Proximity/staffmanager
1
0
Fork 0
forked from miguel456/rbrecruiter
Code Issues Pull Requests Projects Releases Wiki Activity

Code review

Browse Source 
This commit fixes some superficial instances of Broken Access Control 
(https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control).
There may be some more instances of this, as authorization was only done 
after most of the controllers were done (big mistake).

Some refactoring was also performed, where Route Model Binding with DI 
(dependency injection) was used whenever possible, to increase 
testability of the codebase.
Some reused code was also moved to Helper classes as to enforce DRY; 
There may be some lines of code that are still copy-pasted from other 
parts of the codebase for reuse.

Non-breaking refactoring changes were made, but the app as a whole still 
needs full manual testing, and customised responses to HTTP 500 
responses. Some errors are also not handled gracefully and this wasn't 
checked in this commit.
This commit is contained in:
Miguel Nogueira
2020-07-16 21:21:28 +01:00
parent 9e2d571298
commit 5f1f92a9ce
30 changed files with 310 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
app/Http/Controllers/ApplicationController.php
View File

@@ -18,8 +18,11 @@ use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Log;
use ContextAwareValidator;
class ApplicationController extends Controller
{
private function canVote($votes)
{
$allvotes = collect([]);
@@ -45,11 +48,8 @@ class ApplicationController extends Controller
}
public function showUserApp(Request $request, $applicationID)
public function showUserApp(Request $request, Application $application)
{
// TODO: Inject it instead (do this where there is no injection, not just here)
$application = Application::find($applicationID);
$this->authorize('view', $application);
if (!is_null($application))
@@ -78,6 +78,8 @@ class ApplicationController extends Controller
public function showAllApps()
{
$this->authorize('viewAny', Application::class);
return view('dashboard.appmanagement.all')
->with('applications', Application::paginate(6));
}
@@ -186,36 +188,16 @@ class ApplicationController extends Controller
Log::info('Processing new application!');
$formStructure = json_decode($vacancy->first()->forms->formStructure, true);
$responseStructure = [];
$excludedNames = [
'_token',
];
$validator = [];
foreach($request->all() as $fieldName => $value)
{
if(!in_array($fieldName, $excludedNames))
{
$validator[$fieldName] = 'required|string';
$responseStructure['responses'][$fieldName]['type'] = $formStructure['fields'][$fieldName]['type'] ?? 'Unavailable';
$responseStructure['responses'][$fieldName]['title'] = $formStructure['fields'][$fieldName]['title'];
$responseStructure['responses'][$fieldName]['response'] = $value;
}
}
$responseValidation = ContextAwareValidator::getResponseValidator($request->all(), $formStructure);
Log::info('Built response & validator structure!');
$validation = Validator::make($request->all(), $validator);
if (!$validation->fails())
if (!$responseValidation->get('validator')->fails())
{
$response = Response::create([
'responseFormID' => $vacancy->first()->forms->id,
'associatedVacancyID' => $vacancy->first()->id, // Since a form can be used by multiple vacancies, we can only know which specific vacancy this response ties to by using a vacancy ID
'responseData' => json_encode($responseStructure)
'responseData' => $responseValidation->get('responseStructure')
]);
Log::info('Registered form response for user ' . Auth::user()->name . ' for vacancy ' . $vacancy->first()->vacancyName);
@@ -249,35 +231,27 @@ class ApplicationController extends Controller
return redirect()->back();
}
public function updateApplicationStatus(Request $request, $applicationID, $newStatus)
public function updateApplicationStatus(Request $request, $application, $newStatus)
{
$application = Application::find($applicationID);
$this->authorize('update', Application::class);
if (!is_null($application))
switch ($newStatus)
{
switch ($newStatus)
{
case 'deny':
case 'deny':
event(new ApplicationDeniedEvent($application));
break;
event(new ApplicationDeniedEvent($application));
break;
case 'interview':
Log::info('User ' . Auth::user()->name . ' has moved application ID ' . $application->id . 'to interview stage');
$request->session()->flash('success', 'Application moved to interview stage! (:');
$application->setStatus('STAGE_INTERVIEW');
case 'interview':
Log::info('User ' . Auth::user()->name . ' has moved application ID ' . $application->id . 'to interview stage');
$request->session()->flash('success', 'Application moved to interview stage! (:');
$application->setStatus('STAGE_INTERVIEW');
$application->user->notify(new ApplicationMoved());
break;
$application->user->notify(new ApplicationMoved());
break;
default:
$request->session()->flash('error', 'There are no suitable statuses to update to. Do not mess with the URL.');
}
}
else
{
$request->session()->flash('The application you\'re trying to update does not exist.');
default:
$request->session()->flash('error', 'There are no suitable statuses to update to. Do not mess with the URL.');
}
return redirect()->back();
@@ -291,7 +265,7 @@ class ApplicationController extends Controller
$request->session()->flash('success', 'Application deleted. Comments, appointments and responses have also been deleted.');
return redirect()->back();
}
}

