Move the security check code into a middleware

Author: williamdes

phpstan-baseline.neon

@@ -6,18 +6,6 @@ parameters:
 			count: 2
 			path: src/Console/Installer.php
 
-		-
-			message: '#^Property App\\Controller\\AppController\:\:\$readonly_whitelist type has no value type specified in iterable type array\.$#'
-			identifier: missingType.iterableValue
-			count: 1
-			path: src/Controller/AppController.php
-
-		-
-			message: '#^Property App\\Controller\\AppController\:\:\$whitelist type has no value type specified in iterable type array\.$#'
-			identifier: missingType.iterableValue
-			count: 1
-			path: src/Controller/AppController.php
-
 		-
 			message: '#^Method App\\Controller\\Component\\GithubApiComponent\:\:apiRequest\(\) has parameter \$data with no value type specified in iterable type array\.$#'
 			identifier: missingType.iterableValue

src/Application.php

@@ -18,6 +18,7 @@
 
 namespace App;
 
+use App\Middleware\AuthenticationMiddleware;
 use App\Middleware\CsrfProtectionMiddleware;
 use App\Middleware\HostHeaderMiddleware;
 use Cake\Core\Configure;
@@ -90,7 +91,10 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 
             // Cross Site Request Forgery (CSRF) Protection Middleware
             // https://book.cakephp.org/5/en/security/csrf.html#cross-site-request-forgery-csrf-middleware
-            ->add(new CsrfProtectionMiddleware(['httponly' => true]));
+            ->add(new CsrfProtectionMiddleware(['httponly' => true]))
+
+            // Check for access controls
+            ->add(new AuthenticationMiddleware());
 
         return $middlewareQueue;
     }

src/Controller/AppController.php

@@ -25,12 +25,9 @@
 use App\Model\Table\NotificationsTable;
 use Cake\Controller\Controller;
 use Cake\Event\EventInterface;
-use Cake\Http\Response;
 use Cake\ORM\TableRegistry;
 use Cake\Routing\Router;
 
-use function in_array;
-
 /**
  * Application Controller.
  *
@@ -44,28 +41,8 @@ class AppController extends Controller
     protected NotificationsTable $Notifications;
     protected DevelopersTable $Developers;
 
-    /** @var array */
-    public $whitelist = [
-        'Developers',
-        'Pages',
-        'Incidents' => ['create'],
-        'Events',
-    ];
-
-    /** @var array */
-    public $readonly_whitelist = [
-        'Developers',
-        'Pages',
-        'Reports' => [
-            'index',
-            'view',
-            'data_tables',
-        ],
-        'Incidents' => ['view'],
-    ];
-
     /** @var string[] */
-    public $css_files = [
+    public array $css_files = [
         'jquery.dataTables',
         'jquery.dataTables_themeroller',
         'bootstrap.min',
@@ -76,7 +53,7 @@ class AppController extends Controller
     ];
 
     /** @var string[] */
-    public $js_files = [
+    public array $js_files = [
         'jquery',
         'jquery.dataTables.min',
         'bootstrap',
@@ -107,8 +84,6 @@ class AppController extends Controller
      * Initialization hook method.
      *
      * Use this method to add common initialization code like loading components.
-     *
-     * @return void Nothing
      */
     public function initialize(): void
     {
@@ -117,144 +92,32 @@ public function initialize(): void
         $this->Notifications = $this->fetchTable('Notifications');
         $this->Developers = $this->fetchTable('Developers');
 
-        /*  $this->loadComponent(
-                'Auth', [
-                    'loginAction' => [
-                        'controller' => 'Developer',
-                        'action' => 'login'
-                    ],
-                    'authError' => 'Did you really think you are allowed to see that?',
-                    'authenticate' => [
-                        'Form' => [
-                            'fields' => ['username' => 'email']
-                        ]
-                    ]
-                ]
-            );
-        */
+        $this->set('js_files', $this->js_files);
+        $this->set('css_files', $this->css_files);
+        $this->set('baseURL', Router::url('/', true));
     }
 
-    /**
-     * @return Response|void Returns a Response if a redirect is needed
-     */
     public function beforeFilter(EventInterface $event)
     {
         $controllerName = $this->request->getParam('controller');
         $this->set('current_controller', $controllerName);
 
