Update packages (#396)

 - nette/application updated from v3.2.5 to v3.2.6 patch
   See changes: nette/[email protected]
   Release notes: https://github.com/nette/application/releases/tag/v3.2.6

 - nette/php-generator updated from v4.1.5 to v4.1.6 patch
   See changes: nette/[email protected]
   Release notes: https://github.com/nette/php-generator/releases/tag/v4.1.6

 - phpstan/phpdoc-parser updated from 1.30.0 to 1.32.0 minor
   See changes: phpstan/[email protected]
   Release notes: https://github.com/phpstan/phpdoc-parser/releases/tag/1.32.0

 - phpstan/phpstan updated from 1.12.2 to 1.12.5 patch
   See changes: phpstan/[email protected]
   Release notes: https://github.com/phpstan/phpstan/releases/tag/1.12.5

 - phpstan/phpstan-deprecation-rules updated from 1.2.0 to 1.2.1 patch
   See changes: phpstan/[email protected]
   Release notes: https://github.com/phpstan/phpstan-deprecation-rules/releases/tag/1.2.1

 - psalm/phar updated from 5.25.0 to 5.26.1 minor
   See changes: psalm/[email protected]
   Release notes: https://github.com/psalm/phar/releases/tag/5.26.1

 - psr/log updated from 3.0.1 to 3.0.2 patch
   See changes: php-fig/[email protected]
   Release notes: https://github.com/php-fig/log/releases/tag/3.0.2

 - roave/security-advisories updated from dev-latest@f654794 to dev-latest@5bd374d
   See changes: Roave/SecurityAdvisories@f654794...5bd374d

 - spaze/phpcs-phar updated from 3.10.2 to 3.10.3 patch
   See changes: spaze/[email protected]
   Release notes: https://github.com/spaze/phpcs-phar/releases/tag/3.10.3

 - symfony/cache updated from v7.1.4 to v7.1.5 patch
   See changes: symfony/[email protected]
   Release notes: https://github.com/symfony/cache/releases/tag/v7.1.5

 - symfony/filesystem updated from v7.1.2 to v7.1.5 patch
   See changes: symfony/[email protected]
   Release notes: https://github.com/symfony/filesystem/releases/tag/v7.1.5

 - symfony/translation updated from v7.1.3 to v7.1.5 patch
   See changes: symfony/[email protected]
   Release notes: https://github.com/symfony/translation/releases/tag/v7.1.5

site/app/Form/PostFormFactory.php

@@ -128,16 +128,16 @@ public function create(callable $onSuccessAdd, callable $onSuccessEdit, DefaultT
  $caption = $this->translator->translate('messages.label.preview');
  $previewButton = $form->addSubmit('preview', $caption);
  $previewButton->setHtmlAttribute('data-loading-value', 'Moment…')
- ->setHtmlAttribute('data-original-value', $caption)
-  ->onClick[] = function () use ($form, $post, $template, $sendTemplate): void {
-  $this->blogPostPreview->sendPreview(
-  function () use ($form, $post): BlogPost {
-  return $this->buildPost($form->getFormValues(), $post?->getId());
-  },
-  $template,
-  $sendTemplate,
-  );
-  };
+ ->setHtmlAttribute('data-original-value', $caption);
+ $previewButton->onClick[] = function () use ($form, $post, $template, $sendTemplate): void {
+ $this->blogPostPreview->sendPreview(
+ function () use ($form, $post): BlogPost {
+ return $this->buildPost($form->getFormValues(), $post?->getId());
+ },
+ $template,
+ $sendTemplate,
+ );
+ };
 
  $form->onValidate[] = function (UiForm $form) use ($previewButton, $post, $previewKeyInput): void {
  if ($form->isSubmitted() !== $previewButton) {

site/tests/Http/FetchMetadata/ResourceIsolationPolicyTest.phpt

@@ -1,17 +1,22 @@
 <?php
+/** @noinspection PhpDocMissingThrowsInspection */
 /** @noinspection PhpUnhandledExceptionInspection */
 declare(strict_types = 1);
 
 namespace MichalSpacekCz\Http\FetchMetadata;
 
