RPJosh
/
memories
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

admin: add token to prevent too many actions 

Signed-off-by: Varun Patil <varunpatil@ucla.edu>
pull/579/head
Varun Patil 2023-04-16 20:05:29 -07:00
parent 526559b672
commit 2531854552
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/Controller/OtherController.php
View File

@ -107,12 +107,15 @@ class OtherController extends GenericApiController
* @AdminRequired * @AdminRequired
* *
* @NoCSRFRequired * @NoCSRFRequired
*
* @UseSession
*/ */
public function getSystemStatus(): Http\Response public function getSystemStatus(): Http\Response
{ {
return Util::guardEx(function () { return Util::guardEx(function () {
$config = \OC::$server->get(\OCP\IConfig::class); $config = \OC::$server->get(\OCP\IConfig::class);
$index = \OC::$server->get(\OCA\Memories\Service\Index::class); $index = \OC::$server->get(\OCA\Memories\Service\Index::class);
$session = \OC::$server->get(\OCP\ISession::class);
// Build status array // Build status array
$status = []; $status = [];
@ -184,15 +187,27 @@ class OtherController extends GenericApiController
$status['vaapi_dev'] = 'ok'; $status['vaapi_dev'] = 'ok';
} }
// Action token
$status['action_token'] = $this->actionToken(true);
return new JSONResponse($status, Http::STATUS_OK); return new JSONResponse($status, Http::STATUS_OK);
}); });
} }
/** /**
* @AdminRequired * @AdminRequired
*
* @UseSession
*/ */
public function placesSetup(): Http\Response public function placesSetup(?string $actiontoken): Http\Response
{ {
if (!$actiontoken || $this->actionToken() !== $actiontoken) {
return new JSONResponse(['error' => 'Invalid action token. Refresh the memories admin page.'], Http::STATUS_BAD_REQUEST);
}
// Reset action token
$this->actionToken(true);
try { try {
// Set PHP timeout to infinite // Set PHP timeout to infinite
set_time_limit(0); set_time_limit(0);
@ -248,4 +263,17 @@ class OtherController extends GenericApiController
return 'ok'; return 'ok';
} }
private function actionToken(bool $set = false): string
{
$session = \OC::$server->get(\OCP\ISession::class);
if (!$set) {
return $session->get('memories_action_token');
}
$token = bin2hex(random_bytes(32));
$session->set('memories_action_token', $token);
return $token ?? '';
}
} }

7
src/Admin.vue
View File

@ -248,6 +248,7 @@
target="_blank" target="_blank"
> >
<input name="requesttoken" type="hidden" :value="requestToken" /> <input name="requesttoken" type="hidden" :value="requestToken" />
<input name="actiontoken" type="hidden" :value="actionToken" />
<NcButton nativeType="submit" type="warning"> <NcButton nativeType="submit" type="warning">
{{ t("memories", "Download planet database") }} {{ t("memories", "Download planet database") }}
</NcButton> </NcButton>
@ -584,6 +585,8 @@ type IStatus = {
ffprobe: BinaryStatus; ffprobe: BinaryStatus;
govod: BinaryStatus; govod: BinaryStatus;
vaapi_dev: "ok" | "not_found" | "not_readable"; vaapi_dev: "ok" | "not_found" | "not_readable";
action_token: string;
}; };
export default defineComponent({ export default defineComponent({
@ -775,6 +778,10 @@ export default defineComponent({
return (<any>axios.defaults.headers).requesttoken; return (<any>axios.defaults.headers).requesttoken;
}, },
actionToken() {
return this.status?.action_token || "";
},
gisStatus() { gisStatus() {
if (typeof this.status.gis_type !== "number") { if (typeof this.status.gis_type !== "number") {
return this.status.gis_type; return this.status.gis_type;