Mirrors/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2024-11-08 20:22:42 +01:00
Code Issues Releases Activity

Fixes for CSRF issues with client portal downloads

Browse Source
This commit is contained in:
David Bomba 2021-12-14 15:38:32 +11:00
parent 81d9e7a6ec
commit e245d07a75
5 changed files with 234 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
app/Http/Controllers/ClientPortal/QuoteController.php
View File

@ -30,6 +30,7 @@ use Illuminate\View\View;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use ZipStream\Option\Archive;
use ZipStream\ZipStream;
use Illuminate\Http\Request;
class QuoteController extends Controller
{
@ -58,17 +59,16 @@ class QuoteController extends Controller
'quote' => $quote,
];
$invitation = $quote->invitations()->where('client_contact_id', auth()->user()->id)->first();
$invitation = $quote->invitations()->where('client_contact_id', auth()->user()->id)->first();
if ($invitation && auth()->guard('contact') && ! request()->has('silent') && ! $invitation->viewed_date) {
if ($invitation && auth()->guard('contact') && ! request()->has('silent') && ! $invitation->viewed_date) {
$invitation->markViewed();
$invitation->markViewed();
event(new InvitationWasViewed($quote, $invitation, $quote->company, Ninja::eventVars()));
event(new QuoteWasViewed($invitation, $invitation->company, Ninja::eventVars()));
}
event(new InvitationWasViewed($quote, $invitation, $quote->company, Ninja::eventVars()));
event(new QuoteWasViewed($invitation, $invitation->company, Ninja::eventVars()));
}
if ($request->query('mode') === 'fullscreen') {
return render('quotes.show-fullscreen', $data);
@ -82,7 +82,7 @@ class QuoteController extends Controller
$transformed_ids = $this->transformKeys($request->quotes);
if ($request->action == 'download') {
return $this->downloadQuotePdf((array) $transformed_ids);
return $this->downloadQuotes((array) $transformed_ids);
}
if ($request->action = 'approve') {
@ -92,10 +92,32 @@ class QuoteController extends Controller
return back();
}
public function downloadQuotes($ids)
{
$data['quotes'] = Quote::whereIn('id', $ids)
->whereClientId(auth()->user()->client->id)
->withTrashed()
->get();
if(count($data['quotes']) == 0)
return back()->with(['message' => ctrans('texts.no_items_selected')]);
return $this->render('quotes.download', $data);
}
public function download(Request $request)
{
$transformed_ids = $this->transformKeys($request->quotes);
return $this->downloadQuotePdf((array) $transformed_ids);
}
protected function downloadQuotePdf(array $ids)
{
$quotes = Quote::whereIn('id', $ids)
->whereClientId(auth()->user()->client->id)
->withTrashed()
->get();
if (! $quotes || $quotes->count() == 0) {
@ -136,6 +158,7 @@ class QuoteController extends Controller
->where('client_id', auth('contact')->user()->client->id)
->where('company_id', auth('contact')->user()->client->company_id)
->where('status_id', Quote::STATUS_SENT)
->withTrashed()
->get();
if (!$quotes || $quotes->count() == 0) {

108
phpunit.yml Normal file
View File

@ -0,0 +1,108 @@
on:
push:
branches:
- v5-develop
pull_request:
branches:
- v5-develop
name: phpunit
jobs:
run:
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
operating-system: ['ubuntu-18.04', 'ubuntu-20.04']
php-versions: ['7.3','7.4','8.0']
phpunit-versions: ['latest']
env:
DB_DATABASE1: ninja
DB_USERNAME1: root
DB_PASSWORD1: ninja
DB_HOST1: '127.0.0.1'
DB_DATABASE: ninja
DB_USERNAME: root
DB_PASSWORD: ninja
DB_HOST: '127.0.0.1'
BROADCAST_DRIVER: log
CACHE_DRIVER: file
QUEUE_CONNECTION: sync
SESSION_DRIVER: file
NINJA_ENVIRONMENT: hosted
MULTI_DB_ENABLED: false
NINJA_LICENSE: 123456
TRAVIS: true
MAIL_MAILER: log
services:
mariadb:
image: mariadb:latest
ports:
- 32768:3306
env:
MYSQL_ALLOW_EMPTY_PASSWORD: yes
MYSQL_USER: ninja
MYSQL_PASSWORD: ninja
MYSQL_DATABASE: ninja
MYSQL_ROOT_PASSWORD: ninja
options: --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s --health-retries=3
steps:
- name: Start mysql service
run: |
sudo systemctl start mysql.service
- name: Verify MariaDB connection
env:
DB_PORT: ${{ job.services.mariadb.ports[3306] }}
DB_PORT1: ${{ job.services.mariadb.ports[3306] }}
run: |
while ! mysqladmin ping -h"127.0.0.1" -P"$DB_PORT" --silent; do
sleep 1
done
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php-versions }}
extensions: mysql, mysqlnd, sqlite3, bcmath, gmp, gd, curl, zip, openssl, mbstring, xml
- uses: actions/checkout@v1
with:
ref: v5-develop
fetch-depth: 1
- name: Copy .env
run: |
cp .env.ci .env
- name: Install composer dependencies
run: |
composer config -g github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}
composer install
- name: Prepare Laravel Application
run: |
php artisan key:generate
php artisan optimize
php artisan cache:clear
php artisan config:cache
- name: Create DB and schemas
run: |
mkdir -p database
touch database/database.sqlite
- name: Migrate Database
run: |
php artisan migrate:fresh --seed --force && php artisan db:seed --force
- name: Prepare JS/CSS assets
run: |
npm i
npm run production
- name: Run Testsuite
run: |
cat .env
vendor/bin/phpunit --testdox
env:
DB_PORT: ${{ job.services.mysql.ports[3306] }}
- name: Run php-cs-fixer
run: |
vendor/bin/php-cs-fixer fix

