Skip to content

Instantly share code, notes, and snippets.

@davidalger

davidalger/Magento_CE_1.7.0.2_v1-CSRF_Patch.diff

Created July 6, 2013 03:50
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 5 You must be signed in to fork a gist
  • Save davidalger/5938568 to your computer and use it in GitHub Desktop.
Save davidalger/5938568 to your computer and use it in GitHub Desktop.
Download ZIP
For details on this, please refer to this post on Magento SE: http://magento.stackexchange.com/a/3332/128 — DISCLAIMER: I have NOT TESTED this patch. The patch provided here is provided with NO WARRANTY and may or may not fully resolve the vulnerabilities referenced in the CE 1.8 release notes. As an untested patch, there is also no guarantee th…
Raw
Magento_CE_1.7.0.2_v1-CSRF_Patch.diff
Date: Fri, 5 Jul 2013 22:41:03 -0500
Subject: [PATCH] Magento_CE_1.7.0.2_v1-CSRF_Patch
---
.../core/Mage/Catalog/Block/Product/Abstract.php | 85 ++++-
app/code/core/Mage/Catalog/Block/Product/View.php | 10 +-
.../core/Mage/Catalog/Helper/Product/Compare.php | 28 +-
app/code/core/Mage/Checkout/Helper/Cart.php | 26 +-
.../Mage/Checkout/controllers/CartController.php | 69 ++--
.../Checkout/controllers/OnepageController.php | 70 +++-
app/code/core/Mage/Core/Helper/Url.php | 29 +-
app/code/core/Mage/Core/Model/Url.php | 38 +-
.../Customer/controllers/AccountController.php | 421 ++++++++++++++-------
app/code/core/Mage/Wishlist/Helper/Data.php | 57 ++-
.../Mage/Wishlist/controllers/IndexController.php | 66 ++--
.../default/template/catalog/product/view.phtml | 1 +
.../template/checkout/onepage/review/info.phtml | 2 +-
.../default/template/sales/reorder/sidebar.phtml | 1 +
.../base/default/template/tag/customer/view.phtml | 4 +-
15 files changed, 643 insertions(+), 264 deletions(-)
diff --git a/app/code/core/Mage/Catalog/Block/Product/Abstract.php b/app/code/core/Mage/Catalog/Block/Product/Abstract.php
index a4728a5..7275a1e 100644
--- a/app/code/core/Mage/Catalog/Block/Product/Abstract.php
+++ b/app/code/core/Mage/Catalog/Block/Product/Abstract.php
@@ -34,6 +34,11 @@
*/
abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Template
{
+ /**
+ * Price block array
+ *
+ * @var array
+ */
protected $_priceBlock = array();
/**
@@ -43,10 +48,25 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
*/
protected $_block = 'catalog/product_price';
+ /**
+ * Price template
+ *
+ * @var string
+ */
protected $_priceBlockDefaultTemplate = 'catalog/product/price.phtml';
+ /**
+ * Tier price template
+ *
+ * @var string
+ */
protected $_tierPriceDefaultTemplate = 'catalog/product/view/tierprices.phtml';
+ /**
+ * Price types
+ *
+ * @var array
+ */
protected $_priceBlockTypes = array();
/**
@@ -56,6 +76,11 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
*/
protected $_useLinkForAsLowAs = true;
+ /**
+ * Review block instance
+ *
+ * @var null|Mage_Review_Block_Helper
+ */
protected $_reviewsHelperBlock;
/**
@@ -89,18 +114,33 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
*/
public function getAddToCartUrl($product, $additional = array())
{
- if ($product->getTypeInstance(true)->hasRequiredOptions($product)) {
- if (!isset($additional['_escape'])) {
- $additional['_escape'] = true;
- }
- if (!isset($additional['_query'])) {
- $additional['_query'] = array();
- }
- $additional['_query']['options'] = 'cart';
-
- return $this->getProductUrl($product, $additional);
+ if (!$product->getTypeInstance(true)->hasRequiredOptions($product)) {
+ return $this->helper('checkout/cart')->getAddUrl($product, $additional);
}
- return $this->helper('checkout/cart')->getAddUrl($product, $additional);
+ $additional = array_merge(
+ $additional,
+ array(Mage_Core_Model_Url::FORM_KEY => $this->_getSingletonModel('core/session')->getFormKey())
+ );
+ if (!isset($additional['_escape'])) {
+ $additional['_escape'] = true;
+ }
+ if (!isset($additional['_query'])) {
+ $additional['_query'] = array();
+ }
+ $additional['_query']['options'] = 'cart';
+ return $this->getProductUrl($product, $additional);
+ }
+
+ /**
+ * Return model instance
+ *
+ * @param string $className
+ * @param array $arguments
+ * @return Mage_Core_Model_Abstract
+ */
+ protected function _getSingletonModel($className, $arguments = array())
+ {
+ return Mage::getSingleton($className, $arguments);
}
/**
@@ -126,7 +166,7 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
}
/**
- * Enter description here...
+ * Return link to Add to Wishlist
*
* @param Mage_Catalog_Model_Product $product
* @return string
@@ -155,6 +195,12 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
return null;
}
+ /**
+ * Return price block
+ *
+ * @param string $productTypeId
+ * @return mixed
+ */
protected function _getPriceBlock($productTypeId)
{
if (!isset($this->_priceBlock[$productTypeId])) {
@@ -169,6 +215,12 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
return $this->_priceBlock[$productTypeId];
}
+ /**
+ * Return Block template
+ *
+ * @param string $productTypeId
+ * @return string
+ */
protected function _getPriceBlockTemplate($productTypeId)
{
if (isset($this->_priceBlockTypes[$productTypeId])) {
@@ -304,6 +356,11 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
return $this->getData('product');
}
+ /**
+ * Return tier price template
+ *
+ * @return mixed|string
+ */
public function getTierPriceTemplate()
{
if (!$this->hasData('tier_price_template')) {
@@ -419,13 +476,13 @@ abstract class Mage_Catalog_Block_Product_Abstract extends Mage_Core_Block_Templ
*
* @return string
*/
- public function getImageLabel($product=null, $mediaAttributeCode='image')
+ public function getImageLabel($product = null, $mediaAttributeCode = 'image')
{
if (is_null($product)) {
$product = $this->getProduct();
}
- $label = $product->getData($mediaAttributeCode.'_label');
+ $label = $product->getData($mediaAttributeCode . '_label');
if (empty($label)) {
$label = $product->getName();
}
diff --git a/app/code/core/Mage/Catalog/Block/Product/View.php b/app/code/core/Mage/Catalog/Block/Product/View.php
index f641f24..bc81fd7 100644
--- a/app/code/core/Mage/Catalog/Block/Product/View.php
+++ b/app/code/core/Mage/Catalog/Block/Product/View.php
@@ -61,7 +61,7 @@ class Mage_Catalog_Block_Product_View extends Mage_Catalog_Block_Product_Abstrac
$currentCategory = Mage::registry('current_category');
if ($keyword) {
$headBlock->setKeywords($keyword);
- } elseif($currentCategory) {
+ } elseif ($currentCategory) {
$headBlock->setKeywords($product->getName());
}
$description = $product->getMetaDescription();
@@ -71,7 +71,7 @@ class Mage_Catalog_Block_Product_View extends Mage_Catalog_Block_Product_Abstrac
$headBlock->setDescription(Mage::helper('core/string')->substr($product->getDescription(), 0, 255));
}
if ($this->helper('catalog/product')->canUseCanonicalTag()) {
- $params = array('_ignore_category'=>true);
+ $params = array('_ignore_category' => true);
$headBlock->addLinkRel('canonical', $product->getUrlModel()->getUrl($product, $params));
}
}
@@ -117,7 +117,7 @@ class Mage_Catalog_Block_Product_View extends Mage_Catalog_Block_Product_Abstrac
return $this->getCustomAddToCartUrl();
}
- if ($this->getRequest()->getParam('wishlist_next')){
+ if ($this->getRequest()->getParam('wishlist_next')) {
$additional['wishlist_next'] = 1;
}
@@ -191,9 +191,9 @@ class Mage_Catalog_Block_Product_View extends Mage_Catalog_Block_Product_Abstrac
);
$responseObject = new Varien_Object();
- Mage::dispatchEvent('catalog_product_view_config', array('response_object'=>$responseObject));
+ Mage::dispatchEvent('catalog_product_view_config', array('response_object' => $responseObject));
if (is_array($responseObject->getAdditionalOptions())) {
- foreach ($responseObject->getAdditionalOptions() as $option=>$value) {
+ foreach ($responseObject->getAdditionalOptions() as $option => $value) {
$config[$option] = $value;
}
}
diff --git a/app/code/core/Mage/Catalog/Helper/Product/Compare.php b/app/code/core/Mage/Catalog/Helper/Product/Compare.php
index d38d2ba..2535144 100644
--- a/app/code/core/Mage/Catalog/Helper/Product/Compare.php
+++ b/app/code/core/Mage/Catalog/Helper/Product/Compare.php
@@ -79,17 +79,17 @@ class Mage_Catalog_Helper_Product_Compare extends Mage_Core_Helper_Url
*/
