Greatly improve login related actions for Admin

* Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it
2026-05-07 10:47:09 +02:00 · 2021-03-26 14:39:37 +02:00
parent e14e72958f
commit aa4f80eec1
22 changed files with 1930 additions and 663 deletions
--- a/classes/plugin/AdminFormFactory.php
+++ b/classes/plugin/AdminFormFactory.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Grav\Plugin\Admin;
+
+use Grav\Common\Grav;
+use Grav\Common\Page\Interfaces\PageInterface;
+use Grav\Common\Page\Page;
+use Grav\Framework\Form\Interfaces\FormFactoryInterface;
+use Grav\Framework\Form\Interfaces\FormInterface;
+
+/**
+ * Class FlexFormFactory
+ * @package Grav\Plugin\FlexObjects
+ */
+class AdminFormFactory implements FormFactoryInterface
+{
+    /**
+     * @param Page $page
+     * @param string $name
+     * @param array $form
+     * @return FormInterface|null
+     */
+    public function createPageForm(Page $page, string $name, array $form): ?FormInterface
+    {
+        return $this->createFormForPage($page, $name, $form);
+    }
+
+    /**
+     * @param PageInterface $page
+     * @param string $name
+     * @param array $form
+     * @return FormInterface|null
+     */
+    public function createFormForPage(PageInterface $page, string $name, array $form): ?FormInterface
+    {
+        /** @var Admin|null $admin */
+        $admin = Grav::instance()['admin'] ?? null;
+        $object = $admin->form ?? null;
+
+        return $object && $object->getName() === $name ? $object : null;
+    }
+}