Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IBX-7044: Added dynamic route to settings submit form #72

Open
wants to merge 8 commits into
base: 4.6
Choose a base branch
from
Open

IBX-7044: Added dynamic route to settings submit form #72

wants to merge 8 commits into from

Conversation

Gengar-i
Copy link
Contributor

@Gengar-i Gengar-i commented Feb 14, 2024
edited
Loading

Question Answer
Tickets IBX-7044
Bug fix? yes
New feature? no
BC breaks? no
Tests pass? yes
Doc needed? no
License GPL-2.0

Suggestion of solution.
Added dynamic route to settings submit form
I know passing url breaks security and it suppose to be done differently.

Checklist:

  • Implement tests
  • Coding standards ($ composer fix-cs)

@Gengar-i Gengar-i requested a review from a team February 14, 2024 14:04
ViniTou
ViniTou reviewed Feb 19, 2024
View reviewed changes
src/bundle/Controller/UserSettingsController.php Outdated
@@ -112,6 +112,19 @@ public function updateAction(Request $request, UpdateView $view)
]);
}

if ($request->query->has('route')) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where this route param is populated?

Also, I guess return url being part of form make more sense.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/ibexa/page-builder/pull/339/files#diff-8781e1f4fb2943dbbdf833e8a9e268ef9032bc749ad3bc25609bed0816b3e4cdR1379

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest, at least, to change route name parameter as it really confusing. How abour return_route_name?
Not sure about it, but what about generating that whole URL in js, and just pass it here instead of route with params?
@dew326

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think both solutions are valid. If you think it will be cleaner that way I'm ok with that change.

@ViniTou ViniTou requested a review from a team February 19, 2024 07:21
@Gengar-i Gengar-i requested a review from ViniTou March 1, 2024 12:41
@Gengar-i Gengar-i force-pushed the ibx-7044-redirect-after-settings-update branch from 51617d9 to 6f36183 Compare March 13, 2024 11:15
@Gengar-i Gengar-i changed the base branch from main to 4.6 March 15, 2024 09:04
@Gengar-i Gengar-i force-pushed the ibx-7044-redirect-after-settings-update branch from a072b77 to 6f36183 Compare March 18, 2024 09:35
@Gengar-i Gengar-i requested a review from dew326 March 18, 2024 09:35
@Gengar-i
Copy link
Contributor Author

@alongosz Pointed possible danger while sending whole url to backend. So I stay with solution while passing route with parameters, which is safer solution.

@Gengar-i Gengar-i requested a review from alongosz March 18, 2024 09:44
@alongosz
Copy link
Member

@alongosz Pointed possible danger while sending whole url to backend. So I stay with solution while passing route with parameters, which is safer solution.

The point there was rather to sanitize input and/or attach path & query part to the current request. Now we might have different bug. What would happen if you pass existing route name different than expected, which has different parameters?

@Gengar-i Gengar-i requested a review from a team April 4, 2024 10:15
@Steveb-p
Copy link
Contributor

Steveb-p commented Apr 9, 2024

@alongosz Pointed possible danger while sending whole url to backend. So I stay with solution while passing route with parameters, which is safer solution.

The point there was rather to sanitize input and/or attach path & query part to the current request. Now we might have different bug. What would happen if you pass existing route name different than expected, which has different parameters?

I agree with Alongosz here, @Gengar-i. Route has to be checked before redirection - that it exists and can be created with those route parameters. You could fall back to a default redirect if they do not.

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Apr 9, 2024

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@micszo
Copy link
Contributor

micszo commented Jul 9, 2024

@webhdx @dew326 do we consider review here sufficient? first PR (aui) was already sent to the next stage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Steveb-p Steveb-p Steveb-p left review comments

@webhdx webhdx webhdx approved these changes

@ViniTou ViniTou Awaiting requested review from ViniTou

@dew326 dew326 Awaiting requested review from dew326

@alongosz alongosz Awaiting requested review from alongosz

Assignees

@mikadamczyk mikadamczyk

@ViniTou ViniTou

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@Gengar-i @alongosz @Steveb-p @micszo @webhdx @dew326 @ViniTou @mikadamczyk