public function getListUrl()
{
- $itemIds = array();
- foreach ($this->getItemCollection() as $item) {
- $itemIds[] = $item->getId();
- }
+ $itemIds = array();
+ foreach ($this->getItemCollection() as $item) {
+ $itemIds[] = $item->getId();
+ }
- $params = array(
- 'items'=>implode(',', $itemIds),
+ $params = array(
+ 'items' => implode(',', $itemIds),
Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $this->getEncodedUrl()
- );
+ );
- return $this->_getUrl('catalog/product_compare', $params);
+ return $this->_getUrl('catalog/product_compare', $params);
}
/**
@@ -128,7 +128,8 @@ class Mage_Catalog_Helper_Product_Compare extends Mage_Core_Helper_Url
$beforeCompareUrl = Mage::getSingleton('catalog/session')->getBeforeCompareUrl();
$params = array(
- 'product'=>$product->getId(),
+ 'product' => $product->getId(),
+ Mage_Core_Model_Url::FORM_KEY => $this->_getSingletonModel('core/session')->getFormKey(),
Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $this->getEncodedUrl($beforeCompareUrl)
);
@@ -143,10 +144,11 @@ class Mage_Catalog_Helper_Product_Compare extends Mage_Core_Helper_Url
*/
public function getAddToCartUrl($product)
{
- $beforeCompareUrl = Mage::getSingleton('catalog/session')->getBeforeCompareUrl();
+ $beforeCompareUrl = $this->_getSingletonModel('catalog/session')->getBeforeCompareUrl();
$params = array(
- 'product'=>$product->getId(),
- Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $this->getEncodedUrl($beforeCompareUrl)
+ 'product' => $product->getId(),
+ Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $this->getEncodedUrl($beforeCompareUrl),
+ Mage_Core_Model_Url::FORM_KEY => $this->_getSingletonModel('core/session')->getFormKey()
);
return $this->_getUrl('checkout/cart/add', $params);
@@ -161,7 +163,7 @@ class Mage_Catalog_Helper_Product_Compare extends Mage_Core_Helper_Url
public function getRemoveUrl($item)
{
$params = array(
- 'product'=>$item->getId(),
+ 'product' => $item->getId(),
Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $this->getEncodedUrl()
);
return $this->_getUrl('catalog/product_compare/remove', $params);
diff --git a/app/code/core/Mage/Checkout/Helper/Cart.php b/app/code/core/Mage/Checkout/Helper/Cart.php
index 33ba781..38c333d 100644
--- a/app/code/core/Mage/Checkout/Helper/Cart.php
+++ b/app/code/core/Mage/Checkout/Helper/Cart.php
@@ -31,6 +31,9 @@
*/
class Mage_Checkout_Helper_Cart extends Mage_Core_Helper_Url
{
+ /**
+ * Redirect to Cart path
+ */
const XML_PATH_REDIRECT_TO_CART = 'checkout/cart/redirect_to_cart';
/**
@@ -47,16 +50,16 @@ class Mage_Checkout_Helper_Cart extends Mage_Core_Helper_Url
* Retrieve url for add product to cart
*
* @param Mage_Catalog_Model_Product $product
+ * @param array $additional
* @return string
*/
public function getAddUrl($product, $additional = array())
{
- $continueUrl = Mage::helper('core')->urlEncode($this->getCurrentUrl());
- $urlParamName = Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED;
-
$routeParams = array(
- $urlParamName => $continueUrl,
- 'product' => $product->getEntityId()
+ Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $this->_getHelperInstance('core')
+ ->urlEncode($this->getCurrentUrl()),
+ 'product' => $product->getEntityId(),
+ Mage_Core_Model_Url::FORM_KEY => $this->_getSingletonModel('core/session')->getFormKey()
);
if (!empty($additional)) {
@@ -77,6 +80,17 @@ class Mage_Checkout_Helper_Cart extends Mage_Core_Helper_Url
}
/**
+ * Return helper instance
+ *
+ * @param string $helperName
+ * @return Mage_Core_Helper_Abstract
+ */
+ protected function _getHelperInstance($helperName)
+ {
+ return Mage::helper($helperName);
+ }
+
+ /**
* Retrieve url for remove product from cart
*
* @param Mage_Sales_Quote_Item $item
@@ -85,7 +99,7 @@ class Mage_Checkout_Helper_Cart extends Mage_Core_Helper_Url
public function getRemoveUrl($item)
{
$params = array(
- 'id'=>$item->getId(),
+ 'id' => $item->getId(),
Mage_Core_Controller_Front_Action::PARAM_NAME_BASE64_URL => $this->getCurrentBase64Url()
);
return $this->_getUrl('checkout/cart/delete', $params);
diff --git a/app/code/core/Mage/Checkout/controllers/CartController.php b/app/code/core/Mage/Checkout/controllers/CartController.php
index 8745dd6..252e80f 100644
--- a/app/code/core/Mage/Checkout/controllers/CartController.php
+++ b/app/code/core/Mage/Checkout/controllers/CartController.php
@@ -70,6 +70,7 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
* Set back redirect url to response
*
* @return Mage_Checkout_CartController
+ * @throws Mage_Exception
*/
protected function _goBack()
{
@@ -166,9 +167,15 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
/**
* Add product to shopping cart action
+ *
+ * @return void
*/
public function addAction()
{
+ if (!$this->_validateFormKey()) {
+ $this->_goBack();
+ return;
+ }
$cart = $this->_getCart();
$params = $this->getRequest()->getParams();
try {
@@ -207,7 +214,7 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
);
if (!$this->_getSession()->getNoCartRedirect(true)) {
- if (!$cart->getQuote()->getHasError()){
+ if (!$cart->getQuote()->getHasError()) {
$message = $this->__('%s was added to your shopping cart.', Mage::helper('core')->escapeHtml($product->getName()));
$this->_getSession()->addSuccess($message);
}
@@ -236,34 +243,41 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
}
}
+ /**
+ * Add products in group to shopping cart action
+ */
public function addgroupAction()
{
$orderItemIds = $this->getRequest()->getParam('order_items', array());
- if (is_array($orderItemIds)) {
- $itemsCollection = Mage::getModel('sales/order_item')
- ->getCollection()
- ->addIdFilter($orderItemIds)
- ->load();
- /* @var $itemsCollection Mage_Sales_Model_Mysql4_Order_Item_Collection */
- $cart = $this->_getCart();
- foreach ($itemsCollection as $item) {
- try {
- $cart->addOrderItem($item, 1);
- } catch (Mage_Core_Exception $e) {
- if ($this->_getSession()->getUseNotice(true)) {
- $this->_getSession()->addNotice($e->getMessage());
- } else {
- $this->_getSession()->addError($e->getMessage());
- }
- } catch (Exception $e) {
- $this->_getSession()->addException($e, $this->__('Cannot add the item to shopping cart.'));
- Mage::logException($e);
- $this->_goBack();
+
+ if (!is_array($orderItemIds) || !$this->_validateFormKey()) {
+ $this->_goBack();
+ return;
+ }
+
+ $itemsCollection = Mage::getModel('sales/order_item')
+ ->getCollection()
+ ->addIdFilter($orderItemIds)
+ ->load();
+ /* @var $itemsCollection Mage_Sales_Model_Mysql4_Order_Item_Collection */
+ $cart = $this->_getCart();
+ foreach ($itemsCollection as $item) {
+ try {
+ $cart->addOrderItem($item, 1);
+ } catch (Mage_Core_Exception $e) {
+ if ($this->_getSession()->getUseNotice(true)) {
+ $this->_getSession()->addNotice($e->getMessage());
+ } else {
+ $this->_getSession()->addError($e->getMessage());
}
+ } catch (Exception $e) {
+ $this->_getSession()->addException($e, $this->__('Cannot add the item to shopping cart.'));
+ Mage::logException($e);
+ $this->_goBack();
}
- $cart->save();
- $this->_getSession()->setCartWasUpdated(true);
}
+ $cart->save();
+ $this->_getSession()->setCartWasUpdated(true);
$this->_goBack();
}
@@ -347,8 +361,8 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
array('item' => $item, 'request' => $this->getRequest(), 'response' => $this->getResponse())
);
if (!$this->_getSession()->getNoCartRedirect(true)) {
- if (!$cart->getQuote()->getHasError()){
- $message = $this->__('%s was updated in your shopping cart.', Mage::helper('core')->htmlEscape($item->getProduct()->getName()));
+ if (!$cart->getQuote()->getHasError()) {
+ $message = $this->__('%s was updated in your shopping cart.', Mage::helper('core')->escapeHtml($item->getProduct()->getName()));
$this->_getSession()->addSuccess($message);
}
$this->_goBack();
@@ -487,6 +501,11 @@ class Mage_Checkout_CartController extends Mage_Core_Controller_Front_Action
$this->_goBack();
}
+ /**
+ * Estimate update action
+ *
+ * @return null
+ */
public function estimateUpdatePostAction()
{
$code = (string) $this->getRequest()->getParam('estimate_method');
diff --git a/app/code/core/Mage/Checkout/controllers/OnepageController.php b/app/code/core/Mage/Checkout/controllers/OnepageController.php
