From 4077dac8c7e75f818ea43dc86a5cadae6ef248d2 Mon Sep 17 00:00:00 2001
From: LautaroCesso <59095036+LautaroCesso@users.noreply.github.com>
Date: Wed, 19 Aug 2020 23:33:40 -0300
Subject: [PATCH 1/2] Remember me function for staffs (#866)
* fix warning in checbox in form field.
* Add remember me function for staffs.
* Add staff instance in session cookie.
* Add result data staff in get user data in auto login.
* Fix remember me function for user.
* Fix login test rb and add remember me function test in login rb.
* Resolve github maxi comments.
---
 client/src/actions/session-actions.js | 4 +-
 client/src/app/admin/admin-login-page.js | 46 ++++++++++++++----
 client/src/app/admin/admin-login-page.scss | 6 ++-
 client/src/core-components/form-field.js | 8 +++-
 client/src/lib-app/session-store.js | 5 +-
 client/src/reducers/session-reducer.js | 2 +-
 server/controllers/user/login.php | 20 +++++---
 server/models/SessionCookie.php | 14 ++++++
 tests/user/ban.rb | 1 +
 tests/user/login.rb | 54 +++++++++++++++++++---
 10 files changed, 130 insertions(+), 30 deletions(-)
diff --git a/client/src/actions/session-actions.js b/client/src/actions/session-actions.js
index ee8cc561..9bec3100 100644
--- a/client/src/actions/session-actions.js
+++ b/client/src/actions/session-actions.js
@@ -54,11 +54,11 @@ export default {
 data: {
 userId: rememberData.userId,
 rememberToken: rememberData.token,
+ staff: rememberData.isStaff,
 remember: 1,
- isAutomatic: 1
 }
 }).then((result) => {
- store.dispatch(this.getUserData(result.data.userId, result.data.token));
+ store.dispatch(this.getUserData(result.data.userId, result.data.token, result.data.staff));
 return result;
 })
diff --git a/client/src/app/admin/admin-login-page.js b/client/src/app/admin/admin-login-page.js
index 3042b2ea..835b4e18 100644
--- a/client/src/app/admin/admin-login-page.js
+++ b/client/src/app/admin/admin-login-page.js
@@ -49,11 +49,32 @@ class AdminLoginPage extends React.Component {
OpenSupports Admin Panel
-
-
- - - {i18n('LOG_IN')} +
+ +
+ + + +
+
+ {i18n('LOG_IN')} +
{this.renderRecoverStatus()} @@ -68,7 +89,7 @@ class AdminLoginPage extends React.Component { renderPasswordRecovery() { return ( -
+
 );
@@ -105,7 +126,7 @@ class AdminLoginPage extends React.Component {
 getLoginFormProps() {
 return {
 loading: this.props.session.pending,
- className: 'admin-login-page__form',
+ className: 'admin-login-page__login-form-container__login-form',
 ref: 'loginForm',
 onSubmit: this.onLoginFormSubmit.bind(this),
 errors: this.getLoginFormErrors(),
@@ -114,12 +135,17 @@ class AdminLoginPage extends React.Component {
 }
 getRecoverFormProps() {
+ const {
+ loadingRecover,
+ recoverFormErrors
+ } = this.state;
+
 return {
- loading: this.state.loadingRecover,
- className: 'admin-login-page__form',
+ loading: loadingRecover,
+ className: 'admin-login-page__recovery-form-container__recovery-form',
 ref: 'recoverForm',
 onSubmit: this.onForgotPasswordSubmit.bind(this),
- errors: this.state.recoverFormErrors,
+ errors: recoverFormErrors,
 onValidateErrors: this.onRecoverFormErrorsValidation.bind(this)
 };
 }
diff --git a/client/src/app/admin/admin-login-page.scss b/client/src/app/admin/admin-login-page.scss
index 4f9f6b14..efbbcd4c 100644
--- a/client/src/app/admin/admin-login-page.scss
+++ b/client/src/app/admin/admin-login-page.scss
@@ -19,9 +19,13 @@
 margin-bottom: 30px;
 }
- &__login-form {
+ &__login-form-container {
 margin: 0 auto;
 display: inline-block;
+
+ &__login-form__fields {
+ padding: 10px 0;
+ }
 }
 &__error {
diff --git a/client/src/core-components/form-field.js b/client/src/core-components/form-field.js
index 2be23fbe..c6ec13ef 100644
--- a/client/src/core-components/form-field.js
+++ b/client/src/core-components/form-field.js
@@ -194,8 +194,12 @@ class FormField extends React.Component {
 if(field === 'autocomplete') {
 props.values = value;
 }
-
- props.value = value;
+
+ if(field === 'checkbox') {
+ props.value = !!value;
+ } else {
+ props.value = value;
+ }
 return props;
 }
diff --git a/client/src/lib-app/session-store.js b/client/src/lib-app/session-store.js
index 642a0983..8b731b22 100644
--- a/client/src/lib-app/session-store.js
+++ b/client/src/lib-app/session-store.js
@@ -48,9 +48,10 @@ class SessionStore {
 return JSON.parse(this.getItem('departments'));
 }
- storeRememberData({token, userId, expiration}) {
+ storeRememberData({token, userId, expiration, isStaff}) {
 this.setItem('rememberData-token', token);
 this.setItem('rememberData-userId', userId);
+ this.setItem('rememberData-isStaff', isStaff);
 this.setItem('rememberData-expiration', expiration);
 }
@@ -106,6 +107,7 @@ class SessionStore {
 return {
 token: this.getItem('rememberData-token'),
 userId: this.getItem('rememberData-userId'),
+ isStaff: this.getItem('rememberData-isStaff'),
 expiration: this.getItem('rememberData-expiration')
 };
 }
@@ -113,6 +115,7 @@ class SessionStore {
 clearRememberData() {
 this.removeItem('rememberData-token');
 this.removeItem('rememberData-userId');
+ this.removeItem('rememberData-isStaff');
 this.removeItem('rememberData-expiration');
 }
diff --git a/client/src/reducers/session-reducer.js b/client/src/reducers/session-reducer.js
index a329cebc..0b0be3d3 100644
--- a/client/src/reducers/session-reducer.js
+++ b/client/src/reducers/session-reducer.js
@@ -95,7 +95,7 @@ class SessionReducer extends Reducer {
 sessionStore.storeRememberData({
 token: resultData.rememberToken,
 userId: resultData.userId,
- staff: resultData.staff,
+ isStaff: resultData.staff ? 1 : 0,
 expiration: resultData.rememberExpiration
 });
 }
diff --git a/server/controllers/user/login.php b/server/controllers/user/login.php
index b6006749..c5eba95d 100755
--- a/server/controllers/user/login.php
+++ b/server/controllers/user/login.php
@@ -61,6 +61,7 @@ class LoginController extends Controller {
 $this->createUserSession();
 $this->createRememberToken();
+
 if(Controller::request('staff')) {
 $this->userInstance->lastLogin = Date::getCurrentDate();
 $this->userInstance->store();
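Review bot: `getRememberData()` in the `@@ -106` hunk returns `rememberData-isStaff` exactly as `getItem` yields it, while the reducer writes the number `1`/`0`; if the store is string-backed (the `JSON.parse(this.getItem('departments'))` context line in the `@@ -48` hunk suggests values round-trip as strings) the flag comes back as `'0'`, which is truthy in JavaScript. Today the value only travels to the server as the `staff` request field, where `'0'` is treated as false, but any client-side `if (rememberData.isStaff)` would treat every remembered user as staff. Normalising at the read site keeps the contract symmetric with `storeRememberData`: `isStaff: Number(this.getItem('rememberData-isStaff')) || 0,`.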
@@ -116,13 +117,18 @@ class LoginController extends Controller {
 $rememberToken = Controller::request('rememberToken');
 $userInstance = new NullDataStore();
- if ($rememberToken) {
+ if($rememberToken) {
 $sessionCookie = SessionCookie::getDataStore($rememberToken, 'token');
 $userId = Controller::request('userId');
+ $isStaff = !!Controller::request('staff');
- if (!$sessionCookie->isNull() && $userId === $sessionCookie->user->id) {
- $userInstance = $sessionCookie->user;
- $sessionCookie->delete();
+ if(!$sessionCookie->isNull()) {
+ $loggedInstance = $isStaff ? $sessionCookie->staff : $sessionCookie->user;
+
+ if(($userId == $loggedInstance->id) && ($isStaff == $sessionCookie->isStaff)) {
+ $userInstance = $loggedInstance;
+ $sessionCookie->delete();
+ }
 }
 }
@@ -140,13 +146,15 @@ class LoginController extends Controller {
 private function createRememberToken() {
 $remember = Controller::request('remember');
- if (!Controller::request('staff') && $remember) {
+ if($remember) {
 $this->rememberToken = Hashing::generateRandomToken();
 $this->rememberExpiration = Date::getNextDate(30);
 $sessionCookie = new SessionCookie();
 $sessionCookie->setProperties(array(
- 'user' => $this->userInstance,
+ 'isStaff' => !!Controller::request('staff'),
+ 'user' => $this->userInstance instanceof User ? $this->userInstance : null,
+ 'staff' => $this->userInstance instanceof Staff ? $this->userInstance : null,
 'token' => $this->rememberToken,
 'ip' => $_SERVER['REMOTE_ADDR'],
 'creationDate' => Date::getCurrentDate(),
diff --git a/server/models/SessionCookie.php b/server/models/SessionCookie.php
index 94460333..b6dc9c82 100755
--- a/server/models/SessionCookie.php
+++ b/server/models/SessionCookie.php
@@ -1,10 +1,24 @@
Date: Wed, 19 Aug 2020 23:45:47 -0300
Subject: [PATCH 2/2] Fix security bug, Ticket Number data filtered. (#879)
---
 server/controllers/ticket/get.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
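Review bot: In the `@@ -116` hunk the new inner `if` reads `$loggedInstance->id` before it has checked that the request's `staff` flag agrees with the cookie's `isStaff`, so when they disagree `$loggedInstance` is the unset side of the relation and its id is dereferenced first; whether that is a notice or a silent null depends on what `$sessionCookie->staff` / `->user` return for a missing relation, which is outside this diff. Moving the flag comparison up avoids the question and reads as the intended order of checks: `if(!$sessionCookie->isNull() && $isStaff == $sessionCookie->isStaff) {`, then `$loggedInstance = $isStaff ? $sessionCookie->staff : $sessionCookie->user;`, then `if((int)$userId === (int)$loggedInstance->id) {`. The cast restores the strict comparison the removed line had (`$userId` arrives as a request string, which is presumably why `===` was relaxed to `==`) while the random token lookup stays the real authenticator and the id remains a secondary binding; this assumes ids are positive integers. The enclosing method starts before this hunk.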
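Review bot: In the `@@ -140` hunk `'isStaff'` is taken from the client's `staff` request field while `'user'` and `'staff'` are derived from the actual class of `$this->userInstance`, so the three stored properties can disagree if the instance was resolved without consulting that flag (the resolution happens outside the hunk); the auto-login path then compares `$isStaff == $sessionCookie->isStaff` against a value that may not describe the relation actually stored. Deriving all three from the instance removes the inconsistency: `'isStaff' => $this->userInstance instanceof Staff,`. Dropping `!Controller::request('staff')` from the guard also extends the 30-day remember token (`Date::getNextDate(30)`) to staff accounts, which carry admin-panel privileges; a comment stating that this lifetime was deliberately accepted for staff too, or a shorter or configurable value for them, would make that decision reviewable later.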
diff --git a/server/controllers/ticket/get.php b/server/controllers/ticket/get.php
index 352999fc..3328a22e 100755
--- a/server/controllers/ticket/get.php
+++ b/server/controllers/ticket/get.php
@@ -37,7 +37,7 @@ class TicketGetController extends Controller {
 'requestData' => [
 'ticketNumber' => [
 'validation' => DataValidator::validTicketNumber(),
- 'error' => ERRORS::INVALID_TICKET
+ 'error' => ERRORS::NO_PERMISSION
 ]
 ]
 ];
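Review bot: The hunk changes the validation error for a malformed ticket number to `ERRORS::NO_PERMISSION` without a comment, and the commit message only says the data was "filtered", so a later maintainer is likely to read it as a copy-paste slip and restore `INVALID_TICKET`. A one-line comment on the `'error'` entry would preserve the intent, presumably that a malformed number should not be distinguishable from a ticket the requester is not allowed to read: `// NO_PERMISSION on purpose: keep validation failures indistinguishable from unauthorized tickets`. Whether that goal is met also depends on the handler body after validation, which is outside this hunk, returning the same error for a well-formed number that does not exist or belongs to someone else; worth confirming rather than assuming.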