fix: can access any frontend routes from frontend links

SychO9 · Jun 7, 2022 · 82aea3d · 82aea3d
1 parent 0ee2125
commit 82aea3d
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 22 deletions.
diff --git a/extend.php b/extend.php
@@ -57,6 +57,9 @@
         ->default('sycho-private-facade.primary_color_bg', true)
         ->default('sycho-private-facade.force_redirect', true)
         ->default('sycho-private-facade.use_welcome_hero_text', true)
+        ->serializeToForum('sycho-private-facade.route_exclusions', 'sycho-private-facade.route_exclusions', function ($value) {
+            return PrivateFacadeMiddleware::getFrontendRouteExclusions($value);
+        })
         ->serializeToForum('sycho-private-facade.illustration_url', 'sycho-private-facade.illustration_path', ExposeIllustration::class)
         ->serializeToForum('sycho-private-facade.header_layout', 'sycho-private-facade.header_layout')
         ->serializeToForum('sycho-private-facade.primary_color_bg', 'sycho-private-facade.primary_color_bg', 'boolval')

diff --git a/js/src/forum/components/PrivateFacade.tsx b/js/src/forum/components/PrivateFacade.tsx
@@ -9,23 +9,23 @@ import Mithril from 'mithril';
 import Page, { IPageAttrs } from 'flarum/common/components/Page';
 import classList from 'flarum/common/utils/classList';
 
-type SubRoute = 'login' | 'signup';
+type SubRoute = 'sycho-private-facade.login' | 'sycho-private-facade.signup';
 type SubRouteDefinition = {
   label: string;
   component: any;
   next: SubRoute;
 };
 
 const routes: () => Record<SubRoute, SubRouteDefinition> = () => ({
-  login: {
+  'sycho-private-facade.login': {
     label: extractText(app.translator.trans('sycho-private-facade.forum.log_in_label')),
     component: LogInView,
-    next: 'signup',
+    next: 'sycho-private-facade.signup',
   },
-  signup: {
+  'sycho-private-facade.signup': {
     label: extractText(app.translator.trans('sycho-private-facade.forum.sign_up_label')),
     component: SignUpView,
-    next: 'login',
+    next: 'sycho-private-facade.login',
   },
 });
 
@@ -38,7 +38,7 @@ export default class PrivateFacade<T extends IPageAttrs> extends Page<T> {
 
     this.routes = routes();
     // @ts-ignore
-    this.currentRoute = this.routes[app.current.data.routeName as 'login' | 'signup'];
+    this.currentRoute = this.routes[app.current.data.routeName as 'sycho-private-facade.login' | 'sycho-private-facade.signup'];
 
     app.setTitle(this.currentRoute.label);
 
@@ -74,7 +74,7 @@ export default class PrivateFacade<T extends IPageAttrs> extends Page<T> {
                       className="Button Button--block PrivateFacade-Button--outline PrivateFacade-Button"
                       onclick={() => {
                         if (
-                          ['login', 'signup'].includes(app.history.getPrevious()?.name) &&
+                          ['sycho-private-facade.login', 'sycho-private-facade.signup'].includes(app.history.getPrevious()?.name) &&
                           app.history.getPrevious()?.name === this.currentRoute.next
                         ) {
                           app.history.back();

diff --git a/js/src/forum/index.tsx b/js/src/forum/index.tsx
@@ -6,20 +6,21 @@ import HeaderSecondary from 'flarum/forum/components/HeaderSecondary';
 import Mithril from 'mithril';
 import Navigation from 'flarum/common/components/Navigation';
 import LinkButton from 'flarum/common/components/LinkButton';
+import DefaultResolver from "flarum/common/resolvers/DefaultResolver";
 
 app.initializers.add('sycho/flarum-private-facade', () => {
-  app.routes.login = {
+  app.routes['sycho-private-facade.login'] = {
     path: '/login',
     component: PrivateFacade,
   };
 
-  app.routes.signup = {
+  app.routes['sycho-private-facade.signup'] = {
     path: '/signup',
     component: PrivateFacade,
   };
 
   // @ts-ignore
-  const isPrivateFacadePage = (): boolean => ['login', 'signup'].includes(app.current.data.routeName);
+  const isPrivateFacadePage = (): boolean => ['sycho-private-facade.login', 'sycho-private-facade.signup'].includes(app.current.data.routeName);
 
   override(HeaderSecondary.prototype, 'view', (orig, ...args) => {
     if (isPrivateFacadePage() && ['show_only_logo', 'hide_secondary_items'].includes(app.forum.attribute('sycho-private-facade.header_layout'))) {
@@ -57,7 +58,7 @@ app.initializers.add('sycho/flarum-private-facade', () => {
     if (items.has('logIn')) {
       items.setContent(
         'logIn',
-        <LinkButton className="Button Button--link" href={app.route('login')}>
+        <LinkButton className="Button Button--link" href={app.route('sycho-private-facade.login')}>
           {app.translator.trans('core.forum.header.log_in_link')}
         </LinkButton>
       );
@@ -66,10 +67,18 @@ app.initializers.add('sycho/flarum-private-facade', () => {
     if (items.has('signUp')) {
       items.setContent(
         'signUp',
-        <LinkButton className="Button Button--link" href={app.route('signup')}>
+        <LinkButton className="Button Button--link" href={app.route('sycho-private-facade.signup')}>
           {app.translator.trans('core.forum.header.sign_up_link')}
         </LinkButton>
       );
     }
   });
+
+  override(DefaultResolver.prototype, 'onmatch', function (orig, args, requestedPath, route) {
+    if (!app.forum.attribute<string[]>('sycho-private-facade.route_exclusions').includes(this.routeName)) {
+      return m.route.SKIP;
+    }
+
+    return orig(args, requestedPath, route);
+  });
 });
diff --git a/src/PrivateFacadeMiddleware.php b/src/PrivateFacadeMiddleware.php
@@ -13,6 +13,16 @@
 
 class PrivateFacadeMiddleware implements MiddlewareInterface
 {
+    public const BACKEND_ROUTE_EXCLUSIONS = [
+        'login', 'register', 'sycho-private-facade.login', 'sycho-private-facade.signup',
+        'resetPassword', 'confirmEmail', 'savePassword', 'confirmEmail.submit',
+        // FoF-OAuth
+        'auth.twitter', 'fof-oauth',
+    ];
+    public const FRONTEND_ROUTE_EXCLUSIONS = [
+        'sycho-private-facade.login', 'sycho-private-facade.signup',
+    ];
+
     /**
      * @var SettingsRepositoryInterface
      */
@@ -34,16 +44,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
         $actor = RequestUtil::getActor($request);
 
         $userExcludedRoutes = $this->settings->get('sycho-private-facade.route_exclusions') ?: '';
-        $extensionExcludedRoutes = [
-            'login', 'register', 'sycho-private-facade.login', 'sycho-private-facade.signup',
-            'resetPassword', 'confirmEmail', 'savePassword', 'confirmEmail.submit',
-            // FoF-OAuth
-            'auth.twitter', 'fof-oauth',
-        ];
-
-        if (! empty($userExcludedRoutes)) {
-            $extensionExcludedRoutes = array_merge($extensionExcludedRoutes, explode(', ', $userExcludedRoutes));
-        }
+        $extensionExcludedRoutes = self::getBackendRouteExclusions($userExcludedRoutes);
 
         $excludedRoute = in_array($request->getAttribute('routeName'), $extensionExcludedRoutes, true);
 
@@ -69,4 +70,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
         return $handler->handle($request);
     }
+
+    public static function getBackendRouteExclusions(string $userExcludedRoutes): array
+    {
+        return self::getRouteExclusions($userExcludedRoutes, self::BACKEND_ROUTE_EXCLUSIONS);
+    }
+
+    public static function getFrontendRouteExclusions(string $userExcludedRoutes): array
+    {
+        return self::getRouteExclusions($userExcludedRoutes, self::FRONTEND_ROUTE_EXCLUSIONS);
+    }
+
+    protected static function getRouteExclusions(string $userExcludedRoutes, array $extensionExcludedRoutes): array
+    {
+        if (! empty($userExcludedRoutes)) {
+            $extensionExcludedRoutes = array_merge($extensionExcludedRoutes, explode(', ', $userExcludedRoutes));
+        }
+
+        return $extensionExcludedRoutes;
+    }
 }