index e90b59e..3e4a381 100644
--- a/app/code/core/Mage/Checkout/controllers/OnepageController.php
+++ b/app/code/core/Mage/Checkout/controllers/OnepageController.php
@@ -24,16 +24,27 @@
* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
*/
-
+/**
+ * Class Onepage controller
+ */
class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
{
+ /**
+ * Functions for concrete method
+ *
+ * @var array
+ */
protected $_sectionUpdateFunctions = array(
'payment-method' => '_getPaymentMethodsHtml',
'shipping-method' => '_getShippingMethodsHtml',
'review' => '_getReviewHtml',
);
- /** @var Mage_Sales_Model_Order */
+ /**
+ * Order instance
+ *
+ * @var Mage_Sales_Model_Order
+ */
protected $_order;
/**
@@ -50,7 +61,7 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
$checkoutSessionQuote->removeAllAddresses();
}
- if(!$this->_canShowForUnregisteredUsers()){
+ if (!$this->_canShowForUnregisteredUsers()) {
$this->norouteAction();
$this->setFlag('',self::FLAG_NO_DISPATCH,true);
return;
@@ -59,6 +70,11 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
return $this;
}
+ /**
+ * Send headers in case if session is expired
+ *
+ * @return Mage_Checkout_OnepageController
+ */
protected function _ajaxRedirectResponse()
{
$this->getResponse()
@@ -123,6 +139,12 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
return $output;
}
+ /**
+ * Return block content from the 'checkout_onepage_additional'
+ * This is the additional content for shipping method
+ *
+ * @return string
+ */
protected function _getAdditionalHtml()
{
$layout = $this->getLayout();
@@ -180,7 +202,7 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
return;
}
Mage::getSingleton('checkout/session')->setCartWasUpdated(false);
- Mage::getSingleton('customer/session')->setBeforeAuthUrl(Mage::getUrl('*/*/*', array('_secure'=>true)));
+ Mage::getSingleton('customer/session')->setBeforeAuthUrl(Mage::getUrl('*/*/*', array('_secure' => true)));
$this->getOnepage()->initCheckout();
$this->loadLayout();
$this->_initLayoutMessages('customer/session');
@@ -200,6 +222,9 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
$this->renderLayout();
}
+ /**
+ * Shipping action
+ */
public function shippingMethodAction()
{
if ($this->_expireAjax()) {
@@ -209,6 +234,9 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
$this->renderLayout();
}
+ /**
+ * Review action
+ */
public function reviewAction()
{
if ($this->_expireAjax()) {
@@ -244,6 +272,9 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
$this->renderLayout();
}
+ /**
+ * Failure action
+ */
public function failureAction()
{
$lastQuoteId = $this->getOnepage()->getCheckout()->getLastQuoteId();
@@ -259,6 +290,9 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
}
+ /**
+ * Additional action
+ */
public function getAdditionalAction()
{
$this->getResponse()->setBody($this->_getAdditionalHtml());
@@ -383,10 +417,10 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
/*
$result will have erro data if shipping method is empty
*/
- if(!$result) {
+ if (!$result) {
Mage::dispatchEvent('checkout_controller_onepage_save_shipping_method',
- array('request'=>$this->getRequest(),
- 'quote'=>$this->getOnepage()->getQuote()));
+ array('request' => $this->getRequest(),
+ 'quote' => $this->getOnepage()->getQuote()));
$this->getOnepage()->getQuote()->collectTotals();
$this->getResponse()->setBody(Mage::helper('core')->jsonEncode($result));
@@ -452,7 +486,8 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
/**
* Get Order by quoteId
*
- * @return Mage_Sales_Model_Order
+ * @return Mage_Core_Model_Abstract|Mage_Sales_Model_Order
+ * @throws Mage_Payment_Model_Info_Exception
*/
protected function _getOrder()
{
@@ -489,15 +524,21 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
*/
public function saveOrderAction()
{
+ if (!$this->_validateFormKey()) {
+ return $this->_redirect('*/*');
+ }
+
if ($this->_expireAjax()) {
return;
}
$result = array();
try {
- if ($requiredAgreements = Mage::helper('checkout')->getRequiredAgreementIds()) {
+ $requiredAgreements = Mage::helper('checkout')->getRequiredAgreementIds();
+ if ($requiredAgreements) {
$postedAgreements = array_keys($this->getRequest()->getPost('agreement', array()));
- if ($diff = array_diff($requiredAgreements, $postedAgreements)) {
+ $diff = array_diff($requiredAgreements, $postedAgreements);
+ if ($diff) {
$result['success'] = false;
$result['error'] = true;
$result['error_messages'] = $this->__('Please agree to all the terms and conditions before placing the order.');
@@ -515,7 +556,7 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
$result['error'] = false;
} catch (Mage_Payment_Model_Info_Exception $e) {
$message = $e->getMessage();
- if( !empty($message) ) {
+ if ( !empty($message) ) {
$result['error_messages'] = $message;
}
$result['goto_section'] = 'payment';
@@ -530,12 +571,13 @@ class Mage_Checkout_OnepageController extends Mage_Checkout_Controller_Action
$result['error'] = true;
$result['error_messages'] = $e->getMessage();
- if ($gotoSection = $this->getOnepage()->getCheckout()->getGotoSection()) {
+ $gotoSection = $this->getOnepage()->getCheckout()->getGotoSection();
+ if ($gotoSection) {
$result['goto_section'] = $gotoSection;
$this->getOnepage()->getCheckout()->setGotoSection(null);
}
-
- if ($updateSection = $this->getOnepage()->getCheckout()->getUpdateSection()) {
+ $updateSection = $this->getOnepage()->getCheckout()->getUpdateSection();
+ if ($updateSection) {
if (isset($this->_sectionUpdateFunctions[$updateSection])) {
$updateSectionFunction = $this->_sectionUpdateFunctions[$updateSection];
$result['update_section'] = array(
diff --git a/app/code/core/Mage/Core/Helper/Url.php b/app/code/core/Mage/Core/Helper/Url.php
index 2fd8608..0181a25 100644
--- a/app/code/core/Mage/Core/Helper/Url.php
+++ b/app/code/core/Mage/Core/Helper/Url.php
@@ -65,7 +65,13 @@ class Mage_Core_Helper_Url extends Mage_Core_Helper_Abstract
return $this->urlEncode($this->getCurrentUrl());
}
- public function getEncodedUrl($url=null)
+ /**
+ * Return encoded url
+ *
+ * @param null|string $url
+ * @return string
+ */
+ public function getEncodedUrl($url = null)
{
if (!$url) {
$url = $this->getCurrentUrl();
@@ -83,6 +89,12 @@ class Mage_Core_Helper_Url extends Mage_Core_Helper_Abstract
return Mage::getBaseUrl();
}
+ /**
+ * Formatting string
+ *
+ * @param string $string
+ * @return string
+ */
protected function _prepareString($string)
{
$string = preg_replace('#[^0-9a-z]+#i', '-', $string);
@@ -104,7 +116,7 @@ class Mage_Core_Helper_Url extends Mage_Core_Helper_Abstract
$startDelimiter = (false === strpos($url,'?'))? '?' : '&';
$arrQueryParams = array();
- foreach($param as $key=>$value) {
+ foreach ($param as $key => $value) {
if (is_numeric($key) || is_object($value)) {
continue;
}
@@ -128,6 +140,7 @@ class Mage_Core_Helper_Url extends Mage_Core_Helper_Abstract
*
* @param string $url
* @param string $paramKey
+ * @param boolean $caseSensitive
* @return string
*/
public function removeRequestParam($url, $paramKey, $caseSensitive = false)
@@ -143,4 +156,16 @@ class Mage_Core_Helper_Url extends Mage_Core_Helper_Abstract
}
return $url;
}
+
+ /**
+ * Return singleton model instance
+ *
+ * @param string $name
+ * @param array $arguments
+ * @return Mage_Core_Model_Abstract
+ */
+ protected function _getSingletonModel($name, $arguments = array())
+ {
+ return Mage::getSingleton($name, $arguments);
+ }
}
diff --git a/app/code/core/Mage/Core/Model/Url.php b/app/code/core/Mage/Core/Model/Url.php
index c87bf48..28086af 100644
--- a/app/code/core/Mage/Core/Model/Url.php
+++ b/app/code/core/Mage/Core/Model/Url.php
@@ -89,14 +89,31 @@ class Mage_Core_Model_Url extends Varien_Object
const DEFAULT_ACTION_NAME = 'index';
/**
- * Configuration paths
+ * XML base url path unsecure
*/
const XML_PATH_UNSECURE_URL = 'web/unsecure/base_url';
+
+ /**
+ * XML base url path secure
+ */
const XML_PATH_SECURE_URL = 'web/secure/base_url';
+
+ /**
+ * XML path for using in adminhtml
+ */
const XML_PATH_SECURE_IN_ADMIN = 'default/web/secure/use_in_adminhtml';
+
+ /**
+ * XML path for using in frontend
+ */
const XML_PATH_SECURE_IN_FRONT = 'web/secure/use_in_frontend';
/**
+ * Param name for form key functionality
+ */
