fix: corrected and improved permission checks

Author: thorsten

phpmyfaq/admin/assets/src/api/tags.test.ts

@@ -12,7 +12,7 @@ describe('Tags API', () => {
         { id: '1', name: 'Tag1' },
         { id: '2', name: 'Tag2' },
       ];
-      global.fetch = vi.fn(() =>
+      globalThis.fetch = vi.fn(() =>
         Promise.resolve({
           ok: true,
           json: () => Promise.resolve(mockResponse),
@@ -23,7 +23,7 @@ describe('Tags API', () => {
       const result = await fetchTags(searchString);
 
       expect(result).toEqual(mockResponse);
-      expect(global.fetch).toHaveBeenCalledWith('./api/content/tags?search=Tag', {
+      expect(globalThis.fetch).toHaveBeenCalledWith('./api/content/tags?search=Tag', {
         method: 'GET',
         cache: 'no-cache',
         headers: {
@@ -36,7 +36,7 @@ describe('Tags API', () => {
 
     it('should throw an error if fetch fails', async () => {
       const mockError = new Error('Fetch failed');
-      global.fetch = vi.fn(() => Promise.reject(mockError));
+      globalThis.fetch = vi.fn(() => Promise.reject(mockError));
 
       const searchString = 'Tag';
 
@@ -47,34 +47,37 @@ describe('Tags API', () => {
   describe('deleteTag', () => {
     it('should delete tag and return JSON response if successful', async () => {
       const mockResponse = { success: true, message: 'Tag deleted' };
-      global.fetch = vi.fn(() =>
+      globalThis.fetch = vi.fn(() =>
         Promise.resolve({
           ok: true,
           json: () => Promise.resolve(mockResponse),
         } as Response)
       );
 
       const tagId = '1';
-      await deleteTag(tagId);
+      const csrfToken = 'test-csrf';
+      await deleteTag(tagId, csrfToken);
 
-      expect(global.fetch).toHaveBeenCalledWith('./api/content/tags/1', {
+      expect(globalThis.fetch).toHaveBeenCalledWith('./api/content/tags/1', {
         method: 'DELETE',
         cache: 'no-cache',
         headers: {
           'Content-Type': 'application/json',
         },
+        body: JSON.stringify({ csrfToken: 'test-csrf' }),
         redirect: 'follow',
         referrerPolicy: 'no-referrer',
       });
     });
 
     it('should throw an error if fetch fails', async () => {
       const mockError = new Error('Fetch failed');
-      global.fetch = vi.fn(() => Promise.reject(mockError));
+      globalThis.fetch = vi.fn(() => Promise.reject(mockError));
 
       const tagId = '1';
+      const csrfToken = 'test-csrf';
 
-      await expect(deleteTag(tagId)).rejects.toThrow(mockError);
+      await expect(deleteTag(tagId, csrfToken)).rejects.toThrow(mockError);
     });
   });
 });

phpmyfaq/admin/assets/src/api/tags.ts

@@ -32,13 +32,14 @@ export const fetchTags = async (searchString: string): Promise<TagResponse[]> =>
   return await response.json();
 };
 
-export const deleteTag = async (tagId: string): Promise<{ success?: string; error?: string }> => {
+export const deleteTag = async (tagId: string, csrfToken: string): Promise<{ success?: string; error?: string }> => {
   const response = await fetch(`./api/content/tags/${tagId}`, {
     method: 'DELETE',
     cache: 'no-cache',
     headers: {
       'Content-Type': 'application/json',
     },
+    body: JSON.stringify({ csrfToken: csrfToken }),
     redirect: 'follow',
     referrerPolicy: 'no-referrer',
   });

phpmyfaq/admin/assets/src/content/tags.ts

@@ -62,8 +62,9 @@ export const handleTags = (): void => {
       element.addEventListener('click', async (event: Event) => {
         const target = event.target as HTMLElement;
         const tagId = target.getAttribute('data-pmf-id') as string;
+        const csrfToken = (document.querySelector('input[name=pmf-csrf-token]') as HTMLInputElement).value;
 
