diff options
author | Frédéric Guillot <fred@kanboard.net> | 2014-11-29 17:18:23 -0500 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2014-11-29 17:18:23 -0500 |
commit | e72327d4b1fd92675372a118052f1c9847f882dc (patch) | |
tree | 8147a3ae0c6304769b8da747626467f032d1f171 /app | |
parent | 7d36747de634f7101bdaeed38e634adbc5f11b02 (diff) |
Improve session handler and add Ajax session check
Diffstat (limited to 'app')
-rw-r--r-- | app/Auth/RememberMe.php | 8 | ||||
-rw-r--r-- | app/Controller/App.php | 10 | ||||
-rw-r--r-- | app/Controller/Base.php | 7 | ||||
-rw-r--r-- | app/Controller/Board.php | 8 | ||||
-rw-r--r-- | app/Core/Session.php | 12 | ||||
-rw-r--r-- | app/Model/Acl.php | 2 | ||||
-rw-r--r-- | app/Template/layout.php | 2 | ||||
-rw-r--r-- | app/constants.php | 3 |
8 files changed, 30 insertions, 22 deletions
diff --git a/app/Auth/RememberMe.php b/app/Auth/RememberMe.php index 2585e96c..cb8a9b44 100644 --- a/app/Auth/RememberMe.php +++ b/app/Auth/RememberMe.php @@ -95,7 +95,7 @@ class RememberMe extends Base // Update the sequence $this->writeCookie( $record['token'], - $this->update($record['token'], $record['sequence']), + $this->update($record['token']), $record['expiration'] ); @@ -136,7 +136,7 @@ class RememberMe extends Base // Update the sequence $this->writeCookie( $record['token'], - $this->update($record['token'], $record['sequence']), + $this->update($record['token']), $record['expiration'] ); } @@ -237,17 +237,15 @@ class RememberMe extends Base * * @access public * @param string $token Session token - * @param string $sequence Sequence token * @return string */ - public function update($token, $sequence) + public function update($token) { $new_sequence = Security::generateToken(); $this->db ->table(self::TABLE) ->eq('token', $token) - ->eq('sequence', $sequence) ->update(array('sequence' => $new_sequence)); return $new_sequence; diff --git a/app/Controller/App.php b/app/Controller/App.php index 9ac9d012..c88fd928 100644 --- a/app/Controller/App.php +++ b/app/Controller/App.php @@ -15,6 +15,16 @@ use Helper; class App extends Base { /** + * Check if the user is connected + * + * @access public + */ + public function status() + { + $this->response->text('OK'); + } + + /** * Dashboard for the current user * * @access public diff --git a/app/Controller/Base.php b/app/Controller/Base.php index c1753c97..92a3d068 100644 --- a/app/Controller/Base.php +++ b/app/Controller/Base.php @@ -140,7 +140,7 @@ abstract class Base public function beforeAction($controller, $action) { // Start the session - $this->session->open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH); + $this->session->open(BASE_URL_DIRECTORY); // HTTP secure headers $this->response->csp(array('style-src' => "'self' 'unsafe-inline'")); @@ -161,6 +161,11 @@ abstract class Base // Authentication if (! $this->authentication->isAuthenticated($controller, $action)) { + + if ($this->request->isAjax()) { + $this->response->text('Not Authorized', 401); + } + $this->response->redirect('?controller=user&action=login&redirect_query='.urlencode($this->request->getQueryString())); } diff --git a/app/Controller/Board.php b/app/Controller/Board.php index f04e847f..7d498f81 100644 --- a/app/Controller/Board.php +++ b/app/Controller/Board.php @@ -342,7 +342,7 @@ class Board extends Base if ($project_id > 0 && $this->request->isAjax()) { if (! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) { - $this->response->status(401); + $this->response->text('Forbidden', 403); } $values = $this->request->getJson(); @@ -366,7 +366,7 @@ class Board extends Base } } else { - $this->response->status(401); + $this->response->status(403); } } @@ -383,7 +383,7 @@ class Board extends Base $timestamp = $this->request->getIntegerParam('timestamp'); if ($project_id > 0 && ! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) { - $this->response->text('Not Authorized', 401); + $this->response->text('Forbidden', 403); } if ($this->project->isModifiedSince($project_id, $timestamp)) { @@ -402,7 +402,7 @@ class Board extends Base } } else { - $this->response->status(401); + $this->response->status(403); } } diff --git a/app/Core/Session.php b/app/Core/Session.php index e50c36b3..3305eca3 100644 --- a/app/Core/Session.php +++ b/app/Core/Session.php @@ -36,14 +36,9 @@ class Session * * @access public * @param string $base_path Cookie path - * @param string $save_path Custom session save path */ - public function open($base_path = '/', $save_path = '') + public function open($base_path = '/') { - if ($save_path !== '') { - session_save_path($save_path); - } - // HttpOnly and secure flags for session cookie session_set_cookie_params( self::SESSION_LIFETIME, @@ -56,12 +51,15 @@ class Session // Avoid session id in the URL ini_set('session.use_only_cookies', '1'); + // Enable strict mode + ini_set('session.use_strict_mode', '1'); + // Ensure session ID integrity ini_set('session.entropy_file', '/dev/urandom'); ini_set('session.entropy_length', '32'); ini_set('session.hash_bits_per_character', 6); - // If session was autostarted with session.auto_start = 1 in php.ini destroy it, otherwise we cannot login + // If session was autostarted with session.auto_start = 1 in php.ini destroy it if (isset($_SESSION)) { session_destroy(); } diff --git a/app/Model/Acl.php b/app/Model/Acl.php index 4a5032d3..4a07d116 100644 --- a/app/Model/Acl.php +++ b/app/Model/Acl.php @@ -31,7 +31,7 @@ class Acl extends Base * @var array */ private $user_actions = array( - 'app' => array('index', 'preview'), + 'app' => array('index', 'preview', 'status'), 'project' => array('index', 'show', 'exporttasks', 'exportdaily', 'share', 'edit', 'update', 'users', 'remove', 'duplicate', 'disable', 'enable', 'activity', 'search', 'tasks', 'create', 'save'), 'board' => array('index', 'show', 'save', 'check', 'changeassignee', 'updateassignee', 'changecategory', 'updatecategory', 'movecolumn', 'edit', 'update', 'add', 'confirm', 'remove', 'subtasks', 'togglesubtask', 'attachments', 'comments', 'description'), 'user' => array('edit', 'forbidden', 'logout', 'show', 'external', 'unlinkgoogle', 'unlinkgithub', 'sessions', 'removesession', 'last', 'notifications', 'password'), diff --git a/app/Template/layout.php b/app/Template/layout.php index 31a4c407..562d26e1 100644 --- a/app/Template/layout.php +++ b/app/Template/layout.php @@ -24,7 +24,7 @@ <title><?= isset($title) ? Helper\escape($title) : 'Kanboard' ?></title> </head> - <body> + <body data-status-url="<?= Helper\u('app', 'status') ?>" data-login-url="<?= Helper\u('user', 'login') ?>"> <?php if (isset($no_layout) && $no_layout): ?> <?= $content_for_layout ?> <?php else: ?> diff --git a/app/constants.php b/app/constants.php index 93075892..aa417d88 100644 --- a/app/constants.php +++ b/app/constants.php @@ -1,8 +1,5 @@ <?php -// Custom session save path -defined('SESSION_SAVE_PATH') or define('SESSION_SAVE_PATH', ''); - // Application version defined('APP_VERSION') or define('APP_VERSION', 'master'); |