Evolution #756: Sécuriser les urls playlist

src/Muzich/CoreBundle/Extension/MyTwigExtension.php

@@ -5,16 +5,19 @@ namespace Muzich\CoreBundle\Extension;
 use Symfony\Bundle\FrameworkBundle\Translation\Translator;
 use Muzich\CoreBundle\Entity\Event;
 use Symfony\Component\Form\FormView;
+use Symfony\Component\DependencyInjection\Container;
 
 class MyTwigExtension extends \Twig_Extension {
 
   private $translator;
+  private $container;
   protected $params = array();
 
-  public function __construct(Translator $translator, $params)
+  public function __construct(Translator $translator, $params, Container $container)
   {
     $this->translator = $translator;
     $this->params = $params;
+    $this->container = $container;
   }
   
   public function getFilters()
@@ -33,7 +36,9 @@ class MyTwigExtension extends \Twig_Extension {
     return array(
       'date_or_relative_date'  => new \Twig_Function_Method($this, 'date_or_relative_date'),
       'event_const'            => new \Twig_Function_Method($this, 'event_const'),
-      'css_list_length_class'  => new \Twig_Function_Method($this, 'getCssLengthClassForList')
+      'css_list_length_class'  => new \Twig_Function_Method($this, 'getCssLengthClassForList'),
+      'token'                  => new \Twig_Function_Method($this, 'token'),
+      'path_token'             => new \Twig_Function_Method($this, 'path_token')
     );
   }
   
@@ -192,6 +197,17 @@ class MyTwigExtension extends \Twig_Extension {
     }
   }
   
+  public function token($intention = '')
+  {
+    return $this->container->get('form.csrf_provider')->generateCsrfToken($intention);
+  }
+  
+  public function path_token($route, $parameters = array(), $intention = '', $absolute = false)
+  {
+    $parameters = array_merge($parameters, array('token' => $this->token($intention)));
+    return $this->container->get('router')->generate($route, $parameters, $absolute);
+  }
+  
   public function form_has_errors(FormView $form)
   {
     $form_vars = $form->getVars();

src/Muzich/CoreBundle/Tests/lib/Security/ContextTestCases.php

@@ -266,7 +266,8 @@ class ContextTestCases
       $this->test->generateUrl('playlists_add_element', array(
         'playlist_id' => $playlist_id,
         'element_id'  => $element_id,
-        '_locale'     => 'fr'
+        '_locale'     => 'fr',
+        'token'       => $this->test->getToken()
       ))
     );
   }
@@ -293,7 +294,8 @@ class ContextTestCases
       'GET',
       $this->test->generateUrl('playlist_update_order', array(
         'playlist_id' => $playlist_id,
-        '_locale'     => 'fr'
+        '_locale'     => 'fr',
+        'token'       => $this->test->getToken()
       )),
       array(
         'elements' => $elements_ids
@@ -318,7 +320,8 @@ class ContextTestCases
       $this->test->generateUrl('playlist_remove_element', array(
         'playlist_id' => $playlist_id,
         'element_id'  => $element_id,
-        '_locale'     => 'fr'
+        '_locale'     => 'fr',
+        'token'       => $this->test->getToken()
       ))
     );
   }
@@ -330,7 +333,8 @@ class ContextTestCases
       $this->test->generateUrl('playlists_add_element_and_copy', array(
         'playlist_id' => $playlist_id,
         'element_id'  => $element_id,
-        '_locale'     => 'fr'
+        '_locale'     => 'fr',
+        'token'       => $this->test->getToken()
       ))
     );
   }
@@ -385,7 +389,8 @@ class ContextTestCases
         $this->test->generateUrl('playlists_add_element_and_copy', array(
           'playlist_id' => 0,
           'element_id'  => 0,
-          '_locale'     => 'fr'
+          '_locale'     => 'fr',
+          'token'       => $this->test->getToken()
         ))
       ), 
       $success, 
@@ -410,7 +415,8 @@ class ContextTestCases
       'GET', 
       $this->test->generateUrl('playlist_delete', array(
           'playlist_id' => $playlist_id,
-          '_locale'     => 'fr'
+          '_locale'     => 'fr',
+          'token'       => $this->test->getToken()
         )), 
       array(), 
       array(), 
@@ -433,7 +439,8 @@ class ContextTestCases
   {
     $this->test->goToPage($this->test->generateUrl('playlist_unpick', array(
       'playlist_id' => $playlist_id,
-      '_locale'     => 'fr'
+      '_locale'     => 'fr',
+      'token'       => $this->test->getToken()
     )));
   }
   