-        const response = await deleteTag(tagId);
+        const response = await deleteTag(tagId, csrfToken);
         if (response.success) {
           pushNotification(response.success);
           const row = document.getElementById(`pmf-row-tag-id-${tagId}`) as HTMLElement;

phpmyfaq/assets/templates/admin/configuration/instances.edit.twig

@@ -9,6 +9,7 @@
     </h1>
   </div>
   <form action="./instance/update" method="post" accept-charset="utf-8">
+    <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateInstance }}"/>
     <input type="hidden" name="id" value="{{ instance.id }}"/>
     <div class="row mb-2">
       <label for="url" class="col-lg-2 col-form-label">{{ ad_instance_url }}:</label>

phpmyfaq/assets/templates/admin/user/group.twig

@@ -46,6 +46,7 @@
           <i class="bi bi-info-circle" aria-hidden="true"></i> {{ 'ad_group_details' | translate }}
         </h5>
         <form action="./group/update" method="post">
+          <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateGroup }}">
           <input id="update_group_id" type="hidden" name="group_id" value="0">
           <div class="card-body">
             <div class="row mb-2">
@@ -91,6 +92,7 @@
 
     <div class="col-lg-4" id="groupMemberships">
       <form id="group_membership" name="group_membership" method="post" action="./group/update/members">
+        <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateGroupMembers }}">
         <input id="update_member_group_id" type="hidden" name="group_id" value="0">
         <div class="card shadow mb-4">
           <h5 class="card-header py-3">
@@ -170,6 +172,7 @@
 
       <div id="groupRights" class="card shadow mb-4">
         <form id="rightsForm" action="./group/update/permissions" method="post">
+          <input type="hidden" name="pmf-csrf-token" value="{{ csrfTokenUpdateGroupPermissions }}">
           <input id="rights_group_id" type="hidden" name="group_id" value="0">
           <h5 class="card-header py-3" id="user_rights_legend">
             <i aria-hidden="true" class="bi bi-lock"></i> {{ 'ad_group_rights' | translate }}

phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php

@@ -161,7 +161,7 @@ protected function isSecured(): void
     /**
      * @throws UnauthorizedHttpException
      */
-    protected function userIsAuthenticated(): void
+    public function userIsAuthenticated(): void
     {
         if (!$this->currentUser->isLoggedIn()) {
             throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/CategoryController.php

@@ -94,7 +94,7 @@ public function delete(Request $request): JsonResponse
     #[Route(path: 'admin/api/category/permissions', name: 'admin.api.category.permissions', methods: ['GET'])]
     public function permissions(Request $request): JsonResponse
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CATEGORY_EDIT);
 
         $categoryPermission = $this->container->get(id: 'phpmyfaq.category.permission');
 
@@ -119,7 +119,7 @@ public function permissions(Request $request): JsonResponse
     #[Route(path: 'admin/api/category/translations', name: 'admin.api.category.translations', methods: ['GET'])]
     public function translations(Request $request): JsonResponse
     {
-        $this->userIsAuthenticated();
+        $this->userHasPermission(PermissionType::CATEGORY_EDIT);
 
         $category = new Category($this->configuration, [], false);
 

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/MarkdownController.php

@@ -25,6 +25,7 @@
 use League\CommonMark\Extension\GithubFlavoredMarkdownExtension;
 use League\CommonMark\MarkdownConverter;
 use phpMyFAQ\Controller\AbstractController;
+use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Filter;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -39,6 +40,8 @@ final class MarkdownController extends AbstractController
     #[Route(path: 'admin/api/content/markdown')]
     public function renderMarkdown(Request $request): JsonResponse
     {
+        $this->userHasPermission(PermissionType::FAQ_EDIT);
+
         $data = json_decode($request->getContent());
 
         $answer = Filter::filterVar($data->text, FILTER_SANITIZE_SPECIAL_CHARS);

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/StatisticsController.php

@@ -40,7 +40,7 @@ final class StatisticsController extends AbstractController
     #[Route(path: './admin/api/statistics/admin-log', methods: ['DELETE'])]
     public function deleteAdminLog(Request $request): JsonResponse
     {
-        $this->userHasPermission(PermissionType::STATISTICS_VIEWLOGS);
+        $this->userHasPermission(PermissionType::STATISTICS_ADMINLOG);
 
         $data = json_decode($request->getContent(), false, 512, JSON_THROW_ON_ERROR);
 

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/TagController.php

@@ -116,6 +116,12 @@ public function delete(Request $request): JsonResponse
     {
         $this->userHasPermission(PermissionType::FAQ_EDIT);
 
+        $data = json_decode($request->getContent());
+
+        if (!Token::getInstance($this->container->get(id: 'session'))->verifyToken('tags', $data->csrfToken ?? '')) {
+            return $this->json(['error' => Translation::get(key: 'msgNoPermission')], Response::HTTP_UNAUTHORIZED);
+        }
+
         $tagId = (int) Filter::filterVar($request->attributes->get('tagId'), FILTER_VALIDATE_INT);
 
         if ($this->container->get(id: 'phpmyfaq.tags')->delete($tagId)) {