fix: corrected and improved permission checks

Author: thorsten

phpmyfaq/admin/assets/src/api/tags.test.ts

@@ -55,14 +55,16 @@ describe('Tags API', () => {
       );
 
       const tagId = '1';
-      await deleteTag(tagId);
+      const csrfToken = 'test-csrf';
+      await deleteTag(tagId, csrfToken);
 
       expect(global.fetch).toHaveBeenCalledWith('./api/content/tags/1', {
         method: 'DELETE',
         cache: 'no-cache',
         headers: {
           'Content-Type': 'application/json',
         },
+        body: JSON.stringify({ csrfToken: 'test-csrf' }),
         redirect: 'follow',
         referrerPolicy: 'no-referrer',
       });
@@ -73,8 +75,9 @@ describe('Tags API', () => {
       global.fetch = vi.fn(() => Promise.reject(mockError));
 
       const tagId = '1';
+      const csrfToken = 'test-csrf';
 
-      await expect(deleteTag(tagId)).rejects.toThrow(mockError);
+      await expect(deleteTag(tagId, csrfToken)).rejects.toThrow(mockError);
     });
   });
 });

phpmyfaq/admin/assets/src/api/tags.ts

@@ -27,13 +27,14 @@ export const fetchTags = async (searchString: string): Promise<unknown> => {
   });
 };
 
-export const deleteTag = async (tagId: string): Promise<unknown> => {
+export const deleteTag = async (tagId: string, csrfToken: string): Promise<unknown> => {
   return await fetchJson(`./api/content/tags/${tagId}`, {
     method: 'DELETE',
     cache: 'no-cache',
     headers: {
       'Content-Type': 'application/json',
     },
+    body: JSON.stringify({ csrfToken: csrfToken }),
     redirect: 'follow',
     referrerPolicy: 'no-referrer',
   });

phpmyfaq/admin/assets/src/content/tags.test.ts

@@ -85,6 +85,7 @@ describe('handleTags', () => {
   describe('delete button', () => {
     const setupDeleteDom = () => {
       document.body.innerHTML = `
+        <input name="pmf-csrf-token" value="test-csrf" />
         <table>
           <tbody>
             <tr id="pmf-row-tag-id-1">
@@ -112,7 +113,7 @@ describe('handleTags', () => {
 
       await new Promise((resolve) => setTimeout(resolve, 10));
 
-      expect(deleteTag).toHaveBeenCalledWith('1');
+      expect(deleteTag).toHaveBeenCalledWith('1', 'test-csrf');
       expect(pushNotification).toHaveBeenCalledWith('Tag deleted successfully');
 
       const row = document.getElementById('pmf-row-tag-id-1');
@@ -133,7 +134,7 @@ describe('handleTags', () => {
 
       await new Promise((resolve) => setTimeout(resolve, 10));
 
-      expect(deleteTag).toHaveBeenCalledWith('1');
+      expect(deleteTag).toHaveBeenCalledWith('1', 'test-csrf');
       expect(consoleErrorSpy).toHaveBeenCalledWith('Network response was not ok:', 'Tag deletion failed');
 
       // Row should still be present

phpmyfaq/admin/assets/src/content/tags.ts

@@ -73,8 +73,9 @@ export const handleTags = (): void => {
       element.addEventListener('click', async (event: Event) => {
         const target = event.target as HTMLElement;
         const tagId = target.getAttribute('data-pmf-id') as string;
+        const csrfToken = (document.querySelector('input[name=pmf-csrf-token]') as HTMLInputElement).value;
 
