
1.修正流量包到期后不自动置无效
2.CSRF防跨站优化
3.工单防XSS
4.session时长延迟到3小时
5.商品可以排序

bingo преди 7 години
родител
ревизия
1b6b0156b7

+ 1 - 1
app/Console/Commands/AutoDecGoodsTraffic.php

@@ -25,7 +25,7 @@ class AutoDecGoodsTraffic extends Command
     {
         $jobStartTime = microtime(true);
 
-        $orderList = Order::query()->with(['user', 'goods'])->where('status', 2)->where('is_expire', 0)->where('expire_at', '>=', date('Y-m-d H:i:s'))->get();
+        $orderList = Order::query()->with(['user', 'goods'])->where('status', 2)->where('is_expire', 0)->where('expire_at', '<=', date('Y-m-d H:i:s'))->get();
         if (!$orderList->isEmpty()) {
             $config = $this->systemConfig();
 

+ 16 - 8
app/Exceptions/Handler.php

@@ -5,6 +5,7 @@ namespace App\Exceptions;
 use Exception;
 use Illuminate\Auth\AuthenticationException;
 use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
+use Illuminate\Session\TokenMismatchException;
 
 class Handler extends ExceptionHandler
 {
@@ -24,10 +25,10 @@ class Handler extends ExceptionHandler
 
     /**
      * Report or log an exception.
-     *
      * This is a great spot to send exceptions to Sentry, Bugsnag, etc.
      *
-     * @param  \Exception  $exception
+     * @param  \Exception $exception
+     *
      * @return void
      */
     public function report(Exception $exception)
@@ -38,25 +39,32 @@ class Handler extends ExceptionHandler
     /**
      * Render an exception into an HTTP response.
      *
-     * @param  \Illuminate\Http\Request  $request
-     * @param  \Exception  $exception
+     * @param  \Illuminate\Http\Request $request
+     * @param  \Exception               $exception
+     *
      * @return \Illuminate\Http\Response
      */
     public function render($request, Exception $exception)
     {
         if (\Config::get('app.debug')) {
             \Log::info("请求导致异常的地址:" . $request->fullUrl());
+
             return parent::render($request, $exception);
-        } else {
-            return \Response::view('404');
         }
+
+        if ($exception instanceof TokenMismatchException) {
+            return \Response::json(['status' => 'fail', 'data' => '', 'message' => trans('404.csrf_title')]);
+        }
+
+        return \Response::view('404');
     }
 
     /**
      * Convert an authentication exception into an unauthenticated response.
      *
-     * @param  \Illuminate\Http\Request  $request
-     * @param  \Illuminate\Auth\AuthenticationException  $exception
+     * @param  \Illuminate\Http\Request                 $request
+     * @param  \Illuminate\Auth\AuthenticationException $exception
+     *
      * @return \Illuminate\Http\Response
      */
     protected function unauthenticated($request, AuthenticationException $exception)
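Review bot: The new `TokenMismatchException` branch in render() answers every request with a 200 JSON body, so an ordinary browser form post that lost its token shows the user raw JSON, and the `csrf.blade.php` view added in this commit is never rendered. Branch on the request type and send a client-error status: `if ($request->expectsJson()) { return \Response::json(['status' => 'fail', 'data' => '', 'message' => trans('404.csrf_title')], 419); }` followed by `return \Response::view('csrf', [], 419);`. The restored `\Response::view('404')` fallback has the same status problem (served as 200), which is pre-existing but easy to fix here with `\Response::view('404', [], 404)`. The reformatted docblock still says nothing about the new branch; a line such as ` * A CSRF token mismatch is answered with a failure payload instead of the 404 page.` would document it.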

+ 1 - 0
app/Http/Controllers/AdminController.php

@@ -319,6 +319,7 @@ class AdminController extends Controller
             $enable_time = $request->get('enable_time');
             $expire_time = $request->get('expire_time');
             $remark = clean($request->get('remark'));
+            $remark = str_replace("eval", "", str_replace("atob", "", $remark));
             $level = $request->get('level');
             $is_admin = $request->get('is_admin');
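Review bot: The added `$remark = str_replace("eval", "", str_replace("atob", "", $remark));` is a substring blacklist applied after `clean()`, which corrupts legitimate text (a remark containing "evaluation" becomes "uation") while adding no context-aware protection; XSS in this field is handled by the purifier on the line above plus escaping at output (`{{ }}` in Blade), not by deleting words. Unless a concrete gap in `clean()` was observed, drop the line, or if it must stay, mark it: `// NOTE(review): word blacklist — mangles ordinary text; clean() + escaped output is the real defence`. The identical line is added in TicketController.php and UserController.php in this commit and the same applies there. The enclosing method starts and ends outside the hunk.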
 

+ 8 - 4
app/Http/Controllers/ShopController.php

@@ -39,10 +39,11 @@ class ShopController extends Controller
             $name = $request->get('name');
             $desc = $request->get('desc', '');
             $traffic = $request->get('traffic');
-            $price = $request->get('price', 0);
-            $score = $request->get('score', 0);
-            $type = $request->get('type', 1);
-            $days = $request->get('days', 90);
+            $price = intval($request->get('price', 0));
+            $score = intval($request->get('score', 0));
+            $type = intval($request->get('type', 1));
+            $days = intval($request->get('days', 90));
+            $sort = intval($request->get('sort', 0));
             $labels = $request->get('labels');
             $status = $request->get('status');
 
@@ -94,6 +95,7 @@ class ShopController extends Controller
                 $goods->score = $score;
                 $goods->type = $type;
                 $goods->days = $days;
+                $goods->sort = $sort;
                 $goods->is_del = 0;
                 $goods->status = $status;
                 $goods->save();
@@ -139,6 +141,7 @@ class ShopController extends Controller
             $desc = $request->get('desc');
             $price = $request->get('price', 0);
             $labels = $request->get('labels');
+            $sort = intval($request->get('sort'));
             $status = $request->get('status');
 
             $goods = Goods::query()->where('id', $id)->first();
@@ -178,6 +181,7 @@ class ShopController extends Controller
                     'desc'   => $desc,
                     'logo'   => $logo,
                     'price'  => $price * 100,
+                    'sort'   => $sort,
                     'status' => $status
                 ];
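Review bot: `$price = intval($request->get('price', 0));` in the add path truncates a decimal price before it is stored — if the add path converts to cents with `* 100` the way the edit path does at `'price'  => $price * 100`, an input of 9.99 is saved as 900 rather than 999 (the add path's store of `$price` is outside the hunk, so this is inferred). Keep the value numeric without losing the fraction, e.g. `$price = round((float) $request->get('price', 0), 2);`, and apply the same cast in the edit hunk, which leaves `$price` uncast. The `intval` casts on score, type, days and sort are fine since those are whole numbers in the schema. The enclosing methods start outside these hunks.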
 

+ 1 - 0
app/Http/Controllers/TicketController.php

@@ -36,6 +36,7 @@ class TicketController extends Controller
 
         if ($request->method() == 'POST') {
             $content = clean($request->get('content'));
+            $content = str_replace("eval", "", str_replace("atob", "", $content));
 
             $obj = new TicketReply();
             $obj->ticket_id = $id;

+ 2 - 1
app/Http/Controllers/UserController.php

@@ -324,7 +324,7 @@ class UserController extends Controller
     // 商品列表
     public function goodsList(Request $request)
     {
-        $goodsList = Goods::query()->where('status', 1)->where('is_del', 0)->orderBy('type', 'desc')->paginate(10)->appends($request->except('page'));
+        $goodsList = Goods::query()->where('status', 1)->where('is_del', 0)->orderBy('type', 'desc')->orderBy('sort', 'desc')->paginate(10)->appends($request->except('page'));
         foreach ($goodsList as $goods) {
             $goods->traffic = flowAutoShow($goods->traffic * 1048576);
         }
@@ -371,6 +371,7 @@ class UserController extends Controller
     {
         $title = $request->get('title');
         $content = clean($request->get('content'));
+        $content = str_replace("eval", "", str_replace("atob", "", $content));
 
         $user = Session::get('user');
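Review bot: In goodsList, `->orderBy('type', 'desc')->orderBy('sort', 'desc')` makes `sort` a tie-breaker only: the help text added in the shop views ("值越大排越前") promises that a larger sort value ranks first, but a high-sort item of a lower type still lands after every item of a higher type. If manual ordering across the whole list is the intent, swap the two calls; if type-first is intended, add `// sort only orders goods within the same type` above the query and adjust the help text. goodsList's body continues outside the hunk.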
 

+ 1 - 1
config/session.php

@@ -29,7 +29,7 @@ return [
     |
     */
 
-    'lifetime' => 120,
+    'lifetime' => 180,
 
     'expire_on_close' => false,
 

+ 3 - 1
resources/lang/en/404.php

@@ -3,5 +3,7 @@
 return [
     'title' => 'Page Not Found',
     'back'  => 'Back',
-    'tips'  => 'If BUG is found, please submit it to',
+    'tips'  => 'If BUG is found, Please contact us.',
+    'csrf_title' => 'Please Refresh The Web Page',
+    'csrf_back' => 'Back',
 ];

+ 3 - 1
resources/lang/ja/404.php

@@ -3,5 +3,7 @@
 return [
     'title' => 'ページがありません',
     'back'  => '戻る',
-    'tips'  => 'BUGが見つかった場合は、提出してください。',
+    'tips'  => 'バグが見つかったら管理者に連絡してください',
+    'csrf_title' => 'Webページをリフレッシュしてください',
+    'csrf_back' => '戻る',
 ];

+ 3 - 1
resources/lang/ko/404.php

@@ -3,5 +3,7 @@
 return [
     'title' => '페이지가 없습니다',
     'back'  => '돌아가기',
-    'tips'  => 'If BUG is found, please submit it to',
+    'tips'  => '만약 버그 관리자 것을 연락 주세요.',
+    'csrf_title' => '페이지 새로 고침',
+    'csrf_back' => '돌아가기',
 ];

+ 2 - 0
resources/lang/zh-CN/404.php

@@ -4,4 +4,6 @@ return [
     'title' => '页面不存在',
     'back'  => '返 回',
     'tips'  => '如果发现BUG请提交到',
+    'csrf_title' => '请刷新页面重试',
+    'csrf_back' => '返 回',
 ];

+ 2 - 0
resources/lang/zh-tw/404.php

@@ -4,4 +4,6 @@ return [
     'title' => '頁面不存在',
     'back'  => '返 回',
     'tips'  => '如果發現BUG請提交到',
+    'csrf_title' => '請刷新頁面重試',
+    'csrf_back' => '返 回',
 ];

+ 75 - 0
resources/views/csrf.blade.php

@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<!--[if IE 8]> <html lang="{{app()->getLocale()}}" class="ie8 no-js"> <![endif]-->
+<!--[if IE 9]> <html lang="{{app()->getLocale()}}" class="ie9 no-js"> <![endif]-->
+<!--[if !IE]><!-->
+<html lang="{{app()->getLocale()}}">
+<!--<![endif]-->
+<!-- BEGIN HEAD -->
+
+<head>
+    <meta charset="utf-8" />
+    <title>{{trans('404.csrf_title')}}</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta content="width=device-width, initial-scale=1" name="viewport" />
+    <meta content="" name="description" />
+    <meta content="" name="author" />
+    <!-- BEGIN GLOBAL MANDATORY STYLES -->
+    <link href="/assets/global/plugins/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css" />
+    <link href="/assets/global/plugins/simple-line-icons/simple-line-icons.min.css" rel="stylesheet" type="text/css" />
+    <link href="/assets/global/plugins/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
+    <link href="/assets/global/plugins/bootstrap-switch/css/bootstrap-switch.min.css" rel="stylesheet" type="text/css" />
+    <!-- END GLOBAL MANDATORY STYLES -->
+    <!-- BEGIN THEME GLOBAL STYLES -->
+    <link href="/assets/global/css/components-rounded.min.css" rel="stylesheet" id="style_components" type="text/css" />
+    <link href="/assets/global/css/plugins.min.css" rel="stylesheet" type="text/css" />
+    <!-- END THEME GLOBAL STYLES -->
+    <!-- BEGIN PAGE LEVEL STYLES -->
+    <link href="/assets/pages/css/error.min.css" rel="stylesheet" type="text/css" />
+    <!-- END PAGE LEVEL STYLES -->
+    <!-- BEGIN THEME LAYOUT STYLES -->
+    <!-- END THEME LAYOUT STYLES -->
+    <link rel="shortcut icon" href="{{asset('favicon.ico')}}" /> </head>
+<!-- END HEAD -->
+
+<body class="page-500-full-page">
+<div class="row">
+    <div class="col-md-12 page-500">
+        <h3>{{trans('404.csrf_title')}}</h3>
+        <p><br></p>
+        <div class="number font-red"> <img src="{{asset('assets/images/404.gif')}}" /> </div>
+        <p><br></p>
+        <a href="{{url('/')}}" class="btn default"> {{trans('404.csrf_back')}} </a>
+    </div>
+</div>
+<!--[if lt IE 9]>
+<script src="/assets/global/plugins/respond.min.js"></script>
+<script src="/assets/global/plugins/excanvas.min.js"></script>
+<script src="/assets/global/plugins/ie8.fix.min.js"></script>
+<![endif]-->
+<!-- BEGIN CORE PLUGINS -->
+<script src="/assets/global/plugins/jquery.min.js" type="text/javascript"></script>
+<script src="/assets/global/plugins/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
+<script src="/assets/global/plugins/js.cookie.min.js" type="text/javascript"></script>
+<script src="/assets/global/plugins/jquery-slimscroll/jquery.slimscroll.min.js" type="text/javascript"></script>
+<script src="/assets/global/plugins/jquery.blockui.min.js" type="text/javascript"></script>
+<script src="/assets/global/plugins/bootstrap-switch/js/bootstrap-switch.min.js" type="text/javascript"></script>
+<!-- END CORE PLUGINS -->
+<!-- BEGIN THEME GLOBAL SCRIPTS -->
+<script src="/assets/global/scripts/app.min.js" type="text/javascript"></script>
+
+<!-- Global site tag (gtag.js) - Google Analytics -->
+<script async src="https://www.googletagmanager.com/gtag/js?id=UA-122312249-1"></script>
+<script>
+    window.dataLayer = window.dataLayer || [];
+    function gtag(){dataLayer.push(arguments);}
+    gtag('js', new Date());
+
+    gtag('config', 'UA-122312249-1');
+</script>
+
+<!-- END THEME GLOBAL SCRIPTS -->
+<!-- BEGIN THEME LAYOUT SCRIPTS -->
+<!-- END THEME LAYOUT SCRIPTS -->
+</body>
+
+</html>
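Review bot: The new error view embeds a Google Analytics loader with the literal id `UA-122312249-1` and fetches script from `googletagmanager.com` on a page that is shown after a CSRF failure, i.e. third-party script on a security error page of a self-hosted deployment. Move the id to configuration and emit the block only when it is set, e.g. wrap it in `@if(config('<ANALYTICS_ID_CONFIG_KEY>'))` … `@endif` (key name is a placeholder — match whatever the other layouts use). The head and footer appear to duplicate the 404 template's asset list, so a shared layout would keep that in one place; hedged, since the 404 view is not in this diff.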

+ 12 - 2
resources/views/shop/addGoods.blade.php

@@ -105,6 +105,7 @@
                                             <input type="text" class="form-control" name="traffic" value="1024" id="traffic" placeholder="" required="">
                                             <span class="input-group-addon">MiB</span>
                                         </div>
+                                        <span class="help-block"> 提交后不可修改 </span>
                                     </div>
                                 </div>
                                 <div class="form-group">
@@ -134,7 +135,14 @@
                                             <input type="text" class="form-control" name="days" value="30" id="days" placeholder="" required="">
                                             <span class="input-group-addon">天</span>
                                         </div>
-                                        <span class="help-block"> 到期后会自动从总流量扣减对应的流量 </span>
+                                        <span class="help-block"> 到期后会自动从总流量扣减对应的流量,添加后不可修改 </span>
+                                    </div>
+                                </div>
+                                <div class="form-group">
+                                    <label for="sort" class="control-label col-md-3">排序</label>
+                                    <div class="col-md-6">
+                                        <input type="text" class="form-control" name="sort" value="1" id="sort" placeholder="">
+                                        <span class="help-block"> 值越大排越前 </span>
                                     </div>
                                 </div>
                                 <div class="form-group last">
@@ -179,8 +187,10 @@
     <script type="text/javascript">
         // 用户标签选择器
         $('#labels').select2({
+            theme: 'bootstrap',
             placeholder: '设置后当用户购买此商品则可见相同标签的节点',
-            allowClear: true
+            allowClear: true,
+            width:'100%'
         });
 
         // 有效期

+ 10 - 1
resources/views/shop/editGoods.blade.php

@@ -141,6 +141,13 @@
                                         <span class="help-block"> 到期后会自动从总流量扣减对应的流量 </span>
                                     </div>
                                 </div>
+                                <div class="form-group">
+                                    <label for="sort" class="col-md-3 control-label">排序</label>
+                                    <div class="col-md-8">
+                                        <input type="text" class="form-control" name="sort" value="1" id="sort" placeholder="">
+                                        <span class="help-block"> 值越大排越前 </span>
+                                    </div>
+                                </div>
                                 <div class="form-group last">
                                     <label class="control-label col-md-3">状态</label>
                                     <div class="col-md-6">
@@ -184,8 +191,10 @@
     <script type="text/javascript">
         // 用户标签选择器
         $('#labels').select2({
+            theme: 'bootstrap',
             placeholder: '设置后当用户购买此商品则可见相同标签的节点',
-            allowClear: true
+            allowClear: true,
+            width:'100%'
         });
 
         // 有效期
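Review bot: The new sort input in editGoods.blade.php is hard-coded to `value="1"`, so the edit form always shows 1 and saving without touching it overwrites the stored value (ShopController writes `$sort = intval($request->get('sort'))` back unconditionally). Bind it to the model the way goodsList.blade.php does with `$goods->sort`: `<input type="text" class="form-control" name="sort" value="{{$goods->sort}}" id="sort" placeholder="">` — assuming this view receives the same `$goods` variable, which the hunk does not show. `type="number"` here and in addGoods.blade.php would also reject non-numeric input in the browser instead of `intval` silently turning it into 0.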

+ 2 - 0
resources/views/shop/goodsList.blade.php

@@ -40,6 +40,7 @@
                                     <th> 内含流量 </th>
                                     <th> 售价 </th>
                                     <!-- <th> 所需积分 </th> -->
+                                    <th> 排序 </th>
                                     <th> 状态 </th>
                                     <th style="text-align: center;"> 操作 </th>
                                 </tr>
@@ -59,6 +60,7 @@
                                             <td> {{$goods->traffic}} </td>
                                             <td> {{$goods->price}}元 </td>
                                             <!-- <td> {{$goods->score}} </td> -->
+                                            <td> {{$goods->sort}} </td>
                                             <td>
                                                 @if($goods->status)
                                                     <span class="label label-success">上架</span>

+ 1 - 0
sql/db.sql

@@ -452,6 +452,7 @@ CREATE TABLE `goods` (
   `price` int(11) NOT NULL DEFAULT '0' COMMENT '商品售价,单位分',
   `desc` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT '' COMMENT '商品描述',
   `days` int(11) NOT NULL DEFAULT '30' COMMENT '有效期',
+  `sort` int(11) NOT NULL DEFAULT '0' COMMENT '排序',
   `is_del` tinyint(4) NOT NULL DEFAULT '0' COMMENT '是否已删除:0-否、1-是',
   `status` tinyint(4) NOT NULL DEFAULT '1' COMMENT '状态:0-下架、1-上架',
   `created_at` datetime DEFAULT NULL COMMENT '创建时间',

+ 2 - 0
sql/update/20180801.sql

@@ -0,0 +1,2 @@
+-- 商品加排序
+ALTER TABLE `goods` ADD COLUMN `sort` int(11) NOT NULL DEFAULT '0' COMMENT '排序' AFTER `days`;