authorFrédéric Guillot <fred@kanboard.net>2014-11-29 17:18:23 -0500
committerFrédéric Guillot <fred@kanboard.net>2014-11-29 17:18:23 -0500
commite72327d4b1fd92675372a118052f1c9847f882dc (patch)
tree8147a3ae0c6304769b8da747626467f032d1f171 /app
parent7d36747de634f7101bdaeed38e634adbc5f11b02 (diff)
Improve session handler and add Ajax session check
Diffstat (limited to 'app')
-rw-r--r--app/Auth/RememberMe.php8
-rw-r--r--app/Controller/App.php10
-rw-r--r--app/Controller/Base.php7
-rw-r--r--app/Controller/Board.php8
-rw-r--r--app/Core/Session.php12
-rw-r--r--app/Model/Acl.php2
-rw-r--r--app/Template/layout.php2
-rw-r--r--app/constants.php3
8 files changed, 30 insertions, 22 deletions
diff --git a/app/Auth/RememberMe.php b/app/Auth/RememberMe.php
index 2585e96c..cb8a9b44 100644
--- a/app/Auth/RememberMe.php
+++ b/app/Auth/RememberMe.php
@@ -95,7 +95,7 @@ class RememberMe extends Base
// Update the sequence
$this->writeCookie(
$record['token'],
- $this->update($record['token'], $record['sequence']),
+ $this->update($record['token']),
$record['expiration']
);
@@ -136,7 +136,7 @@ class RememberMe extends Base
// Update the sequence
$this->writeCookie(
$record['token'],
- $this->update($record['token'], $record['sequence']),
+ $this->update($record['token']),
$record['expiration']
);
}
@@ -237,17 +237,15 @@ class RememberMe extends Base
*
* @access public
* @param string $token Session token
- * @param string $sequence Sequence token
* @return string
*/
- public function update($token, $sequence)
+ public function update($token)
{
$new_sequence = Security::generateToken();
$this->db
->table(self::TABLE)
->eq('token', $token)
- ->eq('sequence', $sequence)
->update(array('sequence' => $new_sequence));
return $new_sequence;
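Review bot: `update()` now rotates the sequence keyed on `token` alone, so the method itself no longer verifies that the presented sequence is the current one; whether a replayed cookie carrying a stale sequence is still rejected now rests entirely on the lookup that fills `$record` in the two callers (the hunks at lines 95 and 136 of the file), which is outside these hunks. That contract should be stated where the old `@param $sequence` line was: `* The caller must already have validated the presented sequence; this method only rotates it.` Separately, the fresh sequence is returned and written to the cookie even when no row matched the token (the `->update()` result is never inspected), which leaves the cookie holding a sequence the table does not know; checking the affected-row count before returning would make that failure visible instead of silent.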
diff --git a/app/Controller/App.php b/app/Controller/App.php
index 9ac9d012..c88fd928 100644
--- a/app/Controller/App.php
+++ b/app/Controller/App.php
@@ -15,6 +15,16 @@ use Helper;
class App extends Base
{
/**
+ * Check if the user is connected
+ *
+ * @access public
+ */
+ public function status()
+ {
+ $this->response->text('OK');
+ }
+
+ /**
* Dashboard for the current user
*
* @access public
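Review bot: The docblock on `status()` says it checks whether the user is connected, but the method body only emits `OK`; the check actually happens in `Base::beforeAction`, which in the Base.php hunk answers unauthenticated Ajax calls with 401 before any action runs, and the action is reachable only because Acl.php now lists `status` under `app`. Suggest making that explicit: `* Ajax keep-alive endpoint (presumably polled by the layout via data-status-url): reaching this action means the session is still authenticated; the check itself lives in Base::beforeAction.` Since the response is meant to be polled, it is also worth confirming that `Response::text()` sends cache-preventing headers so an intermediary cannot answer a later poll from cache — what it sets is not visible here.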
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index c1753c97..92a3d068 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -140,7 +140,7 @@ abstract class Base
public function beforeAction($controller, $action)
{
// Start the session
- $this->session->open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
+ $this->session->open(BASE_URL_DIRECTORY);
// HTTP secure headers
$this->response->csp(array('style-src' => "'self' 'unsafe-inline'"));
@@ -161,6 +161,11 @@ abstract class Base
// Authentication
if (! $this->authentication->isAuthenticated($controller, $action)) {
+
+ if ($this->request->isAjax()) {
+ $this->response->text('Not Authorized', 401);
+ }
+
$this->response->redirect('?controller=user&action=login&redirect_query='.urlencode($this->request->getQueryString()));
}
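Review bot: The new Ajax branch at lines 98-100 has no `return` after `$this->response->text('Not Authorized', 401)`, so the redirect on line 102 is skipped only if `Response::text()` terminates the request itself; the Board.php hunks are written the same way, which suggests it does, but that contract is not visible in this method and a reader cannot tell from here. Make the intent explicit, either with `return;` after the call (harmless if text() exits) or with a comment `// text() ends the response; the redirect below is for non-Ajax requests only`. A 401 sent without a `WWW-Authenticate` header is also slightly off-spec, though the `data-login-url` attribute added in layout.php suggests the client-side script handles the redirect itself. beforeAction starts and continues outside these hunks.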
diff --git a/app/Controller/Board.php b/app/Controller/Board.php
index f04e847f..7d498f81 100644
--- a/app/Controller/Board.php
+++ b/app/Controller/Board.php
@@ -342,7 +342,7 @@ class Board extends Base
if ($project_id > 0 && $this->request->isAjax()) {
if (! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) {
- $this->response->status(401);
+ $this->response->text('Forbidden', 403);
}
$values = $this->request->getJson();
@@ -366,7 +366,7 @@ class Board extends Base
}
}
else {
- $this->response->status(401);
+ $this->response->status(403);
}
}
@@ -383,7 +383,7 @@ class Board extends Base
$timestamp = $this->request->getIntegerParam('timestamp');
if ($project_id > 0 && ! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) {
- $this->response->text('Not Authorized', 401);
+ $this->response->text('Forbidden', 403);
}
if ($this->project->isModifiedSince($project_id, $timestamp)) {
@@ -402,7 +402,7 @@ class Board extends Base
}
}
else {
- $this->response->status(401);
+ $this->response->status(403);
}
}
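Review bot: The four hunks reply inconsistently to the same permission failure: lines 112 and 127 send a body with `$this->response->text('Forbidden', 403)`, while lines 120 and 135 only call `$this->response->status(403)` and fall through; unless `status()` also ends the request, the latter branches return a 403 carrying whatever body the remaining code produces. Using `$this->response->text('Forbidden', 403);` in the two `else` branches as well would make all four sites behave alike and give Ajax callers a consistent payload to test for. The enclosing methods start and end outside these hunks, so what follows the `else` branches is not visible here.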
diff --git a/app/Core/Session.php b/app/Core/Session.php
index e50c36b3..3305eca3 100644
--- a/app/Core/Session.php
+++ b/app/Core/Session.php
@@ -36,14 +36,9 @@ class Session
*
* @access public
* @param string $base_path Cookie path
- * @param string $save_path Custom session save path
*/
- public function open($base_path = '/', $save_path = '')
+ public function open($base_path = '/')
{
- if ($save_path !== '') {
- session_save_path($save_path);
- }
-
// HttpOnly and secure flags for session cookie
session_set_cookie_params(
self::SESSION_LIFETIME,
@@ -56,12 +51,15 @@ class Session
// Avoid session id in the URL
ini_set('session.use_only_cookies', '1');
+ // Enable strict mode
+ ini_set('session.use_strict_mode', '1');
+
// Ensure session ID integrity
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.entropy_length', '32');
ini_set('session.hash_bits_per_character', 6);
- // If session was autostarted with session.auto_start = 1 in php.ini destroy it, otherwise we cannot login
+ // If session was autostarted with session.auto_start = 1 in php.ini destroy it
if (isset($_SESSION)) {
session_destroy();
}
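Review bot: Dropping the `$save_path` parameter, together with the removal of `SESSION_SAVE_PATH` in constants.php, means a deployment whose config still defines that constant silently falls back to PHP's default session save path — on shared hosting that can be a directory shared with other sites — and nothing in this change tells the operator their setting is no longer honoured. If the parameter is meant to go, a release note or a one-time check that the constant is now ignored would avoid a silent downgrade in session storage. The comment on the new line 161 should say what strict mode buys: `// Reject client-supplied session ids that the server did not generate (mitigates session fixation)`. Note that `ini_set('session.use_strict_mode', '1')` only affects a session started afterwards, so the autostarted session destroyed on line 171 is not covered by it; the rest of open(), including the later session_start(), is outside the hunk.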
diff --git a/app/Model/Acl.php b/app/Model/Acl.php
index 4a5032d3..4a07d116 100644
--- a/app/Model/Acl.php
+++ b/app/Model/Acl.php
@@ -31,7 +31,7 @@ class Acl extends Base
* @var array
*/
private $user_actions = array(
- 'app' => array('index', 'preview'),
+ 'app' => array('index', 'preview', 'status'),
'project' => array('index', 'show', 'exporttasks', 'exportdaily', 'share', 'edit', 'update', 'users', 'remove', 'duplicate', 'disable', 'enable', 'activity', 'search', 'tasks', 'create', 'save'),
'board' => array('index', 'show', 'save', 'check', 'changeassignee', 'updateassignee', 'changecategory', 'updatecategory', 'movecolumn', 'edit', 'update', 'add', 'confirm', 'remove', 'subtasks', 'togglesubtask', 'attachments', 'comments', 'description'),
'user' => array('edit', 'forbidden', 'logout', 'show', 'external', 'unlinkgoogle', 'unlinkgithub', 'sessions', 'removesession', 'last', 'notifications', 'password'),
diff --git a/app/Template/layout.php b/app/Template/layout.php
index 31a4c407..562d26e1 100644
--- a/app/Template/layout.php
+++ b/app/Template/layout.php
@@ -24,7 +24,7 @@
<title><?= isset($title) ? Helper\escape($title) : 'Kanboard' ?></title>
</head>
- <body>
+ <body data-status-url="<?= Helper\u('app', 'status') ?>" data-login-url="<?= Helper\u('user', 'login') ?>">
<?php if (isset($no_layout) && $no_layout): ?>
<?= $content_for_layout ?>
<?php else: ?>
diff --git a/app/constants.php b/app/constants.php
index 93075892..aa417d88 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -1,8 +1,5 @@
<?php
-// Custom session save path
-defined('SESSION_SAVE_PATH') or define('SESSION_SAVE_PATH', '');
-
// Application version
defined('APP_VERSION') or define('APP_VERSION', 'master');