Refactor code structure for improved readability and maintainability

2025-09-28 18:27:48 +02:00
parent 17d69ac9df
commit d903f9fc55
13 changed files with 228 additions and 101 deletions
--- a/admin/templates/articles/article-edit.php
+++ b/admin/templates/articles/article-edit.php
@@ -4,6 +4,17 @@
 <?
 global $db;

+$upload_token = bin2hex( random_bytes(24) );
+$_SESSION['upload_tokens'][$upload_token] = [
+  'user_id' => $this -> user['id'],
+  'expires' => time() + 60*20
+];
+
+$_SESSION['rfm_akey'] = bin2hex(random_bytes(16));
+$_SESSION['rfm_akey_expires'] = time() + 20*60;
+$_SESSION['can_use_rfm'] = true;
+$rfmAkeyJS = $_SESSION['rfm_akey'];
+
 ob_start();
 ?>
  <div id="settings-tabs">
@@ -95,7 +106,11 @@ ob_start();
                    $( function() {
                      $( '#text_<?= $lg['id'];?>, #entry_<?= $lg['id'];?>, #table_of_contents_<?= $lg['id'];?>' ).ckeditor( {
                        toolbar : 'MyToolbar',
-                        height:'250'
+                        height:'250',
+                        filebrowserBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserImageUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>'
                      });
                    });
                  </script>
@@ -401,6 +416,9 @@ echo $grid -> draw();

    $( "#images-uploader" ).pluploadQueue(
    {
+      multipart_params: {
+        upload_token: '<?= $upload_token ?>',
+      },
      runtimes: 'html5,flash,html4',
      init:
      {
@@ -453,6 +471,9 @@ echo $grid -> draw();

    $( "#files-uploader" ).pluploadQueue(
    {
+      multipart_params: {
+        upload_token: '<?= $upload_token ?>',
+      },
      runtimes: 'html5,flash,html4',
      init:
      {
--- a/admin/templates/shop-product/product-edit.php
+++ b/admin/templates/shop-product/product-edit.php
@@ -4,6 +4,17 @@
 <?
 global $db;

+$upload_token = bin2hex( random_bytes(24) );
+$_SESSION['upload_tokens'][$upload_token] = [
+  'user_id' => $this -> user['id'],
+  'expires' => time() + 60*20
+];
+
+$_SESSION['rfm_akey'] = bin2hex(random_bytes(16));
+$_SESSION['rfm_akey_expires'] = time() + 20*60;
+$_SESSION['can_use_rfm'] = true;
+$rfmAkeyJS = $_SESSION['rfm_akey'];
+
 ob_start();
 ?>

@@ -119,7 +130,11 @@ ob_start();
                    $(function() {
                      $('#short_description_<?= $lg['id']; ?>, #description_<?= $lg['id']; ?>').ckeditor({
                        toolbar: 'MyToolbar',
-                        height: '250'
+                        height: '250',
+                        filebrowserBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserImageUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>'
                      });
                    });
                  </script>
@@ -208,7 +223,11 @@ ob_start();
                    $(function() {
                      $('#tab_description_1_<?= $lg['id']; ?>, #tab_description_2_<?= $lg['id']; ?>').ckeditor({
                        toolbar: 'MyToolbar',
-                        height: '250'
+                        height: '250',
+                        filebrowserBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>',
+                        filebrowserImageUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>'
                      });
                    });
                  </script>
@@ -826,6 +845,9 @@ echo $grid->draw();
    });

    $("#images-uploader").pluploadQueue({
+      multipart_params: {
+        upload_token: '<?= $upload_token ?>',
+      },
      runtimes: 'html5,flash,html4',
      init: {
        Refresh: function(up) {
@@ -874,6 +896,9 @@ echo $grid->draw();
    });

    $("#files-uploader").pluploadQueue({
+      multipart_params: {
+        upload_token: '<?= $upload_token ?>',
+      },
      runtimes: 'html5,flash,html4',
      init: {
        Refresh: function(up) {
--- a/autoload/admin/controls/class.Articles.php
+++ b/autoload/admin/controls/class.Articles.php
@@ -39,19 +39,24 @@ class Articles
    exit;
  }

-  public static function article_edit()
-  {
+  public static function article_edit() {
+    global $user;
+
+    if ( !$user ) {
+      header( 'Location: /admin/' );
+      exit;
+    }
+
    \admin\factory\Articles::delete_nonassigned_images();
    \admin\factory\Articles::delete_nonassigned_files();