+ const FORM_KEY = 'form_key';
+
+ /**
* Configuration data cache
*
* @var array
@@ -483,7 +500,7 @@ class Mage_Core_Model_Url extends Varien_Object
}
$routePath = $this->getActionPath();
if ($this->getRouteParams()) {
- foreach ($this->getRouteParams() as $key=>$value) {
+ foreach ($this->getRouteParams() as $key => $value) {
if (is_null($value) || false === $value || '' === $value || !is_scalar($value)) {
continue;
}
@@ -939,8 +956,8 @@ class Mage_Core_Model_Url extends Varien_Object
/**
* Build url by requested path and parameters
*
- * @param string|null $routePath
- * @param array|null $routeParams
+ * @param string|null $routePath
+ * @param array|null $routeParams
* @return string
*/
public function getUrl($routePath = null, $routeParams = null)
@@ -974,6 +991,7 @@ class Mage_Core_Model_Url extends Varien_Object
$noSid = (bool)$routeParams['_nosid'];
unset($routeParams['_nosid']);
}
+
$url = $this->getRouteUrl($routePath, $routeParams);
/**
* Apply query params, need call after getRouteUrl for rewrite _current values
@@ -1007,6 +1025,18 @@ class Mage_Core_Model_Url extends Varien_Object
}
/**
+ * Return singleton model instance
+ *
+ * @param string $name
+ * @param array $arguments
+ * @return Mage_Core_Model_Abstract
+ */
+ protected function _getSingletonModel($name, $arguments = array())
+ {
+ return Mage::getSingleton($name, $arguments);
+ }
+
+ /**
* Check and add session id to URL
*
* @param string $url
diff --git a/app/code/core/Mage/Customer/controllers/AccountController.php b/app/code/core/Mage/Customer/controllers/AccountController.php
index 98bac6a..6ee3163 100644
--- a/app/code/core/Mage/Customer/controllers/AccountController.php
+++ b/app/code/core/Mage/Customer/controllers/AccountController.php
@@ -153,8 +153,8 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
} catch (Mage_Core_Exception $e) {
switch ($e->getCode()) {
case Mage_Customer_Model_Customer::EXCEPTION_EMAIL_NOT_CONFIRMED:
- $value = Mage::helper('customer')->getEmailConfirmationUrl($login['username']);
- $message = Mage::helper('customer')->__('This account is not confirmed. <a href="%s">Click here</a> to resend confirmation email.', $value);
+ $value = $this->_getHelper('customer')->getEmailConfirmationUrl($login['username']);
+ $message = $this->_getHelper('customer')->__('This account is not confirmed. <a href="%s">Click here</a> to resend confirmation email.', $value);
break;
case Mage_Customer_Model_Customer::EXCEPTION_INVALID_EMAIL_OR_PASSWORD:
$message = $e->getMessage();
@@ -184,7 +184,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
if (!$session->getBeforeAuthUrl() || $session->getBeforeAuthUrl() == Mage::getBaseUrl()) {
// Set default URL to redirect customer to
- $session->setBeforeAuthUrl(Mage::helper('customer')->getAccountUrl());
+ $session->setBeforeAuthUrl($this->_getHelper('customer')->getAccountUrl());
// Redirect customer to the last page visited after logging in
if ($session->isLoggedIn()) {
if (!Mage::getStoreConfigFlag(
@@ -193,8 +193,8 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
$referer = $this->getRequest()->getParam(Mage_Customer_Helper_Data::REFERER_QUERY_PARAM_NAME);
if ($referer) {
// Rebuild referer URL to handle the case when SID was changed
- $referer = Mage::getModel('core/url')
- ->getRebuiltUrl(Mage::helper('core')->urlDecode($referer));
+ $referer = $this->_getModel('core/url')
+ ->getRebuiltUrl($this->_getHelper('core')->urlDecode($referer));
if ($this->_isUrlInternal($referer)) {
$session->setBeforeAuthUrl($referer);
}
@@ -203,10 +203,10 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
$session->setBeforeAuthUrl($session->getAfterAuthUrl(true));
}
} else {
- $session->setBeforeAuthUrl(Mage::helper('customer')->getLoginUrl());
+ $session->setBeforeAuthUrl($this->_getHelper('customer')->getLoginUrl());
}
- } else if ($session->getBeforeAuthUrl() == Mage::helper('customer')->getLogoutUrl()) {
- $session->setBeforeAuthUrl(Mage::helper('customer')->getDashboardUrl());
+ } else if ($session->getBeforeAuthUrl() == $this->_getHelper('customer')->getLogoutUrl()) {
+ $session->setBeforeAuthUrl($this->_getHelper('customer')->getDashboardUrl());
} else {
if (!$session->getAfterAuthUrl()) {
$session->setAfterAuthUrl($session->getBeforeAuthUrl());
@@ -258,126 +258,255 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
*/
public function createPostAction()
{
+ /** @var $session Mage_Customer_Model_Session */
$session = $this->_getSession();
if ($session->isLoggedIn()) {
$this->_redirect('*/*/');
return;
}
$session->setEscapeMessages(true); // prevent XSS injection in user input
- if ($this->getRequest()->isPost()) {
- $errors = array();
+ if (!$this->getRequest()->isPost()) {
+ $errUrl = $this->_getUrl('*/*/create', array('_secure' => true));
+ $this->_redirectError($errUrl);
+ return;
+ }
- if (!$customer = Mage::registry('current_customer')) {
- $customer = Mage::getModel('customer/customer')->setId(null);
+ $customer = $this->_getCustomer();
+
+ try {
+ $errors = $this->_getCustomerErrors($customer);
+
+ if (empty($errors)) {
+ $customer->save();
+ $this->_dispatchRegisterSuccess($customer);
+ $this->_successProcessRegistration($customer);
+ return;
+ } else {
+ $this->_addSessionError($errors);
+ }
+ } catch (Mage_Core_Exception $e) {
+ $session->setCustomerFormData($this->getRequest()->getPost());
+ if ($e->getCode() === Mage_Customer_Model_Customer::EXCEPTION_EMAIL_EXISTS) {
+ $url = $this->_getUrl('customer/account/forgotpassword');
+ $message = $this->__('There is already an account with this email address. If you are sure that it is your email address, <a href="%s">click here</a> to get your password and access your account.', $url);
+ $session->setEscapeMessages(false);
+ } else {
+ $message = $e->getMessage();
}
+ $session->addError($message);
+ } catch (Exception $e) {
+ $session->setCustomerFormData($this->getRequest()->getPost())
+ ->addException($e, $this->__('Cannot save the customer.'));
+ }
+ $url = $this->_getUrl('*/*/create', array('_secure' => true));
+ $this->_redirectError($url);
+ }
- /* @var $customerForm Mage_Customer_Model_Form */
- $customerForm = Mage::getModel('customer/form');
- $customerForm->setFormCode('customer_account_create')
- ->setEntity($customer);
+ /**
+ * Success Registration
+ *
+ * @param Mage_Customer_Model_Customer $customer
+ * @return Mage_Customer_AccountController
+ */
+ protected function _successProcessRegistration(Mage_Customer_Model_Customer $customer)
+ {
+ $session = $this->_getSession();
+ if ($customer->isConfirmationRequired()) {
+ /** @var $app Mage_Core_Model_App */
+ $app = $this->_getApp();
+ /** @var $store Mage_Core_Model_Store*/
+ $store = $app->getStore();
+ $customer->sendNewAccountEmail(
+ 'confirmation',
+ $session->getBeforeAuthUrl(),
+ $store->getId()
+ );
+ $customerHelper = $this->_getHelper('customer');
+ $session->addSuccess($this->__('Account confirmation is required. Please, check your email for the confirmation link. To resend the confirmation email please <a href="%s">click here</a>.',
+ $customerHelper->getEmailConfirmationUrl($customer->getEmail())));
+ $url = $this->_getUrl('*/*/index', array('_secure' => true));
+ } else {
+ $session->setCustomerAsLoggedIn($customer);
+ $session->renewSession();
+ $url = $this->_welcomeCustomer($customer);
+ }
+ $this->_redirectSuccess($url);
+ return $this;
+ }
- $customerData = $customerForm->extractData($this->getRequest());
+ /**
+ * Get Customer Model
+ *
+ * @return Mage_Customer_Model_Customer
+ */
+ protected function _getCustomer()
+ {
+ $customer = $this->_getFromRegistry('current_customer');
+ if (!$customer) {
+ $customer = $this->_getModel('customer/customer')->setId(null);
+ }
+ if ($this->getRequest()->getParam('is_subscribed', false)) {
+ $customer->setIsSubscribed(1);
+ }
+ /**
+ * Initialize customer group id
+ */
+ $customer->getGroupId();
- if ($this->getRequest()->getParam('is_subscribed', false)) {
- $customer->setIsSubscribed(1);
+ return $customer;
+ }
+
+ /**
+ * Add session error method
+ *
+ * @param string|array $errors
+ */
+ protected function _addSessionError($errors)
+ {
+ $session = $this->_getSession();
+ $session->setCustomerFormData($this->getRequest()->getPost());