80
app/Http/Controllers/AppointmentController.php
View File

@@ -24,84 +24,56 @@ class AppointmentController extends Controller
];
public function saveAppointment(Request $request, $applicationID)
public function saveAppointment(Request $request, Application $application)
{
// Unrelated TODO: change if's in application page to a switch statement, & have the row encompass it
$this->authorize('create', Appointment::class);
$appointmentDate = Carbon::parse($request->appointmentDateTime);
$app = Application::find($applicationID);
if (!is_null($app))
{
// make sure this is a valid date by parsing it first
$appointmentDate = Carbon::parse($request->appointmentDateTime);
$appointment = Appointment::create([
'appointmentDescription' => $request->appointmentDescription,
'appointmentDate' => $appointmentDate->toDateTimeString(),
'applicationID' => $application->id,
'appointmentLocation' => (in_array($request->appointmentLocation, $this->allowedPlatforms)) ? $request->appointmentLocation : 'DISCORD',
]);
$application->setStatus('STAGE_INTERVIEW_SCHEDULED');
$appointment = Appointment::create([
'appointmentDescription' => $request->appointmentDescription,
'appointmentDate' => $appointmentDate->toDateTimeString(),
'applicationID' => $applicationID,
'appointmentLocation' => (in_array($request->appointmentLocation, $this->allowedPlatforms)) ? $request->appointmentLocation : 'DISCORD',
]);
$app->setStatus('STAGE_INTERVIEW_SCHEDULED');
Log::info('User ' . Auth::user()->name . ' has scheduled an appointment with ' . $application->user->name . ' for application ID' . $application->id, [
'datetime' => $appointmentDate->toDateTimeString(),
'scheduled' => now()
]);
$application->user->notify(new AppointmentScheduled($appointment));
$request->session()->flash('success', 'Appointment successfully scheduled @ ' . $appointmentDate->toDateTimeString());
Log::info('User ' . Auth::user()->name . ' has scheduled an appointment with ' . $app->user->name . ' for application ID' . $app->id, [
'datetime' => $appointmentDate->toDateTimeString(),
'scheduled' => now()
]);
$app->user->notify(new AppointmentScheduled($appointment));
$request->session()->flash('success', 'Appointment successfully scheduled @ ' . $appointmentDate->toDateTimeString());
}
else
{
$request->session()->flash('error', 'Cant\'t schedule an appointment for an application that doesn\'t exist.');
}
return redirect()->back();
}
public function updateAppointment(Request $request, $applicationID, $status)
public function updateAppointment(Request $request, Application $application, $status)
{
$this->authorize('update', $application->appointment);
$application = Application::find($applicationID);
$validStatuses = [
'SCHEDULED',
'CONCLUDED'
];
$this->authorize('update', $application->appointment);
// NOTE: This is a little confusing, refactor
$application->appointment->appointmentStatus = (in_array($status, $validStatuses)) ? strtoupper($status) : 'SCHEDULED';
$application->appointment->save();
$application->setStatus('STAGE_PEERAPPROVAL');
$application->user->notify(new ApplicationMoved());
if (!is_null($application))
{
// NOTE: This is a little confusing, refactor
$application->appointment->appointmentStatus = (in_array($status, $validStatuses)) ? strtoupper($status) : 'SCHEDULED';
$application->appointment->save();
$application->setStatus('STAGE_PEERAPPROVAL');
$application->user->notify(new ApplicationMoved());
$request->session()->flash('success', 'Interview finished! Staff members can now vote on it.');
}
else
{
$request->session()->flash('error', 'The application you\'re trying to update doesn\'t exist or have an appointment.');
}
$request->session()->flash('success', 'Interview finished! Staff members can now vote on it.');
return redirect()->back();
}
// also updates
public function saveNotes(SaveNotesRequest $request, $applicationID)
public function saveNotes(SaveNotesRequest $request, $application)
{
$application = Application::find($applicationID);
if (!is_null($application))
{
$application->appointment->meetingNotes = $request->noteText;
@@ -111,7 +83,7 @@ class AppointmentController extends Controller
}
else
{
$request->session()->flash('error', 'Sanity check failed: There\'s no appointment to save notes to!');
$request->session()->flash('error', 'There\'s no appointment to save notes to!');
}
return redirect()->back();

