refs #2917 Restrict excessively long URLs in modal windows.

orchidsoftware · Nov 1, 2024 · 5c8dd63 · 5c8dd63
1 parent 130620a
commit 5c8dd63
Show file tree

Hide file tree

Showing 14 changed files with 95 additions and 32 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 14.42.0 - 2024-11-01
+
+### Changed
+- Restrict excessively long URLs in modal windows [#2917](https://github.com/orchidsoftware/platform/issues/2917)
+
+## 14.41.0 - 2024-10-29
+
+### Added
+- Template for grid columns on `Group` [#2913](https://github.com/orchidsoftware/platform/pull/2913)
+
 ## 14.40.0 - 2024-10-28
 
 ### Changed

diff --git a/public/css/orchid.rtl.css b/public/css/orchid.rtl.css
diff --git a/public/css/orchid.rtl.css.map b/public/css/orchid.rtl.css.map
diff --git a/public/js/orchid.js b/public/js/orchid.js
diff --git a/public/js/orchid.js.map b/public/js/orchid.js.map
diff --git a/public/mix-manifest.json b/public/mix-manifest.json
diff --git a/resources/js/controllers/modal_controller.js b/resources/js/controllers/modal_controller.js
@@ -12,6 +12,9 @@ export default class extends ApplicationController {
             type: String,
             default: ''
         },
+        parameters: {
+            type: Object,
+        },
         open: {
             type: Boolean,
             default: false
@@ -112,7 +115,7 @@ export default class extends ApplicationController {
         }
 
         // Load deferred data if URL is specified and no validation errors are present
-        if (this.urlValue && !options.validateError) {
+        if (Object.keys(this.parametersValue).length !== 0 && !options.validateError) {
             this.asyncLoadData(JSON.parse(options.params));
         }
 
@@ -153,7 +156,8 @@ export default class extends ApplicationController {
 
         // Load data via stream and update modal state
         this.loadStream(`${this.urlValue}?${query}`, {
-            '_state': document.getElementById('screen-state')?.value || null
+            '_state': document.getElementById('screen-state')?.value || null,
+            ...this.parametersValue
         })
             .then(() => this.element.classList.remove('modal-loading'));
     }

diff --git a/resources/views/layouts/modal.blade.php b/resources/views/layouts/modal.blade.php
@@ -4,8 +4,11 @@
          role="dialog"
          aria-labelledby="screen-modal-{{$key}}"
          data-controller="modal"
-         data-modal-slug-value="{{$templateSlug}}"
-         data-modal-url-value="{{$deferredRoute}}"
+         data-modal-slug-value="{{ $templateSlug }}"
+         data-modal-url-value="{{ $deferredRoute }}"
+         @if(!empty($deferrerParams))
+            data-modal-parameters-value='@json($deferrerParams)'
+         @endif
          data-modal-open-value="{{ var_export($open) }}"
         {{$staticBackdrop ? "data-bs-backdrop=static" : ''}}
     >
@@ -62,7 +65,7 @@
                 <div class="modal-body layout-wrapper">
                     <x-orchid-stream target="{{$templateSlug}}">
                         <div id="{{ $templateSlug }}">
-                            @if(!empty($deferredRoute) == \Orchid\Support\Facades\Dashboard::isPartialRequest())
+                            @if(!empty($deferrerParams) == \Orchid\Support\Facades\Dashboard::isPartialRequest())
                                 @foreach($manyForms as $formKey => $modal)
                                     @foreach($modal as $item)
                                         {!! $item ?? '' !!}

diff --git a/routes/dashboard.php b/routes/dashboard.php
@@ -23,7 +23,7 @@
         ->push(__('Search'))
         ->push($query));
 
-Route::post('async/{screen}/{method?}/{template?}', [AsyncController::class, 'load'])
+Route::post('async', [AsyncController::class, 'load'])
     ->name('async');
 
 Route::post('listener/{screen}/{layout}', [AsyncController::class, 'listener'])

diff --git a/src/Platform/Dashboard.php b/src/Platform/Dashboard.php
@@ -23,7 +23,7 @@ class Dashboard
      *
      * @deprecated Use `Dashboard::version()` instead.
      */
-    public const VERSION = '14.41.0';
+    public const VERSION = '14.42.0';
 
     /**
      * @deprecated

diff --git a/src/Platform/Http/Controllers/AsyncController.php b/src/Platform/Http/Controllers/AsyncController.php
@@ -15,14 +15,25 @@ class AsyncController extends Controller
      *
      * @return mixed
      */
-    public function load(string $screen, string $method, string $layout)
+    public function load(Request $request)
     {
-        $screen = Crypt::decryptString($screen);
+        $request->validate([
+            '_call' => 'required|string',
+            '_screen' => 'required|string',
+            '_template' => 'required|string',
+        ]);
+
+        $screen = Crypt::decryptString(
+            $request->input('_screen')
+        );
 
