[6.x] Elevated Sessions

config/users.php

@@ -167,6 +167,19 @@
         'redirect' => env('STATAMIC_IMPERSONATE_REDIRECT', null),
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Elevated Sessions
+    |--------------------------------------------------------------------------
+    |
+    | Before performing certain actions, users may be asked to confirm their
+    | password. This is called an elevated session. Here you can configure
+    | the duration of elevated sessions, in minutes.
+    |
+    */
+
+    'elevated_session_duration' => 15,
+
     /*
     |--------------------------------------------------------------------------
     | Default Sorting

resources/js/components/data-list/Action.vue

@@ -49,8 +49,11 @@
 
 <script>
 import PublishFields from '../publish/Fields.vue';
+import HasElevatedSession from '@statamic/mixins/HasElevatedSession.js';
 
 export default {
+    mixins: [HasElevatedSession],
+
     components: {
         PublishFields,
     },
@@ -129,11 +132,24 @@ export default {
                 return;
             }
 
-            this.running = true;
-            this.$emit('selected', this.action, this.values, this.onDone);
+            if (this.action.requiresElevatedSession) {
+                this.requireElevatedSession().then(() => this.performAction());
+                return;
+            }
+
+            this.performAction();
         },
 
         confirm() {
+            if (this.action.requiresElevatedSession) {
+                this.requireElevatedSession().then(() => this.performAction());
+                return;
+            }
+
+            this.performAction();
+        },
+
+        performAction() {
             this.running = true;
             this.$emit('selected', this.action, this.values, this.onDone);
         },

resources/js/components/roles/PublishForm.vue

@@ -54,6 +54,8 @@
 </template>
 
 <script>
+import HasElevatedSession from '@statamic/mixins/HasElevatedSession.js';
+
 const checked = function (permissions) {
     return permissions.reduce((carry, permission) => {
         if (!permission.checked) return carry;
@@ -62,6 +64,8 @@ const checked = function (permissions) {
 };
 
 export default {
+    mixins: [HasElevatedSession],
+
     props: {
         initialTitle: String,
         initialHandle: String,
@@ -119,6 +123,10 @@ export default {
         },
 
         save() {
+            this.requireElevatedSession().then(() => this.performSaveAction());
+        },
+
+        performSaveAction() {
             this.clearErrors();
 
             this.$axios[this.method](this.action, this.payload)

resources/js/components/users/ChangePassword.vue

@@ -41,7 +41,11 @@
 </template>
 
 <script>
+import HasElevatedSession from '@statamic/mixins/HasElevatedSession.js';
+
 export default {
+    mixins: [HasElevatedSession],
+
     props: {
         saveUrl: String,
         requiresCurrentPassword: Boolean,
@@ -76,6 +80,10 @@ export default {
         },
 
         save() {
+            this.requireElevatedSession().then(() => this.performSaveRequest());
+        },
+
+        performSaveRequest() {
             this.clearErrors();
             this.saving = true;
 

resources/js/mixins/HasElevatedSession.js

@@ -0,0 +1,29 @@
+export default {
+    methods: {
+        async requireElevatedSession() {
+            const response = await this.$axios.get(cp_url('elevated-session'));
+
+            if (response.data.elevated) return;
+
+            const password = await this.askForPassword();
+
+            if (!password) throw new Error('User cancelled');
+
+            try {
+                await this.$axios.post(cp_url('elevated-session'), { password });
+            } catch (error) {
+                this.$toast.error(error.response.data.message);
+                throw error;
+            }
+        },
+
+        async askForPassword() {
+            // TODO: This should be an actual modal at some point.
+            return new Promise((resolve) => {
+                const password = prompt('You need to enter your password to continue.');
+
+                resolve(password);
+            });
+        },
+    },
+};

routes/cp.php

@@ -18,6 +18,7 @@
 use Statamic\Http\Controllers\CP\Assets\SvgController;
 use Statamic\Http\Controllers\CP\Assets\ThumbnailController;
 use Statamic\Http\Controllers\CP\Auth\CsrfTokenController;
+use Statamic\Http\Controllers\CP\Auth\ElevatedSessionController;
 use Statamic\Http\Controllers\CP\Auth\ExtendSessionController;
 use Statamic\Http\Controllers\CP\Auth\ForgotPasswordController;
 use Statamic\Http\Controllers\CP\Auth\ImpersonationController;
@@ -367,6 +368,9 @@
     Route::post('slug', SlugController::class);
     Route::get('session-timeout', SessionTimeoutController::class)->name('session.timeout');
 
+    Route::get('elevated-session', [ElevatedSessionController::class, 'index'])->name('elevated-session.status');
+    Route::post('elevated-session', [ElevatedSessionController::class, 'store'])->name('elevated-session.store');
+
     Route::view('/playground', 'statamic::playground')->name('playground');
 