47
resources/views/portal/ninja2020/invoices/download.blade.php Normal file
View File

@ -0,0 +1,47 @@
@extends('portal.ninja2020.layout.app')
@section('meta_title', ctrans('texts.view_invoice'))
@push('head')
@endpush
@section('body')
<div class="container mx-auto">
<div class="grid grid-cols-6 gap-4">
<div class="flex float-right">
<form action="{{ route('client.invoices.download') }}" method="post" id="bulkActions">
@foreach($invoices as $invoice)
<input type="hidden" name="invoices[]" value="{{ $invoice->hashed_id }}">
@endforeach
@csrf
<button type="submit" onclick="setTimeout(() => this.disabled = true, 0); setTimeout(() => this.disabled = true, 5000); return true;" class="button button-primary bg-primary" name="action" value="download">{{ ctrans('texts.download') }}</button>
</form>
</div>
</div>
@foreach($invoices as $invoice)
<div>
<dl>
@if(!empty($invoice->number) && !is_null($invoice->number))
<div class="px-4 py-5 bg-white sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
<dt class="text-sm font-medium leading-5 text-gray-500">
{{ ctrans('texts.invoice_number') }}
</dt>
<dd class="mt-1 text-sm leading-5 text-gray-900 sm:mt-0 sm:col-span-2">
{{ $invoice->number }}
</dd>
</div>
@endif
</dl>
</div>
@endforeach
</div>
@endsection
@section('footer')
@endsection

46
resources/views/portal/ninja2020/quotes/download.blade.php Normal file
View File

@ -0,0 +1,46 @@
@extends('portal.ninja2020.layout.app')
@section('meta_title', ctrans('texts.view_quote'))
@push('head')
@endpush
@section('body')
<div class="container mx-auto">
<div class="grid grid-cols-6 gap-4">
<div class="flex float-right">
<form action="{{ route('client.quotes.download') }}" method="post" id="bulkActions">
@foreach($quotes as $quote)
<input type="hidden" name="quotes[]" value="{{ $quote->hashed_id }}">
@endforeach
@csrf
<button type="submit" onclick="setTimeout(() => this.disabled = true, 0); setTimeout(() => this.disabled = true, 5000); return true;" class="button button-primary bg-primary" name="action" value="download">{{ ctrans('texts.download') }}</button>
</form>
</div>
</div>
@foreach($quotes as $quote)
<div>
<dl>
@if(!empty($quote->number) && !is_null($quote->number))
<div class="px-4 py-5 bg-white sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6">
<dt class="text-sm font-medium leading-5 text-gray-500">
{{ ctrans('texts.quote_number') }}
</dt>
<dd class="mt-1 text-sm leading-5 text-gray-900 sm:mt-0 sm:col-span-2">
{{ $quote->number }}
</dd>
</div>
@endif
</dl>
</div>
@endforeach
</div>
@endsection
@section('footer')
@endsection

1
routes/client.php
View File

@ -67,6 +67,7 @@ Route::group(['middleware' => ['auth:contact', 'locale', 'check_client_existence
Route::get('quotes', 'ClientPortal\QuoteController@index')->name('quotes.index')->middleware('portal_enabled');
Route::get('quotes/{quote}', 'ClientPortal\QuoteController@show')->name('quote.show');
Route::get('quotes/{quote_invitation}', 'ClientPortal\QuoteController@show')->name('quote.show_invitation');
Route::post('quotes/download', 'ClientPortal\QuoteController@download')->name('quotes.download');
Route::get('credits', 'ClientPortal\CreditController@index')->name('credits.index');
Route::get('credits/{credit}', 'ClientPortal\CreditController@show')->name('credit.show');