Allow to disable encryption of params

arrilot · arrilot · commit 82b95fffc38b · 2017-11-06T03:41:04.000+03:00
diff --git a/README.md b/README.md
@@ -214,9 +214,12 @@ In some situations it can be very beneficial to load widget content with AJAX.
 Fortunately, this can be achieved very easily!
 All you need to do is to change facade or blade directive - `Widget::` => `AsyncWidget::`, `@widget` => `@asyncWidget`
 
-> Note: Widget params are encrypted and sent via ajax call. Expect them to be json_encoded and json_decoded afterwards.
+Widget params are encrypted (by default) and sent via ajax call under the hood. So expect them to be `json_encoded()` and `json_decoded()` afterwards.
 
-> Note: Since version 3.1 you no longer need `jquery` to make ajax calls. However you can set `use_jquery_for_ajax_calls` to `true` in the config file if you want to.
+> Note: You can turn encryption off for a given widget by setting `public $encryptParams = false;` on it. However, this action makes widget params publicly accessible, so please make sure you do not leave any vulnerabilities.
+For example, if you pass something like user_id through widget params and turn encryption off, you do need to add one more access check inside the widget.
+
+> Note: You can set `use_jquery_for_ajax_calls` to `true` in the config file to use it for ajax calls if you want to.
 
 By default nothing is shown until ajax call is finished.
 
diff --git a/src/AbstractWidget.php b/src/AbstractWidget.php
@@ -20,6 +20,14 @@ abstract class AbstractWidget
      */
     public $cacheTime = false;
 
+    /**
+     * Should widget params be encrypted before sending them to /arrilot/load-widget?
+     * Turning encryption off can help with making custom reloads from javascript, but makes widget params publicly accessible.
+     *
+     * @var bool
+     */
+    public $encryptParams = true;
+
     /**
      * The configuration array.
      *
diff --git a/src/Controllers/WidgetController.php b/src/Controllers/WidgetController.php
@@ -22,9 +22,14 @@ public function showWidget(Request $request)
 
         $factory = app()->make('arrilot.widget');
         $widgetName = $request->input('name', '');
-        $widgetParams = $factory->decryptWidgetParams($request->input('params', ''));
 
-        return call_user_func_array([$factory, $widgetName], $widgetParams);
+        $widgetParams = $request->input('skip_encryption', '')
+            ? $request->input('params', '')
+            : $factory->decryptWidgetParams($request->input('params', ''));
+
+        $decodedParams = json_decode($widgetParams, true);
+
+        return call_user_func_array([$factory, $widgetName], $decodedParams ?: []);
     }
 
     /**
@@ -36,5 +41,8 @@ protected function prepareGlobals(Request $request)
     {
         WidgetId::set($request->input('id', 1) - 1);
         AbstractWidgetFactory::$skipWidgetContainer = true;
+        if ($request->input('skip_encryption', '')) {
+            AbstractWidgetFactory::$allowOnlyWidgetsWithDisabledEncryption = true;
+        }
     }
 }
diff --git a/src/Factories/AbstractWidgetFactory.php b/src/Factories/AbstractWidgetFactory.php
@@ -4,6 +4,7 @@
 
 use Arrilot\Widgets\AbstractWidget;
 use Arrilot\Widgets\Contracts\ApplicationWrapperContract;
+use Arrilot\Widgets\Misc\EncryptException;
 use Arrilot\Widgets\Misc\InvalidWidgetClassException;
 use Arrilot\Widgets\Misc\ViewExpressionTrait;
 use Arrilot\Widgets\WidgetId;
@@ -68,6 +69,13 @@ abstract class AbstractWidgetFactory
      */
     public static $skipWidgetContainer = false;
 
+    /**
+     * The flag for not wrapping content in a special container.
+     *
+     * @var bool
+     */
+    public static $allowOnlyWidgetsWithDisabledEncryption = false;
+
     /**
      * Constructor.
      *
@@ -101,6 +109,7 @@ public function __call($widgetName, array $params = [])
      * @param $params
      *
      * @throws InvalidWidgetClassException
+     * @throws EncryptException
      */
     protected function instantiateWidget(array $params = [])
     {
@@ -117,10 +126,14 @@ protected function instantiateWidget(array $params = [])
         $widgetClass = class_exists($fqcn) ? $fqcn : $this->widgetName;
 
         if (!is_subclass_of($widgetClass, 'Arrilot\Widgets\AbstractWidget')) {
-            throw new InvalidWidgetClassException('Class "'.$widgetClass.'" must extend "Arrilot\Widgets\AbstractWidget" class');
+            throw new InvalidWidgetClassException('Class "'.$widgetClass.'" must exist and extend "Arrilot\Widgets\AbstractWidget" class');
         }
 
         $this->widget = new $widgetClass($this->widgetConfig);
+
+        if (static::$allowOnlyWidgetsWithDisabledEncryption && $this->widget->encryptParams) {
+            throw new EncryptException('Widget "'.$widgetClass.'" was not called properly');
+        }
     }
 
