mirror of
https://github.com/getgrav/grav-plugin-admin.git
synced 2025-11-01 10:56:08 +01:00
aa4f80eec1
* Better isolate admin to prevent session related vulnerabilities * Removed support for custom login redirects for improved security * Shorten forgot password link lifetime from 7 days to 1 hour * Fixed login related pages being accessible from admin when user has logged in * Fixed admin user creation and password reset allowing unsafe passwords * Fixed missing validation when registering the first admin user * Fixed reset password email not to have session specific token in it
72 lines
2.3 KiB
PHP
72 lines
2.3 KiB
PHP
<?php
|
|
|
|
namespace Grav\Plugin\Admin;
|
|
|
|
use Grav\Common\Grav;
|
|
use Grav\Common\Processors\ProcessorBase;
|
|
use Grav\Framework\Route\Route;
|
|
use Grav\Plugin\Admin\Routers\LoginRouter;
|
|
use Psr\Http\Message\ResponseInterface;
|
|
use Psr\Http\Message\ServerRequestInterface;
|
|
use Psr\Http\Server\RequestHandlerInterface;
|
|
|
|
class Router extends ProcessorBase
|
|
{
|
|
public $id = 'admin_router';
|
|
public $title = 'Admin Panel';
|
|
|
|
/** @var Admin */
|
|
protected $admin;
|
|
|
|
public function __construct(Grav $container, Admin $admin)
|
|
{
|
|
parent::__construct($container);
|
|
|
|
$this->admin = $admin;
|
|
}
|
|
|
|
/**
|
|
* Handle routing to the dashboard, group and build objects.
|
|
*
|
|
* @param ServerRequestInterface $request
|
|
* @param RequestHandlerInterface $handler
|
|
* @return ResponseInterface
|
|
*/
|
|
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
|
|
{
|
|
$this->startTimer();
|
|
|
|
$context = $request->getAttributes();
|
|
|
|
/** @var Route $route */
|
|
$route = $context['route'];
|
|
$normalized = mb_strtolower(trim($route->getRoute(), '/'));
|
|
$parts = explode('/', $normalized);
|
|
array_shift($parts); // Admin path
|
|
$routeStr = implode('/', $parts);
|
|
$view = array_shift($parts);
|
|
$path = implode('/', $parts);
|
|
$task = $this->container['task'] ?? null;
|
|
$action = $this->container['action'] ?? null;
|
|
|
|
$params = ['view' => $view, 'route' => $routeStr, 'path' => $path, 'parts' => $parts, 'task' => $task, 'action' => $action];
|
|
$request = $request->withAttribute('admin', $params);
|
|
|
|
// Run login controller if user isn't fully logged in or asks to logout.
|
|
$user = $this->admin->user;
|
|
if (!$user->authorized || !$user->authorize('admin.login')) {
|
|
$params = (new LoginRouter())->matchServerRequest($request);
|
|
$request = $request->withAttribute('admin', $params + $request->getAttribute('admin'));
|
|
}
|
|
|
|
$this->admin->request = $request;
|
|
|
|
$response = $handler->handle($request);
|
|
|
|
$this->stopTimer();
|
|
|
|
// Never allow admin pages to be rendered in <frame>, <iframe>, <embed> or <object> for improved security.
|
|
return $response->withHeader('X-Frame-Options', 'NONE');
|
|
}
|
|
}
|