mirror of https://we.phorge.it/source/phorge.git synced 2024-12-01 19:22:42 +01:00

Break AphrontWriteGuard dependency on AphrontRequest

Summary:
I want to move queryfx() and family to libphutil, for @chad and others (see T1283). We need to break a few dependencies to do this.

Since AphrontWriteGuard is independently useful, I broke the dependency between it and AphrontRequest rather than between Connection and WriteGuard. I'll move its implementation to libphutil in a future diff.

Test Plan: Loaded site, submitted CSRF form successfully, monkeyed with CSRF token, submitted CSRF form, got error.

Reviewers: btrahan, vrana

Reviewed By: vrana

CC: aran

Maniphest Tasks: T1283

Differential Revision: https://secure.phabricator.com/D3042
epriestley 2012-07-23 15:17:59 -07:00
parent 8213a70f3d
commit d07934474e
2 changed files with 14 additions and 8 deletions


@ -51,7 +51,7 @@ final class AphrontWriteGuard {
private static $instance; private static $instance;
private static $allowUnguardedWrites = false; private static $allowUnguardedWrites = false;
private $request; private $callback;
private $allowDepth = 0; private $allowDepth = 0;
@ -63,18 +63,23 @@ final class AphrontWriteGuard {
* active at a time. You must explicitly call @{method:dispose} when you are * active at a time. You must explicitly call @{method:dispose} when you are
* done with a write guard: * done with a write guard:
* *
* $guard = new AphrontWriteGuard(); * $guard = new AphrontWriteGuard($callback);
* // ... * // ...
* $guard->dispose(); * $guard->dispose();
* *
* Normally, you do not need to manage guards yourself -- the Aphront stack * Normally, you do not need to manage guards yourself -- the Aphront stack
* handles it for you. * handles it for you.
* *
* @param AphrontRequest Request to read CSRF token information from. * This class accepts a callback, which will be invoked when a write is
* attempted. The callback should validate the presence of a CSRF token in
* the request, or abort the request (e.g., by throwing an exception) if a
* valid token isn't present.
*
* @param callable CSRF callback.
* @return this * @return this
* @task manage * @task manage
*/ */
public function __construct(AphrontRequest $request) { public function __construct($callback) {
if (self::$instance) { if (self::$instance) {
throw new Exception( throw new Exception(
"An AphrontWriteGuard already exists. Dispose of the previous guard ". "An AphrontWriteGuard already exists. Dispose of the previous guard ".
@ -86,7 +91,7 @@ final class AphrontWriteGuard {
"unguarded writes unconditionally. This is not allowed and indicates ". "unguarded writes unconditionally. This is not allowed and indicates ".
"a serious error."); "a serious error.");
} }
$this->request = $request; $this->callback = $callback;
self::$instance = $this; self::$instance = $this;
} }
@ -154,9 +159,8 @@ final class AphrontWriteGuard {
} }
$instance = self::$instance; $instance = self::$instance;
if ($instance->allowDepth == 0) { if ($instance->allowDepth == 0) {
$instance->request->validateCSRF(); call_user_func($instance->callback);
} }
} }
@ -256,6 +260,8 @@ final class AphrontWriteGuard {
/** /**
* When the object is destroyed, make sure @{method:dispose} was called. * When the object is destroyed, make sure @{method:dispose} was called.
*
* @task internal
*/ */
public function __destruct() { public function __destruct() {
if (isset(self::$instance)) { if (isset(self::$instance)) {
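Review bot: The constructor now stores `$callback` without checking it, where the old `AphrontRequest` type hint rejected a wrong argument at construction time. The value is first used at `call_user_func($instance->callback)` in the write check, and on PHP versions where `call_user_func()` only raises a warning for an invalid callback the CSRF check would be skipped and the write allowed, unless an error handler turns that warning into an exception. I would reject it up front with `if (!is_callable($callback)) { throw new Exception('AphrontWriteGuard requires a callable CSRF callback.'); }` before `$this->callback = $callback;`; this also covers the call site in the second file, which passes the method name as a string in `array($request, 'validateCSRF')`. The docblock should also say that the callback's return value is ignored, so a callback that returns false instead of throwing does not block the write. The constructor and the write-check method both extend beyond the hunks shown.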


@ -145,7 +145,7 @@ $application->setPath($path);
$application->willBuildRequest(); $application->willBuildRequest();
$request = $application->buildRequest(); $request = $application->buildRequest();
$write_guard = new AphrontWriteGuard($request); $write_guard = new AphrontWriteGuard(array($request, 'validateCSRF'));
PhabricatorEventEngine::initialize(); PhabricatorEventEngine::initialize();
$application->setRequest($request); $application->setRequest($request);