mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-04 01:01:41 +09:00
133 lines
4.7 KiB
PHP
133 lines
4.7 KiB
PHP
<?php
|
|
|
|
namespace Rhymix\Modules\Admin\Controllers\SystemConfig;
|
|
|
|
use Context;
|
|
use Rhymix\Framework\Config;
|
|
use Rhymix\Framework\Exception;
|
|
use Rhymix\Framework\Filters\IpFilter;
|
|
use Rhymix\Framework\Filters\MediaFilter;
|
|
use Rhymix\Modules\Admin\Controllers\Base;
|
|
|
|
class Security extends Base
|
|
{
|
|
/**
|
|
* Display Security Settings page
|
|
*/
|
|
public function dispAdminConfigSecurity()
|
|
{
|
|
// Load embed filter.
|
|
context::set('mediafilter_whitelist', implode(PHP_EOL, MediaFilter::getWhitelist()));
|
|
context::set('mediafilter_classes', implode(PHP_EOL, Config::get('mediafilter.classes') ?: array()));
|
|
|
|
// Load robot user agents.
|
|
$robot_user_agents = Config::get('security.robot_user_agents') ?: array();
|
|
Context::set('robot_user_agents', implode(PHP_EOL, $robot_user_agents));
|
|
|
|
// Admin IP access control
|
|
$allowed_ip = Config::get('admin.allow');
|
|
Context::set('admin_allowed_ip', implode(PHP_EOL, $allowed_ip));
|
|
$denied_ip = Config::get('admin.deny');
|
|
Context::set('admin_denied_ip', implode(PHP_EOL, $denied_ip));
|
|
Context::set('remote_addr', RX_CLIENT_IP);
|
|
|
|
// Session and cookie security settings
|
|
Context::set('use_samesite', Config::get('session.samesite'));
|
|
Context::set('use_session_keys', Config::get('session.use_keys'));
|
|
Context::set('use_session_ssl', Config::get('session.use_ssl'));
|
|
Context::set('use_cookies_ssl', Config::get('session.use_ssl_cookies'));
|
|
Context::set('check_csrf_token', Config::get('security.check_csrf_token'));
|
|
Context::set('use_nofollow', Config::get('security.nofollow'));
|
|
|
|
$this->setTemplateFile('config_security');
|
|
}
|
|
|
|
/**
|
|
* Update security configuration.
|
|
*/
|
|
public function procAdminUpdateSecurity()
|
|
{
|
|
$vars = Context::getRequestVars();
|
|
|
|
// Media Filter iframe/embed whitelist
|
|
$whitelist = $vars->mediafilter_whitelist;
|
|
$whitelist = array_filter(array_map('trim', preg_split('/[\r\n]/', $whitelist)), function($item) {
|
|
return $item !== '';
|
|
});
|
|
$whitelist = array_unique(array_map(function($item) {
|
|
return MediaFilter::formatPrefix($item);
|
|
}, $whitelist));
|
|
natcasesort($whitelist);
|
|
Config::set('mediafilter.whitelist', array_values($whitelist));
|
|
Config::set('mediafilter.iframe', []);
|
|
Config::set('mediafilter.object', []);
|
|
|
|
// HTML classes
|
|
$classes = $vars->mediafilter_classes;
|
|
$classes = array_filter(array_map('trim', preg_split('/[\r\n]/', $classes)), function($item) {
|
|
return preg_match('/^[a-zA-Z0-9_-]+$/u', $item);
|
|
});
|
|
natcasesort($classes);
|
|
Config::set('mediafilter.classes', array_values($classes));
|
|
|
|
// Robot user agents
|
|
$robot_user_agents = $vars->robot_user_agents;
|
|
$robot_user_agents = array_filter(array_map('trim', preg_split('/[\r\n]/', $robot_user_agents)), function($item) {
|
|
return $item !== '';
|
|
});
|
|
Config::set('security.robot_user_agents', array_values($robot_user_agents));
|
|
|
|
// Remove old embed filter
|
|
$config = Config::getAll();
|
|
unset($config['embedfilter']);
|
|
Config::setAll($config);
|
|
|
|
// Admin IP access control
|
|
$allowed_ip = array_map('trim', preg_split('/[\r\n]/', $vars->admin_allowed_ip));
|
|
$allowed_ip = array_unique(array_filter($allowed_ip, function($item) {
|
|
return $item !== '';
|
|
}));
|
|
if (!IpFilter::validateRanges($allowed_ip)) {
|
|
throw new Exception('msg_invalid_ip');
|
|
}
|
|
|
|
$denied_ip = array_map('trim', preg_split('/[\r\n]/', $vars->admin_denied_ip));
|
|
$denied_ip = array_unique(array_filter($denied_ip, function($item) {
|
|
return $item !== '';
|
|
}));
|
|
if (!IpFilter::validateRanges($denied_ip)) {
|
|
throw new Exception('msg_invalid_ip');
|
|
}
|
|
|
|
$oMemberAdminModel = getAdminModel('member');
|
|
if (!$oMemberAdminModel->getMemberAdminIPCheck($allowed_ip, $denied_ip))
|
|
{
|
|
throw new Exception('msg_current_ip_will_be_denied');
|
|
}
|
|
|
|
$site_module_info = Context::get('site_module_info');
|
|
$vars->use_samesite = preg_replace('/[^a-zA-Z]/', '', $vars->use_samesite);
|
|
if ($vars->use_samesite === 'None' && ($vars->use_session_ssl !== 'Y' || $site_module_info->security !== 'always'))
|
|
{
|
|
$vars->use_samesite = '';
|
|
}
|
|
|
|
Config::set('admin.allow', array_values($allowed_ip));
|
|
Config::set('admin.deny', array_values($denied_ip));
|
|
Config::set('session.samesite', $vars->use_samesite);
|
|
Config::set('session.use_keys', $vars->use_session_keys === 'Y');
|
|
Config::set('session.use_ssl', $vars->use_session_ssl === 'Y');
|
|
Config::set('session.use_ssl_cookies', $vars->use_cookies_ssl === 'Y');
|
|
Config::set('security.check_csrf_token', $vars->check_csrf_token === 'Y');
|
|
Config::set('security.nofollow', $vars->use_nofollow === 'Y');
|
|
|
|
// Save
|
|
if (!Config::save())
|
|
{
|
|
throw new Exception('msg_failed_to_save_config');
|
|
}
|
|
|
|
$this->setMessage('success_updated');
|
|
$this->setRedirectUrl(Context::get('success_return_url') ?: getNotEncodedUrl('', 'module', 'admin', 'act', 'dispAdminConfigSecurity'));
|
|
}
|
|
}
|