+ if (is_array($errors)) {
+ foreach ($errors as $errorMessage) {
+ $session->addError($errorMessage);
}
+ } else {
+ $session->addError($this->__('Invalid customer data'));
+ }
+ }
- /**
- * Initialize customer group id
- */
- $customer->getGroupId();
-
- if ($this->getRequest()->getPost('create_address')) {
- /* @var $address Mage_Customer_Model_Address */
- $address = Mage::getModel('customer/address');
- /* @var $addressForm Mage_Customer_Model_Form */
- $addressForm = Mage::getModel('customer/form');
- $addressForm->setFormCode('customer_register_address')
- ->setEntity($address);
-
- $addressData = $addressForm->extractData($this->getRequest(), 'address', false);
- $addressErrors = $addressForm->validateData($addressData);
- if ($addressErrors === true) {
- $address->setId(null)
- ->setIsDefaultBilling($this->getRequest()->getParam('default_billing', false))
- ->setIsDefaultShipping($this->getRequest()->getParam('default_shipping', false));
- $addressForm->compactData($addressData);
- $customer->addAddress($address);
-
- $addressErrors = $address->validate();
- if (is_array($addressErrors)) {
- $errors = array_merge($errors, $addressErrors);
- }
- } else {
- $errors = array_merge($errors, $addressErrors);
- }
+ /**
+ * Validate customer data and return errors if they are
+ *
+ * @param Mage_Customer_Model_Customer $customer
+ * @return array|string
+ */
+ protected function _getCustomerErrors($customer)
+ {
+ $errors = array();
+ $request = $this->getRequest();
+ if ($request->getPost('create_address')) {
+ $errors = $this->_getErrorsOnCustomerAddress($customer);
+ }
+ $customerForm = $this->_getCustomerForm($customer);
+ $customerData = $customerForm->extractData($request);
+ $customerErrors = $customerForm->validateData($customerData);
+ if ($customerErrors !== true) {
+ $errors = array_merge($customerErrors, $errors);
+ } else {
+ $customerForm->compactData($customerData);
+ $customer->setPassword($request->getPost('password'));
+ $customer->setConfirmation($request->getPost('confirmation'));
+ $customerErrors = $customer->validate();
+ if (is_array($customerErrors)) {
+ $errors = array_merge($customerErrors, $errors);
}
+ }
+ return $errors;
+ }
- try {
- $customerErrors = $customerForm->validateData($customerData);
- if ($customerErrors !== true) {
- $errors = array_merge($customerErrors, $errors);
- } else {
- $customerForm->compactData($customerData);
- $customer->setPassword($this->getRequest()->getPost('password'));
- $customer->setConfirmation($this->getRequest()->getPost('confirmation'));
- $customerErrors = $customer->validate();
- if (is_array($customerErrors)) {
- $errors = array_merge($customerErrors, $errors);
- }
- }
+ /**
+ * Get Customer Form Initalized Model
+ *
+ * @param Mage_Customer_Model_Customer $customer
+ * @return Mage_Customer_Model_Form
+ */
+ protected function _getCustomerForm($customer)
+ {
+ /* @var $customerForm Mage_Customer_Model_Form */
+ $customerForm = $this->_getModel('customer/form');
+ $customerForm->setFormCode('customer_account_create');
+ $customerForm->setEntity($customer);
+ return $customerForm;
+ }
- $validationResult = count($errors) == 0;
+ /**
+ * Get Helper
+ *
+ * @param string $path
+ * @return Mage_Core_Helper_Abstract
+ */
+ protected function _getHelper($path)
+ {
+ return Mage::helper($path);
+ }
- if (true === $validationResult) {
- $customer->save();
+ /**
+ * Get App
+ *
+ * @return Mage_Core_Model_App
+ */
+ protected function _getApp()
+ {
+ return Mage::app();
+ }
- Mage::dispatchEvent('customer_register_success',
- array('account_controller' => $this, 'customer' => $customer)
- );
-
- if ($customer->isConfirmationRequired()) {
- $customer->sendNewAccountEmail(
- 'confirmation',
- $session->getBeforeAuthUrl(),
- Mage::app()->getStore()->getId()
- );
- $session->addSuccess($this->__('Account confirmation is required. Please, check your email for the confirmation link. To resend the confirmation email please <a href="%s">click here</a>.', Mage::helper('customer')->getEmailConfirmationUrl($customer->getEmail())));
- $this->_redirectSuccess(Mage::getUrl('*/*/index', array('_secure'=>true)));
- return;
- } else {
- $session->setCustomerAsLoggedIn($customer);
- $url = $this->_welcomeCustomer($customer);
- $this->_redirectSuccess($url);
- return;
- }
- } else {
- $session->setCustomerFormData($this->getRequest()->getPost());
- if (is_array($errors)) {
- foreach ($errors as $errorMessage) {
- $session->addError($errorMessage);
- }
- } else {
- $session->addError($this->__('Invalid customer data'));
- }
- }
- } catch (Mage_Core_Exception $e) {
- $session->setCustomerFormData($this->getRequest()->getPost());
- if ($e->getCode() === Mage_Customer_Model_Customer::EXCEPTION_EMAIL_EXISTS) {
- $url = Mage::getUrl('customer/account/forgotpassword');
- $message = $this->__('There is already an account with this email address. If you are sure that it is your email address, <a href="%s">click here</a> to get your password and access your account.', $url);
- $session->setEscapeMessages(false);
- } else {
- $message = $e->getMessage();
- }
- $session->addError($message);
- } catch (Exception $e) {
- $session->setCustomerFormData($this->getRequest()->getPost())
- ->addException($e, $this->__('Cannot save the customer.'));
- }
+ /**
+ * Dispatch Event
+ *
+ * @param Mage_Customer_Model_Customer $customer
+ */
+ protected function _dispatchRegisterSuccess($customer)
+ {
+ Mage::dispatchEvent('customer_register_success',
+ array('account_controller' => $this, 'customer' => $customer)
+ );
+ }
+
+ /**
+ * Get errors on provided customer address
+ *
+ * @param Mage_Customer_Model_Customer $customer
+ * @return array $errors
+ */
+ protected function _getErrorsOnCustomerAddress($customer)
+ {
+ $errors = array();
+ /* @var $address Mage_Customer_Model_Address */
+ $address = $this->_getModel('customer/address');
+ /* @var $addressForm Mage_Customer_Model_Form */
+ $addressForm = $this->_getModel('customer/form');
+ $addressForm->setFormCode('customer_register_address')
+ ->setEntity($address);
+
+ $addressData = $addressForm->extractData($this->getRequest(), 'address', false);
+ $addressErrors = $addressForm->validateData($addressData);
+ if (is_array($addressErrors)) {
+ $errors = $addressErrors;
+ }
+ $address->setId(null)
+ ->setIsDefaultBilling($this->getRequest()->getParam('default_billing', false))
+ ->setIsDefaultShipping($this->getRequest()->getParam('default_shipping', false));
+ $addressForm->compactData($addressData);
+ $customer->addAddress($address);
+
+ $addressErrors = $address->validate();
+ if (is_array($addressErrors)) {
+ $errors = array_merge($errors, $addressErrors);
}
+ return $errors;
+ }
- $this->_redirectError(Mage::getUrl('*/*/create', array('_secure' => true)));
+ /**
+ * Get model by path
+ *
+ * @param string $path
+ * @param array|null $arguments
+ * @return false|Mage_Core_Model_Abstract
+ */
+ public function _getModel($path, $arguments = array())
+ {
+ return Mage::getModel($path, $arguments);
+ }
+
+ /**
+ * Get model from registry by path
+ *
+ * @param string $path
+ * @return mixed
+ */
+ protected function _getFromRegistry($path)
+ {
+ return Mage::registry($path);
}
/**
@@ -395,14 +524,16 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
);
if ($this->_isVatValidationEnabled()) {
// Show corresponding VAT message to customer
- $configAddressType = Mage::helper('customer/address')->getTaxCalculationAddressType();
+ $configAddressType = $this->_getHelper('customer/address')->getTaxCalculationAddressType();
$userPrompt = '';
switch ($configAddressType) {
case Mage_Customer_Model_Address_Abstract::TYPE_SHIPPING:
- $userPrompt = $this->__('If you are a registered VAT customer, please click <a href="%s">here</a> to enter you shipping address for proper VAT calculation', Mage::getUrl('customer/address/edit'));
+ $userPrompt = $this->__('If you are a registered VAT customer, please click <a href="%s">here</a> to enter you shipping address for proper VAT calculation',
+ $this->_getUrl('customer/address/edit'));
break;
default:
- $userPrompt = $this->__('If you are a registered VAT customer, please click <a href="%s">here</a> to enter you billing address for proper VAT calculation', Mage::getUrl('customer/address/edit'));