-        const response = (await deleteTag(tagId)) as DeleteTagResponse;
+        const response = (await deleteTag(tagId, csrfToken)) as DeleteTagResponse;
         if (response.success) {
           pushNotification(response.success);
           const row = document.getElementById(`pmf-row-tag-id-${tagId}`) as HTMLElement;

phpmyfaq/assets/templates/admin/configuration/instances.edit.twig

@@ -9,6 +9,7 @@
     </h1>
   </div>
   <form action="./instance/update" method="post" accept-charset="utf-8">
+    <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateInstance }}"/>
     <input type="hidden" name="id" value="{{ instance.id }}"/>
     <div class="row mb-2">
       <label for="url" class="col-lg-2 col-form-label">{{ ad_instance_url }}:</label>

phpmyfaq/assets/templates/admin/user/group.twig

@@ -46,6 +46,7 @@
           <i class="bi bi-info-circle" aria-hidden="true"></i> {{ 'ad_group_details' | translate }}
         </h5>
         <form action="./group/update" method="post">
+          <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateGroup }}">
           <input id="update_group_id" type="hidden" name="group_id" value="0">
           <div class="card-body">
             <div class="row mb-2">
@@ -91,6 +92,7 @@
 
     <div class="col-lg-4" id="groupMemberships">
       <form id="group_membership" name="group_membership" method="post" action="./group/update/members">
+        <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateGroupMembers }}">
         <input id="update_member_group_id" type="hidden" name="group_id" value="0">
         <div class="card shadow mb-4">
           <h5 class="card-header py-3">
@@ -170,6 +172,7 @@
 
       <div id="groupRights" class="card shadow mb-4">
         <form id="rightsForm" action="./group/update/permissions" method="post">
+          <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateGroupPermissions }}">
           <input id="rights_group_id" type="hidden" name="group_id" value="0">
           <h5 class="card-header py-3" id="user_rights_legend">
             <i aria-hidden="true" class="bi bi-lock"></i> {{ 'ad_group_rights' | translate }}

phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php

@@ -255,7 +255,7 @@ private function isPublicAuthenticationPath(string $pathInfo): bool
     /**
      * @throws UnauthorizedHttpException
      */
-    protected function userIsAuthenticated(): void
+    public function userIsAuthenticated(): void
     {
         if (!$this->currentUser->isLoggedIn()) {
             throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/AdminLogController.php

@@ -41,7 +41,7 @@ final class AdminLogController extends AbstractAdministrationApiController
     #[Route(path: 'statistics/admin-log', name: 'admin.api.statistics.admin-log.delete', methods: ['DELETE'])]
     public function delete(Request $request): JsonResponse
     {
-        $this->userHasPermission(PermissionType::STATISTICS_VIEWLOGS);
+        $this->userHasPermission(PermissionType::STATISTICS_ADMINLOG);
 
         $data = json_decode($request->getContent(), associative: false, depth: 512, flags: JSON_THROW_ON_ERROR);
 

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/CategoryController.php

@@ -107,7 +107,7 @@ public function delete(Request $request): JsonResponse
     #[Route(path: 'category/permissions', name: 'admin.api.category.permissions', methods: ['GET'])]
     public function permissions(Request $request): JsonResponse
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CATEGORY_EDIT);
 
         $categoryData = $request->attributes->get('categories');
 
@@ -132,7 +132,7 @@ public function permissions(Request $request): JsonResponse
     #[Route(path: 'category/translations', name: 'admin.api.category.translations', methods: ['GET'])]
     public function translations(Request $request): JsonResponse
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CATEGORY_EDIT);
 
         $category = new Category($this->configuration, [], false);
 

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php

@@ -479,7 +479,7 @@ public function seoMetaTags(Request $request): Response
     )]
     public function translationProvider(Request $request): Response
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CONFIGURATION_EDIT);
 
         return new Response(AdminMenuBuilder::renderTranslationProviderOptions($request->attributes->get(
             key: 'current',
@@ -493,7 +493,7 @@ public function translationProvider(Request $request): Response
     )]
     public function mailProvider(Request $request): Response
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CONFIGURATION_EDIT);
 
         return new Response(AdminMenuBuilder::renderMailProviderOptions($request->attributes->get(key: 'current')));
     }
@@ -505,7 +505,7 @@ public function mailProvider(Request $request): Response
     )]
     public function cacheAdapter(Request $request): Response
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CONFIGURATION_EDIT);
 
         return new Response(AdminMenuBuilder::renderCacheAdapterOptions($request->attributes->get(key: 'current')));
     }