classes/plugin/Router.php

<?php

/**
 * @package    Grav\Plugin\Admin
 *
 * @copyright  Copyright (c) 2015 - 2024 Trilby Media, LLC. All rights reserved.
 * @license    MIT License; see LICENSE file for details.
 */

namespace Grav\Plugin\Admin;

use Grav\Common\Grav;
use Grav\Common\Processors\ProcessorBase;
use Grav\Framework\Route\Route;
use Grav\Plugin\Admin\Routers\LoginRouter;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

class Router extends ProcessorBase
{
    public $id = 'admin_router';
    public $title = 'Admin Panel';

    /** @var Admin */
    protected $admin;

    public function __construct(Grav $container, Admin $admin)
    {
        parent::__construct($container);

        $this->admin = $admin;
    }

    /**
     * Handle routing to the dashboard, group and build objects.
     *
     * @param ServerRequestInterface $request
     * @param RequestHandlerInterface $handler
     * @return ResponseInterface
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
    {
        $this->startTimer();

        $context = $request->getAttributes();
        $query = $request->getQueryParams();

        /** @var Route $route */
        $route = $context['route'];
        $normalized = mb_strtolower(trim($route->getRoute(), '/'));
        $parts = explode('/', $normalized);
        array_shift($parts); // Admin path
        $routeStr = implode('/', $parts);
        $view = array_shift($parts);
        $path = implode('/', $parts);
        $task = $this->container['task'] ?? $query['task'] ?? null;
        $action = $this->container['action'] ?? $query['action'] ?? null;

        $params = ['view' => $view, 'route' => $routeStr, 'path' => $path, 'parts' => $parts, 'task' => $task, 'action' => $action];
        $request = $request->withAttribute('admin', $params);

        // Run login controller if user isn't fully logged in or asks to logout.
        $user = $this->admin->user;
        if (!$user->authorized || !$user->authorize('admin.login')) {
            $params = (new LoginRouter())->matchServerRequest($request);
            $request = $request->withAttribute('admin', $params + $request->getAttribute('admin'));
        }

        $this->admin->request = $request;

        $response = $handler->handle($request);

        $this->stopTimer();

        // Never allow admin pages to be rendered in <frame>, <iframe>, <embed> or <object> for improved security.
        return $response->withHeader('X-Frame-Options', 'DENY');
    }
}
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`<?php`

copyright dates 2023-01-02 11:17:40 -07:00			`/**`
			`* @package Grav\Plugin\Admin`
			`*`
update copyright date 2024-01-05 11:50:46 +00:00			`* @copyright Copyright (c) 2015 - 2024 Trilby Media, LLC. All rights reserved.`
copyright dates 2023-01-02 11:17:40 -07:00			`* @license MIT License; see LICENSE file for details.`
			`*/`

WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`namespace Grav\Plugin\Admin;`

Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`use Grav\Common\Grav;`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`use Grav\Common\Processors\ProcessorBase;`
			`use Grav\Framework\Route\Route;`
Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`use Grav\Plugin\Admin\Routers\LoginRouter;`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`use Psr\Http\Message\ResponseInterface;`
			`use Psr\Http\Message\ServerRequestInterface;`
			`use Psr\Http\Server\RequestHandlerInterface;`

			`class Router extends ProcessorBase`
			`{`
			`public $id = 'admin_router';`
			`public $title = 'Admin Panel';`

Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`/** @var Admin */`
			`protected $admin;`

			`public function __construct(Grav $container, Admin $admin)`
			`{`
			`parent::__construct($container);`

			`$this->admin = $admin;`
			`}`

WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`/**`
			`* Handle routing to the dashboard, group and build objects.`
			`*`
			`* @param ServerRequestInterface $request`
			`* @param RequestHandlerInterface $handler`
			`* @return ResponseInterface`
			`*/`
			`public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface`
			`{`
			`$this->startTimer();`

			`$context = $request->getAttributes();`
Include query param `task` into task checks 2021-03-26 18:15:42 +02:00			`$query = $request->getQueryParams();`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00
			`/** @var Route $route */`
			`$route = $context['route'];`
			`$normalized = mb_strtolower(trim($route->getRoute(), '/'));`
			`$parts = explode('/', $normalized);`
Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`array_shift($parts); // Admin path`
			`$routeStr = implode('/', $parts);`
			`$view = array_shift($parts);`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`$path = implode('/', $parts);`
Include query param `task` into task checks 2021-03-26 18:15:42 +02:00			`$task = $this->container['task'] ?? $query['task'] ?? null;`
			`$action = $this->container['action'] ?? $query['action'] ?? null;`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00
Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`$params = ['view' => $view, 'route' => $routeStr, 'path' => $path, 'parts' => $parts, 'task' => $task, 'action' => $action];`
			`$request = $request->withAttribute('admin', $params);`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00
Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`// Run login controller if user isn't fully logged in or asks to logout.`
			`$user = $this->admin->user;`
			`if (!$user->authorized \|\| !$user->authorize('admin.login')) {`
			`$params = (new LoginRouter())->matchServerRequest($request);`
			`$request = $request->withAttribute('admin', $params + $request->getAttribute('admin'));`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`}`

Greatly improve login related actions for Admin * Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it 2021-03-26 14:39:37 +02:00			`$this->admin->request = $request;`

			`$response = $handler->handle($request);`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00
			`$this->stopTimer();`

Post merge conflicts 2020-12-01 09:51:43 +02:00			`// Never allow admin pages to be rendered in <frame>, <iframe>, <embed> or <object> for improved security.`
Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack 2021-09-01 13:17:21 +03:00			`return $response->withHeader('X-Frame-Options', 'DENY');`
WIP: Added new controller for admin 2019-06-18 12:08:57 +03:00			`}`
			`}`