+ $userPrompt = $this->__('If you are a registered VAT customer, please click <a href="%s">here</a> to enter you billing address for proper VAT calculation',
+ $this->_getUrl('customer/address/edit'));
}
$this->_getSession()->addSuccess($userPrompt);
}
@@ -413,7 +544,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
Mage::app()->getStore()->getId()
);
- $successUrl = Mage::getUrl('*/*/index', array('_secure'=>true));
+ $successUrl = $this->_getUrl('*/*/index', array('_secure' => true));
if ($this->_getSession()->getBeforeAuthUrl()) {
$successUrl = $this->_getSession()->getBeforeAuthUrl(true);
}
@@ -425,7 +556,8 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
*/
public function confirmAction()
{
- if ($this->_getSession()->isLoggedIn()) {
+ $session = $this->_getSession();
+ if ($session->isLoggedIn()) {
$this->_redirect('*/*/');
return;
}
@@ -439,7 +571,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
// load customer by id (try/catch in case if it throws exceptions)
try {
- $customer = Mage::getModel('customer/customer')->load($id);
+ $customer = $this->_getModel('customer/customer')->load($id);
if ((!$customer) || (!$customer->getId())) {
throw new Exception('Failed to load customer by id.');
}
@@ -463,21 +595,22 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
throw new Exception($this->__('Failed to confirm customer account.'));
}
+ $session->renewSession();
// log in and send greeting email, then die happy
- $this->_getSession()->setCustomerAsLoggedIn($customer);
+ $session->setCustomerAsLoggedIn($customer);
$successUrl = $this->_welcomeCustomer($customer, true);
$this->_redirectSuccess($backUrl ? $backUrl : $successUrl);
return;
}
// die happy
- $this->_redirectSuccess(Mage::getUrl('*/*/index', array('_secure'=>true)));
+ $this->_redirectSuccess($this->_getUrl('*/*/index', array('_secure' => true)));
return;
}
catch (Exception $e) {
// die unhappy
$this->_getSession()->addError($e->getMessage());
- $this->_redirectError(Mage::getUrl('*/*/index', array('_secure'=>true)));
+ $this->_redirectError($this->_getUrl('*/*/index', array('_secure' => true)));
return;
}
}
@@ -487,7 +620,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
*/
public function confirmationAction()
{
- $customer = Mage::getModel('customer/customer');
+ $customer = $this->_getModel('customer/customer');
if ($this->_getSession()->isLoggedIn()) {
$this->_redirect('*/*/');
return;
@@ -508,10 +641,10 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
$this->_getSession()->addSuccess($this->__('This email does not require confirmation.'));
}
$this->_getSession()->setUsername($email);
- $this->_redirectSuccess(Mage::getUrl('*/*/index', array('_secure' => true)));
+ $this->_redirectSuccess($this->_getUrl('*/*/index', array('_secure' => true)));
} catch (Exception $e) {
$this->_getSession()->addException($e, $this->__('Wrong email.'));
- $this->_redirectError(Mage::getUrl('*/*/*', array('email' => $email, '_secure' => true)));
+ $this->_redirectError($this->_getUrl('*/*/*', array('email' => $email, '_secure' => true)));
}
return;
}
@@ -527,6 +660,18 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
}
/**
+ * Get Url method
+ *
+ * @param string $url
+ * @param array $params
+ * @return string
+ */
+ protected function _getUrl($url, $params = array())
+ {
+ return Mage::getUrl($url, $params);
+ }
+
+ /**
* Forgot customer password page
*/
public function forgotPasswordAction()
@@ -557,13 +702,13 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
}
/** @var $customer Mage_Customer_Model_Customer */
- $customer = Mage::getModel('customer/customer')
+ $customer = $this->_getModel('customer/customer')
->setWebsiteId(Mage::app()->getStore()->getWebsiteId())
->loadByEmail($email);
if ($customer->getId()) {
try {
- $newResetPasswordLinkToken = Mage::helper('customer')->generateResetPasswordLinkToken();
+ $newResetPasswordLinkToken = $this->_getHelper('customer')->generateResetPasswordLinkToken();
$customer->changeResetPasswordLinkToken($newResetPasswordLinkToken);
$customer->sendPasswordResetConfirmationEmail();
} catch (Exception $exception) {
@@ -573,7 +718,9 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
}
}
$this->_getSession()
- ->addSuccess(Mage::helper('customer')->__('If there is an account associated with %s you will receive an email with a link to reset your password.', Mage::helper('customer')->htmlEscape($email)));
+ ->addSuccess($this->_getHelper('customer')
+ ->__('If there is an account associated with %s you will receive an email with a link to reset your password.',
+ $this->_getHelper('customer')->escapeHtml($email)));
$this->_redirect('*/*/');
return;
} else {
@@ -602,16 +749,14 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
->setResetPasswordLinkToken($resetPasswordLinkToken);
$this->renderLayout();
} catch (Exception $exception) {
- $this->_getSession()->addError(Mage::helper('customer')->__('Your password reset link has expired.'));
+ $this->_getSession()->addError($this->_getHelper('customer')->__('Your password reset link has expired.'));
$this->_redirect('*/*/forgotpassword');
}
}
/**
* Reset forgotten password
- *
* Used to handle data recieved from reset forgotten password form
- *
*/
public function resetPasswordPostAction()
{
@@ -623,17 +768,17 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
try {
$this->_validateResetPasswordLinkToken($customerId, $resetPasswordLinkToken);
} catch (Exception $exception) {
- $this->_getSession()->addError(Mage::helper('customer')->__('Your password reset link has expired.'));
+ $this->_getSession()->addError($this->_getHelper('customer')->__('Your password reset link has expired.'));
$this->_redirect('*/*/');
return;
}
$errorMessages = array();
if (iconv_strlen($password) <= 0) {
- array_push($errorMessages, Mage::helper('customer')->__('New password field cannot be empty.'));
+ array_push($errorMessages, $this->_getHelper('customer')->__('New password field cannot be empty.'));
}
/** @var $customer Mage_Customer_Model_Customer */
- $customer = Mage::getModel('customer/customer')->load($customerId);
+ $customer = $this->_getModel('customer/customer')->load($customerId);
$customer->setPassword($password);
$customer->setConfirmation($passwordConfirmation);
@@ -660,7 +805,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
$customer->setRpTokenCreatedAt(null);
$customer->setConfirmation(null);
$customer->save();
- $this->_getSession()->addSuccess(Mage::helper('customer')->__('Your password has been updated.'));
+ $this->_getSession()->addSuccess($this->_getHelper('customer')->__('Your password has been updated.'));
$this->_redirect('*/*/login');
} catch (Exception $exception) {
$this->_getSession()->addException($exception, $this->__('Cannot save a new password.'));
@@ -687,18 +832,18 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
|| empty($customerId)
|| $customerId < 0
) {
- throw Mage::exception('Mage_Core', Mage::helper('customer')->__('Invalid password reset token.'));
+ throw Mage::exception('Mage_Core', $this->_getHelper('customer')->__('Invalid password reset token.'));
}
/** @var $customer Mage_Customer_Model_Customer */
- $customer = Mage::getModel('customer/customer')->load($customerId);
+ $customer = $this->_getModel('customer/customer')->load($customerId);
if (!$customer || !$customer->getId()) {
- throw Mage::exception('Mage_Core', Mage::helper('customer')->__('Wrong customer account specified.'));
+ throw Mage::exception('Mage_Core', $this->_getHelper('customer')->__('Wrong customer account specified.'));
}
$customerToken = $customer->getRpToken();
if (strcmp($customerToken, $resetPasswordLinkToken) != 0 || $customer->isResetPasswordLinkTokenExpired()) {
- throw Mage::exception('Mage_Core', Mage::helper('customer')->__('Your password reset link has expired.'));
+ throw Mage::exception('Mage_Core', $this->_getHelper('customer')->__('Your password reset link has expired.'));
}
}
@@ -720,7 +865,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
if (!empty($data)) {
$customer->addData($data);
}
- if ($this->getRequest()->getParam('changepass')==1){