@@ -453,7 +460,8 @@ class ContextTestCases
       'GET',
       $this->test->generateUrl('playlist_pick', array(
         'playlist_id' => $playlist_id,
-        '_locale'     => 'fr'
+        '_locale'     => 'fr',
+        'token'       => $this->test->getToken()
       ))
     );
   }

src/Muzich/CoreBundle/lib/Controller.php

@@ -685,4 +685,12 @@ class Controller extends BaseController
     return $this->createForm(new PlaylistForm(), $this->getPlaylistManager()->getNewPlaylist($this->getUserOrNullIfVisitor()));
   }
   
+  protected function tokenIsCorrect($intention = '')
+  {
+    if ($this->getRequest()->get('token') != $this->container->get('form.csrf_provider')->generateCsrfToken($intention))
+      return false;
+    
+    return true;
+  }
+  
 }

src/Muzich/CoreBundle/lib/FunctionalTest.php

@@ -551,6 +551,7 @@ class FunctionalTest extends WebTestCase
   public function jsonResponseIsSuccess($json_response)
   {
     $response = json_decode($json_response, true);
+    $this->assertFalse(is_null($response));
     $this->assertTrue(array_key_exists('status', $response));
     $this->assertEquals('success', $response['status']);
   }
@@ -568,4 +569,9 @@ class FunctionalTest extends WebTestCase
     $this->crawler = new Crawler($response['data']);
   }
   
+  public function getToken($intention = '')
+  {
+    return $this->getContainer()->get('form.csrf_provider')->generateCsrfToken($intention);
+  }
+  
 }

src/Muzich/PlaylistBundle/Controller/EditController.php

@@ -16,7 +16,7 @@ class EditController extends Controller
       return $this->jsonResponseError($uncondition);
     
     $playlist_manager = $this->getPlaylistManager();
-    if (!($playlist = $playlist_manager->findOwnedPlaylistWithId($playlist_id, $this->getUser())) || !$request->get('elements'))
+    if (!$this->tokenIsCorrect() || !($playlist = $playlist_manager->findOwnedPlaylistWithId($playlist_id, $this->getUser())) || !$request->get('elements'))
       return $this->jsonNotFoundResponse();
     
     $playlist_manager->updatePlaylistElementsOrder($playlist, $request->get('elements'));
@@ -30,7 +30,7 @@ class EditController extends Controller
       return $this->jsonResponseError($uncondition);
     
     $playlist_manager = $this->getPlaylistManager();
-    if (!($playlist = $playlist_manager->findOwnedPlaylistWithId($playlist_id, $this->getUser())))
+    if (!$this->tokenIsCorrect() || !($playlist = $playlist_manager->findOwnedPlaylistWithId($playlist_id, $this->getUser())))
       return $this->jsonNotFoundResponse();
     
     $playlist_manager->removePlaylistElementWithId($playlist, $element_id);
@@ -44,7 +44,7 @@ class EditController extends Controller
       return $this->jsonResponseError($uncondition);
     
     $playlist_manager = $this->getPlaylistManager();
-    if (!($playlist = $playlist_manager->findOwnedPlaylistWithId($playlist_id, $this->getUser()))
+    if (!$this->tokenIsCorrect() || !($playlist = $playlist_manager->findOwnedPlaylistWithId($playlist_id, $this->getUser()))
         || !($element = $this->getElementWithId($element_id)))
       return $this->jsonNotFoundResponse();
     
@@ -83,7 +83,7 @@ class EditController extends Controller
     if (($uncondition = $this->userHaveNonConditionToMakeAction(SecurityContext::ACTION_PLAYLIST_COPY)) !== false)
       return $this->jsonResponseError($uncondition);
     
