
LUTECE-2184 : Add CSRF protection to portlet creation and modification #136


Expand Up @@ -84,6 +84,12 @@ public int getAliasId( )
@Override
public boolean isContentGeneratedByXmlAndXsl( )
{
if ( getAliasId( ) == 0 )
{
// alias Id not yet set. We don't yet know how we're generated
// saying false means we don't yet need a styleId
return false;
}
Portlet portletParent = PortletHome.findByPrimaryKey( getAliasId( ) );
return portletParent.isContentGeneratedByXmlAndXsl( );
}
Expand Up @@ -60,11 +60,7 @@ public class AliasPortletJspBean extends PortletJspBean
// Right
public static final String RIGHT_MANAGE_ADMIN_SITE = "CORE_ADMIN_SITE";
private static final long serialVersionUID = 1894295808070813451L;
private static final String PARAM_PORTLET_NAME = "portlet_name";
private static final String PARAM_ORDER = "order";
private static final String PARAM_COLUMN = "column";
private static final String PARAM_ALIAS_ID = "alias_id";
private static final String PARAM_ACCEPT_ALIAS = "accept_alias";
private static final String MARK_ALIAS_PORTLETS_LIST = "alias_portlets_list";
private static final String MARK_ALIAS_PORTLET = "alias_portlet";
private static final String LABEL_ALIAS_PORTLET_NAME = "portal.site.portlet_alias.portlet.name.label";
Expand All @@ -87,33 +83,14 @@ public String doCreate( HttpServletRequest request )
{
return AdminMessageService.getMessageUrl( request, Messages.MANDATORY_FIELDS, AdminMessage.TYPE_STOP );
}

// Gets the parameters of the alias portlet posted in the request
String strName = request.getParameter( PARAM_PORTLET_NAME );

// mandatory field
if ( ( strName == null ) || strName.trim( ).equals( "" ) )
String strError = setPortletCommonData( request, aliasPortlet );
if ( strError != null )
{
return AdminMessageService.getMessageUrl( request, Messages.MANDATORY_FIELDS, AdminMessage.TYPE_STOP );
return strError;
}

String strOrder = request.getParameter( PARAM_ORDER );
int nOrder = Integer.parseInt( strOrder );
String strColumn = request.getParameter( PARAM_COLUMN );
int nColumn = Integer.parseInt( strColumn );
String strAcceptAlias = request.getParameter( PARAM_ACCEPT_ALIAS );
int nAcceptAlias = Integer.parseInt( strAcceptAlias );
aliasPortlet.setName( strName );
aliasPortlet.setOrder( nOrder );
aliasPortlet.setColumn( nColumn );
aliasPortlet.setAcceptAlias( nAcceptAlias );

String strPageId = request.getParameter( PARAMETER_PAGE_ID );
int nPageId = Integer.parseInt( strPageId );
int nAliasId = Integer.parseInt( strAliasId );
aliasPortlet.setPageId( nPageId );
aliasPortlet.setAliasId( nAliasId );

// gets the style of the parent portlet
Portlet portlet = PortletHome.findByPrimaryKey( nAliasId );
aliasPortlet.setStyleId( portlet.getStyleId( ) );
Expand All @@ -122,7 +99,7 @@ public String doCreate( HttpServletRequest request )
AliasPortletHome.getInstance( ).create( aliasPortlet );

// Displays the page with the new portlet
return getPageUrl( nPageId );
return getPageUrl( aliasPortlet.getPageId( ) );
}

/**
Expand All @@ -139,24 +116,14 @@ public String doModify( HttpServletRequest request )
String strPortletId = request.getParameter( PARAMETER_PORTLET_ID );
int nPortletId = Integer.parseInt( strPortletId );
AliasPortlet portlet = (AliasPortlet) AliasPortletHome.findByPrimaryKey( nPortletId );

// Gets the parameters of the alias portlet posted in the request
String strName = request.getParameter( PARAM_PORTLET_NAME );
String strOrder = request.getParameter( PARAM_ORDER );
int nOrder = Integer.parseInt( strOrder );
String strColumn = request.getParameter( PARAM_COLUMN );
int nColumn = Integer.parseInt( strColumn );

// mandatory field
if ( ( strName == null ) || strName.trim( ).equals( "" ) )
// detach from previous portlet. Allows to not care about style id
portlet.setAliasId( 0 );
String strError = setPortletCommonData( request, portlet );
if ( strError != null )
{
return AdminMessageService.getMessageUrl( request, Messages.MANDATORY_FIELDS, AdminMessage.TYPE_STOP );
return strError;
}

portlet.setName( strName );
portlet.setOrder( nOrder );
portlet.setColumn( nColumn );

String strIdAlias = request.getParameter( PARAM_ALIAS_ID );
int nIdAlias = Integer.parseInt( strIdAlias );
portlet.setAliasId( nIdAlias );
27 changes: 25 additions & 2 deletions src/java/fr/paris/lutece/portal/web/portlet/PortletJspBean.java
Expand Up @@ -39,9 +39,12 @@
import fr.paris.lutece.portal.business.portlet.PortletType;
import fr.paris.lutece.portal.business.portlet.PortletTypeHome;
import fr.paris.lutece.portal.business.role.RoleHome;
import fr.paris.lutece.portal.service.admin.AccessDeniedException;
import fr.paris.lutece.portal.service.message.AdminMessage;
import fr.paris.lutece.portal.service.message.AdminMessageService;
import fr.paris.lutece.portal.service.security.SecurityTokenService;
import fr.paris.lutece.portal.service.template.AppTemplateService;
import fr.paris.lutece.portal.service.util.AppException;
import fr.paris.lutece.portal.service.util.AppLogService;
import fr.paris.lutece.portal.service.util.AppPropertiesService;
import fr.paris.lutece.portal.web.admin.AdminFeaturesPageJspBean;
Expand All @@ -56,9 +59,12 @@

import javax.servlet.http.HttpServletRequest;

import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/**
* This class represents user interface Portlet. It is the base class of all user interface portlets. It is abstract and the implementation of the interface
* PortletJspBeanInterface is compulsary.
* PortletJspBeanInterface is compulsory.
*/
public abstract class PortletJspBean extends AdminFeaturesPageJspBean
{
Expand Down Expand Up @@ -240,7 +246,11 @@ protected String setPortletCommonData( HttpServletRequest request, Portlet portl

return AdminMessageService.getMessageUrl( request, MESSAGE_INVALID_PAGE_ID, AdminMessage.TYPE_STOP );
}

if ( !SecurityTokenService.getInstance( ).validate( request, TEMPLATE_CREATE_PORTLET ) )
{
// FIXME we wrap the AccessDeniedException so as to to break the API
throw new AppException( "Invalid security token", new AccessDeniedException( "Invalid security token" ) );
}
int nOrder = Integer.parseInt( strOrder );
int nColumn = Integer.parseInt( strColumn );
int nAcceptAlias = Integer.parseInt( strAcceptAlias );
Expand Down Expand Up @@ -321,6 +331,7 @@ protected HtmlTemplate getCreateTemplate( String strPageId, String strPortletTyp
model.put( MARK_PORTLET_COLUMNS_COMBO, getColumnsList( ) );
model.put( MARK_PORTLET_STYLES_COMBO, PortletHome.getStylesList( strPortletTypeId ) );
model.put( MARK_PORTLET_ROLES_COMBO, RoleHome.getRolesList( getUser( ) ) );
model.put( SecurityTokenService.MARK_TOKEN, SecurityTokenService.getInstance( ).getToken( getRequest( ), TEMPLATE_CREATE_PORTLET ) );

HtmlTemplate template = AppTemplateService.getTemplate( TEMPLATE_CREATE_PORTLET, locale, model );

Expand Down Expand Up @@ -362,6 +373,7 @@ protected HtmlTemplate getModifyTemplate( Portlet portlet, Map<String, Object> m
putCheckBox( model, MARK_NORMAL_CHECKED, portlet.hasDeviceDisplayFlag( Portlet.FLAG_DISPLAY_ON_NORMAL_DEVICE ) );
putCheckBox( model, MARK_LARGE_CHECKED, portlet.hasDeviceDisplayFlag( Portlet.FLAG_DISPLAY_ON_LARGE_DEVICE ) );
putCheckBox( model, MARK_XLARGE_CHECKED, portlet.hasDeviceDisplayFlag( Portlet.FLAG_DISPLAY_ON_XLARGE_DEVICE ) );
model.put( SecurityTokenService.MARK_TOKEN, SecurityTokenService.getInstance( ).getToken( getRequest( ), TEMPLATE_CREATE_PORTLET ) );

HtmlTemplate template = AppTemplateService.getTemplate( TEMPLATE_MODIFY_PORTLET, getLocale( ), model );

Expand Down Expand Up @@ -395,4 +407,15 @@ protected String getPageUrl( int nIdPage )
{
return JSP_ADMIN_SITE + "?" + PARAMETER_PAGE_ID + "=" + nIdPage;
}

/**
* Gets the current request
*
* @return the current request
*/
private HttpServletRequest getRequest( )
{
ServletRequestAttributes sra = ( ServletRequestAttributes ) RequestContextHolder.getRequestAttributes( );
return sra.getRequest( );
}
}
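Review bot: The `validate` call added in setPortletCommonData sits after the page-id check, which has already returned an AdminMessage URL for bad input before the token is examined, so a request carrying no valid token still receives field-level validation feedback; the token check belongs at the top of the method, before the first `request.getParameter` is parsed, so that it is the first gate (setPortletCommonData starts and ends outside the hunk). Both getCreateTemplate and getModifyTemplate issue the token under TEMPLATE_CREATE_PORTLET, which matches the single `validate( request, TEMPLATE_CREATE_PORTLET )`, but in getModifyTemplate a comment such as `// deliberately keyed on TEMPLATE_CREATE_PORTLET: setPortletCommonData validates both forms against it` would stop a later edit to TEMPLATE_MODIFY_PORTLET from silently breaking validation. getRequest( ) casts the result of RequestContextHolder.getRequestAttributes( ) without a null check, so a call outside a request-bound thread fails with a NullPointerException; `Objects.requireNonNull( RequestContextHolder.getRequestAttributes( ), "no request bound to the current thread" )` makes that precondition explicit. The FIXME comment reads 'so as to to break the API' and presumably means 'so as not to break the API'.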