-    return \admin\view\Articles::article_edit(
-              \admin\factory\Articles::article_details(
-                \S::get( 'id' )
-              ),
-              \admin\factory\Pages::menus_list(),
-              \admin\factory\Languages::languages_list(),
-              \admin\factory\Layouts::layouts_list()
-            );
+    return \Tpl::view( 'articles/article-edit', [
+      'article'   => \admin\factory\Articles::article_details( (int)\S::get( 'id' ) ),
+      'menus'     => \admin\factory\Pages::menus_list(),
+      'languages' => \admin\factory\Languages::languages_list(),
+      'layouts'   => \admin\factory\Layouts::layouts_list(),
+      'user'      => $user
+    ] );
  }

  public static function view_list()
--- a/autoload/admin/controls/class.ShopProduct.php
+++ b/autoload/admin/controls/class.ShopProduct.php
@@ -229,22 +229,29 @@ class ShopProduct
  }

  // edycja produktu
-  public static function product_edit()
-  {
+  public static function product_edit() {
+    global $user;
+
+    if ( !$user ) {
+      header( 'Location: /admin/' );
+      exit;
+    }
+
    \admin\factory\ShopProduct::delete_nonassigned_images();
    \admin\factory\ShopProduct::delete_nonassigned_files();

    return \Tpl::view( 'shop-product/product-edit', [
-            'product' => \admin\factory\ShopProduct::product_details( (int) \S::get( 'id' ) ),
-            'languages' => \admin\factory\Languages::languages_list(),
-            'categories' => \admin\factory\ShopCategory::subcategories( null ),
-            'layouts' => \admin\factory\Layouts::layouts_list(),
-            'products' => \admin\factory\ShopProduct::products_list(),
-            'dlang' => \front\factory\Languages::default_language(),
-            'sets' => \shop\ProductSet::sets_list(),
-            'producers' => \admin\factory\ShopProducer::all(),
-            'units' => \admin\factory\Dictionaries::all_units()
-        ] );
+      'product'     => \admin\factory\ShopProduct::product_details( (int) \S::get( 'id' ) ),
+      'languages'   => \admin\factory\Languages::languages_list(),
+      'categories'  => \admin\factory\ShopCategory::subcategories( null ),
+      'layouts'     => \admin\factory\Layouts::layouts_list(),
+      'products'    => \admin\factory\ShopProduct::products_list(),
+      'dlang'       => \front\factory\Languages::default_language(),
+      'sets'        => \shop\ProductSet::sets_list(),
+      'producers'   => \admin\factory\ShopProducer::all(),
+      'units'       => \admin\factory\Dictionaries::all_units(),
+      'user'        => $user
+    ] );
  }

  // ajax_load_products ARCHIVE
--- a/autoload/admin/view/class.Articles.php
+++ b/autoload/admin/view/class.Articles.php
@@ -24,15 +24,5 @@ class Articles
    $tpl = new \Tpl;
    return $tpl -> render( 'articles/articles-list' );
  }
-  
-  public static function article_edit( $article, $menus, $languages, $layouts )
-  {
-    $tpl = new \Tpl;
-    $tpl -> article     = $article;
-    $tpl -> menus       = $menus;
-    $tpl -> languages   = $languages;
-    $tpl -> layouts     = $layouts;
-    return $tpl -> render( 'articles/article-edit' );
-  }
 }
 ?>
--- a/libraries/filemanager-9.14.2/dialog.php
+++ b/libraries/filemanager-9.14.2/dialog.php
@@ -1,4 +1,20 @@
 <?php
+session_start();
+$user = $_SESSION['user'];
+if ( !$user ) {
+  header('HTTP/1.1 403 Forbidden');
+  exit('Access denied');
+}
+
+$akey = $_GET['akey'] ?? $_POST['akey'] ?? '';
+if (
+  empty($_SESSION['rfm_akey']) ||
+  $akey !== $_SESSION['rfm_akey'] ||
+  (($_SESSION['rfm_akey_expires'] ?? 0) < time())
+) {
+  header('HTTP/1.1 403 Forbidden');
+  exit('Invalid key');
+}

 $time = time();

--- a/libraries/plupload/upload-articles-files.php
+++ b/libraries/plupload/upload-articles-files.php
@@ -4,6 +4,21 @@ require_once '../medoo/medoo.php';
 date_default_timezone_set( 'Europe/Warsaw' );
 session_start();

