Helpdesk form: store direct access token in session once validated

glpi-project · Mar 6, 2025 · 1d8aa90 · 1d8aa90
1 parent 1bdc49a
commit 1d8aa90
Show file tree

Hide file tree

Showing 10 changed files with 27 additions and 31 deletions.
diff --git a/js/modules/Forms/Condition/Engine.js b/js/modules/Forms/Condition/Engine.js
@@ -107,13 +107,6 @@ export class GlpiFormConditionEngine
             form_data.append(`answers[${entry[0]}]`, entry[1]);
         }
 
-        // Included direct access token if needed.
-        // Not great to have to do this normally, TOOD: find a better way.
-        const url_params = new URLSearchParams(window.location.search);
-        if (url_params.has('token')) {
-            form_data.append('token', url_params.get('token'));
-        }
-
         // Send request
         const url = `${CFG_GLPI.root_doc}/Form/Condition/Engine`;
         const response = await fetch(url, {

diff --git a/phpunit/functional/Glpi/Form/AccessControl/ControlType/AllowListTest.php b/phpunit/functional/Glpi/Form/AccessControl/ControlType/AllowListTest.php
@@ -40,6 +40,7 @@
 use Glpi\Form\AccessControl\AccessVote;
 use Glpi\Form\AccessControl\ControlType\AllowList;
 use Glpi\Form\AccessControl\FormAccessParameters;
+use Glpi\Form\Form;
 use Glpi\Tests\FormBuilder;
 use Glpi\Tests\FormTesterTrait;
 use Glpi\Form\AccessControl\ControlType\AllowListConfig;
@@ -199,7 +200,7 @@ public function testCanAnswer(
         $allow_list = new AllowList();
         $this->assertEquals(
             $expected,
-            $allow_list->canAnswer($config, $parameters)
+            $allow_list->canAnswer(new Form(), $config, $parameters)
         );
     }
 

diff --git a/phpunit/functional/Glpi/Form/AccessControl/ControlType/DirectAccessTest.php b/phpunit/functional/Glpi/Form/AccessControl/ControlType/DirectAccessTest.php
@@ -39,6 +39,7 @@
 use Glpi\Form\AccessControl\AccessVote;
 use Glpi\Form\AccessControl\ControlType\DirectAccess;
 use Glpi\Form\AccessControl\FormAccessParameters;
+use Glpi\Form\Form;
 use Glpi\Tests\FormBuilder;
 use Glpi\Tests\FormTesterTrait;
 use Glpi\Form\AccessControl\ControlType\DirectAccessConfig;
@@ -251,7 +252,7 @@ public function testCanAnswer(
         $direct_access = new DirectAccess();
         $this->assertEquals(
             $expected,
-            $direct_access->canAnswer($config, $parameters)
+            $direct_access->canAnswer(new Form(), $config, $parameters)
         );
     }
 

diff --git a/src/Glpi/Controller/Form/RendererController.php b/src/Glpi/Controller/Form/RendererController.php
@@ -103,10 +103,6 @@ public function __invoke(Request $request): Response
             'my_tickets_url_param' => http_build_query($my_tickets_criteria),
             'visibility_engine_output' => $visibility_engine_output,
             'params' => $request->query->all(),
-
-            // Direct access token must be included in the form data as it will
-            // be checked in the submit answers controller.
-            'token' => $request->query->getString('token'),
         ]);
     }
 

diff --git a/src/Glpi/Controller/Form/Utils/CanCheckAccessPolicies.php b/src/Glpi/Controller/Form/Utils/CanCheckAccessPolicies.php
@@ -51,12 +51,7 @@ protected function checkFormAccessPolicies(Form $form, Request $request): void
             // Form administrators can bypass restrictions while previewing forms.
             $parameters = new FormAccessParameters(bypass_restriction: true);
         } else {
-            // URL parameters might be sent in GET or POST requests due to some
-            // technical limitations.
-            $url_parameters = $request->isMethod('POST')
-                ? $request->request->all()
-                : $request->query->all()
-            ;
+            $url_parameters = $request->query->all();
 
