From a6d4380f4506309d894f7a80833bca8489b45021 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rapha=C3=ABl=20Gertz?= Date: Wed, 9 Dec 2020 21:22:55 +0100 Subject: [PATCH 1/1] Block unsupported session timing for non admin Prevent surbscribing to past date Catch method not allowed method on referer redirect Add guest restriction to one session per month per slot --- Controller/ApplicationController.php | 51 +++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 8 deletions(-) diff --git a/Controller/ApplicationController.php b/Controller/ApplicationController.php index 3690b94..8a9a8b4 100644 --- a/Controller/ApplicationController.php +++ b/Controller/ApplicationController.php @@ -5,6 +5,8 @@ namespace Rapsys\AirBundle\Controller; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\RequestContext; use Symfony\Component\Form\FormError; +use Symfony\Component\Routing\Exception\MethodNotAllowedException; +use Symfony\Component\Routing\Exception\ResourceNotFoundException; use Rapsys\AirBundle\Entity\Slot; use Rapsys\AirBundle\Entity\User; use Rapsys\AirBundle\Entity\Session; @@ -26,6 +28,11 @@ class ApplicationController extends DefaultController { //Prevent non-guest to access here $this->denyAccessUnlessGranted('ROLE_GUEST', null, $this->translator->trans('Unable to access this page without role %role%!', ['%role%' => $this->translator->trans('Guest')])); + //Reject non post requests + if (!$request->isMethod('POST')) { + throw new \RuntimeException('Request method MUST be POST'); + } + //Create ApplicationType form $form = $this->createForm('Rapsys\AirBundle\Form\ApplicationType', null, [ //Set the action @@ -41,24 +48,19 @@ class ApplicationController extends DefaultController { 'slot' => $this->getDoctrine()->getRepository(Slot::class)->findOneById(3) ]); - //Reject non post requests - if (!$request->isMethod('POST')) { - throw new \RuntimeException('Request method MUST be POST'); - } - //Refill the fields in case of invalid form $form->handleRequest($request); //Handle invalid form if (!$form->isValid()) { //Set section - $section = $this->translator->trans('Application Add'); + $section = $this->translator->trans('Application add'); //Set title $title = $section.' - '.$this->translator->trans($this->config['site']['title']); //Render the view - return $this->render('@RapsysAir/application/add.html.twig', ['title' => $title, 'section' => $section, 'form' => $form]+$this->context); + return $this->render('@RapsysAir/application/add.html.twig', ['title' => $title, 'section' => $section, 'form' => $form->createView()]+$this->context); } //Get doctrine @@ -70,6 +72,15 @@ class ApplicationController extends DefaultController { //Get data $data = $form->getData(); + //Count session at location in last month for guest + if (!$this->isGranted('ROLE_REGULAR') && !empty($session = $doctrine->getRepository(Session::class)->findOneWithinLastMonthByLocationUser($data['location']->getId(), $this->getUser()->getId()))) { + //Add warning in flash message + $this->addFlash('warning', $this->translator->trans('Monthly application %location% already exists', ['%location%' => $this->translator->trans('at '.$data['location'])])); + + //Redirect to cleanup the form + return $this->redirectToRoute('rapsys_air_session_view', ['id' => $session['id']]); + } + //Protect session fetching try { //Fetch session @@ -283,6 +294,30 @@ class ApplicationController extends DefaultController { } else { //Add error in flash message $this->addFlash('error', $this->translator->trans('Session on %date% %location% %slot% not yet supported', ['%location%' => $this->translator->trans('at '.$data['location']), '%slot%' => $this->translator->trans('the '.strtolower($data['slot'])), '%date%' => $data['date']->format('Y-m-d')])); + + //Set section + $section = $this->translator->trans('Application add'); + + //Set title + $title = $section.' - '.$this->translator->trans($this->config['site']['title']); + + //Render the view + return $this->render('@RapsysAir/application/add.html.twig', ['title' => $title, 'section' => $section, 'form' => $form->createView()]+$this->context); + } + + //Check if admin + if (!$this->isGranted('ROLE_ADMIN') && $session->getStart() < new \DateTime('00:00:00')) { + //Add error in flash message + $this->addFlash('error', $this->translator->trans('Session in the past on %date% %location% %slot% not yet supported', ['%location%' => $this->translator->trans('at '.$data['location']), '%slot%' => $this->translator->trans('the '.strtolower($data['slot'])), '%date%' => $data['date']->format('Y-m-d')])); + + //Set section + $section = $this->translator->trans('Application add'); + + //Set title + $title = $section.' - '.$this->translator->trans($this->config['site']['title']); + + //Render the view + return $this->render('@RapsysAir/application/add.html.twig', ['title' => $title, 'section' => $section, 'form' => $form->createView()]+$this->context); } //Queue session save @@ -375,7 +410,7 @@ class ApplicationController extends DefaultController { //Generate url return $this->redirectToRoute($name, ['session' => $session->getId()]+$route); //No route matched - } catch(ResourceNotFoundException $e) { + } catch(MethodNotAllowedException|ResourceNotFoundException $e) { //Unset referer to fallback to default route unset($referer); } -- 2.41.1