Resolved merge conflicts for merging cc-5709-airtime-analyzer into saas.

2014-10-10 19:57:22 +00:00 · 2014-10-10 19:57:22 +00:00 · 9fb35c448e
commit 9fb35c448e
parent 0196aa21f5 081ca0a6a4
24 changed files with 165 additions and 106 deletions
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@ -61,6 +61,7 @@ class LoginController extends Zend_Controller_Action
                
                $result = $auth->authenticate($authAdapter);
                if ($result->isValid()) {
+                    Zend_Session::regenerateId();
                    //all info about this user from the login table omit only the password
                    $userInfo = $authAdapter->getResultRowObject(null, 'password');

@ -81,6 +82,7 @@ class LoginController extends Zend_Controller_Action
                    $auth = Zend_Auth::getInstance();
                    $result = $auth->authenticate($authAdapter);
                    if ($result->isValid()) {
+                        Zend_Session::regenerateId();
                        //set the user locale in case user changed it in when logging in
                        Application_Model_Preference::SetUserLocale($locale);
                        
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@ -30,6 +30,33 @@ class PluploadController extends Zend_Controller_Action
        if (Application_Model_Systemstatus::isDiskOverQuota()) {
            $this->view->quotaLimitReached = true;
        }
+
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_namespace->setExpirationSeconds(5*60*60);
+        $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+
+        $csrf_element = new Zend_Form_Element_Hidden('csrf');
+        $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+        $csrf_form = new Zend_Form();
+        $csrf_form->addElement($csrf_element);
+        $this->view->form = $csrf_form;
+    }
+
+    public function uploadAction()
+    {
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $this->_getParam('csrf_token');
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
+            $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
+            $tempFileName = basename($tempFilePath);
+         
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+        }else{
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+        }
    }

    public function recentUploadsAction()
--- a/airtime_mvc/application/controllers/PreferenceController.php
+++ b/airtime_mvc/application/controllers/PreferenceController.php
@ -171,6 +171,10 @@ class PreferenceController extends Zend_Controller_Action
        $num_of_stream = intval(Application_Model_Preference::GetNumOfStreams());
        $form = new Application_Form_StreamSetting();

+        $form->addElement('hash', 'csrf', array(
+           'salt' => 'unique'
+        ));
+
        $form->setSetting($setting);
        $form->startFrom();

--- a/airtime_mvc/application/forms/AddUser.php
+++ b/airtime_mvc/application/forms/AddUser.php
@ -21,6 +21,10 @@ class Application_Form_AddUser extends Zend_Form
        $hidden->setDecorators(array('ViewHelper'));
        $this->addElement($hidden);

+        $this->addElement('hash', 'csrf', array(
+           'salt' => 'unique'
+        ));
+
        $login = new Zend_Form_Element_Text('login');
        $login->setLabel(_('Username:'));
        $login->setAttrib('class', 'input_text');
--- a/airtime_mvc/application/forms/EditUser.php
+++ b/airtime_mvc/application/forms/EditUser.php
@ -22,6 +22,10 @@ class Application_Form_EditUser extends Zend_Form
        $this->setDecorators(array(
                array('ViewScript', array('viewScript' => 'form/edit-user.phtml', "currentUser" => $currentUser->getLogin()))));
        $this->setAttrib('id', 'current-user-form');
+
+        $this->addElement('hash', 'csrf', array(
+           'salt' => 'unique'
+        ));
        
        $hidden = new Zend_Form_Element_Hidden('cu_user_id');
        $hidden->setDecorators(array('ViewHelper'));
--- a/airtime_mvc/application/forms/Login.php
+++ b/airtime_mvc/application/forms/Login.php
@ -10,6 +10,10 @@ class Application_Form_Login extends Zend_Form
        // Set the method for the display form to POST
        $this->setMethod('post');

+        $this->addElement('hash', 'csrf', array(
+           'salt' => 'unique'
+        ));
+
        $this->setDecorators(array(
            array('ViewScript', array('viewScript' => 'form/login.phtml'))
        ));
--- a/airtime_mvc/application/forms/Preferences.php
+++ b/airtime_mvc/application/forms/Preferences.php
@ -13,6 +13,14 @@ class Application_Form_Preferences extends Zend_Form
        ));

        $general_pref = new Application_Form_GeneralPreferences();
+
+        $this->addElement('hash', 'csrf', array(
+           'salt' => 'unique',
+           'decorators' => array(
+                'ViewHelper'
+            )
+        ));
+
        $this->addSubForm($general_pref, 'preferences_general');

        $soundcloud_pref = new Application_Form_SoundcloudPreferences();
--- a/airtime_mvc/application/views/scripts/form/edit-user.phtml
+++ b/airtime_mvc/application/views/scripts/form/edit-user.phtml
@ -166,6 +166,7 @@
                </ul>
            <?php endif; ?> 
        </dd>
+        <?php echo $this->element->getElement('csrf') ?>
    </dl>
    <button type="submit" id="cu_save_user" class="btn btn-small right-floated"><?php echo _("Save")?></button>
 </form>
--- a/airtime_mvc/application/views/scripts/form/login.phtml
+++ b/airtime_mvc/application/views/scripts/form/login.phtml
@ -27,6 +27,8 @@
    <dd id="locale-element">
      <?php echo $this->element->getElement('locale') ?>
    </dd>
+
+    <?php echo $this->element->getElement('csrf') ?>
    
    <?php if (Application_Model_Preference::GetEnableSystemEmail()): ?>
        <dt id="reset-label" class="hidden">&nbsp;</dt>
--- a/airtime_mvc/application/views/scripts/form/preferences.phtml
+++ b/airtime_mvc/application/views/scripts/form/preferences.phtml
@ -1,5 +1,5 @@
 <form method="<?php echo $this->element->getMethod() ?>" enctype="multipart/form-data">
-
+    <?php echo $this->element->getElement('csrf') ?>
    <?php echo $this->element->getSubform('preferences_general') ?>

    <h3 class="collapsible-header" id="soundcloud-heading"><span class="arrow-icon"></span><? echo _("SoundCloud Settings") ?></h3>
--- a/airtime_mvc/application/views/scripts/plupload/index.phtml
+++ b/airtime_mvc/application/views/scripts/plupload/index.phtml
@ -2,6 +2,7 @@
 #plupload_files input[type="file"] {
    font-size: 200px !important;
 }
+<<<<<<< HEAD
 </style>
 <?php if ($this->quotaLimitReached) { ?>
    <div class="errors quota-reached">
@ -11,7 +12,8 @@
 }
 ?>
 <form id="plupload_form" <?php if ($this->quotaLimitReached) { ?> class="hidden" <?php } ?>>
-	<div id="plupload_files"></div>	
+    <?php echo $this->form->getElement('csrf') ?>
+    <div id="plupload_files"></div>	
 </form>
 <div id="plupload_error">
 	<table></table>
--- a/airtime_mvc/application/views/scripts/preference/stream-setting.phtml
+++ b/airtime_mvc/application/views/scripts/preference/stream-setting.phtml
@ -4,6 +4,7 @@
    <?php if($this->enable_stream_conf == "true"){?>
    <form method="post" id="stream_form" enctype="application/x-www-form-urlencoded">
    <button name="stream_save" id="stream_save" type="button" class="btn btn-small right-floated"><?php echo _("Save") ?></button>
+    <?php echo $this->form->getElement('csrf') ?>
    <div style="clear:both"></div>
    <?php }?>
  <?php echo $this->statusMsg;?>