
Add CSRF protection, restyle delete version button

Jordi Boggiano 12 years ago
parent
commit
fd74e5dcc5

+ 6 - 1
src/Packagist/WebBundle/Controller/WebController.php

@@ -497,6 +497,7 @@ class WebController extends Controller
         }
         if ($deleteForm = $this->createDeletePackageForm($package)) {
             $data['deleteForm'] = $deleteForm->createView();
+            $data['deleteVersionCsrfToken'] = $this->get('form.csrf_provider')->generateCsrfToken('delete_version');
         }
 
         return $data;
@@ -542,7 +543,11 @@ class WebController extends Controller
         $version = $repo->getFullVersion($versionId);
         $package = $version->getPackage();
 
-        if (!$package->getMaintainers()->contains($this->getUser()) && !$this->get('security.context')->isGranted('ROLE_EDIT_PACKAGES')) {
+        if (!$package->getMaintainers()->contains($this->getUser()) && !$this->get('security.context')->isGranted('ROLE_DELETE_PACKAGES')) {
+            throw new AccessDeniedException;
+        }
+
+        if (!$this->get('form.csrf_provider')->isCsrfTokenValid('delete_version', $req->request->get('_token'))) {
             throw new AccessDeniedException;
         }
 
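Review bot: In the second hunk the new `isCsrfTokenValid` check runs only after `$repo->getFullVersion($versionId)` and the maintainer/role check, so a request with a missing or forged `_token` still performs the version lookup; moving the token block ahead of the `$version = ...` line would reject such requests before any repository work, since the check depends on nothing but the request. Both guards throw a bare `AccessDeniedException`, so a failed token and a missing role are indistinguishable to whoever reads the logs — a one-line comment on each would help, e.g. `// reject cross-site posts; the token is issued with the same 'delete_version' intention by the package view action in the first hunk`. That token is generated once per page and shared by every version delete form rendered there, which matches the single intention checked here but is worth stating where it is generated. The action method enclosing the second hunk starts before the hunk, and `$req` is presumably its Request parameter.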

+ 17 - 0
src/Packagist/WebBundle/Resources/public/css/main.css

@@ -641,6 +641,23 @@ form ul {
   padding: 8px;
   background-image: none;
 }
+.package .action.delete input, .package .action.delete-version input {
+  background: #a61c1c;
+  background: -moz-linear-gradient(top, #a61c1c 0%, #b84949 100%);
+  background: -webkit-linear-gradient(top, #a61c1c 0%, #b84949 100%);
+  background: -o-linear-gradient(top, #a61c1c 0%, #b84949 100%);
+  background: -ms-linear-gradient(top, #a61c1c 0%, #b84949 100%);
+  background: linear-gradient(top, #a61c1c 0%, #b84949 100%);
+}
+.package .action.delete-version {
+  float: none;
+  display: inline-block;
+  height: 20px;
+}
+.package .action.delete-version input {
+  font-size: 10px;
+  padding: 3px;
+}
 .package .action input.loading {
   background-position: 10px center;
   background-image: url("../img/loader.gif");
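Review bot: The unprefixed `linear-gradient(top, …)` on the last `background` line of the new `.delete` / `.delete-version` rule uses the legacy keyword form; the standard syntax takes a `to` direction, so browsers that honour the unprefixed property ignore this declaration and fall back to the flat `#a61c1c` above it. Change it to `background: linear-gradient(to bottom, #a61c1c 0%, #b84949 100%);`. The vendor-prefixed lines keep the old `top` form and are fine as written.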

+ 11 - 1
src/Packagist/WebBundle/Resources/public/js/view.js

@@ -64,12 +64,22 @@
         $.ajax(options).complete(function () { $(this).removeClass('loading'); });
         $(this).addClass('loading');
     });
-    $('.package .force-delete').submit(function (e) {
+    $('.package .delete').submit(function (e) {
         e.preventDefault();
         if (confirm('Are you sure?')) {
             e.target.submit();
         }
     });
+    $('.package .delete-version').click(function (e) {
+        e.stopImmediatePropagation();
+    });
+    $('.package .delete-version').submit(function (e) {
+        e.preventDefault();
+        e.stopImmediatePropagation();
+        if (confirm('Are you sure?')) {
+            e.target.submit();
+        }
+    });
     $('.package').on('click', '.requireme input', function (e) {
         this.select();
     });
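Review bot: The `click` handler bound to `.package .delete-version` stops immediate propagation for every click inside the form without saying what it is shielding against; presumably the form sits inside an element that has its own click handler, but that element is not visible in this hunk — confirm and record it, e.g. `// keep clicks inside the delete-version form from reaching the enclosing element's click handler`. The new `submit` handler repeats the confirm-and-submit body of the `.delete` handler just above it; one handler on `$('.package .delete, .package .delete-version')` would remove the duplication if the extra `stopImmediatePropagation()` call is harmless for the package delete form too. The function enclosing these handlers starts before the hunk.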

+ 0 - 7
src/Packagist/WebBundle/Resources/views/Web/versionDetails.html.twig

@@ -2,13 +2,6 @@
 
 <p class="requireme">require: <input type="text" readonly="readonly" value="{{ "\"#{version.package.vendor}/#{version.package.packageName}\": \"#{version.hasVersionAlias() ? version.requireVersionAlias : version.requireVersion}\"" }}" /></p>
 
-{% if is_granted('ROLE_EDIT_PACKAGES') or version.package.maintainers.contains(app.user) %}
-<form class="action" action="{{ path("delete_version", {"versionId": version.id}) }}" method="post">
-    <input type="hidden" name="_method" value="DELETE" />
-    <input type="submit" value="Delete">
-</form>
-{% endif %}
-
 <h2 class="authors">Author{{ version.authors|length > 1 ? 's' : '' }}</h2>
 <ul>
     {% for author in version.authors %}

+ 11 - 2
src/Packagist/WebBundle/Resources/views/Web/viewPackage.html.twig

@@ -9,7 +9,7 @@
 {% endblock %}
 
 {% block scripts %}
-    <script src="{{ asset('bundles/packagistweb/js/view.js?v=10')}}"></script>
+    <script src="{{ asset('bundles/packagistweb/js/view.js?v=11')}}"></script>
 {% endblock %}
 
 {% block content %}
@@ -28,7 +28,7 @@
                 </form>
             {% endif %}
             {% if deleteForm is defined %}
-                <form class="force-delete action" action="{{ path('delete_package', {name: package.name}) }}" method="POST">
+                <form class="delete action" action="{{ path('delete_package', {name: package.name}) }}" method="POST">
                     <input type="hidden" name="_method" value="DELETE" />
                     {{ form_widget(deleteForm._token) }}
                     <input type="submit" value="Delete" />
@@ -128,6 +128,15 @@
                                     {% if version.isDevelopment %}
                                     <span class="source-reference">reference: {{ version.source.reference|prettify_source_reference }}</span>
                                     {% endif %}
+
+                                    {% if deleteForm is defined %}
+                                    <form class="action delete-version" action="{{ path("delete_version", {"versionId": version.id}) }}" method="post">
+                                        <input type="hidden" name="_method" value="DELETE" />
+                                        <input type="hidden" name="_token" value="{{ deleteVersionCsrfToken }}" />
+                                        <input type="submit" value="Delete">
+                                    </form>
+                                    {% endif %}
+
                                     <span class="release-date">{{ version.releasedAt|date("Y-m-d H:i") }} UTC</span>
                                     <span class="license{% if not version.license %} unknown{% endif %}">{{ version.license ? version.license|join(', ') : 'Unknown License' }}</span>
                                 </h1>
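Review bot: The version delete form added in the third hunk sits inside the heading closed by the `</h1>` at the end of the hunk, and a `<form>` is not phrasing content, so the markup is invalid even though browsers render it; moving the form immediately after `</h1>` (or giving the heading's trailing spans and the form a block-level wrapper) would fix this, and the `display: inline-block` rule added for `.delete-version` in main.css suggests the placement was worked around rather than chosen. Minor: `<input type="submit" value="Delete">` lacks the ` />` used on the two hidden inputs beside it and on the package delete button in the second hunk. The `deleteVersionCsrfToken` variable is assigned by the controller only when `deleteForm` is, so the `deleteForm is defined` guard covers it, but guarding on `deleteVersionCsrfToken is defined` would make the dependency visible in the template itself.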

+ 1 - 1
src/Packagist/WebBundle/Resources/views/layout.html.twig

@@ -13,7 +13,7 @@
         <link rel="shortcut icon" href="{{ asset('favicon.ico') }}" />
         <link rel="apple-touch-icon" href="{{ asset('apple-touch-icon.png') }}" />
 
-        <link rel="stylesheet" href="{{ asset('bundles/packagistweb/css/main.css?v=12') }}" />
+        <link rel="stylesheet" href="{{ asset('bundles/packagistweb/css/main.css?v=13') }}" />
         <link rel="stylesheet" href="{{ asset('css/humane/jackedup.css?v=3') }}" />
         <link rel="stylesheet" href="{{ asset('css/fontawesome/font-awesome.css') }}" />
         <!--[if lt IE 8]>