-    if (!($element = $this->getElementWithId($element_id)))
+    if (!$this->tokenIsCorrect() || !($element = $this->getElementWithId($element_id)))
       return $this->jsonNotFoundResponse();
     
     if (!($playlist = $this->getPlaylistManager()->findOneAccessiblePlaylistWithId($playlist_id, $this->getUser())))
@@ -102,7 +102,7 @@ class EditController extends Controller
     if (($uncondition = $this->userHaveNonConditionToMakeAction(SecurityContext::ACTION_PLAYLIST_DELETE)) !== false)
       throw $this->createNotFoundException();
     
-    if (!($playlist = $this->getPlaylistManager()->findOwnedPlaylistWithId($playlist_id, $this->getUser())))
+    if (!$this->tokenIsCorrect() || !($playlist = $this->getPlaylistManager()->findOwnedPlaylistWithId($playlist_id, $this->getUser())))
       throw $this->createNotFoundException();
     
     $this->getPlaylistManager()->deletePlaylist($playlist);
@@ -118,7 +118,7 @@ class EditController extends Controller
     
     $playlist_manager = $this->getPlaylistManager();
     
-    if (!($playlist = $playlist_manager->findPlaylistWithId($playlist_id, $this->getUser())))
+    if (!$this->tokenIsCorrect() || !($playlist = $playlist_manager->findPlaylistWithId($playlist_id, $this->getUser())))
       throw $this->createNotFoundException();
     
     $playlist_manager->removePickedPlaylistToUser($this->getUser(), $playlist);
@@ -132,7 +132,7 @@ class EditController extends Controller
     if (($uncondition = $this->userHaveNonConditionToMakeAction(SecurityContext::ACTION_PLAYLIST_PICK)) !== false)
       return $this->jsonResponseError($uncondition);
     
-    if (!($playlist = $this->getPlaylistManager()->findOneAccessiblePlaylistWithId($playlist_id)))
+    if (!$this->tokenIsCorrect() || !($playlist = $this->getPlaylistManager()->findOneAccessiblePlaylistWithId($playlist_id)))
       return $this->jsonNotFoundResponse();
     
     $this->getPlaylistManager()->addPickedPlaylistToUser($this->getUser(), $playlist);

src/Muzich/PlaylistBundle/Resources/config/routing.yml

@@ -7,15 +7,15 @@ playlist:
   defaults: { _controller: MuzichPlaylistBundle:Show:show }
 
 playlist_delete:
-  pattern: /playlist/delete/{playlist_id}
+  pattern: /playlist/delete/{playlist_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:delete }
 
 playlist_unpick:
-  pattern: /playlist/unpick/{playlist_id}
+  pattern: /playlist/unpick/{playlist_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:unpick }
 
 playlist_pick:
-  pattern: /playlist/pick/{playlist_id}
+  pattern: /playlist/pick/{playlist_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:pick }
 
 playlist_datas_for_autoplay:
@@ -23,11 +23,11 @@ playlist_datas_for_autoplay:
   defaults: { _controller: MuzichPlaylistBundle:Show:getAutoplayData, offset: null }
 
 playlist_update_order:
-  pattern: /ajax/playlist/order/update/{playlist_id}
+  pattern: /ajax/playlist/order/update/{playlist_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:updateOrder }
 
 playlist_remove_element:
-  pattern: /ajax/playlist/element/remove/{playlist_id}/{element_id}
+  pattern: /ajax/playlist/element/remove/{playlist_id}/{element_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:removeElement }
 
 playlists_add_element_prompt:
@@ -35,11 +35,11 @@ playlists_add_element_prompt:
   defaults: { _controller: MuzichPlaylistBundle:Show:getAddElementPrompt }
 
 playlists_add_element:
-  pattern: /ajax/playlist/element/add/{playlist_id}/{element_id}
+  pattern: /ajax/playlist/element/add/{playlist_id}/{element_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:addElement }
   
 playlists_add_element_and_copy:
-  pattern: /ajax/playlist/element/add-and-copy/{playlist_id}/{element_id}
+  pattern: /ajax/playlist/element/add-and-copy/{playlist_id}/{element_id}/{token}
   defaults: { _controller: MuzichPlaylistBundle:Edit:addElementAndCopy }
 
 playlist_add_element_and_create:

src/Muzich/PlaylistBundle/Resources/views/Show/prompt.html.twig

@@ -12,12 +12,12 @@
         <li class="playlist">
           <a class="add_element_to_playlist"
             {% if playlist.owned(app.user) %}
-              href="{{ path('playlists_add_element', {
+              href="{{ path_token('playlists_add_element', {
                 'playlist_id' : playlist.id,
                 'element_id'  : element_id
               }) }}"
             {% else %}
-              href="{{ path('playlists_add_element_and_copy', {
+              href="{{ path_token('playlists_add_element_and_copy', {
                 'playlist_id' : playlist.id,
                 'element_id'  : element_id
               }) }}"

src/Muzich/PlaylistBundle/Resources/views/Show/show.html.twig

@@ -14,11 +14,11 @@
     {% if app.user %}
       {% if not playlist.owned(app.user) and viewed_user.id != app.user.id %}
         {% if not app.user.havePlaylistPicked(playlist) %}
-          <a class="playlist_pick" href="{{ path('playlist_pick', { 'playlist_id' : playlist.id }) }}" >
+          <a class="playlist_pick" href="{{ path_token('playlist_pick', { 'playlist_id' : playlist.id }) }}" >
             P
           </a>
         {% else %}
-          <a class="playlist_unpick" href="{{ path('playlist_unpick', { 'playlist_id' : playlist.id }) }}" >
+          <a class="playlist_unpick" href="{{ path_token('playlist_unpick', { 'playlist_id' : playlist.id }) }}" >
             uP
           </a>
         {% endif %}
@@ -32,7 +32,7 @@
     } %}
     
     {% if playlist.elements|length %}
-      <form action="{{ path('playlist_update_order', { 'playlist_id' : playlist.id }) }}" method="post">
+      <form action="{{ path_token('playlist_update_order', { 'playlist_id' : playlist.id }) }}" method="post">
         <ul class="playlist_elements">
           {% for element in playlist.elements %}
             <li class="playlist_element">
@@ -43,7 +43,7 @@
               <a class="open_element" href="{{ path('element_get_one', { 'element_id' : element.id }) }}" data-id="{{ element.id }}">
                 {{ element.name }}
               </a>
-              <a class="remove_element" href="{{ path('playlist_remove_element', { 'playlist_id' : playlist.id, 'element_id' : element.id }) }}">
+              <a class="remove_element" href="{{ path_token('playlist_remove_element', { 'playlist_id' : playlist.id, 'element_id' : element.id }) }}">
                 X
               </a>
             </li>

src/Muzich/PlaylistBundle/Resources/views/Show/user.html.twig

@@ -21,11 +21,11 @@
         {% if app.user %}
           {% if viewed_user.id == app.user.id %}
             {% if playlist.owned(app.user) %}
-              <a class="playlist_delete" href="{{ path('playlist_delete', { 'playlist_id' : playlist.id }) }}" >
+              <a class="playlist_delete" href="{{ path_token('playlist_delete', { 'playlist_id' : playlist.id }) }}" >
                 X
               </a>
             {% else %}
-              <a class="playlist_unpick" href="{{ path('playlist_unpick', { 'playlist_id' : playlist.id }) }}" >
+              <a class="playlist_unpick" href="{{ path_token('playlist_unpick', { 'playlist_id' : playlist.id }) }}" >
                 X
               </a>
             {% endif %}
@@ -35,11 +35,11 @@
         {% if app.user %}
           {% if not playlist.owned(app.user) and viewed_user.id != app.user.id %}
             {% if not app.user.havePlaylistPicked(playlist) %}
-              <a class="playlist_pick" href="{{ path('playlist_pick', { 'playlist_id' : playlist.id }) }}" >
+              <a class="playlist_pick" href="{{ path_token('playlist_pick', { 'playlist_id' : playlist.id }) }}" >
                 P
               </a>
             {% else %}
-              <a class="playlist_unpick" href="{{ path('playlist_unpick', { 'playlist_id' : playlist.id }) }}" >
+              <a class="playlist_unpick" href="{{ path_token('playlist_unpick', { 'playlist_id' : playlist.id }) }}" >
                 uP
               </a>
             {% endif %}