diff --git a/app/Http/Controllers/AppFunctionsController.php b/app/Http/Controllers/AppFunctionsController.php
index f045a78b..8b347803 100644
--- a/app/Http/Controllers/AppFunctionsController.php
+++ b/app/Http/Controllers/AppFunctionsController.php
@@ -26,27 +26,10 @@ class AppFunctionsController extends Controller
      *
      * @var array
      */
-    private $whitelist = [
-        'section_features',
-        'footer_content',
-        'get_started_description',
-        'get_started_title',
-        'pricing_description',
-        'pricing_title',
-        'feature_description_3',
-        'feature_title_3',
-        'feature_description_2',
-        'feature_title_2',
-        'feature_description_1',
-        'feature_title_1',
-        'features_description',
-        'features_title',
-        'header_description',
-        'header_title',
-        'section_get_started',
-        'section_pricing_content',
-        'section_feature_boxes',
-        'allow_homepage',
+    private $blacklist = [
+        'contact_email',
+        'purchase_code',
+        'license',
     ];
 
     /**
@@ -61,7 +44,7 @@ class AppFunctionsController extends Controller
         \DB::getPdo();
 
         // Get setup status
-        $setup_status = $this->get_setup_status();
+        $setup_status = get_setup_status();
 
         // Get app pages
         $pages = Page::all();
@@ -109,7 +92,7 @@ class AppFunctionsController extends Controller
         }
 
         $metadata = [
-            'is_protected' => $shared->protected,
+            'is_protected' => $shared->is_protected,
             'url' => url('/shared', ['token' => $token]),
             'user' => $user->name,
             'name' => $file->name,
@@ -128,11 +111,11 @@ class AppFunctionsController extends Controller
 
         $metadata = [
             'is_protected' => $shared->protected,
-            'url' => url('/shared', ['token' => $token]),
-            'user' => $user->name,
-            'name' => $folder->name,
-            'size' => $folder->items,
-            'thumbnail' => null,
+            'url' => url('/shared', ['token' => $token]),
+            'user' => $user->name,
+            'name' => $folder->name,
+            'size' => $folder->items,
+            'thumbnail' => null,
         ];
     }
 
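Review bot: Replacing `$whitelist` with `$blacklist` inverts the exposure default of the unauthenticated `/api/content` endpoint: every row of the settings table is now readable unless its name is one of the three listed here, so any sensitive setting that exists under another name, or is added later, becomes public by omission rather than by decision. The removed allow-list of page-content keys failed closed; if the denylist is kept deliberately, at least state the contract on the property so the next person adding a secret knows they must register it: `/** Setting names the public content endpoint must never return; every other setting is exposed. @var list<string> */`, and type it `private array $blacklist`. The checks that consume this list are in the `get_setting_columns` hunk below.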
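Review bot: The file branch now reads `$shared->is_protected`, but the folder branch in the next hunk (`@@ -128,11 +111,11`) still reads `$shared->protected` as unchanged context, so the two branches of the same method disagree on the attribute name and one of them presumably yields null for `is_protected` in the shared-page metadata. Either rename the folder branch to `'is_protected' => $shared->is_protected,` as well, or, if the model really exposes both names, add a comment saying which is canonical. The enclosing method starts and ends outside these hunks.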
@@ -142,18 +125,6 @@ class AppFunctionsController extends Controller
             ->with('metadata', $metadata);
     }
 
-    /**
-     * Check if setup wizard was passed
-     *
-     * @return string
-     */
-    private function get_setup_status(): string
-    {
-        $setup_success = get_setting('setup_wizard_success');
-
-        return boolval($setup_success) ? 'setup-done' : 'setup-disclaimer';
-    }
-
     /**
      * Send contact message from pages
      *
@@ -188,24 +159,27 @@ class AppFunctionsController extends Controller
      * @param Request $request
      * @return mixed
      */
-    public function get_settings(Request $request)
+    public function get_setting_columns(Request $request)
     {
-        $column = $request->get('column');
+        if (strpos($request->column, '|') !== false) {
 
-        if (strpos($column, '|') !== false) {
+            $columns = collect(explode('|', $request->column))
+                ->each(function ($column) {
+                    if (in_array($column, $this->blacklist)) {
+                        abort(401);
+                    }
+                });
 
-            $columns = collect(explode('|', $column));
-
-            $columns->each(function ($column) {
-                if (!in_array($column, $this->whitelist)) abort(401);
-            });
-
-            return Setting::whereIn('name', $columns)->pluck('value', 'name');
+            return Setting::whereIn('name', $columns)
+                ->pluck('value', 'name');
         }
 
-        if (!in_array($column, $this->whitelist)) abort(401);
+        if (in_array($request->column, $this->blacklist)) {
+            abort(401);
+        }
 
-        return Setting::where('name', $column)->pluck('value', 'name');
+        return Setting::where('name', $request->column)
+            ->pluck('value', 'name');
     }
 
     /**
@@ -217,7 +191,7 @@ class AppFunctionsController extends Controller
         return Demo::response_204();
     }
 
-        if (! app()->runningUnitTests()) {
+        if (!app()->runningUnitTests()) {
             Artisan::call('cache:clear');
             Artisan::call('config:clear');
             Artisan::call('config:cache');
diff --git a/app/Http/Helpers/helpers.php b/app/Http/Helpers/helpers.php
index d03c87e7..627d4bab 100644
--- a/app/Http/Helpers/helpers.php
+++ b/app/Http/Helpers/helpers.php
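Review bot: In `get_setting_columns` the two `in_array($column, $this->blacklist)` guards compare loosely and byte-exactly, while the `Setting::where('name', …)`/`whereIn` lookup that follows is evaluated by the database, whose collation may well be case-insensitive; a denylist only holds if the guard and the lookup agree on what a name is, so pass `strict: true` (`in_array($column, $this->blacklist, true)`) and normalise the requested names before the check, or return to the allow-list shape where this mismatch cannot matter. `$request->column` is also used unvalidated: a request without the parameter reaches `strpos(null, '|')`, which is deprecated on PHP 8.1+, and then `where('name', null)`; reading it once as `$column = (string) $request->get('column');` at the top and using that in both branches keeps the old single-read shape. Minor: `abort(403)` is the status for "forbidden regardless of credentials", whereas 401 invites authentication, though the new test pins 401.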
@@ -50,6 +50,18 @@ function get_settings_in_json()
     );
 }
 
+/**
+ * Check if setup wizard was passed
+ *
+ * @return string
+ */
+function get_setup_status()
+{
+    $setup_success = get_setting('setup_wizard_success');
+
+    return boolval($setup_success) ? 'setup-done' : 'setup-disclaimer';
+}
+
 /**
  * Create paragraph from text
  *
diff --git a/routes/api.php b/routes/api.php
index effff462..147da120 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -14,7 +14,7 @@ use App\Http\Controllers\Sharing\FileSharingController;
 // Pages
 Route::post('/contact', [AppFunctionsController::class, 'contact_form']);
 Route::get('/page/{page}', [AppFunctionsController::class, 'get_page']);
-Route::get('/content', [AppFunctionsController::class, 'get_settings']);
+Route::get('/content', [AppFunctionsController::class, 'get_setting_columns']);
 
 // Stripe
 Route::get('/pricing', [PricingController::class, 'index']);
diff --git a/tests/Feature/App/AppTest.php b/tests/Feature/App/AppTest.php
index 247c3805..3b6aea66 100644
--- a/tests/Feature/App/AppTest.php
+++ b/tests/Feature/App/AppTest.php
@@ -4,12 +4,8 @@ namespace Tests\Feature\App;
 
 use App\Http\Mail\SendContactMessage;
 use App\Models\Setting;
-use App\Notifications\SharedSendViaEmail;
 use App\Services\SetupService;
 use Illuminate\Foundation\Testing\DatabaseMigrations;
-use Illuminate\Foundation\Testing\RefreshDatabase;
-use Illuminate\Foundation\Testing\WithFaker;
-use Illuminate\Support\Facades\Notification;
 use Mail;
 use Tests\TestCase;
 
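Review bot: The helper moved into helpers.php loses the `: string` return type that the removed private method carried (`private function get_setup_status(): string` in the controller hunk), leaving `@return string` advisory only; keep it as `function get_setup_status(): string`. As a global, un-namespaced function it will also fatal on redeclaration if the helpers file is ever loaded twice, so unless the file already wraps its functions, the usual `if (! function_exists('get_setup_status'))` guard belongs around it — I cannot tell from this hunk whether the sibling helpers use one.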
@@ -70,4 +66,41 @@ class AppTest extends TestCase
 
         Mail::assertSent(SendContactMessage::class);
     }
+
+    /**
+     * @test
+     */
+    public function it_get_settings()
+    {
+        Setting::create([
+            'name' => 'get_started_title',
+            'value' => 'Hello World!',
+        ]);
+
+        Setting::create([
+            'name' => 'pricing_description',
+            'value' => 'Give me a money!',
+        ]);
+
+        $this->getJson('/api/content?column=get_started_title|pricing_description')
+            ->assertStatus(200)
+            ->assertExactJson([
+                "get_started_title" => "Hello World!",
+                "pricing_description" => "Give me a money!",
+            ]);
+    }
+
+    /**
+     * @test
+     */
+    public function it_try_get_secured_settings_via_public_api()
+    {
+        Setting::create([
+            'name' => 'purchase_code',
+            'value' => '15a53561-d387-4e0a-8de1-5d1bff34c1ed',
+        ]);
+
+        $this->getJson('/api/content?column=purchase_code')
+            ->assertStatus(401);
+    }
 }
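Review bot: The two new tests exercise the happy path and a single denied column, but not the branch the controller change rewrote most — a `|`-separated list that mixes a denied name with an allowed one, where the `each` closure must abort before `whereIn` runs and nothing may leak from the allowed half either. A third test along the lines below pins that behaviour; it reuses the same `Setting::create` fixtures so it stays in step with the two above. Naming nit: `it_get_settings` reads better as `it_gets_settings`, matching the `it_…` style of the neighbouring tests.
```php
    /**
     * @test
     */
    public function it_denies_mixed_list_containing_secured_setting()
    {
        Setting::create([
            'name' => 'get_started_title',
            'value' => 'Hello World!',
        ]);

        Setting::create([
            'name' => 'purchase_code',
            'value' => 'sample-purchase-code', // constructed sample value
        ]);

        $this->getJson('/api/content?column=get_started_title|purchase_code')
            ->assertStatus(401);
    }
```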