mirror of
				https://github.com/invoiceninja/invoiceninja.git
				synced 2025-10-25 11:19:24 -04:00 
			
		
		
		
	Fixes for CSRF issues with client portal downloads
This commit is contained in:
		
							parent
							
								
									81d9e7a6ec
								
							
						
					
					
						commit
						e245d07a75
					
				| @ -30,6 +30,7 @@ use Illuminate\View\View; | ||||
| use Symfony\Component\HttpFoundation\BinaryFileResponse; | ||||
| use ZipStream\Option\Archive; | ||||
| use ZipStream\ZipStream; | ||||
| use Illuminate\Http\Request; | ||||
| 
 | ||||
| class QuoteController extends Controller | ||||
| { | ||||
| @ -58,17 +59,16 @@ class QuoteController extends Controller | ||||
|             'quote' => $quote, | ||||
|         ]; | ||||
| 
 | ||||
|         $invitation = $quote->invitations()->where('client_contact_id', auth()->user()->id)->first(); | ||||
| 
 | ||||
|             $invitation = $quote->invitations()->where('client_contact_id', auth()->user()->id)->first(); | ||||
|         if ($invitation && auth()->guard('contact') && ! request()->has('silent') && ! $invitation->viewed_date) { | ||||
| 
 | ||||
|             if ($invitation && auth()->guard('contact') && ! request()->has('silent') && ! $invitation->viewed_date) { | ||||
|             $invitation->markViewed(); | ||||
| 
 | ||||
|                 $invitation->markViewed(); | ||||
|             event(new InvitationWasViewed($quote, $invitation, $quote->company, Ninja::eventVars())); | ||||
|             event(new QuoteWasViewed($invitation, $invitation->company, Ninja::eventVars())); | ||||
|          | ||||
|                 event(new InvitationWasViewed($quote, $invitation, $quote->company, Ninja::eventVars())); | ||||
|                 event(new QuoteWasViewed($invitation, $invitation->company, Ninja::eventVars())); | ||||
|              | ||||
|             } | ||||
|         } | ||||
| 
 | ||||
|         if ($request->query('mode') === 'fullscreen') { | ||||
|             return render('quotes.show-fullscreen', $data); | ||||
| @ -82,7 +82,7 @@ class QuoteController extends Controller | ||||
|         $transformed_ids = $this->transformKeys($request->quotes); | ||||
| 
 | ||||
|         if ($request->action == 'download') { | ||||
|             return $this->downloadQuotePdf((array) $transformed_ids); | ||||
|             return $this->downloadQuotes((array) $transformed_ids); | ||||
|         } | ||||
| 
 | ||||
|         if ($request->action = 'approve') { | ||||
| @ -92,10 +92,32 @@ class QuoteController extends Controller | ||||
|         return back(); | ||||
|     } | ||||
| 
 | ||||
|     public function downloadQuotes($ids) | ||||
|     { | ||||
| 
 | ||||
|         $data['quotes'] = Quote::whereIn('id', $ids) | ||||
|                             ->whereClientId(auth()->user()->client->id) | ||||
|                             ->withTrashed() | ||||
|                             ->get(); | ||||
| 
 | ||||
|         if(count($data['quotes']) == 0) | ||||
|             return back()->with(['message' => ctrans('texts.no_items_selected')]); | ||||
| 
 | ||||
|         return $this->render('quotes.download', $data); | ||||
|     } | ||||
| 
 | ||||
|     public function download(Request $request) | ||||
|     { | ||||
|         $transformed_ids = $this->transformKeys($request->quotes); | ||||
|          | ||||
|         return $this->downloadQuotePdf((array) $transformed_ids); | ||||
|     } | ||||
| 
 | ||||
|     protected function downloadQuotePdf(array $ids) | ||||
|     { | ||||
|         $quotes = Quote::whereIn('id', $ids) | ||||
|             ->whereClientId(auth()->user()->client->id) | ||||
|             ->withTrashed() | ||||
|             ->get(); | ||||
| 
 | ||||
|         if (! $quotes || $quotes->count() == 0) { | ||||
| @ -136,6 +158,7 @@ class QuoteController extends Controller | ||||
|             ->where('client_id', auth('contact')->user()->client->id) | ||||
|             ->where('company_id', auth('contact')->user()->client->company_id) | ||||
|             ->where('status_id', Quote::STATUS_SENT) | ||||
|             ->withTrashed() | ||||
|             ->get(); | ||||
| 
 | ||||
|         if (!$quotes || $quotes->count() == 0) { | ||||
|  | ||||
							
								
								
