Remove one usage of Html::displayErrorAndDie in Session::checkCSRF()

glpi-project · Sep 23, 2024 · e42cde7 · e42cde7
1 parent 0a143ca
commit e42cde7
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 10 deletions.
diff --git a/src/Glpi/Exception/Access/InvalidCsrfException.php b/src/Glpi/Exception/Access/InvalidCsrfException.php
@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2024 Teclib' and contributors.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+namespace Glpi\Exception\Access;
+
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\StreamedResponse;
+
+class InvalidCsrfException extends AccessException
+{
+    public function asResponse(): Response
+    {
+        $message = __("The action you have requested is not allowed.");
+
+        $request = $this->getRequest();
+
+        // Output JSON if requested by client
+        if (str_contains($request->getAcceptableContentTypes()['HTTP_ACCEPT'] ?? '', 'application/json')) {
+            return new JsonResponse(['message' => $this->message], 403);
+        }
+
+        return new StreamedResponse(function () use ($message) {
+            \Html::displayError($message, true);
+        }, 403);
+    }
+}
diff --git a/src/Session.php b/src/Session.php
@@ -33,10 +33,10 @@
  * ---------------------------------------------------------------------
  */
 
-use Glpi\Application\View\TemplateRenderer;
 use Glpi\Cache\CacheManager;
 use Glpi\Cache\I18nCache;
 use Glpi\Event;
+use Glpi\Exception\Access\InvalidCsrfException;
 use Glpi\Exception\Access\RequiresHttpsException;
 use Glpi\Exception\Access\SessionExpiredException;
 use Glpi\Plugin\Hooks;
@@ -1782,15 +1782,7 @@ public static function checkCSRF($data)
             $user_id = self::getLoginUserID() ?? 'Anonymous';
             Toolbox::logInFile('access-errors', "CSRF check failed for User ID: $user_id at $requested_url\n");
 
-            $message = __("The action you have requested is not allowed.");
-
-            // Output JSON if requested by client
-            if (strpos($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json') !== false) {
-                http_response_code(403);
-                die(json_encode(["message" => $message]));
-            }
-
-            Html::displayErrorAndDie($message, true);
+            throw new InvalidCsrfException();
         }
     }