diff --git a/src/app/config/config.yml b/src/app/config/config.yml index 4da98c9c2e..b4bef4c776 100644 --- a/src/app/config/config.yml +++ b/src/app/config/config.yml @@ -26,8 +26,9 @@ framework: trusted_proxies: ~ session: name: "%zikula.session.name%" - handler_id: zikula_core.bridge.http_foundation.doctrine_session_handler - storage_id: zikula_core.bridge.http_foundation.zikula_session_storage + handler_id: "%zikula.session.handler_id%" + storage_id: "%zikula.session.storage_id%" + save_path: "%zikula.session.save_path%" cookie_httponly: false # must be false for ajax tokens to work but increases chance of XSS attack fragments: ~ diff --git a/src/app/config/dynamic/default.yml b/src/app/config/dynamic/default.yml index 7310e4329f..6a9265e909 100644 --- a/src/app/config/dynamic/default.yml +++ b/src/app/config/dynamic/default.yml @@ -18,6 +18,9 @@ swiftmailer: disable_delivery: false parameters: zikula.session.name: _zsid + zikula.session.handler_id: 'session.handler.native_file' #default symfony value + zikula.session.storage_id: 'zikula_core.bridge.http_foundation.zikula_session_storage_file' #'session.storage.native' default symfony value + zikula.session.save_path: '%kernel.cache_dir%/sessions' #default symfony value # multisites configuration does nothing unless the Multisites module is installed and configured properly. multisites: enabled: false diff --git a/src/app/config/parameters.yml b/src/app/config/parameters.yml index b953c6fb86..f094b661d2 100644 --- a/src/app/config/parameters.yml +++ b/src/app/config/parameters.yml @@ -31,7 +31,6 @@ parameters: secret: ThisTokenIsNotSoSecretChangeIt url_secret: ~ - zikula.session.name: _zsid assets_version: ~ #e.g. 'v1' zikula_asset_manager.combine: true zikula_asset_manager.lifetime: "1 day" diff --git a/src/docs/Core-2.0/Session.md b/src/docs/Core-2.0/Session.md new file mode 100644 index 0000000000..976142c990 --- /dev/null +++ b/src/docs/Core-2.0/Session.md 
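Review bot: The new `save_path: "%zikula.session.save_path%"` resolves, with the default shipped in dynamic/default.yml, to `%kernel.cache_dir%/sessions`, so a `cache:clear` or any cache-directory wipe also discards every active file-backed session. That is inherited from the Symfony default, but it is a deployment surprise worth recording next to the key, e.g. `save_path: "%zikula.session.save_path%" # default lives under kernel.cache_dir and is removed with the cache`. The unchanged `cookie_httponly: false` line directly below now governs file-stored session cookies as well, so its existing XSS caveat still applies to the new setup.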
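Review bot: The trailing comment on `zikula.session.storage_id` is contradictory: it marks `zikula_session_storage_file` as a default while saying in the same comment that `session.storage.native` is the Symfony default, and the Session.md added by this commit lists `zikula_session_storage_doctrine` as the default, which is not the value set here. Align the two places, e.g. `zikula.session.storage_id: 'zikula_core.bridge.http_foundation.zikula_session_storage_file' # zikula default; symfony's own default is 'session.storage.native'` and correct the doc to name the file storage as the default, or vice versa.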
@@ -0,0 +1,17 @@ +Session Information +=================== + +Sessions can be stored in the Database or in the Filesystem. This choice as well as a few configuration options +can be set in the ZikulaSecurityModule: + +The following configuration options are converted to a dynamic config and stored in `/src/app/config/dynamic/generated.yml` + - zikula.session.name: _zsid + - zikula.session.handler_id: + 'session.handler.native_file' #default + or + 'zikula_core.bridge.http_foundation.doctrine_session_handler' + - zikula.session.storage_id: + 'zikula_core.bridge.http_foundation.zikula_session_storage_doctrine' #default + or + 'zikula_core.bridge.http_foundation.zikula_session_storage_file' + - zikula.session.save_path: '%kernel.cache_dir%/sessions' #default symfony value diff --git a/src/lib/Zikula/Bundle/CoreBundle/Resources/config/session.yml b/src/lib/Zikula/Bundle/CoreBundle/Resources/config/session.yml index cb24817df4..62bc305ffa 100644 --- a/src/lib/Zikula/Bundle/CoreBundle/Resources/config/session.yml +++ b/src/lib/Zikula/Bundle/CoreBundle/Resources/config/session.yml @@ -7,10 +7,9 @@ services: - "@zikula_extensions_module.api.variable" - "%installed%" calls: - - [setStorage, ["@zikula_core.bridge.http_foundation.zikula_session_storage"]] + - [setStorage, ["@zikula_core.bridge.http_foundation.zikula_session_storage_doctrine"]] - - zikula_core.bridge.http_foundation.zikula_session_storage: + zikula_core.bridge.http_foundation.zikula_session_storage_doctrine: class: Zikula\Bridge\HttpFoundation\ZikulaSessionStorage arguments: - "@zikula_extensions_module.api.variable" 
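Review bot: Renaming the service `zikula_core.bridge.http_foundation.zikula_session_storage` to `…zikula_session_storage_doctrine` without keeping the old id breaks any module or custom config that still references the old name, and the container will fail at compile time rather than at runtime. If backward compatibility matters for 2.0, keep an alias alongside the new definition: `zikula_core.bridge.http_foundation.zikula_session_storage: '@zikula_core.bridge.http_foundation.zikula_session_storage_doctrine'`, optionally marked deprecated.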
@@ -19,3 +18,13 @@ services: - "@=null" calls: - [setSaveHandler, ["@zikula_core.bridge.http_foundation.doctrine_session_handler"]] + + zikula_core.bridge.http_foundation.zikula_session_storage_file: + class: Zikula\Bridge\HttpFoundation\ZikulaSessionStorage + arguments: + - "@zikula_extensions_module.api.variable" + - "%session.storage.options%" + - "@=null" + - "@=null" + calls: + - [setSaveHandler, ["@session.handler.native_file"]] diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Controller/AjaxInstallController.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Controller/AjaxInstallController.php index 4b36d59c72..a95d7d49e6 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Controller/AjaxInstallController.php +++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Controller/AjaxInstallController.php @@ -178,19 +178,13 @@ private function updateAdmin() { $entityManager = $this->container->get('doctrine')->getManager(); $params = $this->decodeParameters($this->yamlManager->getParameters()); - - // prepare the data - $username = mb_strtolower($params['username']); - - $nowUTC = new \DateTime(null, new \DateTimeZone('UTC')); - /** @var \Zikula\UsersModule\Entity\UserEntity $userEntity */ $userEntity = $entityManager->find('ZikulaUsersModule:UserEntity', 2); $userEntity->setUname($params['username']); $userEntity->setEmail($params['email']); $userEntity->setActivated(1); - $userEntity->setUser_Regdate($nowUTC); - $userEntity->setLastlogin($nowUTC); + $userEntity->setUser_Regdate(new \DateTime()); + $userEntity->setLastlogin(new \DateTime()); $entityManager->persist($userEntity); $mapping = new AuthenticationMappingEntity(); diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/CreateAdminType.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/CreateAdminType.php index d40ca0c742..4c1c5c5315 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/CreateAdminType.php 
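Review bot: `setUser_Regdate(new \DateTime())` and `setLastlogin(new \DateTime())` drop the explicit UTC zone that the removed `$nowUTC` carried, so both stamps now depend on the server's `date.timezone` setting, and the two separate constructions can differ by microseconds. If UTC is the storage convention for these columns, build one instant and reuse it: `$now = new \DateTime('now', new \DateTimeZone('UTC'));` then pass `$now` to both setters (passing `'now'` rather than `null` also avoids the deprecated null first argument). The `updateAdmin()` body continues past the end of the hunk.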
+++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/CreateAdminType.php @@ -79,11 +79,7 @@ public function getBlockPrefix() public function configureOptions(OptionsResolver $resolver) { $resolver->setDefaults([ - 'csrf_protection' => false, 'translator' => new IdentityTranslator() -// 'csrf_field_name' => '_token', -// // a unique key to help generate the secret token -// 'intention' => '_zk_bdcreds', ]); } } diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/DbCredsType.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/DbCredsType.php index f58d6333bd..a80b8d806b 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/DbCredsType.php +++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/DbCredsType.php @@ -119,11 +119,7 @@ public function configureOptions(OptionsResolver $resolver) { $resolver->setDefaults([ 'constraints' => new ValidPdoConnection(), - 'csrf_protection' => false, 'translator' => new IdentityTranslator() -// 'csrf_field_name' => '_token', -// // a unique key to help generate the secret token -// 'intention' => '_zk_bdcreds', ]); } } diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LocaleType.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LocaleType.php index 6d6970c4d7..387e3ce971 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LocaleType.php +++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LocaleType.php @@ -42,13 +42,9 @@ public function getBlockPrefix() public function configureOptions(OptionsResolver $resolver) { $resolver->setDefaults([ - 'csrf_protection' => false, 'choices' => ['English' => 'en'], 'choice' => 'en', 'translator' => new IdentityTranslator() -// 'csrf_field_name' => '_token', -// // a unique key to help generate the secret token -// 'intention' => '_zk_bdcreds', ]); } } 
diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LoginType.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LoginType.php index 7bf6251553..ed8c340ab5 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LoginType.php +++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/LoginType.php @@ -55,11 +55,7 @@ public function configureOptions(OptionsResolver $resolver) { $resolver->setDefaults([ 'constraints' => new AuthenticateAdminLogin(), - 'csrf_protection' => false, 'translator' => new IdentityTranslator() -// 'csrf_field_name' => '_token', -// // a unique key to help generate the secret token -// 'intention' => '_zk_bdcreds', ]); } } diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/RequestContextType.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/RequestContextType.php index 424df7d134..11924bd345 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/RequestContextType.php +++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Form/Type/RequestContextType.php @@ -61,11 +61,7 @@ public function getBlockPrefix() public function configureOptions(OptionsResolver $resolver) { $resolver->setDefaults([ - 'csrf_protection' => false, 'translator' => new IdentityTranslator() -// 'csrf_field_name' => '_token', -// // a unique key to help generate the secret token -// 'intention' => '_zk_bdcreds', ]); } } diff --git a/src/lib/Zikula/Bundle/CoreInstallerBundle/Stage/Install/CompleteStage.php b/src/lib/Zikula/Bundle/CoreInstallerBundle/Stage/Install/CompleteStage.php index 156a5595b9..05f459d60a 100644 --- a/src/lib/Zikula/Bundle/CoreInstallerBundle/Stage/Install/CompleteStage.php +++ b/src/lib/Zikula/Bundle/CoreInstallerBundle/Stage/Install/CompleteStage.php 
@@ -60,14 +60,19 @@ public function getTemplateParams() public function getResponse(Request $request) { + $router = $this->container->get('router'); if ($this->sendEmailToAdmin($request)) { $request->getSession()->getFlashBag()->add('success', $this->__('Congratulations! Zikula has been successfully installed.')); + $request->getSession()->getFlashBag()->add('info', $this->__f( + 'Session are currently configured to use the filesystem. It is recommended that you change this to use the database. Click %here% to configure.', + ['%here%' => '' . $this->__('Security Center') . ''] + )); - return new RedirectResponse($this->container->get('router')->generate('zikulaadminmodule_admin_adminpanel', [], RouterInterface::ABSOLUTE_URL)); + return new RedirectResponse($router->generate('zikulaadminmodule_admin_adminpanel', [], RouterInterface::ABSOLUTE_URL)); } else { $request->getSession()->getFlashBag()->add('warning', $this->__('Email settings are not yet configured. Please configure them below.')); - return new RedirectResponse($this->container->get('router')->generate('zikulamailermodule_config_config', [], RouterInterface::ABSOLUTE_URL)); + return new RedirectResponse($router->generate('zikulamailermodule_config_config', [], RouterInterface::ABSOLUTE_URL)); } } diff --git a/src/system/SecurityCenterModule/Constant.php b/src/system/SecurityCenterModule/Constant.php new file mode 100644 index 0000000000..15e7fa807e --- /dev/null +++ b/src/system/SecurityCenterModule/Constant.php @@ -0,0 +1,18 @@ +get('save')->isClicked()) { $formData = $form->getData(); - // Update module variables. $updateCheck = isset($formData['updatecheck']) ? $formData['updatecheck'] : 1; $this->setSystemVar('updatecheck', $updateCheck); 
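Review bot: The new "Session are currently configured…" info flash is added only inside the `sendEmailToAdmin($request)` success branch, so an installation whose mailer is not configured yet (the `else` branch) never sees the hint to move sessions to the database; move the `add('info', …)` call above the `if`, right after `$router` is assigned, so both redirects carry it. The user-facing text reads `Session are` where `Sessions are` is meant. As rendered in this diff the `%here%` replacement is only the translated label, so either the anchor markup was lost in transit and should be built from `$router->generate(...)`, or the message currently contains no link at all — please verify against the real file.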
@@ -128,12 +129,13 @@ public function configAction(Request $request) // check if sessionsavepath is a dir and if it is writable // if yes, we need to logout - $causeLogout = is_dir($sessionSavePath) ? is_writable($sessionSavePath) : false; - $storeTypeCanBeWritten = $causeLogout; + $storeTypeCanBeWritten = is_dir($sessionSavePath) ? is_writable($sessionSavePath) : false; + $causeLogout = $storeTypeCanBeWritten; - if ($causeLogout == false) { + if ($storeTypeCanBeWritten == false) { // an error occured - we do not change the way of storing session data $this->addFlash('error', $this->__('Error! Session path not writeable!')); + $sessionSavePath = ''; } } if ($storeTypeCanBeWritten == true) { @@ -180,9 +182,15 @@ public function configAction(Request $request) $causeLogout = true; } - // set the session name in custom_parameters.yml + // set the session information in /src/app/config/dynamic/generated.yml $configDumper = $this->get('zikula.dynamic_config_dumper'); $configDumper->setParameter('zikula.session.name', $newSessionName); + $sessionHandlerId = $sessionStoreToFile == Constant::SESSION_STORAGE_FILE ? 'session.handler.native_file' : 'zikula_core.bridge.http_foundation.doctrine_session_handler'; + $configDumper->setParameter('zikula.session.handler_id', $sessionHandlerId); + $sessionStorageId = $sessionStoreToFile == Constant::SESSION_STORAGE_FILE ? 'zikula_core.bridge.http_foundation.zikula_session_storage_file' : 'zikula_core.bridge.http_foundation.zikula_session_storage_doctrine'; + $configDumper->setParameter('zikula.session.storage_id', $sessionStorageId); // Symfony default is 'session.storage.native' + $zikulaSessionSavePath = empty($sessionSavePath) ? '%kernel.cache_dir%/sessions' : $sessionSavePath; + $configDumper->setParameter('zikula.session.save_path', $zikulaSessionSavePath); // set the session name in the current container $this->get('service_container')->setParameter('zikula.session.name', $newSessionName); 
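Review bot: After the "Session path not writeable!" error flash, the new `$sessionSavePath = '';` makes the later parameter dump fall back to `%kernel.cache_dir%/sessions`, so the request still changes where sessions are saved even though the comment says the way of storing session data is not changed; if the intent is to abort, return early or keep the previous value instead of clearing the path. `$storeTypeCanBeWritten` is already a bool, so `== false` / `== true` should be `!$storeTypeCanBeWritten` / `$storeTypeCanBeWritten`. The lines between this hunk and the next are not visible, so the path may be rejected again further down.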
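Review bot: The five lines that map `sessionstoretofile` to `handler_id`/`storage_id` and apply the save-path default are duplicated verbatim in `SecurityCenterModuleInstaller::upgrade()` under `case '1.5.1'`, so the two copies will drift; put the mapping in one place, for example a static helper on `Constant` that takes the store flag and path and returns the three parameter values, and call it from both sites. `$sessionSavePath` is written to generated.yml as entered: a path containing `%` is read back by the container as a parameter reference, so reject `%` in the admin value or escape it as `%%` before `setParameter`. Compare with `===` against `Constant::SESSION_STORAGE_FILE`, since the system var may come back as a string.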
diff --git a/src/system/SecurityCenterModule/Form/Type/ConfigType.php b/src/system/SecurityCenterModule/Form/Type/ConfigType.php index c5d1588796..915db136e7 100644 --- a/src/system/SecurityCenterModule/Form/Type/ConfigType.php +++ b/src/system/SecurityCenterModule/Form/Type/ConfigType.php @@ -14,6 +14,7 @@ use Symfony\Component\Form\AbstractType; use Symfony\Component\Form\FormBuilderInterface; use Symfony\Component\OptionsResolver\OptionsResolver; +use Zikula\SecurityCenterModule\Constant; /** * Configuration form type class. @@ -134,8 +135,8 @@ public function buildForm(FormBuilderInterface $builder, array $options) 'label' => $translator->__('Store sessions'), 'empty_data' => 0, 'choices' => [ - $translator->__('File') => 1, - $translator->__('Database (recommended)') => 0 + $translator->__('File') => Constant::SESSION_STORAGE_FILE, + $translator->__('Database (recommended)') => Constant::SESSION_STORAGE_DATABASE ], 'choices_as_values' => true, 'expanded' => true, @@ -146,7 +147,7 @@ public function buildForm(FormBuilderInterface $builder, array $options) 'label' => $translator->__('Path for saving session files'), 'empty_data' => '', 'required' => false, - 'alert' => [$translator->__("Notice: If you change 'Where to save sessions' to 'File' then you must enter a path in the 'Path for saving session files' box above. The path must be writeable.") => 'info'], + 'alert' => [$translator->__("Notice: If you change 'Where to save sessions' to 'File' then you must enter a path in the 'Path for saving session files' box above. The path must be writeable. Leave value empty for default location '%kernel.cache_dir%/sessions'") => 'info'], 'help' => $translator->__('More information: http://www.php.net/manual/en/session.configuration.php#ini.session.save-path') ]) ->add('gc_probability', 'Symfony\Component\Form\Extension\Core\Type\IntegerType', [ 
diff --git a/src/system/SecurityCenterModule/SecurityCenterModuleInstaller.php b/src/system/SecurityCenterModule/SecurityCenterModuleInstaller.php index 1f55cae3c9..a03dd50384 100644 --- a/src/system/SecurityCenterModule/SecurityCenterModuleInstaller.php +++ b/src/system/SecurityCenterModule/SecurityCenterModuleInstaller.php @@ -52,7 +52,7 @@ public function install() $this->setSystemVar('seclevel', 'Medium'); $this->setSystemVar('secmeddays', 7); $this->setSystemVar('secinactivemins', 20); - $this->setSystemVar('sessionstoretofile', 0); + $this->setSystemVar('sessionstoretofile', Constant::SESSION_STORAGE_FILE); $this->setSystemVar('sessionsavepath', ''); $this->setSystemVar('gc_probability', 100); $this->setSystemVar('sessioncsrftokenonetime', 1); // 1 means use same token for entire session 
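Review bot: `install()` now defaults `sessionstoretofile` to `Constant::SESSION_STORAGE_FILE`, while the form labels the database option "(recommended)" and `CompleteStage` immediately asks the admin to switch; nothing at this line says why file is the initial choice, so the next maintainer is likely to "fix" it back. A one-line comment resolves that, e.g. `// file storage at install time; admins are prompted to switch to the database after installation` — adjust the wording to the actual reason if the database is in fact usable for sessions during install.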
@@ -242,6 +242,17 @@ public function upgrade($oldVersion) $this->setSystemVar('idsrulepath', 'system/SecurityCenterModule/Resources/config/phpids_zikula_default.xml'); } case '1.5.1': + // set the session information in /src/app/config/dynamic/generated.yml + $configDumper = $this->container->get('zikula.dynamic_config_dumper'); + $sessionStoreToFile = $this->container->get('zikula_extensions_module.api.variable')->getSystemVar('sessionstoretofile', Constant::SESSION_STORAGE_DATABASE); + $sessionHandlerId = $sessionStoreToFile == Constant::SESSION_STORAGE_FILE ? 'session.handler.native_file' : 'zikula_core.bridge.http_foundation.doctrine_session_handler'; + $configDumper->setParameter('zikula.session.handler_id', $sessionHandlerId); + $sessionStorageId = $sessionStoreToFile == Constant::SESSION_STORAGE_FILE ? 'zikula_core.bridge.http_foundation.zikula_session_storage_file' : 'zikula_core.bridge.http_foundation.zikula_session_storage_doctrine'; + $configDumper->setParameter('zikula.session.storage_id', $sessionStorageId); // Symfony default is 'session.storage.native' + $sessionSavePath = $this->container->get('zikula_extensions_module.api.variable')->getSystemVar('sessionsavepath', ''); + $zikulaSessionSavePath = empty($sessionSavePath) ? '%kernel.cache_dir%/sessions' : $sessionSavePath; + $configDumper->setParameter('zikula.session.save_path', $zikulaSessionSavePath); + case '1.5.2': // current version } diff --git a/src/system/SecurityCenterModule/composer.json b/src/system/SecurityCenterModule/composer.json index 66cbe3537a..9846f6fbfd 100644 --- a/src/system/SecurityCenterModule/composer.json +++ b/src/system/SecurityCenterModule/composer.json @@ -1,6 +1,6 @@ { "name": "zikula/securitycenter-module", - "version": "1.5.1", + "version": "1.5.2", "description": "Security administration", "type": "zikula-module", "license": "LGPL-3.0+",
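Review bot: The new `case '1.5.1'` block dumps `handler_id`, `storage_id` and `save_path` but not `zikula.session.name`, which this commit removes from the shipped parameters.yml and seeds as `_zsid` in dynamic/default.yml; on an existing site with a customised session name in parameters.yml the effective value may depend on which file the kernel loads last — verify, and if the dynamic file wins, copy the current `zikula.session.name` container parameter into generated.yml here too. The variable API is fetched from the container twice in the block; one `$variableApi = $this->container->get('zikula_extensions_module.api.variable');` serves both `getSystemVar` calls.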