									
										108
									
								
								phpunit.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										108
									
								
								phpunit.yml
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,108 @@ | ||||
| on: | ||||
|   push: | ||||
|     branches: | ||||
|       - v5-develop | ||||
|   pull_request: | ||||
|     branches: | ||||
|       - v5-develop | ||||
| 
 | ||||
| name: phpunit | ||||
| jobs: | ||||
|   run: | ||||
|     runs-on: ${{ matrix.operating-system }} | ||||
|     strategy: | ||||
|       matrix: | ||||
|         operating-system: ['ubuntu-18.04', 'ubuntu-20.04'] | ||||
|         php-versions: ['7.3','7.4','8.0'] | ||||
|         phpunit-versions: ['latest'] | ||||
| 
 | ||||
|     env: | ||||
|       DB_DATABASE1: ninja | ||||
|       DB_USERNAME1: root | ||||
|       DB_PASSWORD1: ninja | ||||
|       DB_HOST1: '127.0.0.1' | ||||
|       DB_DATABASE: ninja | ||||
|       DB_USERNAME: root | ||||
|       DB_PASSWORD: ninja | ||||
|       DB_HOST: '127.0.0.1' | ||||
|       BROADCAST_DRIVER: log | ||||
|       CACHE_DRIVER: file | ||||
|       QUEUE_CONNECTION: sync | ||||
|       SESSION_DRIVER: file | ||||
|       NINJA_ENVIRONMENT: hosted | ||||
|       MULTI_DB_ENABLED: false | ||||
|       NINJA_LICENSE: 123456 | ||||
|       TRAVIS: true | ||||
|       MAIL_MAILER: log | ||||
| 
 | ||||
|     services: | ||||
|       mariadb: | ||||
|         image: mariadb:latest | ||||
|         ports: | ||||
|           - 32768:3306 | ||||
|         env: | ||||
|           MYSQL_ALLOW_EMPTY_PASSWORD: yes | ||||
|           MYSQL_USER: ninja | ||||
|           MYSQL_PASSWORD: ninja | ||||
|           MYSQL_DATABASE: ninja | ||||
|           MYSQL_ROOT_PASSWORD: ninja | ||||
|         options: --health-cmd="mysqladmin ping" --health-interval=5s --health-timeout=2s --health-retries=3 | ||||
| 
 | ||||
|     steps: | ||||
|     - name: Start mysql service | ||||
|       run: | | ||||
|         sudo systemctl start mysql.service | ||||
|     - name: Verify MariaDB connection | ||||
|       env: | ||||
|         DB_PORT: ${{ job.services.mariadb.ports[3306] }} | ||||
|         DB_PORT1: ${{ job.services.mariadb.ports[3306] }} | ||||
| 
 | ||||
|       run: | | ||||
|         while ! mysqladmin ping -h"127.0.0.1" -P"$DB_PORT" --silent; do | ||||
|           sleep 1 | ||||
|         done | ||||
|     - name: Setup PHP | ||||
|       uses: shivammathur/setup-php@v2 | ||||
|       with: | ||||
|         php-version: ${{ matrix.php-versions }} | ||||
|         extensions: mysql, mysqlnd, sqlite3, bcmath, gmp, gd, curl, zip, openssl, mbstring, xml | ||||
| 
 | ||||
|     - uses: actions/checkout@v1 | ||||
|       with: | ||||
|         ref: v5-develop | ||||
|         fetch-depth: 1 | ||||
| 
 | ||||
|     - name: Copy .env | ||||
|       run: | | ||||
|         cp .env.ci .env | ||||
|     - name: Install composer dependencies | ||||
|       run: | | ||||
|         composer config -g github-oauth.github.com ${{ secrets.GITHUB_TOKEN }} | ||||
|         composer install | ||||
|     - name: Prepare Laravel Application | ||||
|       run: | | ||||
|         php artisan key:generate | ||||
|         php artisan optimize | ||||
|         php artisan cache:clear | ||||
|         php artisan config:cache | ||||
|     - name: Create DB and schemas | ||||
|       run: | | ||||
|         mkdir -p database | ||||
|         touch database/database.sqlite | ||||
|     - name: Migrate Database | ||||
|       run: | | ||||
|         php artisan migrate:fresh --seed --force && php artisan db:seed --force | ||||
|     - name: Prepare JS/CSS assets | ||||
|       run: | | ||||
|         npm i | ||||
|         npm run production | ||||
|     - name: Run Testsuite | ||||
|       run: | | ||||
|         cat .env | ||||
|         vendor/bin/phpunit --testdox | ||||
|       env: | ||||
|         DB_PORT: ${{ job.services.mysql.ports[3306] }} | ||||
| 
 | ||||
|     - name: Run php-cs-fixer | ||||
|       run: | | ||||
|         vendor/bin/php-cs-fixer fix | ||||
							
								
								
