Merge pull request #398 from oat-sa/feature/csrf-token-option

Feature/csrf token option
oat-sa · Mar 25, 2016 · 43b84ec · 43b84ec
2 parents f6dbc1a + b18b8c4
commit 43b84ec
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 7 deletions.
diff --git a/actions/class.Runner.php b/actions/class.Runner.php
@@ -114,21 +114,26 @@ protected function getServiceContext($check = true, $checkToken = true)
             $testCompilation = $this->getRequestParameter('testCompilation');
 
             if ($checkToken) {
-                $csrfToken = $this->getRequestParameter('X-Auth-Token');
-                if (!$this->getCsrf()->checkCsrfToken($csrfToken)) {
-                    \common_Logger::w("CSRF attempt! The token $csrfToken is no longer valid!");
-                    throw new \common_exception_Unauthorized();
+
+                $config = $this->runnerService->getTestConfig()->getConfigValue('security');
+                if(isset($config['csrfToken']) && $config['csrfToken'] == true){
+
+                    $csrfToken = $this->getRequestParameter('X-Auth-Token');
+                    if (!$this->getCsrf()->checkCsrfToken($csrfToken)) {
+                        \common_Logger::w("CSRF attempt! The token $csrfToken is no longer valid!");
+                        throw new \common_exception_Unauthorized();
+                    }
                 }
             }
 
             if ($this->hasRequestParameter('testServiceCallId')) {
                 $testExecution = $this->getRequestParameter('testServiceCallId');
             } else {
                 $testExecution = $this->getRequestParameter('serviceCallId');
-            }  
+            }
             $this->serviceContext = $this->runnerService->getServiceContext($testDefinition, $testCompilation, $testExecution, $check);
         }
-        
+
         return $this->serviceContext;
     }
 

diff --git a/config/default/testRunner.conf.php b/config/default/testRunner.conf.php
@@ -133,4 +133,11 @@
      * @type array
      */
     'plugins' => null,
+
+
+    /**
+     * Enable the cross site request forgery token
+     * @type boolean
+     */
+    'csrf-token' => true
 );
diff --git a/manifest.php b/manifest.php
@@ -33,7 +33,7 @@
     'label' => 'QTI test model',
 	'description' => 'TAO QTI test implementation',
     'license' => 'GPL-2.0',
-    'version' => '2.21.1',
+    'version' => '2.22.0',
 	'author' => 'Open Assessment Technologies',
     'requires' => array(
         'taoTests' => '>=2.13',

diff --git a/models/classes/runner/config/QtiRunnerConfig.php b/models/classes/runner/config/QtiRunnerConfig.php
@@ -66,6 +66,9 @@ public function getConfig()
                 'nextSection' => !empty($rawConfig['next-section']),
                 'resetTimerAfterResume' => !empty($rawConfig['reset-timer-after-resume']),
                 'plugins' => isset($rawConfig['plugins']) ? $rawConfig['plugins'] : null,
+                'security' => [ 
+                    'csrfToken' => isset($rawConfig['csrf-token']) ? $rawConfig['csrf-token'] : false,
+                ]
             ];
         }
         return $this->config;

diff --git a/scripts/update/Updater.php b/scripts/update/Updater.php
@@ -269,5 +269,15 @@ public function update($initialVersion) {
         }
 
         $this->skip('2.20.0','2.21.1');
+
+        if ($this->isVersion('2.21.1')) {
+            $extension = \common_ext_ExtensionsManager::singleton()->getExtensionById('taoQtiTest');
+            $config = $extension->getConfig('testRunner');
+            $extension->setConfig('testRunner', array_merge($config, array(
+                'csrf-token' => true
+            )));
+
+            $this->setVersion('2.22.0');
+        }
     }
 }