+ if ($this->getRequest()->getParam('changepass') == 1) {
$customer->setChangePassword(1);
}
@@ -743,7 +888,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
$customer = $this->_getSession()->getCustomer();
/** @var $customerForm Mage_Customer_Model_Form */
- $customerForm = Mage::getModel('customer/form');
+ $customerForm = $this->_getModel('customer/form');
$customerForm->setFormCode('customer_account_edit')
->setEntity($customer);
@@ -764,7 +909,7 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
$confPass = $this->getRequest()->getPost('confirmation');
$oldPass = $this->_getSession()->getCustomer()->getPasswordHash();
- if (Mage::helper('core/string')->strpos($oldPass, ':')) {
+ if ($this->_getHelper('core/string')->strpos($oldPass, ':')) {
list($_salt, $salt) = explode(':', $oldPass);
} else {
$salt = false;
@@ -842,6 +987,6 @@ class Mage_Customer_AccountController extends Mage_Core_Controller_Front_Action
*/
protected function _isVatValidationEnabled($store = null)
{
- return Mage::helper('customer/address')->isVatValidationEnabled($store);
+ return $this->_getHelper('customer/address')->isVatValidationEnabled($store);
}
}
diff --git a/app/code/core/Mage/Wishlist/Helper/Data.php b/app/code/core/Mage/Wishlist/Helper/Data.php
index 93a1e7f..0b31102 100644
--- a/app/code/core/Mage/Wishlist/Helper/Data.php
+++ b/app/code/core/Mage/Wishlist/Helper/Data.php
@@ -135,11 +135,9 @@ class Mage_Wishlist_Helper_Data extends Mage_Core_Helper_Abstract
if (is_null($this->_wishlist)) {
if (Mage::registry('shared_wishlist')) {
$this->_wishlist = Mage::registry('shared_wishlist');
- }
- elseif (Mage::registry('wishlist')) {
+ } else if (Mage::registry('wishlist')) {
$this->_wishlist = Mage::registry('wishlist');
- }
- else {
+ } else {
$this->_wishlist = Mage::getModel('wishlist/wishlist');
if ($this->getCustomer()) {
$this->_wishlist->loadByCustomer($this->getCustomer());
@@ -260,8 +258,7 @@ class Mage_Wishlist_Helper_Data extends Mage_Core_Helper_Abstract
if ($product) {
if ($product->isVisibleInSiteVisibility()) {
$storeId = $product->getStoreId();
- }
- else if ($product->hasUrlDataObject()) {
+ } else if ($product->hasUrlDataObject()) {
$storeId = $product->getUrlDataObject()->getStoreId();
}
}
@@ -360,12 +357,12 @@ class Mage_Wishlist_Helper_Data extends Mage_Core_Helper_Abstract
$productId = $item->getProductId();
}
- if ($productId) {
- $params['product'] = $productId;
- return $this->_getUrlStore($item)->getUrl('wishlist/index/add', $params);
+ if (!$productId) {
+ return false;
}
-
- return false;
+ $params['product'] = $productId;
+ $params[Mage_Core_Model_Url::FORM_KEY] = $this->_getSingletonModel('core/session')->getFormKey();
+ return $this->_getUrlStore($item)->getUrl('wishlist/index/add', $params);
}
/**
@@ -376,24 +373,46 @@ class Mage_Wishlist_Helper_Data extends Mage_Core_Helper_Abstract
*/
public function getAddToCartUrl($item)
{
- $urlParamName = Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED;
- $continueUrl = Mage::helper('core')->urlEncode(
- Mage::getUrl('*/*/*', array(
+ $continueUrl = $this->_getHelperInstance('core')->urlEncode(
+ $this->_getUrl('*/*/*', array(
'_current' => true,
'_use_rewrite' => true,
'_store_to_url' => true,
))
);
-
- $urlParamName = Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED;
$params = array(
'item' => is_string($item) ? $item : $item->getWishlistItemId(),
- $urlParamName => $continueUrl
+ Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $continueUrl,
+ Mage_Core_Model_Url::FORM_KEY => $this->_getSingletonModel('core/session')->getFormKey()
);
+
return $this->_getUrlStore($item)->getUrl('wishlist/index/cart', $params);
}
/**
+ * Return helper instance
+ *
+ * @param string $helperName
+ * @return Mage_Core_Helper_Abstract
+ */
+ protected function _getHelperInstance($helperName)
+ {
+ return Mage::helper($helperName);
+ }
+
+ /**
+ * Return model instance
+ *
+ * @param string $className
+ * @param array $arguments
+ * @return Mage_Core_Model_Abstract
+ */
+ protected function _getSingletonModel($className, $arguments = array())
+ {
+ return Mage::getSingleton($className, $arguments);
+ }
+
+ /**
* Retrieve URL for adding item to shoping cart from shared wishlist
*
* @param string|Mage_Catalog_Model_Product|Mage_Wishlist_Model_Item $item
@@ -407,10 +426,10 @@ class Mage_Wishlist_Helper_Data extends Mage_Core_Helper_Abstract
'_store_to_url' => true,
)));
- $urlParamName = Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED;
$params = array(
'item' => is_string($item) ? $item : $item->getWishlistItemId(),
- $urlParamName => $continueUrl
+ Mage_Core_Controller_Front_Action::PARAM_NAME_URL_ENCODED => $continueUrl,
+ Mage_Core_Model_Url::FORM_KEY => $this->_getSingletonModel('core/session')->getFormKey()
);
return $this->_getUrlStore($item)->getUrl('wishlist/shared/cart', $params);
}
diff --git a/app/code/core/Mage/Wishlist/controllers/IndexController.php b/app/code/core/Mage/Wishlist/controllers/IndexController.php
index c750064..469ee08 100644
--- a/app/code/core/Mage/Wishlist/controllers/IndexController.php
+++ b/app/code/core/Mage/Wishlist/controllers/IndexController.php
@@ -48,6 +48,11 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
*/
protected $_skipAuthentication = false;
+ /**
+ * Extend preDispatch
+ *
+ * @return Mage_Core_Controller_Front_Action|void
+ */
public function preDispatch()
{
parent::preDispatch();
@@ -152,9 +157,24 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
/**
* Adding new item
+ *
+ * @return Mage_Core_Controller_Varien_Action|void
*/
public function addAction()
{
+ if (!$this->_validateFormKey()) {
+ return $this->_redirect('*/*');
+ }
+ $this->_addItemToWishList();
+ }
+
+ /**
+ * Add the item to wish list
+ *
+ * @return Mage_Core_Controller_Varien_Action|void
+ */
+ protected function _addItemToWishList()
+ {
$wishlist = $this->_getWishlist();
if (!$wishlist) {
return $this->norouteAction();
@@ -162,7 +182,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
$session = Mage::getSingleton('customer/session');
- $productId = (int) $this->getRequest()->getParam('product');
+ $productId = (int)$this->getRequest()->getParam('product');
if (!$productId) {
$this->_redirect('*/');
return;
@@ -192,9 +212,9 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
Mage::dispatchEvent(
'wishlist_add_product',
array(
- 'wishlist' => $wishlist,
- 'product' => $product,
- 'item' => $result
+ 'wishlist' => $wishlist,
+ 'product' => $product,
+ 'item' => $result
)
);
@@ -212,10 +232,10 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
Mage::helper('wishlist')->calculate();
- $message = $this->__('%1$s has been added to your wishlist. Click <a href="%2$s">here</a> to continue shopping.', $product->getName(), Mage::helper('core')->escapeUrl($referer));
+ $message = $this->__('%1$s has been added to your wishlist. Click <a href="%2$s">here</a> to continue shopping.',
+ $product->getName(), Mage::helper('core')->escapeUrl($referer));
$session->addSuccess($message);
- }
- catch (Mage_Core_Exception $e) {
+ } catch (Mage_Core_Exception $e) {
$session->addError($this->__('An error occurred while adding item to wishlist: %s', $e->getMessage()));
}
catch (Exception $e) {
@@ -337,7 +357,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
}
$post = $this->getRequest()->getPost();
- if($post && isset($post['description']) && is_array($post['description'])) {
+ if ($post && isset($post['description']) && is_array($post['description'])) {
$updatedItems = 0;
foreach ($post['description'] as $itemId => $description) {
@@ -393,8 +413,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
try {
$wishlist->save();
Mage::helper('wishlist')->calculate();
- }
- catch (Exception $e) {
+ } catch (Exception $e) {
Mage::getSingleton('customer/session')->addError($this->__('Can\'t update wishlist'));
}
}
@@ -428,7 +447,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
Mage::getSingleton('customer/session')->addError(
$this->__('An error occurred while deleting the item from wishlist: %s', $e->getMessage())
);
- } catch(Exception $e) {
+ } catch (Exception $e) {
Mage::getSingleton('customer/session')->addError(
$this->__('An error occurred while deleting the item from wishlist.')
