<?php
namespace eLife\Journal\Controller;
use eLife\Patterns\ViewModel\ContentHeader;
use GuzzleHttp\Psr7\Uri;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\KernelInterface;
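final class SubmitController extends Controller
{
    /**
     * Hands an authenticated user off to the submission system with a freshly generated token.
     *
     * The token is appended to the redirect target, so when a `return_url` is supplied its host is
     * validated against the `submit_url_redirects` parameter before any token is generated: an
     * untrusted or unparsable `return_url` is answered with a 400, never with a redirect.
     *
     * @throws NotFoundHttpException   when the FEATURE_XPUB grant is missing
     * @throws BadRequestHttpException when `return_url` is not a string, cannot be parsed, or its host is not allowed
     */
    public function redirectAction(Request $request) : Response
    {
        if (!$this->isGranted('FEATURE_XPUB')) {
            throw new NotFoundHttpException('Not allowed to see xPub');
        }

        $user = $this->get('security.token_storage')->getToken()->getUser();

        // If a return url is specified, check that it is from a trusted host before issuing a token for it.
        $returnUrl = $request->query->get('return_url', null);
        if (is_null($returnUrl)) {
            // remove this case once libero reviewer is live and xpub retired
            $returnUrl = $this->getParameter('submit_url');
        } else {
            // A repeated parameter (return_url[]=...) arrives as an array; that is a client error, not a 500.
            if (!is_string($returnUrl)) {
                throw new BadRequestHttpException();
            }
            $this->assertTrustedReturnUrl($returnUrl);
        }

        if (!$this->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
            // Not logged in yet: forward to the auth flow and remember that we came from "submit".
            $path = [
                '_forwarded' => $request->attributes,
                '_controller' => 'AppBundle:Auth:redirect',
            ];
            $subRequest = $request->duplicate(null, null, $path);
            $subRequest->headers->set('Referer', $request->getUri());
            $subRequest->getSession()->set('journal.submit', true);

            return $this->get('kernel')->handle($subRequest, KernelInterface::SUB_REQUEST);
        }

        // The session flag is consumed here so it only influences the first token after login.
        $jwt = $this->get('elife.journal.security.xpub.token_generator')->generate($user, $request->getSession()->remove('journal.submit') ?? false);

        // remove this case once libero reviewer is live and xpub retired, only return token in query afterwards
        $redirectUrl = "{$returnUrl}#{$jwt}";

        // return in query arg if specified
        $tokenInQueryArg = $request->query->get('token_in_query', false);
        if ($tokenInQueryArg) {
            $redirectUrl = Uri::withQueryValue(new Uri($returnUrl), 'token', $jwt);
        }

        return new RedirectResponse($redirectUrl);
    }

    /**
     * Rejects a `return_url` whose host is not matched by one of the `submit_url_redirects` patterns.
     *
     * Each configured pattern is applied to the whole host (anchored with `^...$`), so a pattern can only
     * be satisfied by a host it fully describes, not by a host that merely contains it. Patterns are used
     * as regular expression fragments, as before.
     *
     * @param string $returnUrl raw value of the `return_url` query parameter
     *
     * @throws BadRequestHttpException when the url cannot be parsed, has no host, or the host is not allowed
     */
    private function assertTrustedReturnUrl(string $returnUrl)
    {
        try {
            $host = (new Uri($returnUrl))->getHost();
        } catch (\InvalidArgumentException $e) {
            // Guzzle rejects a malformed url with an exception; surface it as a client error.
            throw new BadRequestHttpException('Invalid return_url', $e);
        }

        // A url without a host (e.g. a bare path or a non-network scheme) can never be on the allow-list.
        if ('' === $host) {
            throw new BadRequestHttpException();
        }

        foreach ($this->getParameter('submit_url_redirects') as $allowed) {
            // Strict comparison: preg_match() returns false (not 0) when the pattern itself is invalid.
            if (1 === preg_match('/^(?:'.$allowed.')$/', $host)) {
                return;
            }
        }

        throw new BadRequestHttpException();
    }

    /**
     * Renders the static "Submit your research" page.
     */
    public function submitAction(Request $request) : Response
    {
        $arguments = $this->defaultPageArguments($request);

        $arguments['title'] = 'Submit your research';

        $arguments['contentHeader'] = new ContentHeader(
            'Submit your research',
            null,
            'Submit your research'
        );

        return new Response($this->get('templating')->render('::submit-your-research.html.twig', $arguments));
    }
}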