+use DateTime;
 use MichalSpacekCz\Test\Application\ApplicationPresenter;
+use MichalSpacekCz\Test\Articles\ArticlesMock;
 use MichalSpacekCz\Test\Http\Request;
 use MichalSpacekCz\Test\Http\Response;
 use MichalSpacekCz\Test\NullLogger;
 use MichalSpacekCz\Test\PrivateProperty;
 use MichalSpacekCz\Test\TestCaseRunner;
 use Nette\Application\Application;
+use Nette\Application\IPresenter;
 use Nette\Application\Request as NetteRequest;
+use Nette\Application\UI\Presenter;
 use Nette\Http\IRequest;
 use Nette\Http\IResponse;
 use Nette\Utils\Helpers;
@@ -35,6 +40,7 @@ class ResourceIsolationPolicyTest extends TestCase
  private readonly NullLogger $logger,
  private readonly FetchMetadata $fetchMetadata,
  private readonly ApplicationPresenter $applicationPresenter,
+ private readonly ArticlesMock $articles,
  ) {
  }
 
@@ -43,6 +49,11 @@ class ResourceIsolationPolicyTest extends TestCase
  protected function setUp(): void
  {
  $this->httpResponse->setCode(IResponse::S200_OK);
+ $this->application->onPresenter[] = function (Application $application, IPresenter $presenter): void {
+ if ($presenter instanceof Presenter) {
+ $presenter->autoCanonicalize = false;
+ }
+ };
  }
 
 
@@ -118,20 +129,68 @@ class ResourceIsolationPolicyTest extends TestCase
  }
 
 
- private function installPolicy(bool $readOnly): void
+ public function testCrossSiteNavigationsEnforcingPolicy(): void
  {
- $this->httpRequest->setMethod(IRequest::Get);
+ $this->httpRequest->setHeader(FetchMetadataHeader::Site->value, 'cross-site');
+ $this->httpRequest->setHeader(FetchMetadataHeader::Mode->value, 'navigate');
+
+ $this->installPolicy(false, IRequest::Post);
+ $content = $this->callPresenterAction();
+ Assert::notContains('messages.homepage.aboutme', $content);
+ Assert::contains('messages.forbidden.crossSite', $content);
+ Assert::same(IResponse::S403_Forbidden, $this->httpResponse->getCode());
+
+ $this->installPolicy(false);
+ $content = $this->callPresenterAction();
+ Assert::contains('messages.homepage.aboutme', $content);
+ Assert::notContains('messages.forbidden.crossSite', $content);
+ Assert::same(IResponse::S403_Forbidden, $this->httpResponse->getCode());
+
+ $this->httpRequest->setHeader(FetchMetadataHeader::Dest->value, 'object');
+ $content = $this->callPresenterAction();
+ Assert::notContains('messages.homepage.aboutme', $content);
+ Assert::contains('messages.forbidden.crossSite', $content);
+ Assert::same(IResponse::S403_Forbidden, $this->httpResponse->getCode());
+
+ $this->httpRequest->setHeader(FetchMetadataHeader::Dest->value, 'embed');
+ $content = $this->callPresenterAction();
+ Assert::notContains('messages.homepage.aboutme', $content);
+ Assert::contains('messages.forbidden.crossSite', $content);
+ Assert::same(IResponse::S403_Forbidden, $this->httpResponse->getCode());
+ }
+
+
+ public function testCallableCrossSiteEnforcingPolicy(): void
+ {
+ $this->installPolicy(false);
+ $this->httpRequest->setHeader(FetchMetadataHeader::Site->value, 'cross-site');
+ $this->articles->addBlogPost(1, new DateTime(), 'blog post');
+
+ $content = $this->callPresenterAction('Www:Exports', [Presenter::ActionKey => 'articles']);
+ Assert::contains('Title blog post', $content);
+ Assert::notContains('messages.forbidden.crossSite', $content);
+ Assert::same(IResponse::S200_OK, $this->httpResponse->getCode());
+ }
+
+
+ private function installPolicy(bool $readOnly, string $httpMethod = IRequest::Get): void
+ {
+ $this->httpRequest->setMethod($httpMethod);
  $presenter = $this->applicationPresenter->createUiPresenter(self::PRESENTER_NAME, 'Foo', 'bar');
  PrivateProperty::setValue($this->application, 'presenter', $presenter);
  $resourceIsolationPolicy = new ResourceIsolationPolicy($this->fetchMetadata, $this->httpRequest, $this->application, $readOnly);
  $resourceIsolationPolicy->install();
  }
 