);
@@ -447,6 +466,9 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
*/
public function cartAction()
{
+ if (!$this->_validateFormKey()) {
+ return $this->_redirect('*/*');
+ }
$itemId = (int) $this->getRequest()->getParam('item');
/* @var $item Mage_Wishlist_Model_Item */
@@ -536,7 +558,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
$cart = Mage::getSingleton('checkout/cart');
$session = Mage::getSingleton('checkout/session');
- try{
+ try {
$item = $cart->getQuote()->getItemById($itemId);
if (!$item) {
Mage::throwException(
@@ -632,7 +654,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
->createBlock('wishlist/share_email_rss')
->setWishlistId($wishlist->getId())
->toHtml();
- $message .=$rss_url;
+ $message .= $rss_url;
}
$wishlistBlock = $this->getLayout()->createBlock('wishlist/share_email_items')->toHtml();
@@ -641,19 +663,19 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
$emailModel = Mage::getModel('core/email_template');
$sharingCode = $wishlist->getSharingCode();
- foreach($emails as $email) {
+ foreach ($emails as $email) {
$emailModel->sendTransactional(
Mage::getStoreConfig('wishlist/email/email_template'),
Mage::getStoreConfig('wishlist/email/email_identity'),
$email,
null,
array(
- 'customer' => $customer,
- 'salable' => $wishlist->isSalable() ? 'yes' : '',
- 'items' => $wishlistBlock,
- 'addAllLink' => Mage::getUrl('*/shared/allcart', array('code' => $sharingCode)),
- 'viewOnSiteLink'=> Mage::getUrl('*/shared/index', array('code' => $sharingCode)),
- 'message' => $message
+ 'customer' => $customer,
+ 'salable' => $wishlist->isSalable() ? 'yes' : '',
+ 'items' => $wishlistBlock,
+ 'addAllLink' => Mage::getUrl('*/shared/allcart', array('code' => $sharingCode)),
+ 'viewOnSiteLink' => Mage::getUrl('*/shared/index', array('code' => $sharingCode)),
+ 'message' => $message
)
);
}
@@ -663,7 +685,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
$translate->setTranslateInline(true);
- Mage::dispatchEvent('wishlist_share', array('wishlist'=>$wishlist));
+ Mage::dispatchEvent('wishlist_share', array('wishlist' => $wishlist));
Mage::getSingleton('customer/session')->addSuccess(
$this->__('Your Wishlist has been shared.')
);
@@ -719,7 +741,7 @@ class Mage_Wishlist_IndexController extends Mage_Wishlist_Controller_Abstract
));
}
- } catch(Exception $e) {
+ } catch (Exception $e) {
$this->_forward('noRoute');
}
exit(0);
diff --git a/app/design/frontend/base/default/template/catalog/product/view.phtml b/app/design/frontend/base/default/template/catalog/product/view.phtml
index 5d9212f..fc34321 100644
--- a/app/design/frontend/base/default/template/catalog/product/view.phtml
+++ b/app/design/frontend/base/default/template/catalog/product/view.phtml
@@ -40,6 +40,7 @@
<div class="product-view">
<div class="product-essential">
<form action="<?php echo $this->getSubmitUrl($_product) ?>" method="post" id="product_addtocart_form"<?php if($_product->getOptions()): ?> enctype="multipart/form-data"<?php endif; ?>>
+ <?php echo $this->getBlockHtml('formkey') ?>
<div class="no-display">
<input type="hidden" name="product" value="<?php echo $_product->getId() ?>" />
<input type="hidden" name="related_product" id="related-products-field" value="" />
diff --git a/app/design/frontend/base/default/template/checkout/onepage/review/info.phtml b/app/design/frontend/base/default/template/checkout/onepage/review/info.phtml
index d98d00f..6336137 100644
--- a/app/design/frontend/base/default/template/checkout/onepage/review/info.phtml
+++ b/app/design/frontend/base/default/template/checkout/onepage/review/info.phtml
@@ -78,7 +78,7 @@
</div>
<script type="text/javascript">
//<![CDATA[
- review = new Review('<?php echo $this->getUrl('checkout/onepage/saveOrder') ?>', '<?php echo $this->getUrl('checkout/onepage/success') ?>', $('checkout-agreements'));
+ review = new Review('<?php echo $this->getUrl('checkout/onepage/saveOrder', array('form_key' => Mage::getSingleton('core/session')->getFormKey())) ?>', '<?php echo $this->getUrl('checkout/onepage/success') ?>', $('checkout-agreements'));
//]]>
</script>
</div>
diff --git a/app/design/frontend/base/default/template/sales/reorder/sidebar.phtml b/app/design/frontend/base/default/template/sales/reorder/sidebar.phtml
index 8d3490f..65c0329 100644
--- a/app/design/frontend/base/default/template/sales/reorder/sidebar.phtml
+++ b/app/design/frontend/base/default/template/sales/reorder/sidebar.phtml
@@ -38,6 +38,7 @@
<strong><span><?php echo $this->__('My Orders') ?></span></strong>
</div>
<form method="post" action="<?php echo $this->getFormActionUrl() ?>" id="reorder-validate-detail">
+ <?php echo $this->getBlockHtml('formkey'); ?>
<div class="block-content">
<p class="block-subtitle"><?php echo $this->__('Last Ordered Items') ?></p>
<ol id="cart-sidebar-reorder">
diff --git a/app/design/frontend/base/default/template/tag/customer/view.phtml b/app/design/frontend/base/default/template/tag/customer/view.phtml
index 23d7809..e8d2a3a 100644
--- a/app/design/frontend/base/default/template/tag/customer/view.phtml
+++ b/app/design/frontend/base/default/template/tag/customer/view.phtml
@@ -52,7 +52,9 @@
</td>
<td>
<?php if($_product->isSaleable()): ?>
- <button type="button" title="<?php echo $this->__('Add to Cart') ?>" class="button btn-cart" onclick="setLocation('<?php echo $this->getUrl('checkout/cart/add',array('product'=>$_product->getId())) ?>')"><span><span><?php echo $this->__('Add to Cart') ?></span></span></button>
+ <?php $params[Mage_Core_Model_Url::FORM_KEY] = Mage::getSingleton('core/session')->getFormKey() ?>
+ <?php $params['product'] = $_product->getId(); ?>
+ <button type="button" title="<?php echo $this->__('Add to Cart') ?>" class="button btn-cart" onclick="setLocation('<?php echo $this->getUrl('checkout/cart/add', $params) ?>')"><span><span><?php echo $this->__('Add to Cart') ?></span></span></button>
<?php endif; ?>
<?php if ($this->helper('wishlist')->isAllow()) : ?>
<ul class="add-to-links">
--
1.7.11.1
@davidalger
Copy link
Author

For details on this, please refer to this post on Magento SE: http://magento.stackexchange.com/a/3332/128

DISCLAIMER: I have NOT TESTED this patch. The patch provided here is provided with NO WARRANTY and may or may not fully resolve the vulnerabilities referenced in the CE 1.8 release notes. As an untested patch, there is also no guarantee that it functions in whole or part. I.e. use at your own risk, and take due diligence to test before deploying to a production environment. If you find issues with the patch, let me know and I'll update it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment