From 67b836164997527b91452b19adbcb8aa3c5decf1 Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sun, 15 May 2016 18:31:47 -0400
Subject: Refactoring: added controlled middleware and changed response class

---
 .../ApplicationAuthorizationMiddleware.php         | 27 +++++++++++
 app/Middleware/AuthenticationMiddleware.php        | 56 ++++++++++++++++++++++
 app/Middleware/BootstrapMiddleware.php             | 44 +++++++++++++++++
 app/Middleware/PostAuthenticationMiddleware.php    | 36 ++++++++++++++
 app/Middleware/ProjectAuthorizationMiddleware.php  | 34 +++++++++++++
 5 files changed, 197 insertions(+)
 create mode 100644 app/Middleware/ApplicationAuthorizationMiddleware.php
 create mode 100644 app/Middleware/AuthenticationMiddleware.php
 create mode 100644 app/Middleware/BootstrapMiddleware.php
 create mode 100644 app/Middleware/PostAuthenticationMiddleware.php
 create mode 100644 app/Middleware/ProjectAuthorizationMiddleware.php

(limited to 'app/Middleware')

diff --git a/app/Middleware/ApplicationAuthorizationMiddleware.php b/app/Middleware/ApplicationAuthorizationMiddleware.php
new file mode 100644
index 00000000..faca2d6a
--- /dev/null
+++ b/app/Middleware/ApplicationAuthorizationMiddleware.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace Kanboard\Middleware;
+
+use Kanboard\Core\Controller\AccessForbiddenException;
+use Kanboard\Core\Controller\BaseMiddleware;
+
+/**
+ * Class ApplicationAuthorizationMiddleware
+ *
+ * @package Kanboard\Middleware
+ * @author  Frederic Guillot
+ */
+class ApplicationAuthorizationMiddleware extends BaseMiddleware
+{
+    /**
+     * Execute middleware
+     */
+    public function execute()
+    {
+        if (! $this->helper->user->hasAccess($this->router->getController(), $this->router->getAction())) {
+            throw new AccessForbiddenException();
+        }
+
+        $this->next();
+    }
+}
diff --git a/app/Middleware/AuthenticationMiddleware.php b/app/Middleware/AuthenticationMiddleware.php
new file mode 100644
index 00000000..a31198a5
--- /dev/null
+++ b/app/Middleware/AuthenticationMiddleware.php
@@ -0,0 +1,56 @@
+<?php
+
+namespace Kanboard\Middleware;
+
+use Kanboard\Core\Controller\AccessForbiddenException;
+use Kanboard\Core\Controller\BaseMiddleware;
+use Kanboard\Core\Security\Role;
+
+/**
+ * Class AuthenticationMiddleware
+ *
+ * @package Kanboard\Middleware
+ * @author  Frederic Guillot
+ */
+class AuthenticationMiddleware extends BaseMiddleware
+{
+    /**
+     * Execute middleware
+     */
+    public function execute()
+    {
+        if (! $this->authenticationManager->checkCurrentSession()) {
+            throw AccessForbiddenException::getInstance()->withoutLayout();
+        }
+
+        if (! $this->isPublicAccess()) {
+            $this->handleAuthentication();
+        }
+
+        $this->next();
+    }
+
+    protected function handleAuthentication()
+    {
+        if (! $this->userSession->isLogged() && ! $this->authenticationManager->preAuthentication()) {
+            $this->setNextMiddleware(null);
+
+            if ($this->request->isAjax()) {
+                $this->response->text('Not Authorized', 401);
+            } else {
+                $this->sessionStorage->redirectAfterLogin = $this->request->getUri();
+                $this->response->redirect($this->helper->url->to('auth', 'login'));
+            }
+        }
+    }
+
+    private function isPublicAccess()
+    {
+        if ($this->applicationAuthorization->isAllowed($this->router->getController(), $this->router->getAction(), Role::APP_PUBLIC)) {
+            $this->setNextMiddleware(null);
+            return true;
+        }
+
+        return false;
+    }
+}
diff --git a/app/Middleware/BootstrapMiddleware.php b/app/Middleware/BootstrapMiddleware.php
new file mode 100644
index 00000000..c9de1de9
--- /dev/null
+++ b/app/Middleware/BootstrapMiddleware.php
@@ -0,0 +1,44 @@
+<?php
+
+namespace Kanboard\Middleware;
+
+use Kanboard\Core\Controller\BaseMiddleware;
+
+/**
+ * Class BootstrapMiddleware
+ *
+ * @package Kanboard\Middleware
+ * @author  Frederic Guillot
+ */
+class BootstrapMiddleware extends BaseMiddleware
+{
+    /**
+     * Execute middleware
+     */
+    public function execute()
+    {
+        $this->sessionManager->open();
+        $this->dispatcher->dispatch('app.bootstrap');
+        $this->sendHeaders();
+        $this->next();
+    }
+
+    /**
+     * Send HTTP headers
+     *
+     * @access private
+     */
+    private function sendHeaders()
+    {
+        $this->response->withContentSecurityPolicy($this->container['cspRules']);
+        $this->response->withSecurityHeaders();
+
+        if (ENABLE_XFRAME && $this->router->getAction() !== 'readonly') {
+            $this->response->withXframe();
+        }
+
+        if (ENABLE_HSTS) {
+            $this->response->withStrictTransportSecurity();
+        }
+    }
+}
diff --git a/app/Middleware/PostAuthenticationMiddleware.php b/app/Middleware/PostAuthenticationMiddleware.php
new file mode 100644
index 00000000..8287c10e
--- /dev/null
+++ b/app/Middleware/PostAuthenticationMiddleware.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace Kanboard\Middleware;
+
+use Kanboard\Core\Controller\BaseMiddleware;
+
+/**
+ * Class PostAuthenticationMiddleware
+ *
+ * @package Kanboard\Middleware
+ * @author  Frederic Guillot
+ */
+class PostAuthenticationMiddleware extends BaseMiddleware
+{
+    /**
+     * Execute middleware
+     */
+    public function execute()
+    {
+        $controller = strtolower($this->router->getController());
+        $action = strtolower($this->router->getAction());
+        $ignore = ($controller === 'twofactor' && in_array($action, array('code', 'check'))) || ($controller === 'auth' && $action === 'logout');
+
+        if ($ignore === false && $this->userSession->hasPostAuthentication() && ! $this->userSession->isPostAuthenticationValidated()) {
+            $this->setNextMiddleware(null);
+
+            if ($this->request->isAjax()) {
+                $this->response->text('Not Authorized', 401);
+            }
+
+            $this->response->redirect($this->helper->url->to('twofactor', 'code'));
+        }
+
+        $this->next();
+    }
+}
diff --git a/app/Middleware/ProjectAuthorizationMiddleware.php b/app/Middleware/ProjectAuthorizationMiddleware.php
new file mode 100644
index 00000000..6000ee0e
--- /dev/null
+++ b/app/Middleware/ProjectAuthorizationMiddleware.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace Kanboard\Middleware;
+
+use Kanboard\Core\Controller\AccessForbiddenException;
+use Kanboard\Core\Controller\BaseMiddleware;
+
+/**
+ * Class ProjectAuthorizationMiddleware
+ *
+ * @package Kanboard\Middleware
+ * @author  Frederic Guillot
+ */
+class ProjectAuthorizationMiddleware extends BaseMiddleware
+{
+    /**
+     * Execute middleware
+     */
+    public function execute()
+    {
+        $project_id = $this->request->getIntegerParam('project_id');
+        $task_id = $this->request->getIntegerParam('task_id');
+
+        if ($task_id > 0 && $project_id === 0) {
+            $project_id = $this->taskFinder->getProjectId($task_id);
+        }
+
+        if ($project_id > 0 && ! $this->helper->user->hasProjectAccess($this->router->getController(), $this->router->getAction(), $project_id)) {
+            throw new AccessForbiddenException();
+        }
+
+        $this->next();
+    }
+}
-- 
cgit v1.2.3