 
- private function callPresenterAction(): string
+ /**
+ * @param array<string, string> $params
+ */
+ private function callPresenterAction(string $presenterName = self::PRESENTER_NAME, array $params = ['foo' => 'bar', 'waldo' => 'fred']): string
  {
- return Helpers::capture(function (): void {
- $this->application->processRequest(new NetteRequest(self::PRESENTER_NAME, params: ['foo' => 'bar', 'waldo' => 'fred']));
+ return Helpers::capture(function () use ($presenterName, $params): void {
+ $request = new NetteRequest($presenterName, $this->httpRequest->getMethod(), params: $params);
+ $this->application->processRequest($request);
  });
  }
 

site/vendor/composer/autoload_classmap.php

@@ -545,6 +545,7 @@
  'Nette\\OutOfRangeException' => $vendorDir . '/nette/utils/src/exceptions.php',
  'Nette\\PhpGenerator\\Attribute' => $vendorDir . '/nette/php-generator/src/PhpGenerator/Attribute.php',
  'Nette\\PhpGenerator\\ClassLike' => $vendorDir . '/nette/php-generator/src/PhpGenerator/ClassLike.php',
+ 'Nette\\PhpGenerator\\ClassManipulator' => $vendorDir . '/nette/php-generator/src/PhpGenerator/ClassManipulator.php',
  'Nette\\PhpGenerator\\ClassType' => $vendorDir . '/nette/php-generator/src/PhpGenerator/ClassType.php',
  'Nette\\PhpGenerator\\Closure' => $vendorDir . '/nette/php-generator/src/PhpGenerator/Closure.php',
  'Nette\\PhpGenerator\\Constant' => $vendorDir . '/nette/php-generator/src/PhpGenerator/Constant.php',

site/vendor/composer/autoload_static.php

@@ -753,6 +753,7 @@ class ComposerStaticInit247de957f14f643f393d210a332dd05b
  'Nette\\OutOfRangeException' => __DIR__ . '/..' . '/nette/utils/src/exceptions.php',
  'Nette\\PhpGenerator\\Attribute' => __DIR__ . '/..' . '/nette/php-generator/src/PhpGenerator/Attribute.php',
  'Nette\\PhpGenerator\\ClassLike' => __DIR__ . '/..' . '/nette/php-generator/src/PhpGenerator/ClassLike.php',
+ 'Nette\\PhpGenerator\\ClassManipulator' => __DIR__ . '/..' . '/nette/php-generator/src/PhpGenerator/ClassManipulator.php',
  'Nette\\PhpGenerator\\ClassType' => __DIR__ . '/..' . '/nette/php-generator/src/PhpGenerator/ClassType.php',
  'Nette\\PhpGenerator\\Closure' => __DIR__ . '/..' . '/nette/php-generator/src/PhpGenerator/Closure.php',
  'Nette\\PhpGenerator\\Constant' => __DIR__ . '/..' . '/nette/php-generator/src/PhpGenerator/Constant.php',