     /**
@@ -159,26 +172,24 @@ protected function wrapContentInContainer($content)
     /**
      * Encrypt widget params to be transported via HTTP.
      *
-     * @param array $params
+     * @param string $params
      *
      * @return string
      */
     public function encryptWidgetParams($params)
     {
-        return $this->app->make('encrypter')->encrypt(json_encode($params));
+        return $this->app->make('encrypter')->encrypt($params);
     }
 
     /**
      * Decrypt widget params that were transported via HTTP.
      *
      * @param string $params
      *
-     * @return array
+     * @return string
      */
     public function decryptWidgetParams($params)
     {
-        $params = json_decode($this->app->make('encrypter')->decrypt($params), true);
-
-        return $params ? $params : [];
+        return $this->app->make('encrypter')->decrypt($params);
     }
 }
diff --git a/src/Factories/AsyncWidgetFactory.php b/src/Factories/AsyncWidgetFactory.php
@@ -14,7 +14,7 @@ public function run()
         $this->instantiateWidget(func_get_args());
 
         $placeholder = call_user_func([$this->widget, 'placeholder']);
-        $loader = $this->javascriptFactory->getLoader();
+        $loader = $this->javascriptFactory->getLoader($this->widget->encryptParams);
         $content = $this->wrapContentInContainer($placeholder.$loader);
 
         return $this->convertToViewExpression($content);
diff --git a/src/Factories/JavascriptFactory.php b/src/Factories/JavascriptFactory.php
@@ -31,31 +31,34 @@ public function __construct(AbstractWidgetFactory $widgetFactory)
     /**
      * Construct javascript code to load the widget.
      *
+     * @param bool $encryptParams
+     *
      * @return string
      */
-    public function getLoader()
+    public function getLoader($encryptParams = true)
     {
         return
             '<script type="text/javascript">'.
-                $this->constructAjaxCall().
+                $this->constructAjaxCall($encryptParams).
             '</script>';
     }
 
     /**
      * Construct javascript code to reload the widget.
      *
      * @param float|int $timeout
+     * @param bool $encryptParams
      *
      * @return string
      */
-    public function getReloader($timeout)
+    public function getReloader($timeout, $encryptParams = true)
     {
         $timeout = $timeout * 1000;
 
         return
             '<script type="text/javascript">'.
                 'setTimeout( function() {'.
-                    $this->constructAjaxCall().
+                    $this->constructAjaxCall($encryptParams).
                 '}, '.$timeout.')'.
             '</script>';
     }
@@ -83,15 +86,21 @@ protected function useJquery()
     /**
      * Construct ajax call for loaders.
      *
+     * @param bool $encryptParams
+     *
      * @return string
      */
-    protected function constructAjaxCall()
+    protected function constructAjaxCall($encryptParams = true)
     {
+        $encodedParams = json_encode($this->widgetFactory->widgetFullParams);
         $queryParams = [
             'id'     => WidgetId::get(),
             'name'   => $this->widgetFactory->widgetName,
-            'params' => $this->widgetFactory->encryptWidgetParams($this->widgetFactory->widgetFullParams),
+            'params' => $encryptParams ? $this->widgetFactory->encryptWidgetParams($encodedParams) : $encodedParams,
         ];
+        if (!$encryptParams) {
+            $queryParams['skip_encryption'] = 1;
+        }
 
         $url = $this->ajaxLink.'?'.http_build_query($queryParams);
 
diff --git a/src/Factories/WidgetFactory.php b/src/Factories/WidgetFactory.php
@@ -17,7 +17,7 @@ public function run()
         $content = $this->getContentFromCache($args);
 
         if ($timeout = (float) $this->getReloadTimeout()) {
-            $content .= $this->javascriptFactory->getReloader($timeout);
+            $content .= $this->javascriptFactory->getReloader($timeout, $this->widget->encryptParams);
             $content = $this->wrapContentInContainer($content);
         }
 
diff --git a/src/Misc/EncryptException.php b/src/Misc/EncryptException.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace Arrilot\Widgets\Misc;
+
+use Exception;
+
+class EncryptException extends Exception
+{
+
+}

Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,14 @@ public function showWidget(Request $request)`
`22`	`22`
`23`	`23`	`$factory = app()->make('arrilot.widget');`
`24`	`24`	`$widgetName = $request->input('name', '');`
`25`		`- $widgetParams = $factory->decryptWidgetParams($request->input('params', ''));`
`26`	`25`
`27`		`- return call_user_func_array([$factory, $widgetName], $widgetParams);`
	`26`	`+ $widgetParams = $request->input('skip_encryption', '')`
	`27`	`+ ? $request->input('params', '')`
	`28`	`+ : $factory->decryptWidgetParams($request->input('params', ''));`
	`29`	`+`
	`30`	`+ $decodedParams = json_decode($widgetParams, true);`
	`31`	`+`
	`32`	`+ return call_user_func_array([$factory, $widgetName], $decodedParams ?: []);`
`28`	`33`	`}`
`29`	`34`
`30`	`35`	`/**`
`@@ -36,5 +41,8 @@ protected function prepareGlobals(Request $request)`
`36`	`41`	`{`
`37`	`42`	`WidgetId::set($request->input('id', 1) - 1);`
`38`	`43`	`AbstractWidgetFactory::$skipWidgetContainer = true;`
	`44`	`+ if ($request->input('skip_encryption', '')) {`
	`45`	`+ AbstractWidgetFactory::$allowOnlyWidgetsWithDisabledEncryption = true;`
	`46`	`+ }`
`39`	`47`	`}`
`40`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`
`5`	`5`	`use Arrilot\Widgets\AbstractWidget;`
`6`	`6`	`use Arrilot\Widgets\Contracts\ApplicationWrapperContract;`
	`7`	`+use Arrilot\Widgets\Misc\EncryptException;`
`7`	`8`	`use Arrilot\Widgets\Misc\InvalidWidgetClassException;`
`8`	`9`	`use Arrilot\Widgets\Misc\ViewExpressionTrait;`
`9`	`10`	`use Arrilot\Widgets\WidgetId;`
`@@ -68,6 +69,13 @@ abstract class AbstractWidgetFactory`
`68`	`69`	`*/`
`69`	`70`	`public static $skipWidgetContainer = false;`
`70`	`71`
	`72`	`+ /**`
	`73`	`+ * The flag for not wrapping content in a special container.`
	`74`	`+ *`
	`75`	`+ * @var bool`
	`76`	`+ */`
	`77`	`+ public static $allowOnlyWidgetsWithDisabledEncryption = false;`
	`78`	`+`
`71`	`79`	`/**`
`72`	`80`	`* Constructor.`
`73`	`81`	`*`
`@@ -101,6 +109,7 @@ public function __call($widgetName, array $params = [])`
`101`	`109`	`* @param $params`
`102`	`110`	`*`
`103`	`111`	`* @throws InvalidWidgetClassException`
	`112`	`+ * @throws EncryptException`
`104`	`113`	`*/`
`105`	`114`	`protected function instantiateWidget(array $params = [])`
`106`	`115`	`{`
`@@ -117,10 +126,14 @@ protected function instantiateWidget(array $params = [])`
`117`	`126`	`$widgetClass = class_exists($fqcn) ? $fqcn : $this->widgetName;`
`118`	`127`
`119`	`128`	`if (!is_subclass_of($widgetClass, 'Arrilot\Widgets\AbstractWidget')) {`
`120`		`- throw new InvalidWidgetClassException('Class "'.$widgetClass.'" must extend "Arrilot\Widgets\AbstractWidget" class');`
	`129`	`+ throw new InvalidWidgetClassException('Class "'.$widgetClass.'" must exist and extend "Arrilot\Widgets\AbstractWidget" class');`
`121`	`130`	`}`
`122`	`131`
`123`	`132`	`$this->widget = new $widgetClass($this->widgetConfig);`
	`133`	`+`
	`134`	`+ if (static::$allowOnlyWidgetsWithDisabledEncryption && $this->widget->encryptParams) {`
	`135`	`+ throw new EncryptException('Widget "'.$widgetClass.'" was not called properly');`
	`136`	`+ }`
`124`	`137`	`}`
`125`	`138`
`126`	`139`	`/**`
`@@ -159,26 +172,24 @@ protected function wrapContentInContainer($content)`
`159`	`172`	`/**`
`160`	`173`	`* Encrypt widget params to be transported via HTTP.`
`161`	`174`	`*`
`162`		`- * @param array $params`
	`175`	`+ * @param string $params`
`163`	`176`	`*`
`164`	`177`	`* @return string`
`165`	`178`	`*/`
`166`	`179`	`public function encryptWidgetParams($params)`
`167`	`180`	`{`
`168`		`- return $this->app->make('encrypter')->encrypt(json_encode($params));`
	`181`	`+ return $this->app->make('encrypter')->encrypt($params);`
`169`	`182`	`}`
`170`	`183`
`171`	`184`	`/**`
`172`	`185`	`* Decrypt widget params that were transported via HTTP.`
`173`	`186`	`*`
`174`	`187`	`* @param string $params`
`175`	`188`	`*`
`176`		`- * @return array`
	`189`	`+ * @return string`
`177`	`190`	`*/`
`178`	`191`	`public function decryptWidgetParams($params)`
`179`	`192`	`{`
`180`		`- $params = json_decode($this->app->make('encrypter')->decrypt($params), true);`
`181`		`-`
`182`		`- return $params ? $params : [];`
	`193`	`+ return $this->app->make('encrypter')->decrypt($params);`
`183`	`194`	`}`
`184`	`195`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ public function run()`
`17`	`17`	`$content = $this->getContentFromCache($args);`
`18`	`18`
`19`	`19`	`if ($timeout = (float) $this->getReloadTimeout()) {`
`20`		`- $content .= $this->javascriptFactory->getReloader($timeout);`
	`20`	`+ $content .= $this->javascriptFactory->getReloader($timeout, $this->widget->encryptParams);`
`21`	`21`	`$content = $this->wrapContentInContainer($content);`
`22`	`22`	`}`
`23`	`23`