         /** @var Screen $screen */
         $screen = app($screen);
 
-        return $screen->asyncBuild($method, $layout);
+        return $screen->asyncBuild(
+            $request->input('_call'),
+            $request->input('_template')
+        );
     }
 
     /**

diff --git a/src/Screen/Layouts/Modal.php b/src/Screen/Layouts/Modal.php
@@ -89,7 +89,8 @@ public function getSlug(): string
     public function build(Repository $repository)
     {
         $this->variables = array_merge($this->variables, [
-            'deferredRoute' => $this->getDataLoadingUrl(),
+            'deferredRoute' => route('platform.async'),
+            'deferrerParams' => $this->getDeferrerDataLoadingParameters(),
         ]);
 
         return $this->buildAsDeep($repository);
@@ -240,24 +241,24 @@ public function deferred(string $method): self
     }
 
     /**
-     * Return the URL for loading data from the browser.
+     * Return the deferrer parameters for loading data from the browser.
      */
-    protected function getDataLoadingUrl(): ?string
+    protected function getDeferrerDataLoadingParameters(): array
     {
         $screen = Dashboard::getCurrentScreen();
 
         if (! $screen) {
-            return null;
+            return [];
         }
 
         if (empty($this->dataLoadingMethod)) {
-            return null;
+            return [];
         }
 
-        return route('platform.async', [
-            'screen'   => Crypt::encryptString(get_class($screen)),
-            'method'   => $this->dataLoadingMethod,
-            'template' => $this->getSlug(),
-        ]);
+        return [
+            '_screen' => Crypt::encryptString(get_class($screen)),
+            '_call' => $this->dataLoadingMethod,
+            '_template' => $this->getSlug(),
+        ];
     }
 }
diff --git a/src/Screen/Screen.php b/src/Screen/Screen.php
@@ -120,7 +120,11 @@ public function asyncBuild(string $method, string $slug)
     {
         Dashboard::setCurrentScreen($this, true);
 
-        abort_unless(method_exists($this, $method), 404, "Async method: {$method} not found");
+        abort_unless(
+            static::getAvailableMethods()->contains($method),
+            Response::HTTP_BAD_REQUEST,
+            "Async method '{$method}' is unavailable."
+        );
 
         abort_unless($this->checkAccess(request()), static::unaccessed());
 

diff --git a/tests/Feature/Platform/AsyncScreenTest.php b/tests/Feature/Platform/AsyncScreenTest.php
@@ -4,6 +4,7 @@
 
 namespace Orchid\Tests\Feature\Platform;
 
+use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Crypt;
 use Illuminate\Support\Str;
 use Orchid\Tests\App\Layouts\DependentSumListener;
@@ -12,6 +13,10 @@
 
 class AsyncScreenTest extends TestFeatureCase
 {
+    /**
+     * Test that the asynchronous dependent listener screen returns
+     * the correct calculation result.
+     */
     public function testAsyncDependentListenerScreen(): void
     {
         $response = $this
@@ -30,22 +35,47 @@ public function testAsyncDependentListenerScreen(): void
         $this->assertStringContainsString('The result of adding', $response->getContent());
     }
 
+    /**
+     * Test that an asynchronous request to a non-existing method
+     * returns a 400 Bad Request status.
+     */
     public function testAsyncMethodNotFoundScreen(): void
     {
         /** @var DependentSumListener $layout */
         $layout = $this->app->make(DependentSumListener::class);
 
+        $response = $this
+            ->actingAs($this->createAdminUser())
+            ->post(route('platform.async'), [
+                '_screen'   => Crypt::encryptString(DependentListenerScreen::class),
+                '_call'   => Str::random(),
+                '_template' => $layout->getSlug(),
+            ]);
+
+        $response->assertStatus(Response::HTTP_BAD_REQUEST);
+    }
+
+    /**
+     * Test that attempting to call a denied method asynchronously
+     * returns a 400 Bad Request status.
+     */
+    public function testAsyncDeniedMethodScreen(): void
+    {
+        /** @var DependentSumListener $layout */
+        $layout = $this->app->make(DependentSumListener::class);
+
         $response = $this
             ->actingAs($this->createAdminUser())
             ->post(route('platform.async', [
-                'screen'   => Crypt::encryptString(DependentListenerScreen::class),
-                'method'   => Str::random(),
-                'template' => $layout->getSlug(),
-            ]), [
                 'first'  => 2,
                 'second' => 3,
+            ]), [
+                '_screen'   => Crypt::encryptString(DependentListenerScreen::class),
+                '_call'   => 'validate',
+                '_template' => $layout->getSlug(),
             ]);
 
-        $response->assertNotFound();
+        $response
+            ->assertStatus(Response::HTTP_BAD_REQUEST);
     }
 }