added attribute #[Requires]

dg · dg · commit 8bb00eef9604 · 2024-04-07T02:59:57.000+02:00
diff --git a/src/Application/Attributes/CrossOrigin.php b/src/Application/Attributes/CrossOrigin.php
@@ -13,6 +13,6 @@
 
 
 #[Attribute(Attribute::TARGET_METHOD)]
-class CrossOrigin
+class CrossOrigin // replaced by Requires(sameOrigin: false)
 {
 }
diff --git a/src/Application/Attributes/Requires.php b/src/Application/Attributes/Requires.php
@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Nette\Application\Attributes;
+
+use Attribute;
+
+
+#[Attribute(Attribute::TARGET_METHOD | Attribute::TARGET_CLASS | Attribute::IS_REPEATABLE)]
+class Requires
+{
+	public ?array $methods = null;
+	public ?array $actions = null;
+
+
+	public function __construct(
+		string|array|null $methods = null,
+		string|array|null $actions = null,
+		public ?bool $forward = null,
+		public ?bool $sameOrigin = null,
+		public ?bool $ajax = null,
+	) {
+		$this->methods = $methods === null ? null : (array) $methods;
+		$this->actions = $actions === null ? null : (array) $actions;
+	}
+}
diff --git a/src/Application/UI/Presenter.php b/src/Application/UI/Presenter.php
@@ -16,6 +16,7 @@
 use Nette\Application\Responses;
 use Nette\Http;
 use Nette\Utils\Arrays;
+use Nette\Utils\Reflection;
 
 
 /**
@@ -288,14 +289,63 @@ protected function shutdown(Application\Response $response): void
 	 */
 	public function checkRequirements(\ReflectionClass|\ReflectionMethod $element): void
 	{
+		$attrs = array_map(
+			fn($ra) => $ra->newInstance(),
+			$element->getAttributes(Attributes\Requires::class, \ReflectionAttribute::IS_INSTANCEOF),
+		);
+
 		if (
 			$element instanceof \ReflectionMethod
 			&& str_starts_with($element->getName(), 'handle')
 			&& !ComponentReflection::parseAnnotation($element, 'crossOrigin')
-			&& !$element->getAttributes(Nette\Application\Attributes\CrossOrigin::class)
-			&& !$this->httpRequest->isSameSite()
+			&& !$element->getAttributes(Attributes\CrossOrigin::class)
+			&& !Arrays::some($attrs, fn($attr) => $attr->sameOrigin === false)
 		) {
-			$this->detectedCsrf();
+			$attrs[] = new Attributes\Requires(sameOrigin: true);
+		}
+
+		foreach ($attrs as $attribute) {
+			if ($attribute->methods !== null) {
+				if ($element instanceof \ReflectionClass) { // presenter class
+					$this->allowedMethods = [];
+				}
+				$attribute->methods = array_map(strtoupper(...), $attribute->methods);
+				if (!in_array($method = $this->httpRequest->getMethod(), $attribute->methods, strict: true)) {
+					$this->httpResponse->setHeader('Allow', implode(',', $attribute->methods));
+					$this->error("Method $method is not allowed by " . Reflection::toString($element), $this->httpResponse::S405_MethodNotAllowed);
+				}
+			}
+
+			if ($attribute->actions === ['*']) {
+				if (!$element instanceof \ReflectionClass) { // presenter class
+					throw new Nette\InvalidStateException("Option 'actions=*' used by " . Reflection::toString($element) . ' is allowed only on classes.');
+				}
+				if (!$this->getReflection()->hasCallableMethod(static::formatActionMethod($this->action))) {
+					$this->error("Action '$this->action' is not allowed by " . Reflection::toString($element), $this->httpResponse::S403_Forbidden);
+				}
+			} elseif ($attribute->actions !== null) {
+				if (
+					$element instanceof \ReflectionMethod
+					&& !$element->getDeclaringClass()->isSubclassOf(self::class)
+				) {
+					throw new Nette\InvalidStateException("Option 'actions' used by " . Reflection::toString($element) . ' is allowed only in presenter.');
+				}
+				if (!in_array($this->action, $attribute->actions, strict: true)) {
+					$this->error("Action '$this->action' is not allowed by " . Reflection::toString($element), $this->httpResponse::S403_Forbidden);
+				}
+			}
+
+			if ($attribute->forward && !$this->request->isMethod($this->request::FORWARD)) {
+				$this->error('Forwarded request is required by ' . Reflection::toString($element), $this->httpResponse::S403_Forbidden);
+			}
+
+			if ($attribute->sameOrigin && !$this->httpRequest->isSameSite()) {
+				$this->getPresenter()->detectedCsrf();
+			}
+
+			if ($attribute->ajax && !$this->httpRequest->isAjax()) {
+				$this->error('AJAX request is required by ' . Reflection::toString($element), $this->httpResponse::S403_Forbidden);
+			}
 		}
 	}
 
diff --git a/tests/UI/Requires.actions.phpt b/tests/UI/Requires.actions.phpt
@@ -0,0 +1,38 @@
+<?php
+
+/**
+ * Test: #[Requires] option actions
+ */
+
+declare(strict_types=1);
+
+use Nette\Application;
+use Nette\Application\Attributes\Requires;
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+require __DIR__ . '/functions.php';
+
+
+#[Requires(actions: ['second'])]
+class TestActionsPresenter extends Nette\Application\UI\Presenter
+{
+	public function actionSecond(): never
+	{
+		$this->terminate();
+	}
+}
+
+
+$presenter = createPresenter(TestActionsPresenter::class);
+
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get, ['action' => 'second'])),
+);
+
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+	Application\BadRequestException::class,
+	"Action 'default' is not allowed by TestActionsPresenter",
+);
diff --git a/tests/UI/Requires.ajax.phpt b/tests/UI/Requires.ajax.phpt
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * Test: #[Requires] option actions
+ */
+
+declare(strict_types=1);
+
+use Nette\Application;
+use Nette\Application\Attributes\Requires;
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+require __DIR__ . '/functions.php';
+
+
+#[Requires(ajax: true)]
+class TestAjaxPresenter extends Nette\Application\UI\Presenter
+{
+	public function actionDefault(): never
+	{
+		$this->terminate();
+	}
+}
+
+
+$presenter = createPresenter(TestAjaxPresenter::class, headers: ['X-Requested-With' => 'XMLHttpRequest']);
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('Test', Http\Request::Get)),
+);
+
+
+$presenter = createPresenter(TestAjaxPresenter::class);
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('Test', Http\Request::Get)),
+	Application\BadRequestException::class,
+	'AJAX request is required by TestAjaxPresenter',
+);
diff --git a/tests/UI/Requires.forward.phpt b/tests/UI/Requires.forward.phpt
@@ -0,0 +1,37 @@
+<?php
+
+/**
+ * Test: #[Requires] option actions
+ */
+
+declare(strict_types=1);
+
+use Nette\Application;
+use Nette\Application\Attributes\Requires;
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+require __DIR__ . '/functions.php';
+
+
+#[Requires(forward: true)]
+class TestForwardPresenter extends Nette\Application\UI\Presenter
+{
+	public function actionDefault(): never
+	{
+		$this->terminate();
+	}
+}
+
+
+$presenter = createPresenter(TestForwardPresenter::class);
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Application\Request::FORWARD)),
+);
+
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+	Application\BadRequestException::class,
+	'Forwarded request is required by TestForwardPresenter',
+);
diff --git a/tests/UI/Requires.locations.phpt b/tests/UI/Requires.locations.phpt
@@ -0,0 +1,104 @@
+<?php
+
+/**
+ * Test: Location of #[Requires]
+ */
+
+declare(strict_types=1);
+
+use Nette\Application;
+use Nette\Application\Attributes\Requires;
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+require __DIR__ . '/functions.php';
+
+
+#[Requires(forward: true)]
+class TestClassPresenter extends Nette\Application\UI\Presenter
+{
+	public function actionDefault(): never
+	{
+		$this->terminate();
+	}
+}
+
+class TestMethodActionPresenter extends Nette\Application\UI\Presenter
+{
+	#[Requires(forward: true)]
+	public function actionDefault(): never
+	{
+		$this->terminate();
+	}
+}
+
+class TestMethodRenderPresenter extends Nette\Application\UI\Presenter
+{
+	#[Requires(forward: true)]
+	public function renderDefault(): never
+	{
+		$this->terminate();
+	}
+}
+
+class TestMethodHandlePresenter extends Nette\Application\UI\Presenter
+{
+	#[Requires(forward: true)]
+	public function handleFoo(): never
+	{
+		$this->terminate();
+	}
+}
+
+
+// class-level attribute
+$presenter = createPresenter(TestClassPresenter::class);
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Application\Request::FORWARD)),
+);
+
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+	Application\BadRequestException::class,
+	'Forwarded request is required by TestClassPresenter',
+);
+
+
+// method action<name>()
+$presenter = createPresenter(TestMethodActionPresenter::class);
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Application\Request::FORWARD)),
+);
+
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+	Application\BadRequestException::class,
+	'Forwarded request is required by TestMethodActionPresenter::actionDefault()',
+);
+
+
+// method render<name>()
+$presenter = createPresenter(TestMethodRenderPresenter::class);
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Application\Request::FORWARD)),
+);
+
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+	Application\BadRequestException::class,
+	'Forwarded request is required by TestMethodRenderPresenter::renderDefault()',
+);
+
+
+// method handle<name>()
+$presenter = createPresenter(TestMethodHandlePresenter::class);
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Application\Request::FORWARD, ['do' => 'foo'])),
+);
+
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get, ['do' => 'foo'])),
+	Application\BadRequestException::class,
+	'Forwarded request is required by TestMethodHandlePresenter::handleFoo()',
+);
diff --git a/tests/UI/Requires.methods.phpt b/tests/UI/Requires.methods.phpt
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * Test: #[Requires] option actions
+ */
+
+declare(strict_types=1);
+
+use Nette\Application;
+use Nette\Application\Attributes\Requires;
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+require __DIR__ . '/functions.php';
+
+
+#[Requires(methods: ['OPTIONS'])]
+class TestMethodsPresenter extends Nette\Application\UI\Presenter
+{
+	public function actionDefault(): never
+	{
+		$this->terminate();
+	}
+}
+
+
+$presenter = createPresenter(TestMethodsPresenter::class, method: 'OPTIONS');
+Assert::noError(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+);
+
+
+$presenter = createPresenter(TestMethodsPresenter::class);
+Assert::exception(
+	fn() => $presenter->run(new Application\Request('', Http\Request::Get)),
+	Application\BadRequestException::class,
+	'Method GET is not allowed by TestMethodsPresenter',
+);
diff --git a/tests/UI/Requires.sameSite.handle.phpt b/tests/UI/Requires.sameSite.handle.phpt
diff --git a/tests/UI/Requires.sameSite.phpt b/tests/UI/Requires.sameSite.phpt
diff --git a/tests/UI/functions.php b/tests/UI/functions.php

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,6 @@`
`13`	`13`
`14`	`14`
`15`	`15`	`#[Attribute(Attribute::TARGET_METHOD)]`
`16`		`-class CrossOrigin`
	`16`	`+class CrossOrigin // replaced by Requires(sameOrigin: false)`
`17`	`17`	`{`
`18`	`18`	`}`