+$upload_token = $_REQUEST['upload_token'] ?? '';
+if ( !isset( $_SESSION['upload_tokens'][$upload_token] ) ) {
+  http_response_code(403);
+  echo json_encode( ['error' => 'Brak tokenu uploadu'] );
+  exit;
+}
+
+$tokenData = $_SESSION['upload_tokens'][$upload_token];
+if ( $tokenData['expires'] < time() ) {
+  unset( $_SESSION['upload_tokens'][$upload_token] );
+  http_response_code(403);
+  echo json_encode( ['error' => 'Token wygasł'] );
+  exit;
+}
+
 $mdb = new medoo( [
                    'database_type' => 'mysql',
                    'database_name' => $database['name'],
--- a/libraries/plupload/upload-articles-images.php
+++ b/libraries/plupload/upload-articles-images.php
@@ -4,6 +4,21 @@ require_once '../medoo/medoo.php';
 date_default_timezone_set( 'Europe/Warsaw' );
 session_start();

+$upload_token = $_REQUEST['upload_token'] ?? '';
+if ( !isset( $_SESSION['upload_tokens'][$upload_token] ) ) {
+  http_response_code(403);
+  echo json_encode( ['error' => 'Brak tokenu uploadu'] );
+  exit;
+}
+
+$tokenData = $_SESSION['upload_tokens'][$upload_token];
+if ( $tokenData['expires'] < time() ) {
+  unset( $_SESSION['upload_tokens'][$upload_token] );
+  http_response_code(403);
+  echo json_encode( ['error' => 'Token wygasł'] );
+  exit;
+}
+
 $mdb = new medoo( [
                    'database_type' => 'mysql',
                    'database_name' => $database['name'],
--- a/libraries/plupload/upload-product-files.php
+++ b/libraries/plupload/upload-product-files.php
@@ -4,6 +4,21 @@ require_once '../medoo/medoo.php';
 date_default_timezone_set( 'Europe/Warsaw' );
 session_start();

+$upload_token = $_REQUEST['upload_token'] ?? '';
+if ( !isset( $_SESSION['upload_tokens'][$upload_token] ) ) {
+  http_response_code(403);
+  echo json_encode( ['error' => 'Brak tokenu uploadu'] );
+  exit;
+}
+
+$tokenData = $_SESSION['upload_tokens'][$upload_token];
+if ( $tokenData['expires'] < time() ) {
+  unset( $_SESSION['upload_tokens'][$upload_token] );
+  http_response_code(403);
+  echo json_encode( ['error' => 'Token wygasł'] );
+  exit;
+}
+
 $mdb = new medoo( [
                    'database_type' => 'mysql',
                    'database_name' => $database['name'],
--- a/libraries/plupload/upload-product-images.php
+++ b/libraries/plupload/upload-product-images.php
@@ -4,6 +4,21 @@ require_once '../medoo/medoo.php';
 date_default_timezone_set( 'Europe/Warsaw' );
 session_start();

+$upload_token = $_REQUEST['upload_token'] ?? '';
+if ( !isset( $_SESSION['upload_tokens'][$upload_token] ) ) {
+  http_response_code(403);
+  echo json_encode( ['error' => 'Brak tokenu uploadu'] );
+  exit;
+}
+
+$tokenData = $_SESSION['upload_tokens'][$upload_token];
+if ( $tokenData['expires'] < time() ) {
+  unset( $_SESSION['upload_tokens'][$upload_token] );
+  http_response_code(403);
+  echo json_encode( ['error' => 'Token wygasł'] );
+  exit;
+}
+
 $mdb = new medoo( [
                    'database_type' => 'mysql',
                    'database_name' => $database['name'],
--- a/updates/0.20/ver_0.230.zip
+++ b/updates/0.20/ver_0.230.zip
--- a/updates/changelog.php
+++ b/updates/changelog.php
@@ -1,3 +1,6 @@
+<b>ver. 0.230</b><br />
+- FIX - poprawki bezpieczeństwa
+<hr>
 <b>ver. 0.229</b><br />
 - NEW - pola dodatkowe z opcją wymagane/niewymagane
 <hr>
--- a/updates/versions.php
+++ b/updates/versions.php
@@ -1,5 +1,5 @@
 <?
-$current_ver = 229;
+$current_ver = 230;

 for ($i = 1; $i <= $current_ver; $i++)
 {