6
app/Http/Controllers/BanController.php
View File

@@ -15,11 +15,7 @@ class BanController extends Controller
public function insert(BanUserRequest $request, User $user)
{
if ($user->is(Auth::user()))
{
$request->session()->flash('error', 'You can\'t ban yourself!');
return redirect()->back();
}
$this->authorize('create', Ban::class);
if (is_null($user->bans))
{

10
app/Http/Controllers/CommentController.php
View File

@@ -22,7 +22,7 @@ class CommentController extends Controller
public function insert(NewCommentRequest $request, Application $application)
{
$this->authorize('create', Comment::class);
$comment = Comment::create([
'authorID' => Auth::user()->id,
'applicationID' => $application->id,
@@ -32,14 +32,6 @@ class CommentController extends Controller
if ($comment)
{
foreach (User::all() as $user)
{
if ($user->isStaffMember())
{
$user->notify(new NewComment($comment, $application));
}
}
$request->session()->flash('success', 'Comment posted! (:');
}
else

29
app/Http/Controllers/ContactController.php
View File

@@ -4,11 +4,23 @@ namespace App\Http\Controllers;
use Illuminate\Http\Request;
use GuzzleHttp;
use App\Notifications\NewContact;
use Illuminate\Support\Facades\Http;
use App\User;
class ContactController extends Controller
{
protected $users;
public function __construct(User $users)
{
$this->users = $users;
}
public function create(Request $request)
{
$name = $request->name;
@@ -18,12 +30,14 @@ class ContactController extends Controller
$challenge = $request->input('captcha');
// TODO: now: add middleware for this verification, move to invisible captcha
$verifyrequest = Http::asForm()->post(config('recaptcha.verify.apiurl'), [
'secret' => config('recaptcha.keys.secret'),
'response' => $challenge,
'remoteip' => $_SERVER['REMOTE_ADDR']
'remoteip' => $request->ip()
]);
$response = json_decode($verifyrequest->getBody(), true);
if (!$response['success'])
@@ -32,7 +46,18 @@ class ContactController extends Controller
return redirect()->back();
}
// TODO: Send mail
foreach(User::all() as $user)
{
if ($user->hasRole('admin'))
{
$user->notify(new NewContact(collect([
'message' => $msg,
'ip' => $request->ip(),
'email' => $email
])));
}
}
$request->session()->flash('success', 'Message sent successfully! We usually respond within 48 hours.');
return redirect()->back();

14
app/Http/Controllers/DevToolsController.php
View File

@@ -6,16 +6,30 @@ use App\Application;
use App\Events\ApplicationApprovedEvent;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class DevToolsController extends Controller
{
// The use case for Laravel's gate and/or validation Requests is so tiny here that a full-blown policy would be overkill.
protected function isolatedAuthorise()
{
if (!Auth::user()->can('admin.developertools.use'))
{
abort(403, 'You\'re not authorized to access this page.');
}
}
public function index()
{
$this->isolatedAuthorise();
return view('dashboard.administration.devtools')
->with('applications', Application::where('applicationStatus', 'STAGE_PEERAPPROVAL')->get());
}
public function forceVoteCount(Request $request)
{
$this->isolatedAuthorise();
$application = Application::find($request->application);
if (!is_null($application))