             // Load current user session info and URL parameters.
             $parameters = new FormAccessParameters(

diff --git a/src/Glpi/Form/AccessControl/ControlType/AllowList.php b/src/Glpi/Form/AccessControl/ControlType/AllowList.php
@@ -110,6 +110,7 @@ public function createConfigFromUserInput(array $input): AllowListConfig
 
     #[Override]
     public function canAnswer(
+        Form $form,
         JsonFieldInterface $config,
         FormAccessParameters $parameters
     ): AccessVote {

diff --git a/src/Glpi/Form/AccessControl/ControlType/ControlTypeInterface.php b/src/Glpi/Form/AccessControl/ControlType/ControlTypeInterface.php
@@ -101,13 +101,9 @@ public function createConfigFromUserInput(array $input): JsonFieldInterface;
 
     /**
      * Check if the current user can answer the given form.
-     *
-     * @param JsonFieldInterface $config
-     * @param FormAccessParameters $parameters
-     *
-     * @return AccessVote
      */
     public function canAnswer(
+        Form $form,
         JsonFieldInterface $config,
         FormAccessParameters $parameters
     ): AccessVote;

diff --git a/src/Glpi/Form/AccessControl/ControlType/DirectAccess.php b/src/Glpi/Form/AccessControl/ControlType/DirectAccess.php
@@ -130,6 +130,7 @@ public function createConfigFromUserInput(array $input): DirectAccessConfig
 
     #[Override]
     public function canAnswer(
+        Form $form,
         JsonFieldInterface $config,
         FormAccessParameters $parameters
     ): AccessVote {
@@ -141,7 +142,7 @@ public function canAnswer(
             return AccessVote::Abstain;
         }
 
-        if (!$this->validateToken($config, $parameters)) {
+        if (!$this->validateToken($form, $config, $parameters)) {
             return AccessVote::Abstain;
         };
 
@@ -160,12 +161,26 @@ private function validateSession(
     }
 
     private function validateToken(
+        Form $form,
         DirectAccessConfig $config,
         FormAccessParameters $parameters,
     ): bool {
+        // Note: it is easy to validate the token when an user is accesing the
+        // form for the first time through the /Form/Render/{id} page as the
+        // link will contain the token as a GET parameter.
+        // However, for any subsequent AJAX requests, the token is not present
+        // in the URL. Therefore, we must rely on the session to store the token
+        // and validate it on each request.
         $token = $parameters->getUrlParameters()['token'] ?? null;
         if ($token === null) {
-            return false;
+            $session_token = $_SESSION['helpdesk_form_access_control'][$form->getId()] ?? null;
+            if ($session_token === null) {
+                return false;
+            } else {
+                $token = $session_token;
+            }
+        } else {
+            $_SESSION['helpdesk_form_access_control'][$form->getId()] = $token;
         }
 
         return hash_equals($config->getToken(), $token);

diff --git a/src/Glpi/Form/AccessControl/FormAccessControlManager.php b/src/Glpi/Form/AccessControl/FormAccessControlManager.php
@@ -132,6 +132,7 @@ public function canAnswerForm(
         }
 
         return $this->validateAccessControlsPolicies(
+            $form,
             $access_controls_policies,
             $parameters
         );
@@ -203,6 +204,7 @@ private function addWarningIfFormHasNoActivePolicies(
     }
 
     private function validateAccessControlsPolicies(
+        Form $form,
         array $policies,
         FormAccessParameters $parameters
     ): bool {
@@ -212,6 +214,7 @@ private function validateAccessControlsPolicies(
         /** @var FormAccessControl[] $policies */
         foreach ($policies as $policiy) {
             $votes[] = $policiy->getStrategy()->canAnswer(
+                $form,
                 $policiy->getConfig(),
                 $parameters
             );

diff --git a/templates/pages/form_renderer.html.twig b/templates/pages/form_renderer.html.twig
@@ -265,11 +265,6 @@
                 </div>
             </div>
         </div>
-
-        {# Include direct access token if supplied #}
-        {% if token %}
-            <input type="hidden" name="token" value="{{ token }}" />
-        {% endif %}
     </form>
 
     <script>(async () => {