Merge pull request #74 from JaroslawZielinski/feature/torahverse-input

Add CSRF check in foms... and Update Readme after changes
JaroslawZielinski · May 12, 2023 · 643e273 · 643e273
2 parents f7840d9 + 7578f24
commit 643e273
Show file tree

Hide file tree

Showing 11 changed files with 44 additions and 10 deletions.
diff --git a/Block/Search.php b/Block/Search.php
@@ -14,6 +14,7 @@ class Search extends Template
      * @var TranslationOptions
      */
     private $translationOptions;
+
     /**
      * @inheritDoc
      */

diff --git a/Block/Siglum/Info.php b/Block/Siglum/Info.php
@@ -6,29 +6,27 @@
 
 use JaroslawZielinski\Torah\Translations\Resources;
 use JaroslawZielinski\TorahVerse\Model\Config;
-use Magento\Backend\Block\Template\Context;
 use Magento\Directory\Helper\Data as DirectoryHelper;
 use Magento\Framework\Json\Helper\Data as JsonHelper;
 use Magento\Framework\View\Element\Template;
+use Magento\Framework\View\Element\Template\Context;
 
 class Info extends Template
 {
     /**
      * @var Config
      */
     private $config;
+
     /**
      * @inheritDoc
      */
     public function __construct(
         Config $config,
-        Context $context,
-        array $data = [],
-        ?JsonHelper $jsonHelper = null,
-        ?DirectoryHelper $directoryHelper = null
+        Context $context, array $data = []
     ) {
         $this->config = $config;
-        parent::__construct($context, $data, $jsonHelper, $directoryHelper);
+        parent::__construct($context, $data);
     }
 
     /**

diff --git a/Controller/Ajax.php b/Controller/Ajax.php
@@ -10,9 +10,14 @@
 use Magento\Framework\Controller\Result\JsonFactory;
 use Magento\Framework\App\Request\Http;
 use Magento\Framework\App\RequestInterface;
+use Magento\Framework\Data\Form\FormKey;
 
 abstract class Ajax extends Action
 {
+    /**
+     * @var FormKey
+     */
+    private $formKey;
     /**
      * @var JsonFactory
      */
@@ -22,9 +27,11 @@ abstract class Ajax extends Action
      * @inheritDoc
      */
     public function __construct(
+        FormKey $formKey,
         JsonFactory $resultJsonFactory,
         Context $context
     ) {
+        $this->formKey = $formKey;
         $this->resultJsonFactory = $resultJsonFactory;
         parent::__construct($context);
     }
@@ -38,6 +45,14 @@ public function ajax(array $data): Json
             return $result->setData([
                 'status' => 'ERROR',
                 'message' => __('It is not an ajax.'),
+                'result' => __('It is not an ajax.')
+            ]);
+        }
+        if ($request->getParam('form_key', '') !== $this->formKey->getFormKey()) {
+            return $result->setData([
+                'status' => 'ERROR',
+                'message' => __('CSRF attack possible.'),
+                'result' => __('Form is broken.')
             ]);
         }
         return $result->setData($data);

diff --git a/Controller/Siglum/Preview.php b/Controller/Siglum/Preview.php
@@ -14,6 +14,7 @@
 use JaroslawZielinski\Torah\Bible\TorahValidator;
 use Psr\Log\LoggerInterface;
 use JaroslawZielinski\TorahVerse\Model\Config;
+use Magento\Framework\Data\Form\FormKey;
 
 class Preview extends Ajax
 {
@@ -32,12 +33,13 @@ class Preview extends Ajax
     public function __construct(
         Config $config,
         LoggerInterface $logger,
+        FormKey $formKey,
         JsonFactory $resultJsonFactory,
         Context $context
     ) {
         $this->config = $config;
         $this->logger = $logger;
-        parent::__construct($resultJsonFactory, $context);
+        parent::__construct($formKey, $resultJsonFactory, $context);
     }
 
     /**

diff --git a/README.md b/README.md
@@ -78,7 +78,7 @@ Possible operations: **Add New Verse**, **Delete**, **Group Assign**, **Edit**
 ![Quotes grid](docs/tv_slider_11.png)
 Possible operations: **Add New Quote**, **Delete**, **Group Assign**, **Edit**
 ![Quotes grid](docs/tv_slider_12.png)
-# Configuration
+# Configuration - Torah Verse
 ## General Settings
 ### Enable
 Enable module / Disable module and disable menu.
@@ -177,13 +177,27 @@ You may override following settings (from **General Settings**):
 Array for sliders (code, slider configuration). You may add/edit/delete as many configurations as
 you want.
 ![Groups grid](docs/tv_slider_13.png)
+# Configuration - Torah
 ## Language Settings
 ### Language
 You have two available languages: English and Polish. This settings changes the language of description in Torah siglum.
 ### Translate Preset
 You may also update Groups/Verses/Quotes Presets in given language version. Remember to Save before clicking the button
 unless you prefer the language written in button's label.
 ![Groups grid](docs/tv_slider_14.png)
+## Torah Input
+### Division
+You may choose division of books in Torah Input (e.g **Old Testament\New Testament**). Default value is 
+**Tanakh/Nevi'im ketuvim/Brithadasha**. This feature will be used in the future.
+### Torah Verse Search enabled
+Default value is **No**. If set to **Yes** it appears in menu in **Search** group as **Verse Search** where Torah input
+ is presented. In the future the input will be customized (you will choose all of the options by just clicking it,
+  without typing anything). The Torah input is also used in Admin Panel in Verse Grid (_Add New Verse/Edit_ action)
+![Groups grid](docs/tv_slider_15.png)
+
+after clicking it will be opened in new tab (notice little square put next to the link) as a front page:
+
+![Groups grid](docs/tv_slider_17.png)
 # Frontend
 ## Example uses
 ![Groups grid](docs/tv_slider_04.png)

diff --git a/docs/tv_slider_02.png b/docs/tv_slider_02.png
diff --git a/docs/tv_slider_14.png b/docs/tv_slider_14.png
diff --git a/docs/tv_slider_15.png b/docs/tv_slider_15.png
diff --git a/docs/tv_slider_16.png b/docs/tv_slider_16.png
diff --git a/docs/tv_slider_17.png b/docs/tv_slider_17.png
diff --git a/view/frontend/templates/search.phtml b/view/frontend/templates/search.phtml
@@ -8,6 +8,9 @@
             <span><?= __('Torahverse Search'); ?></span>
         </legend>
         <br>
+
+        <input name="form_key" type="hidden" value="">
+
         <div class="field required">
             <label for="translation" class="label">
                 <span><?= __('Translation'); ?></span>
@@ -73,14 +76,15 @@
             event.preventDefault();
             let validation = dataForm.validation('isValid');
             if (validation) {
-                let translationCode = $('#translation').val(),
+                let formKey = $('input[name="form_key"]').val(),
+                    translationCode = $('#translation').val(),
                     siglumCode = $('#siglum').val();
                 $.ajax({
                     showLoader: false,
                     url: ajaxUrl,
                     data: {
                         isAjax: true,
-                        form_key: window.FORM_KEY,
+                        form_key: formKey,
                         translation: translationCode,
                         siglum: siglumCode
                     },