10
app/Http/Controllers/FormController.php
View File

@@ -55,10 +55,8 @@ class FormController extends Controller
return redirect()->back();
}
public function destroy(Request $request, $id)
public function destroy(Request $request, Form $form)
{
$form = Form::find($id);
$this->authorize('delete', $form);
$deletable = true;
@@ -85,6 +83,8 @@ class FormController extends Controller
public function preview(Request $request, Form $form)
{
$this->authorize('viewAny', Form::class);
return view('dashboard.administration.formpreview')
->with('form', json_decode($form->formStructure, true))
->with('title', $form->formName)
@@ -93,6 +93,8 @@ class FormController extends Controller
public function edit(Request $request, Form $form)
{
$this->authorize('update', $form);
return view('dashboard.administration.editform')
->with('formStructure', json_decode($form->formStructure, true))
->with('title', $form->formName)
@@ -101,6 +103,8 @@ class FormController extends Controller
public function update(Request $request, Form $form)
{
$this->authorize('update', $form);
$contextValidation = ContextAwareValidator::getValidator($request->all(), true);
$this->authorize('update', $form);

14
app/Http/Controllers/ProfileController.php
View File

@@ -87,7 +87,6 @@ class ProfileController extends Controller
public function saveProfile(ProfileSave $request)
{
// TODO: Switch to route model binding
$profile = User::find(Auth::user()->id)->profile;
$social = [];
@@ -120,19 +119,6 @@ class ProfileController extends Controller
$request->session()->flash('success', 'Profile settings saved successfully.');
}
else
{
$gm = 'Guru Meditation #' . rand(0, 1000);
Log::alert('[GURU MEDITATION]: Could not find profile for authenticated user ' . Auth::user()->name . 'whilst trying to update it! Please verify that profiles are being created automatically during signup.',
[
'uuid' => Auth::user()->uuid,
'timestamp' => now(),
'route' => $request->route()->getName(),
'gmcode' => $gm // If this error is reported, the GM code, denoting a severe error, will help us find this entry in the logs
]);
$request->session()->flash('error', 'A technical error has occurred whilst trying to save your profile. Incident details have been recorded. Please report this incident to administrators with the following case number: ' . $gm);
}
return redirect()->back();

5
app/Http/Controllers/UserController.php
View File

@@ -189,6 +189,9 @@ class UserController extends Controller
public function delete(DeleteUserRequest $request, User $user)
{
$this->authorize('delete', $user);
if ($request->confirmPrompt == 'DELETE ACCOUNT')
{
$user->delete();
@@ -206,6 +209,8 @@ class UserController extends Controller
public function update(UpdateUserRequest $request, User $user)
{
$this->authorize('adminEdit', $user);
// Mass update would not be possible here without extra code, making route model binding useless
$user->email = $request->email;
$user->name = $request->name;

3
app/Http/Controllers/VacancyController.php
View File

@@ -64,10 +64,9 @@ class VacancyController extends Controller
}
public function updatePositionAvailability(Request $request, $status, $id)
public function updatePositionAvailability(Request $request, $status, Vacancy $vacancy)
{
$vacancy = Vacancy::find($id);
$this->authorize('update', $vacancy);
if (!is_null($vacancy))

30
app/Http/Controllers/VoteController.php
View File

@@ -13,33 +13,23 @@ use Illuminate\Support\Facades\Log;
class VoteController extends Controller
{
public function vote(VoteRequest $voteRequest, $applicationID)
public function vote(VoteRequest $voteRequest, Application $application)
{
$application = Application::find($applicationID);
$this->authorize('create', Vote::class);
if (!is_null($application))
{
$vote = Vote::create([
'userID' => Auth::user()->id,
'allowedVoteType' => $voteRequest->voteType,
]);
$vote = Vote::create([
'userID' => Auth::user()->id,
'allowedVoteType' => $voteRequest->voteType,
]);
$vote->application()->attach($applicationID);
$vote->application()->attach($applicationID);
Log::info('User ' . Auth::user()->name . ' has voted in applicant ' . $application->user->name . '\'s application', [
'voteType' => $voteRequest->voteType
]);
$voteRequest->session()->flash('success', 'Your vote has been registered! You will now be notified about the outcome of this application.');
}
else
{
$voteRequest->session()->flash('error', 'Can\t vote a non existant application!');
}
Log::info('User ' . Auth::user()->name . ' has voted in applicant ' . $application->user->name . '\'s application', [
'voteType' => $voteRequest->voteType
]);
$voteRequest->session()->flash('success', 'Your vote has been registered!');
// Cron job will run command that processes votes
return redirect()->back();
}
}