Osm Admin: Fixing Progress Messages And Preventing Unsafe Operations
2 years ago ∙ 1 minute read
Progress messages stopped working, and I fixed that. Then, I implemented a safety measure that prevent accidental deletion (or other operations) on all objects.
Contents:
Messages
The nice progress messages that I developed in v0.1, doesn't work in v0.2.
The message HTML markup was added using a Blade @around directive:
@around({{ $footer ?? '' }})And this line is not there anymore, and message HTML markup is not added anymore. Fixed it by changing to:
@around(@include('std-pages::footer'))Preventing Unsafe Operations
While it's OK to show all products on the GET / page, it's irresponsible to allow editing all products with just GET /edit and POST /, and it's plain dangerous to allow deleting all products with just DELETE /.
Let's require additional ?all flag in the URL on all dangerous routes.
Let's mark safe routes with new #[Safe] attribute, and call new assertSafe() method in every route to check that there are either URL filters or ?all flag:
// Routes\Admin\EditPage
public function run(): Response
{
$this->assertSafe($this->form_view->query);
...
}
// Routes\Route
protected function assertSafe(Query $query): void {
if ($this->safe) {
return;
}
if (!empty($query->filters)) {
return;
}
if (($this->http->query['all'] ?? null) === true) {
return;
}
throw new UnsafeOperation(__(
"Specify a filter in the URL query parameters, or confirm an operation on all objects using `?all` flag."));
}The UnsafeOperation operation exception sends 403 Forbidden response:
class UnsafeOperation extends Http
{
public function response(): Response
{
global $osm_app; /* @var App $osm_app */
return $osm_app->http->responses->forbidden($this->getMessage());
}
}