-        $devId = $this->request->getSession()->read('Developer.id');
-        if ($devId !== null) {
-            $response = $this->checkReadonlyAccess();
-            if ($response !== null) {
-                // This is a security check
-                // The response can be printed if you remove this line
-                return $response;
-            }
-        }
+        // Attributes where set in the Authentication Middleware
+        $currentDeveloper = $this->request->getAttribute('current_developer');
 
-        $current_developer = null;
-        if ($devId !== null) {
-            // Check if the user still exists in the database
-            $current_developer = TableRegistry::getTableLocator()->get('Developers')->
-                    findById($devId)->all()->first();
-        }
+        $notificationCount = 0;
 
-        $notif_count = 0;
-        if ($current_developer !== null) {
-            $notif_count = TableRegistry::getTableLocator()->get('Notifications')->find(
+        // The user is logged in
+        if ($currentDeveloper !== null) {
+            $this->set('read_only', $this->request->getSession()->read('read_only'));
+            $notificationCount = TableRegistry::getTableLocator()->get('Notifications')->find(
                 'all',
-                conditions: ['developer_id' => $current_developer['id']]
+                conditions: ['developer_id' => $currentDeveloper['id']]
             )->count();
-
-            $this->set('current_developer', $current_developer);
-            $this->set('developer_signed_in', true);
-
-            $read_only = false;
-            if ($this->request->getSession()->read('read_only')) {
-                $read_only = true;
-            }
-
-            $this->set('read_only', $read_only);
         } else {
-            $this->set('developer_signed_in', false);
             $this->set('read_only', true);
-            $response = $this->checkAccess();
-            if ($response !== null) {
-                // This is a security check
-                // The response can be printed if you remove this line
-                return $response;
-            }
         }
 
-        $this->set('notif_count', $notif_count);
-        $this->set('js_files', $this->js_files);
-        $this->set('css_files', $this->css_files);
-        $this->set('baseURL', Router::url('/', true));
-    }
-
-    protected function checkAccess(): ?Response
-    {
-        $controllerName = $this->request->getParam('controller');
-        $action = $this->request->getParam('action');
-
-        if (in_array($controllerName, $this->whitelist)) {
-            return null;
-        }
-
-        if (
-            isset($this->whitelist[$controllerName])
-            && in_array($action, $this->whitelist[$controllerName])
-        ) {
-            return null;
-        }
-
-        $flash_class = 'alert';
-        $this->Flash->set(
-            'You need to be signed in to do this',
-            ['params' => ['class' => $flash_class]]
-        );
-
-        // save the return url
-        $ret_url = Router::url($this->request->getRequestTarget(), true);
-        $this->request->getSession()->write('last_page', $ret_url);
-
-        return $this->redirect('/');
-    }
-
-    protected function checkReadonlyAccess(): ?Response
-    {
-        $controllerName = $this->request->getParam('controller');
-        $action = $this->request->getParam('action');
-        $read_only = $this->request->getSession()->read('read_only');
-
-        // If developer has commit access on phpmyadmin/phpmyadmin
-        if (! $read_only) {
-            return null;
-        }
-
-        if (in_array($controllerName, $this->readonly_whitelist)) {
-            return null;
-        }
-
-        if (
-            isset($this->readonly_whitelist[$controllerName])
-            && in_array($action, $this->readonly_whitelist[$controllerName])
-        ) {
-            return null;
-        }
-
-        $this->request->getSession()->destroy();
-        $this->request->getSession()->write('last_page', '');
-
-        $flash_class = 'alert';
-        $this->Flash->set(
-            'You need to have commit access on phpmyadmin/phpmyadmin '
-            . 'repository on Github.com to do this',
-            [
-                'params' => ['class' => $flash_class],
-            ]
-        );
-
-        return $this->redirect('/');
+        $this->set('notif_count', $notificationCount);
     }
 }

src/Controller/NotificationsController.php

@@ -76,8 +76,9 @@ public function index(): void
 
     public function data_tables(): Response
     {
+        $devId = $this->request->getSession()->read('Developer.id');
         $current_developer = TableRegistry::getTableLocator()->get('Developers')->
-                    findById($this->request->getSession()->read('Developer.id'))->all()->first();
+                    findById($devId)->all()->first();
 
         $aColumns = [
             'report_id' => 'Reports.id',