fix: scope csrf fields and block past dates
This commit is contained in:
+10
-4
@@ -58,14 +58,14 @@ final class AppContext
|
||||
public function csrfField(string $intent): string
|
||||
{
|
||||
$issued = $this->csrf->issue($intent);
|
||||
return '<input type="hidden" name="csrf_ts" value="' . self::e((string)$issued['ts']) . '">' .
|
||||
'<input type="hidden" name="csrf_sid" value="' . self::e($issued['sid']) . '">' .
|
||||
'<input type="hidden" name="csrf_token" value="' . self::e($issued['token']) . '">';
|
||||
return '<input type="hidden" name="gar_csrf_ts" value="' . self::e((string)$issued['ts']) . '">' .
|
||||
'<input type="hidden" name="gar_csrf_sid" value="' . self::e($issued['sid']) . '">' .
|
||||
'<input type="hidden" name="gar_csrf_token" value="' . self::e($issued['token']) . '">';
|
||||
}
|
||||
|
||||
public function requireCsrf(string $intent): void
|
||||
{
|
||||
if (!$this->csrf->validate($intent, $this->post('csrf_ts'), $this->post('csrf_token'), 3600, $this->post('csrf_sid'))) {
|
||||
if (!$this->csrf->validate($intent, $this->post('gar_csrf_ts'), $this->post('gar_csrf_token'), 3600, $this->post('gar_csrf_sid'))) {
|
||||
throw new RuntimeException('Nieprawidłowy lub wygasły token CSRF.');
|
||||
}
|
||||
}
|
||||
@@ -158,6 +158,7 @@ final class AppContext
|
||||
}
|
||||
function renderMonth(calendar, year, month) {
|
||||
var selected = calendar.getAttribute('data-selected-date') || '';
|
||||
var minDate = calendar.getAttribute('data-min-date') || '';
|
||||
var tbody = calendar.querySelector('[data-calendar-days]');
|
||||
var label = calendar.querySelector('[data-calendar-month-label]');
|
||||
if (!tbody || !label) { return; }
|
||||
@@ -174,6 +175,11 @@ final class AppContext
|
||||
continue;
|
||||
}
|
||||
var value = year + '-' + pad(month) + '-' + pad(day);
|
||||
if (minDate && value < minDate) {
|
||||
html += '<td><span class="br-cal-day-disabled">' + day + '</span></td>';
|
||||
day++;
|
||||
continue;
|
||||
}
|
||||
var cls = value === selected ? ' is-selected' : '';
|
||||
html += '<td><button type="button" class="br-cal-day' + cls + '" data-date-target="' + calendar.getAttribute('data-calendar-name') + '_date" data-date-label="' + calendar.getAttribute('data-calendar-name') + '_label" data-date-value="' + value + '">' + day + '</button></td>';
|
||||
day++;
|
||||
|
||||
@@ -39,6 +39,9 @@ final class RuleValidator
|
||||
$tz = new DateTimeZone($settings->timezone());
|
||||
[$startTs, $startValue] = self::parseScheduleValue((string)($input['start_value'] ?? ''), $mode, $tz, true);
|
||||
[$endTs, $endValue] = self::parseScheduleValue((string)($input['end_value'] ?? ''), $mode, $tz, false);
|
||||
if (substr($startValue, 0, 10) < (new DateTimeImmutable('today', $tz))->format('Y-m-d')) {
|
||||
throw new InvalidArgumentException('Data rozpoczęcia nie może być wcześniejsza niż aktualna data.');
|
||||
}
|
||||
if ($endTs <= $startTs) {
|
||||
throw new InvalidArgumentException('Data zakończenia musi być późniejsza niż data rozpoczęcia.');
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user