
Added a field check for page edits to make sure unnecessary fields are not being added.

tags/b2.2.3^2
Ro 1 month ago
parent
commit
934d29f4cf
2 changed files with 38 additions and 2 deletions
  1. +35
    -1
      brain/api/v1/PagesAPI.inc.php
  2. +3
    -1
      brain/data/Book.inc.php

+ 35
- 1
brain/api/v1/PagesAPI.inc.php View File

@@ -105,6 +105,7 @@ class PagesAPI
case "create":
case "write":
$body = $request->getParsedBody();
$passed = true;
if (!isset($body["form_token"])) {
$result = [
"message" => "No form token. Not good, sport.",
@@ -113,7 +114,40 @@ class PagesAPI
} else {
if ($body["form_token"] == Session::get("form_token")) {
//TODO: Verify form fields
$result = (new Book("../content/pages"))->editPage($task, $request);
$keys = [
"id",
"uuid",
"layout",
"current_title",
"content",
"title",
"created",
"slug",
"tags",
"menu",
"featured",
"published",
"form_token",
"feature_image",
];

foreach ($body as $key => $item) {
if (!in_array($key, $keys)) {
//found unnecessary key, so reject submission
$passed = false;
}
}
if ($passed) {
$result = (new Book("../content/pages"))->editPage(
$task,
$request
);
} else {
$result = [
"message" => "Form token, auth failed. Uh oh.",
"type" => "TASK_FORM_AUTH",
];
}
} else {
$result = [
"message" => "Form token, auth failed. Uh oh.",
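Review bot: The new whitelist loop calls `in_array($key, $keys)` without `strict: true`, so the comparison is loose; on PHP 7 an integer body key such as `0` loosely equals every non-numeric string in `$keys` and would pass the check, and `if (!in_array($key, $keys, true)) {` closes that. The reject branch reuses the token-mismatch message and type (`"Form token, auth failed. Uh oh."`, `TASK_FORM_AUTH`), so a client or a log cannot tell an unexpected field from a bad token; give it its own message and type value. The `//TODO: Verify form fields` comment just above `$keys` is implemented by this change and should be removed, and a `break;` after `$passed = false;` would stop the scan at the first rejected key. The token comparison on the context line above uses `==`; that predates this commit, but `hash_equals()` is the safer form for comparing a session secret. The enclosing `case "write"` branch and the `PagesAPI` method continue outside the hunk.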


+ 3
- 1
brain/data/Book.inc.php View File

@@ -148,7 +148,9 @@ class Book
"id" => $uuid,
];

//**just testing to see why indexing isn't working **
//TODO: When form submission is successful, make new form token
$form_token = md5(uniqid(microtime(), true));
Session::set("form_token", $form_token);

//once saved, update menu
$body["path"] = $path;
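Review bot: `$form_token = md5(uniqid(microtime(), true));` derives the session form token from a time-based `uniqid()` value hashed with md5, which is not an unpredictable source; `$form_token = bin2hex(random_bytes(16));` gives a token of similar length from the CSPRNG. Which comment line is the removed one is not recoverable from this rendering, but the surviving `//TODO: When form submission is successful, make new form token` now describes what the two lines below it do and should become a plain comment such as `// rotate the form token after a successful save`. The enclosing `Book` method starts and ends outside the hunk.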