									
										47
									
								
								resources/views/portal/ninja2020/invoices/download.blade.php
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										47
									
								
								resources/views/portal/ninja2020/invoices/download.blade.php
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,47 @@ | ||||
| @extends('portal.ninja2020.layout.app') | ||||
| @section('meta_title', ctrans('texts.view_invoice')) | ||||
| 
 | ||||
| @push('head') | ||||
| 
 | ||||
| @endpush | ||||
| 
 | ||||
| @section('body') | ||||
| 
 | ||||
| 
 | ||||
|     <div class="container mx-auto"> | ||||
|         <div class="grid grid-cols-6 gap-4"> | ||||
|             <div class="flex float-right"> | ||||
|                 <form action="{{ route('client.invoices.download') }}" method="post" id="bulkActions"> | ||||
|                     @foreach($invoices as $invoice) | ||||
|                         <input type="hidden" name="invoices[]" value="{{ $invoice->hashed_id }}"> | ||||
|                     @endforeach | ||||
|                     @csrf | ||||
|                     <button type="submit" onclick="setTimeout(() => this.disabled = true, 0); setTimeout(() => this.disabled = true, 5000); return true;" class="button button-primary bg-primary" name="action" value="download">{{ ctrans('texts.download') }}</button> | ||||
|                 </form> | ||||
|             </div> | ||||
|         </div> | ||||
| 
 | ||||
|         @foreach($invoices as $invoice) | ||||
|         <div> | ||||
|             <dl> | ||||
|                 @if(!empty($invoice->number) && !is_null($invoice->number)) | ||||
|                 <div class="px-4 py-5 bg-white sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6"> | ||||
|                     <dt class="text-sm font-medium leading-5 text-gray-500"> | ||||
|                         {{ ctrans('texts.invoice_number') }} | ||||
|                     </dt> | ||||
|                     <dd class="mt-1 text-sm leading-5 text-gray-900 sm:mt-0 sm:col-span-2"> | ||||
|                         {{ $invoice->number }} | ||||
|                     </dd> | ||||
|                 </div> | ||||
|                 @endif | ||||
|             </dl> | ||||
|         </div> | ||||
|      | ||||
|     @endforeach | ||||
| 
 | ||||
|     </div> | ||||
| 
 | ||||
| @endsection | ||||
| 
 | ||||
| @section('footer') | ||||
| @endsection | ||||
							
								
								
									
										46
									
								
								resources/views/portal/ninja2020/quotes/download.blade.php
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										46
									
								
								resources/views/portal/ninja2020/quotes/download.blade.php
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,46 @@ | ||||
| @extends('portal.ninja2020.layout.app') | ||||
| @section('meta_title', ctrans('texts.view_quote')) | ||||
| 
 | ||||
| @push('head') | ||||
| 
 | ||||
| @endpush | ||||
| 
 | ||||
| @section('body') | ||||
| 
 | ||||
|     <div class="container mx-auto"> | ||||
|         <div class="grid grid-cols-6 gap-4"> | ||||
|             <div class="flex float-right"> | ||||
|                 <form action="{{ route('client.quotes.download') }}" method="post" id="bulkActions"> | ||||
|                     @foreach($quotes as $quote) | ||||
|                         <input type="hidden" name="quotes[]" value="{{ $quote->hashed_id }}"> | ||||
|                     @endforeach | ||||
|                     @csrf | ||||
|                     <button type="submit" onclick="setTimeout(() => this.disabled = true, 0); setTimeout(() => this.disabled = true, 5000); return true;" class="button button-primary bg-primary" name="action" value="download">{{ ctrans('texts.download') }}</button> | ||||
|                 </form> | ||||
|             </div> | ||||
|         </div> | ||||
| 
 | ||||
|         @foreach($quotes as $quote) | ||||
|         <div> | ||||
|             <dl> | ||||
|                 @if(!empty($quote->number) && !is_null($quote->number)) | ||||
|                 <div class="px-4 py-5 bg-white sm:grid sm:grid-cols-3 sm:gap-4 sm:px-6"> | ||||
|                     <dt class="text-sm font-medium leading-5 text-gray-500"> | ||||
|                         {{ ctrans('texts.quote_number') }} | ||||
|                     </dt> | ||||
|                     <dd class="mt-1 text-sm leading-5 text-gray-900 sm:mt-0 sm:col-span-2"> | ||||
|                         {{ $quote->number }} | ||||
|                     </dd> | ||||
|                 </div> | ||||
|                 @endif | ||||
|             </dl> | ||||
|         </div> | ||||
|      | ||||
|     @endforeach | ||||
| 
 | ||||
|     </div> | ||||
| 
 | ||||
| @endsection | ||||
| 
 | ||||
| @section('footer') | ||||
| @endsection | ||||
| @ -67,6 +67,7 @@ Route::group(['middleware' => ['auth:contact', 'locale', 'check_client_existence | ||||
|     Route::get('quotes', 'ClientPortal\QuoteController@index')->name('quotes.index')->middleware('portal_enabled'); | ||||
|     Route::get('quotes/{quote}', 'ClientPortal\QuoteController@show')->name('quote.show'); | ||||
|     Route::get('quotes/{quote_invitation}', 'ClientPortal\QuoteController@show')->name('quote.show_invitation'); | ||||
|     Route::post('quotes/download', 'ClientPortal\QuoteController@download')->name('quotes.download'); | ||||
| 
 | ||||
|     Route::get('credits', 'ClientPortal\CreditController@index')->name('credits.index'); | ||||
|     Route::get('credits/{credit}', 'ClientPortal\CreditController@show')->name('credit.show'); | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user