     Route::get('edit/{id}', EditRedirectController::class);

src/Actions/Action.php

@@ -119,6 +119,11 @@ public function bypassesDirtyWarning(): bool
         return false;
     }
 
+    public function requiresElevatedSession(): bool
+    {
+        return false;
+    }
+
     public function toArray()
     {
         return [
@@ -130,6 +135,7 @@ public function toArray()
             'warningText' => $this->warningText(),
             'dirtyWarningText' => $this->dirtyWarningText(),
             'bypassesDirtyWarning' => $this->bypassesDirtyWarning(),
+            'requiresElevatedSession' => $this->requiresElevatedSession(),
             'dangerous' => $this->dangerous,
             'fields' => $this->fields()->toPublishArray(),
             'values' => $this->fields()->preProcess()->values(),

src/Actions/CopyPasswordResetLink.php

@@ -30,6 +30,11 @@ public function authorize($authed, $user)
         return $authed->can('sendPasswordReset', $user);
     }
 
+    public function requiresElevatedSession(): bool
+    {
+        return true;
+    }
+
     public function confirmationText()
     {
         /** @translation */

src/Http/Controllers/CP/ActionController.php

@@ -35,6 +35,10 @@ public function run(Request $request)
 
         abort_unless($unauthorized->isEmpty(), 403, __('You are not authorized to run this action.'));
 
+        if ($action->requiresElevatedSession()) {
+            $this->requireElevatedSession();
+        }
+
         $values = $action->fields()->addValues($request->all())->process()->values()->all();
         $successful = true;
 

src/Http/Controllers/CP/Auth/ElevatedSessionController.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace Statamic\Http\Controllers\CP\Auth;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\ValidationException;
+
+class ElevatedSessionController
+{
+    public function index(Request $request)
+    {
+        $isElevated = session()->get("statamic_elevated_session_{$request->user()->id}") > now()->timestamp;
+        $timeRemaining = $isElevated ? Carbon::parse(session()->get("statamic_elevated_session_{$request->user()->id}"))->diffInSeconds(absolute: true) : 0;
+
+        return ['elevated' => $isElevated, 'time_remaining' => $timeRemaining];
+    }
+
+    public function store(Request $request)
+    {
+        $validated = $request->validate([
+            'password' => 'required',
+        ]);
+
+        if (! Hash::check($validated['password'], $request->user()->password())) {
+            throw ValidationException::withMessages([
+                'password' => [__('statamic::validation.current_password')],
+            ]);
+        }
+
+        session()->put(
+            "statamic_elevated_session_{$request->user()->id}",
+            now()->addMinutes(config('statamic.users.elevated_session_duration', 15))->timestamp
+        );
+
+        return $this->index($request);
+    }
+}

src/Http/Controllers/CP/CpController.php

@@ -107,4 +107,13 @@ public function authorizeProIf($condition)
             return $this->authorizePro();
         }
     }
+
+    public function requireElevatedSession($request): void
+    {
+        abort_if(
+            boolean: session()->get("statamic_elevated_session_{$request->user()->id}") < now()->timestamp,
+            code: 403,
+            message: __('Requires an elevated session.')
+        );
+    }
 }

src/Http/Controllers/CP/Users/PasswordController.php

@@ -10,9 +10,17 @@
 use Statamic\Exceptions\NotFoundHttpException;
 use Statamic\Facades\User;
 use Statamic\Http\Controllers\CP\CpController;
+use Statamic\Http\Middleware\CP\RequireElevatedSession;
 
 class PasswordController extends CpController
 {
+    public function __construct(Request $request)
+    {
+        parent::__construct($request);
+
+        $this->middleware(RequireElevatedSession::class);
+    }
+
     public function update(Request $request, $user)
     {
         throw_unless($user = User::find($user), new NotFoundHttpException);

src/Http/Controllers/CP/Users/RolesController.php

@@ -116,6 +116,8 @@ public function edit($role)
 
     public function update(Request $request, $role)
     {
+        $this->requireElevatedSession($request);
+
         $this->authorize('edit roles');
 
         if (! $role = Role::find($role)) {

src/Http/Middleware/CP/RequireElevatedSession.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace Statamic\Http\Middleware\CP;
+
+use Closure;
+
+class RequireElevatedSession
+{
+    public function handle($request, Closure $next)
+    {
+        $elevatedSessionIsActive = session()->get("statamic_elevated_session_{$request->user()->id}") > now()->timestamp;
+
+        if (! $elevatedSessionIsActive) {
+            return response()->json(['error' => __('Requires an elevated session.')], 403);
+        }
+
+        return $next($request);
+    }
+}