @inheritDoc
+     */
+    public function __construct(
+        FormKey $formKey,
+        JsonFactory $resultJsonFactory,
+        Context $context
+    ) {
+        $this->formKey = $formKey;
+        $this->resultJsonFactory = $resultJsonFactory;
+        parent::__construct($context);
+    }
+
+    public function ajax(array $data): Json
+    {
+        $result = $this->resultJsonFactory->create();
+        /** @var RequestInterface|Http $request */
+        $request = $this->getRequest();
+        if (!$request->isAjax()) {
+            return $result->setData([
+                'status' => 'ERROR',
+                'message' => __('It is not an ajax.'),
+                'result' => __('It is not an ajax.')
+            ]);
+        }
+        if ($request->getParam('form_key', '') !== $this->formKey->getFormKey()) {
+            return $result->setData([
+                'status' => 'ERROR',
+                'message' => __('CSRF attack possible.'),
+                'result' => __('Form is broken.')
+            ]);
+        }
+        return $result->setData($data);
+    }
+}
diff --git a/Controller/Adminhtml/Siglum/Preview.php b/Controller/Adminhtml/Siglum/Preview.php
@@ -0,0 +1,86 @@
+<?php
+
+declare(strict_types=1);
+
+namespace JaroslawZielinski\TorahVerse\Controller\Adminhtml\Siglum;
+
+use JaroslawZielinski\TorahVerse\Controller\Adminhtml\Ajax;
+use Magento\Backend\App\Action\Context;
+use Magento\Framework\Controller\Result\JsonFactory;
+use GuzzleHttp\Client;
+use JaroslawZielinski\Torah\Bible\Service;
+use JaroslawZielinski\Torah\Bible\Torah;
+use JaroslawZielinski\Torah\Bible\Torah\SiglumFactory;
+use JaroslawZielinski\Torah\Bible\TorahValidator;
+use Psr\Log\LoggerInterface;
+use JaroslawZielinski\TorahVerse\Model\Config;
+use Magento\Backend\Block\Admin\Formkey;
+
+class Preview extends Ajax
+{
+    /**
+     * @var Config
+     */
+    private $config;
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @inheritDoc
+     */
+    public function __construct(
+        Config $config,
+        LoggerInterface $logger,
+        FormKey $formKey,
+        JsonFactory $resultJsonFactory,
+        Context $context
+    ) {
+        $this->config = $config;
+        $this->logger = $logger;
+        parent::__construct($formKey, $resultJsonFactory, $context);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function execute()
+    {
+        try {
+            $client = new Service\Client($this->logger, new Client());
+            $torah = new Torah(new TorahValidator(), new Service($client));
+            $request = $this->getRequest();
+            $translationParameter = $request->getParam('translation');
+            if (empty($translationParameter)) {
+                throw new \Exception('Translation is not set!');
+            }
+            $siglumParameter = $request->getParam('siglum');
+            if (empty(trim($siglumParameter))) {
+                throw new \Exception('String is empty!');
+            }
+            $siglum =  SiglumFactory::createFromTranslationAndString($translationParameter, $siglumParameter);
+            $language = $this->config->getInternalizationLanguage();
+            $text = $torah->getTextBySiglum($siglum, $language);
+            if (!empty($text)) {
+                $content = $text->getOrdered();
+                $description = $text->getDescription();
+                $previewText = <<<EOT
+{$content}
+
+{$description}
+EOT;
+            } else {
+                $previewText = implode(<<<EOT
+
+EOT, $torah->getErrors());
+            }
+            $data['status'] = 'ok';
+        } catch (\Exception $e) {
+            $previewText = $e->getMessage();
+            $data['status'] = 'error';
+        }
+        $data['result'] = $previewText;
+        return $this->ajax($data);
+    }
+}
diff --git a/etc/adminhtml/di.xml b/etc/adminhtml/di.xml
@@ -13,8 +13,6 @@
 
     <type name="JaroslawZielinski\TorahVerse\Plugin\Ui\Component\Form\FieldPlugin">
         <arguments>
-            <!-- force Frontend Url -->
-            <argument name="urlBuilder" xsi:type="object" shared="false">Magento\Framework\Url</argument>
             <argument name="key" xsi:type="string">previewUrl</argument>
             <argument name="fields" xsi:type="array">
                 <item name="0" xsi:type="string">siglum</item>

diff --git a/view/adminhtml/ui_component/jaroslawzielinski_torahverse_verses_form.xml b/view/adminhtml/ui_component/jaroslawzielinski_torahverse_verses_form.xml
@@ -126,7 +126,7 @@
                 <item name="config" xsi:type="array">
                     <item name="source" xsi:type="string">verses</item>
                     <item name="default" xsi:type="number">0</item>
-                    <item name="previewUrl" xsi:type="string">torahverse/siglum/preview</item>
+                    <item name="previewUrl" xsi:type="string">jaroslawzielinski_torahverse/siglum/preview</item>
                 </item>
             </argument>
 
@@ -159,7 +159,7 @@
                         </br>
                         <textarea id="preview-result" disabled></textarea>
                     ]]></item>
-                    <item name="previewUrl" xsi:type="string">torahverse/siglum/preview</item>
+                    <item name="previewUrl" xsi:type="string">jaroslawzielinski_torahverse/siglum/preview</item>
                 </item>
             </argument>
 

diff --git a/view/adminhtml/web/js/form/element/siglum.js b/view/adminhtml/web/js/form/element/siglum.js
@@ -52,12 +52,13 @@ define([
                 resultId = self.resultSelector;
             if (undefined !== translationCode && undefined !== siglumCode &&
                 !SiglumData.compareToCurrent(translationCode, siglumCode)) {
+                let formKey = window.FORM_KEY;
                 $.ajax({
                     showLoader: false,
                     url: ajaxUrl,
                     data: {
                         isAjax: true,
-                        form_key: window.FORM_KEY,
+                        form_key: formKey,
                         translation: translationCode,
                         siglum: siglumCode
                     },

diff --git a/view/adminhtml/web/js/form/element/translation.js b/view/adminhtml/web/js/form/element/translation.js
@@ -52,12 +52,13 @@ define([
                 resultId = self.resultSelector;
             if (undefined !== translationCode && undefined !== siglumCode &&
                 !SiglumData.compareToCurrent(translationCode, siglumCode)) {
+                let formKey = window.FORM_KEY;
                 $.ajax({
                     showLoader: false,
                     url: ajaxUrl,
                     data: {
                         isAjax: true,
-                        form_key: window.FORM_KEY,
+                        form_key: formKey,
                         translation: translationCode,
                         siglum: siglumCode
                     },