diff --git a/adm_program/installation/db_scripts/db.sql b/adm_program/installation/db_scripts/db.sql
index 47a69505f..b1e0a68cc 100644
--- a/adm_program/installation/db_scripts/db.sql
+++ b/adm_program/installation/db_scripts/db.sql
@@ -348,6 +348,7 @@ CREATE TABLE %PREFIX%_members
mem_id integer unsigned NOT NULL AUTO_INCREMENT,
mem_rol_id integer unsigned NOT NULL,
mem_usr_id integer unsigned NOT NULL,
+ mem_uuid varchar(36) NOT NULL,
mem_begin date NOT NULL,
mem_end date NOT NULL DEFAULT '9999-12-31',
mem_leader boolean NOT NULL DEFAULT '0',
@@ -365,6 +366,7 @@ DEFAULT character SET = utf8
COLLATE = utf8_unicode_ci;
CREATE INDEX %PREFIX%_idx_mem_rol_usr_id ON %PREFIX%_members (mem_rol_id, mem_usr_id);
+CREATE UNIQUE INDEX %PREFIX%_idx_mem_uuid ON %PREFIX%_members (mem_uuid);
/*==============================================================*/
/* Table: adm_menu */
diff --git a/adm_program/installation/db_scripts/update_4_1.xml b/adm_program/installation/db_scripts/update_4_1.xml
index 8ee47d728..975601d45 100644
--- a/adm_program/installation/db_scripts/update_4_1.xml
+++ b/adm_program/installation/db_scripts/update_4_1.xml
@@ -70,6 +70,7 @@
ALTER TABLE %PREFIX%_rooms ADD COLUMN room_uuid varchar(36)
ALTER TABLE %PREFIX%_user_fields ADD COLUMN usf_uuid varchar(36)
ALTER TABLE %PREFIX%_user_relation_types ADD COLUMN urt_uuid varchar(36)
+ ALTER TABLE %PREFIX%_members ADD COLUMN mem_uuid varchar(36)
ComponentUpdateSteps::updateStep41AddUuid
ALTER TABLE %PREFIX%_users MODIFY COLUMN usr_uuid varchar(36) NOT NULL
CREATE UNIQUE INDEX %PREFIX%_idx_usr_uuid ON %PREFIX%_users (usr_uuid)
@@ -109,5 +110,7 @@
CREATE UNIQUE INDEX %PREFIX%_idx_urt_uuid ON %PREFIX%_user_relation_types (urt_uuid)
ALTER TABLE %PREFIX%_roles MODIFY COLUMN rol_name varchar(100)
ALTER TABLE %PREFIX%_roles ALTER COLUMN rol_name TYPE varchar(100)
+ ALTER TABLE %PREFIX%_members MODIFY COLUMN mem_uuid varchar(36) NOT NULL
+ CREATE UNIQUE INDEX %PREFIX%_idx_mem_uuid ON %PREFIX%_members (mem_uuid)
stop
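Review bot: The `MODIFY COLUMN mem_uuid varchar(36) NOT NULL` step and the unique index added at the end of this hunk can only succeed if every existing row of %PREFIX%_members has already received a distinct UUID, which depends on the ComponentUpdateSteps::updateStep41AddUuid step in the previous hunk also covering the members table; that method is outside this diff, so please confirm it was extended together with the new ADD COLUMN. The rol_name step just above carries both a MySQL `MODIFY COLUMN` and a PostgreSQL `ALTER COLUMN ... TYPE` variant, so if these steps are engine-specific the members step presumably needs a PostgreSQL counterpart as well, e.g. `ALTER TABLE %PREFIX%_members ALTER COLUMN mem_uuid SET NOT NULL`, unless the existing usr_uuid/urt_uuid steps show that MODIFY is already handled generically.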
diff --git a/adm_program/modules/announcements/announcements_function.php b/adm_program/modules/announcements/announcements_function.php
index da8036565..745904e90 100644
--- a/adm_program/modules/announcements/announcements_function.php
+++ b/adm_program/modules/announcements/announcements_function.php
@@ -55,6 +55,22 @@
$_SESSION['announcements_request'] = $_POST;
+try
+{
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $e)
+{
+ if($getMode === 1) {
+ $e->showHtml();
+ }
+ else {
+ $e->showText();
+ }
+ // => EXIT
+}
+
if($getMode === 1)
{
if(strlen($_POST['ann_headline']) === 0)
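Review bot: The relocated check reads `$_POST['admidio-csrf-token']` without a guard, and because it now runs for every mode rather than only inside the mode-1 form handler, any request that reaches this script without a token (a plain GET, a stale bookmark) raises an undefined-array-key warning before validateCsrfToken ever rejects it. Reading the value as `SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token'] ?? '');`, or through the admFuncVariableIsValid helper the module already uses for $_GET, keeps the failure on the validation path, assuming an empty string fails validation like any other mismatched token. The same unguarded read appears in the new top-level checks of categories_function.php, groups_roles_function.php, links_function.php, menu_function.php, profile_fields_function.php and in the per-mode checks of dates_function.php, messages.php, photo_album_function.php, photo_function.php and backup_file_function.php.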
@@ -79,9 +95,6 @@
try
{
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-
// write POST parameters in announcement object
foreach($_POST as $key => $value) // TODO possible security issue
{
diff --git a/adm_program/modules/backup/backup_file_function.php b/adm_program/modules/backup/backup_file_function.php
index 130da1d0a..7eeac8c3c 100644
--- a/adm_program/modules/backup/backup_file_function.php
+++ b/adm_program/modules/backup/backup_file_function.php
@@ -1,7 +1,7 @@
show($gL10n->get('SYS_FILE_NOT_EXIST'));
@@ -43,11 +43,11 @@
switch($getJob)
{
case 'get_file':
- // Dateigroese ermitteln
+ // Determine file size
$fileSize = filesize($completePath);
$filename = FileSystemUtils::getSanitizedPathEntry($getFilename);
- // Passenden Datentyp erzeugen.
+ // Create suitable data type
header('Content-Type: application/octet-stream');
header('Content-Length: '.$fileSize);
header('Content-Disposition: attachment; filename="'.$filename.'"');
@@ -56,17 +56,26 @@
header('Cache-Control: private');
header('Pragma: public');
- // Datei ausgeben.
+ // get file output
readfile($completePath);
break;
case 'delete':
- // Backupdatei loeschen
+ // Delete backup file
+
try
{
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+
FileSystemUtils::deleteFileIfExists($completePath);
echo 'done';
}
+ catch(AdmException $e)
+ {
+ $e->showText();
+ // => EXIT
+ }
catch (\RuntimeException $exception)
{
$gLogger->error('Could not delete file!', array('filePath' => $completePath));
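Review bot: The translated comment `// get file output` above readfile() describes the opposite direction of what the line does, which is streaming the file contents to the client; `// send the file contents to the client` would match the surrounding Content-Disposition headers. The new AdmException catch sits before the existing RuntimeException catch, so a failed token check exits before the logger is touched, which reads correctly; note that the `get_file` case is still reachable without a token, which is appropriate only as long as it remains a read-only download.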
diff --git a/adm_program/modules/categories/categories.php b/adm_program/modules/categories/categories.php
index 4b8f6c38b..373988c7a 100644
--- a/adm_program/modules/categories/categories.php
+++ b/adm_program/modules/categories/categories.php
@@ -194,10 +194,12 @@
if($category->getValue('cat_system') == 0 || $getType !== 'USF')
{
$htmlMoveRow = ''.
+ \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/categories/categories_function.php', array('type' => $getType, 'mode' => 4, 'cat_uuid' => $categoryUuid, 'sequence' => TableCategory::MOVE_UP)) . '\',
+ \''.$gCurrentSession->getCsrfToken().'\')">'.
'
'.
+ \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/categories/categories_function.php', array('type' => $getType, 'mode' => 4, 'cat_uuid' => $categoryUuid, 'sequence' => TableCategory::MOVE_DOWN)) . '\',
+ \''.$gCurrentSession->getCsrfToken().'\')">'.
'';
}
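Review bot: `$gCurrentSession->getCsrfToken()` is called twice per rendered row here (once for MOVE_UP and once for MOVE_DOWN), and this block appears to sit inside the per-category loop; hoisting it into a local such as `$csrfToken = $gCurrentSession->getCsrfToken();` before the loop removes the repetition and makes it obvious that one token is used for the whole page. The same pattern is repeated in the new onclick handlers of menu.php and profile_fields.php. The extraction has dropped the surrounding HTML/JS from these lines, so I cannot confirm that the token and URL are placed in an attribute context that is quoted consistently — please double check the rendered markup.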
diff --git a/adm_program/modules/categories/categories_function.php b/adm_program/modules/categories/categories_function.php
index 40235baf5..c3c09c93c 100644
--- a/adm_program/modules/categories/categories_function.php
+++ b/adm_program/modules/categories/categories_function.php
@@ -28,7 +28,6 @@
$getCatUuid = admFuncVariableIsValid($_GET, 'cat_uuid', 'string');
$getType = admFuncVariableIsValid($_GET, 'type', 'string', array('requireValue' => true, 'validValues' => array('ROL', 'LNK', 'USF', 'ANN', 'DAT', 'AWA')));
$getMode = admFuncVariableIsValid($_GET, 'mode', 'int', array('requireValue' => true));
-$getTitle = admFuncVariableIsValid($_GET, 'title', 'string', array('defaultValue' => $gL10n->get('SYS_CATEGORY')));
// set text strings for the different modules
switch ($getType)
@@ -58,6 +57,22 @@
$component = '';
}
+try
+{
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception)
+{
+ if($getMode === 1) {
+ $exception->showHtml();
+ }
+ else {
+ $exception->showText();
+ }
+ // => EXIT
+}
+
// check if the current user has the right to
if(!Component::isAdministrable($component))
{
@@ -99,17 +114,6 @@
$_SESSION['categories_request'] = $_POST;
- try
- {
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
- }
- catch(AdmException $exception)
- {
- $exception->showHtml();
- // => EXIT
- }
-
if((!array_key_exists('cat_name', $_POST) || $_POST['cat_name'] === '') && $category->getValue('cat_system') == 0)
{
$gMessage->show($gL10n->get('SYS_FIELD_EMPTY', array($gL10n->get('SYS_NAME'))));
@@ -268,6 +272,7 @@
if($category->delete())
{
echo 'done';
+ exit();
}
}
catch(AdmException $e)
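Review bot: Adding `exit()` after `echo 'done'` fixes the success path, but when `$category->delete()` returns false nothing is echoed at all, so the XMLHttpRequest caller receives an empty body and presumably treats it as an unknown error. The sequence branch in the next hunk echoes both outcomes; mirroring that here with `else { echo $gL10n->get('SYS_NO_RIGHTS'); }` (or a more specific message) before the exit keeps the two AJAX branches consistent. The enclosing try/catch starts before this hunk and what follows the catch is not visible, so the fall-through behaviour is inferred.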
@@ -281,6 +286,11 @@
// Kategoriereihenfolge aktualisieren
$getSequence = admFuncVariableIsValid($_GET, 'sequence', 'string', array('validValues' => array(TableCategory::MOVE_UP, TableCategory::MOVE_DOWN)));
- $category->moveSequence($getSequence);
+ if($category->moveSequence($getSequence)) {
+ echo 'done';
+ }
+ else {
+ echo 'Sequence could not be changed.';
+ }
exit();
}
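Review bot: The new failure response `echo 'Sequence could not be changed.';` is a hard-coded English literal in a file that otherwise routes every user-facing message through `$gL10n->get(...)`, so this string will not be translated. The identical literal is introduced in menu_function.php and profile_fields_function.php; a shared language key (a constructed example: `$gL10n->get('SYS_SEQUENCE_NOT_CHANGED')`) used in all three places would keep the AJAX responses localisable and consistent.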
diff --git a/adm_program/modules/dates/dates_function.php b/adm_program/modules/dates/dates_function.php
index f23f82edb..0dfac4bc1 100644
--- a/adm_program/modules/dates/dates_function.php
+++ b/adm_program/modules/dates/dates_function.php
@@ -10,11 +10,10 @@
* Parameters:
*
* dat_id - ID of the event that should be edited
- * mode : 1 - Create a new event
+ * mode : 1 - Create or edit an event
* 2 - Delete the event
* 3 - User attends to the event
* 4 - User cancel the event
- * 5 - Edit an existing event
* 6 - Export event in ical format
* 7 - User may participate in the event
* user_uuid : UUID of the user membership to an event should be edited
@@ -70,7 +69,7 @@
$user->readDataByUuid($getUserUuid);
}
-if (in_array($getMode, array(1, 2, 5), true))
+if (in_array($getMode, array(1, 2), true))
{
if ($getDateUuid !== '')
{
@@ -92,9 +91,10 @@
}
}
-if($getMode === 1 || $getMode === 5) // Create a new event or edit an existing event
+if($getMode === 1) // Create a new event or edit an existing event
{
$_SESSION['dates_request'] = $_POST;
+ $dateIsNew = $date->isNewRecord();
try
{
@@ -446,7 +446,7 @@
{
$notification = new Email();
- if($getMode === 1)
+ if($dateIsNew)
{
$message = $gL10n->get('DAT_EMAIL_NOTIFICATION_MESSAGE_PART1', array($gCurrentOrganization->getValue('org_longname'), $_POST['dat_headline'], $date->getDateTimePeriod(), $calendar))
.$gL10n->get('DAT_EMAIL_NOTIFICATION_MESSAGE_PART2', array($ort, $raum, $participants, $gCurrentUser->getValue('FIRST_NAME').' '.$gCurrentUser->getValue('LAST_NAME')))
@@ -583,6 +583,15 @@
}
elseif($getMode === 2)
{
+ try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+ }
+ catch(AdmException $exception) {
+ $exception->showText();
+ // => EXIT
+ }
+
// delete current announcements, right checks were done before
$date->delete();
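Review bot: The token check is added for mode 2 (delete) only, while the header comment in the first hunk lists modes 3, 4 and 7 (attend, cancel, participate) which also change persisted state and receive no validateCsrfToken call in this commit. If those modes are still triggered by plain links, a forged cross-site request can still alter a user's event participation; the branches are outside this hunk, so please confirm whether they are covered elsewhere or planned as a follow-up, and either way a comment such as `// modes 3, 4 and 7 are GET actions without CSRF protection - TODO` above this block would make the current scope explicit.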
diff --git a/adm_program/modules/dates/dates_new.php b/adm_program/modules/dates/dates_new.php
index 1b42ce226..9a5f7a41f 100644
--- a/adm_program/modules/dates/dates_new.php
+++ b/adm_program/modules/dates/dates_new.php
@@ -40,17 +40,14 @@
if($getCopy)
{
$headline = $gL10n->get('SYS_COPY_VAR', array($getHeadline));
- $mode = 5;
}
elseif($getDateUuid !== '')
{
$headline = $gL10n->get('SYS_EDIT_VAR', array($getHeadline));
- $mode = 5;
}
else
{
$headline = $gL10n->get('SYS_CREATE_VAR', array($getHeadline));
- $mode = 1;
}
$gNavigation->addUrl(CURRENT_URL, $headline);
@@ -250,7 +247,7 @@ function setLocationCountry() {
);
// show form
-$form = new HtmlForm('dates_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/dates/dates_function.php', array('dat_uuid' => $getDateUuid, 'mode' => $mode, 'copy' => $getCopy)), $page);
+$form = new HtmlForm('dates_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/dates/dates_function.php', array('dat_uuid' => $getDateUuid, 'mode' => 1, 'copy' => $getCopy)), $page);
$form->openGroupBox('gb_title_location', $gL10n->get('SYS_TITLE').' & '.$gL10n->get('DAT_LOCATION'));
$form->addInput(
diff --git a/adm_program/modules/documents-files/documents_files_function.php b/adm_program/modules/documents-files/documents_files_function.php
index 57d432f1f..3253bec3c 100644
--- a/adm_program/modules/documents-files/documents_files_function.php
+++ b/adm_program/modules/documents-files/documents_files_function.php
@@ -68,15 +68,16 @@
}
// check the CSRF token of the form against the session token
-if(in_array($getMode, array(3, 4, 7)))
-{
- try
- {
+if(in_array($getMode, array(2, 3, 4, 5, 7))) {
+ try {
SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
}
- catch(AdmException $exception)
- {
- $exception->showHtml();
+ catch(AdmException $exception) {
+ if($getMode === 2 || $getMode === 5) {
+ $exception->showText();
+ } else {
+ $exception->showHtml();
+ }
// => EXIT
}
}
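Review bot: The mode list in the new condition `in_array($getMode, array(2, 3, 4, 5, 7))` is compared loosely, whereas dates_function.php in this same commit uses `in_array($getMode, array(1, 2), true)`; if `$getMode` is always an int from admFuncVariableIsValid the result is the same, but passing `true` here (and in the equivalent new check in guestbook_function.php) makes the intent explicit and guards against a string value reaching this point. The comment above the block already explains the purpose, so no further documentation is needed.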
diff --git a/adm_program/modules/groups-roles/groups_roles_function.php b/adm_program/modules/groups-roles/groups_roles_function.php
index 02638e20a..015cca721 100644
--- a/adm_program/modules/groups-roles/groups_roles_function.php
+++ b/adm_program/modules/groups-roles/groups_roles_function.php
@@ -17,7 +17,6 @@
* 3 - set role inaktive
* 4 - delete role
* 5 - set role active
- * 9 - return if role has former members ? Return: 1 und 0
*
*****************************************************************************/
@@ -30,20 +29,31 @@
// only members who are allowed to create and edit roles should have access to
// most of these functions
-if($getMode !== 9 && !$gCurrentUser->manageRoles())
+if(!$gCurrentUser->manageRoles())
{
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
// => EXIT
}
-// Rollenobjekt anlegen
+try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+} catch (AdmException $exception) {
+ if ($getMode === 2) {
+ $exception->showHtml();
+ } else {
+ $exception->showText();
+ }
+ // => EXIT
+}
+
$role = new TableRoles($gDb);
if($getRoleUuid !== '')
{
$role->readDataByUuid($getRoleUuid);
- // Pruefung, ob die Rolle zur aktuellen Organisation gehoert
+ // Check if the role belongs to the current organization
if((int) $role->getValue('cat_org_id') !== (int) $gCurrentOrganization->getValue('org_id') && $role->getValue('cat_org_id') > 0)
{
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
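Review bot: Removing the `$getMode !== 9` exception and the mode-9 branch at the end of this file means any client still requesting mode 9 now goes through manageRoles() and the token check and then falls off the end of the script with an empty response; I cannot see the JavaScript that used to call it, so please confirm that the hasFormerMembers lookup has been replaced or removed on the client side. The catch uses showHtml only for mode 2 and showText otherwise, which assumes mode 2 is the form-submit path — the mode list in the header comment starts at 3 in this view, so that mapping is inferred.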
@@ -58,17 +68,6 @@
{
// create or edit role
- try
- {
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
- }
- catch(AdmException $exception)
- {
- $exception->showHtml();
- // => EXIT
- }
-
if(!array_key_exists('rol_name', $_POST) || $_POST['rol_name'] === '')
{
// not all fields are filled
@@ -333,12 +332,9 @@
// event roles should not set inactive
// all other roles could now set inactive
if($role->getValue('cat_name_intern') !== 'EVENTS'
- && $role->setInactive())
- {
+ && $role->setInactive()) {
echo 'done';
- }
- else
- {
+ } else {
echo $gL10n->get('SYS_NO_RIGHTS');
}
exit();
@@ -346,16 +342,13 @@
elseif($getMode === 4)
{
// delete role from database
- try
- {
- if($role->delete())
- {
+ try {
+ if($role->delete()) {
echo 'done';
}
}
- catch(AdmException $e)
- {
- $e->showHtml();
+ catch(AdmException $e) {
+ $e->showText();
// => EXIT
}
exit();
@@ -365,25 +358,10 @@
// event roles should not set active
// all other roles could now set active
if($role->getValue('cat_name_intern') !== 'EVENTS'
- && $role->setActive())
- {
+ && $role->setActive()) {
echo 'done';
- }
- else
- {
+ } else {
$gL10n->get('SYS_NO_RIGHTS');
}
exit();
}
-elseif($getMode === 9)
-{
- if($role->hasFormerMembers())
- {
- echo '1';
- }
- else
- {
- echo '0';
- }
- exit();
-}
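Review bot: In the setActive branch rewritten here, the else path reads `$gL10n->get('SYS_NO_RIGHTS');` with no `echo`, so the value is discarded and the AJAX caller receives an empty body; the sibling setInactive branch two hunks above echoes the same message. Since this commit is already reshaping that else block, changing the line to `echo $gL10n->get('SYS_NO_RIGHTS');` would fix the pre-existing omission in the same change.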
diff --git a/adm_program/modules/guestbook/guestbook_function.php b/adm_program/modules/guestbook/guestbook_function.php
index 9a1a75965..50f95494e 100644
--- a/adm_program/modules/guestbook/guestbook_function.php
+++ b/adm_program/modules/guestbook/guestbook_function.php
@@ -43,6 +43,21 @@
require(__DIR__ . '/../../system/login_valid.php');
}
+// check the CSRF token of the form against the session token
+if(in_array($getMode, array(1, 2, 3, 4, 5, 8))) {
+ try {
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+ }
+ catch(AdmException $exception) {
+ if($getMode === 2 || $getMode === 5) {
+ $exception->showText();
+ } else {
+ $exception->showHtml();
+ }
+ // => EXIT
+ }
+}
+
// Erst einmal pruefen ob die noetigen Berechtigungen vorhanden sind
if ($getMode === 4)
{
@@ -114,17 +129,6 @@
{
$_SESSION['guestbook_entry_request'] = $_POST;
- try
- {
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
- }
- catch(AdmException $exception)
- {
- $exception->showHtml();
- // => EXIT
- }
-
if ($getMode === 1)
{
// if login and new entry then fill name with login user
@@ -316,17 +320,6 @@
{
$_SESSION['guestbook_comment_request'] = $_POST;
- try
- {
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
- }
- catch(AdmException $exception)
- {
- $exception->showHtml();
- // => EXIT
- }
-
if ($getMode === 4)
{
// if login then fill name with login user
diff --git a/adm_program/modules/links/links_function.php b/adm_program/modules/links/links_function.php
index 518fb877a..0aeebc5e8 100644
--- a/adm_program/modules/links/links_function.php
+++ b/adm_program/modules/links/links_function.php
@@ -10,9 +10,8 @@
* Parameters:
*
* link_uuid - UUID of the weblink that should be edited
- * mode - 1 : Create new link
+ * mode - 1 : Create or edit a weblink
* 2 : Delete link
- * 3 : Edit link
***********************************************************************************************
*/
require_once(__DIR__ . '/../../system/common.php');
@@ -22,6 +21,19 @@
$getLinkUuid = admFuncVariableIsValid($_GET, 'link_uuid','string');
$getMode = admFuncVariableIsValid($_GET, 'mode', 'int', array('requireValue' => true));
+try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception) {
+ if($getMode === 1) {
+ $exception->showHtml();
+ } else {
+ $exception->showText();
+ }
+ // => EXIT
+}
+
// check if the module is enabled for use
if ((int) $gSettingsManager->get('enable_weblinks_module') === 0)
{
@@ -54,20 +66,10 @@
}
}
-$_SESSION['links_request'] = $_POST;
-
-if ($getMode === 1 || ($getMode === 3 && $getLinkUuid !== ''))
+if ($getMode === 1)
{
- try
- {
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
- }
- catch(AdmException $exception)
- {
- $exception->showHtml();
- // => EXIT
- }
+ $_SESSION['links_request'] = $_POST;
+ $weblinkIsNew = $link->isNewRecord();
if(strlen(StringUtils::strStripTags($_POST['lnk_name'])) === 0)
{
@@ -96,7 +98,7 @@
try
{
- // POST Variablen in das Ankuendigungs-Objekt schreiben
+ // POST variables to the announcements object
foreach($_POST as $key => $value) // TODO possible security issue
{
if(str_starts_with($key, 'lnk_'))
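Review bot: The translated comment `// POST variables to the announcements object` names the wrong entity — this loop copies `lnk_` fields into the weblink object — so it should read `// write POST parameters into the weblink object`. The unchanged comment in the mode-2 branch further down (`// delete current announcements`) carries the same copy-paste origin and could be corrected in the same pass.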
@@ -110,13 +112,13 @@
$e->showHtml();
}
- // Link-Counter auf 0 setzen
- if ($getMode === 1)
+ // Set link counter to 0
+ if ($weblinkIsNew)
{
$link->setValue('lnk_counter', 0);
}
- // Daten in Datenbank schreiben
+ // save weblink data to database
$returnCode = $link->save();
if($returnCode === false)
@@ -125,9 +127,9 @@
// => EXIT
}
- if($returnCode === true && $getMode === 1)
+ if($returnCode === true && $weblinkIsNew)
{
- // Benachrichtigungs-Email für neue Einträge
+ // Notification email for new entries
$message = $gL10n->get('SYS_LINK_EMAIL_NOTIFICATION_MESSAGE', array($gCurrentOrganization->getValue('org_longname'), $_POST['lnk_url']. ' ('.$_POST['lnk_name'].')', $gCurrentUser->getValue('FIRST_NAME').' '.$gCurrentUser->getValue('LAST_NAME'), date($gSettingsManager->getString('system_date'))));
try
{
@@ -146,7 +148,7 @@
admRedirect($gNavigation->getUrl());
// => EXIT
}
-elseif ($getMode === 2 && $getLinkUuid !== '')
+elseif ($getMode === 2)
{
// delete current announcements, right checks were done before
$link->delete();
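Review bot: The delete branch condition was relaxed from `$getMode === 2 && $getLinkUuid !== ''` to `$getMode === 2`, so a request with mode 2 and an empty link_uuid now reaches `$link->delete()` on an object that was never loaded by UUID. Unless the lookup earlier in the file (outside this hunk) already exits when link_uuid is empty, that call will operate on an unsaved record; restoring the guard as `elseif ($getMode === 2 && $getLinkUuid !== '')` or exiting with an error when the UUID is missing keeps the previous behaviour.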
diff --git a/adm_program/modules/links/links_new.php b/adm_program/modules/links/links_new.php
index 9f750a7f3..0b4ba1e44 100644
--- a/adm_program/modules/links/links_new.php
+++ b/adm_program/modules/links/links_new.php
@@ -55,13 +55,12 @@
if(isset($_SESSION['links_request']))
{
- // durch fehlerhafte Eingabe ist der User zu diesem Formular zurueckgekehrt
- // nun die vorher eingegebenen Inhalte ins Objekt schreiben
+ // due to incorrect input the user has returned to this form
+ // now write the previously entered contents into the object
$link->setArray($_SESSION['links_request']);
unset($_SESSION['links_request']);
}
-// Html-Kopf ausgeben
if($getLinkUuid !== '')
{
$headline = $gL10n->get('SYS_EDIT_VAR', array($getHeadline));
@@ -77,18 +76,8 @@
// create html page object
$page = new HtmlPage('admidio-weblinks-edit', $headline);
-// Html des Modules ausgeben
-if($getLinkUuid !== '')
-{
- $modeEditOrCreate = '3';
-}
-else
-{
- $modeEditOrCreate = '1';
-}
-
// show form
-$form = new HtmlForm('weblinks_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/links/links_function.php', array('link_uuid' => $getLinkUuid, 'headline' => $getHeadline, 'mode' => $modeEditOrCreate)), $page);
+$form = new HtmlForm('weblinks_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/links/links_function.php', array('link_uuid' => $getLinkUuid, 'headline' => $getHeadline, 'mode' => 1)), $page);
$form->addInput(
'lnk_name', $gL10n->get('SYS_LINK_NAME'), SecurityUtils::encodeHTML($link->getValue('lnk_name')),
array('maxLength' => 250, 'property' => HtmlForm::FIELD_REQUIRED)
diff --git a/adm_program/modules/menu/menu.php b/adm_program/modules/menu/menu.php
index 0985862b4..61fcdb246 100644
--- a/adm_program/modules/menu/menu.php
+++ b/adm_program/modules/menu/menu.php
@@ -96,10 +96,12 @@
}
$htmlMoveRow = ''.
+ \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/menu/menu_function.php', array('mode' => 3, 'menu_uuid' => $menuRow['men_uuid'], 'sequence' => 'UP')) . '\',
+ \''.$gCurrentSession->getCsrfToken().'\')">'.
'
'.
+ \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/menu/menu_function.php', array('mode' => 3, 'menu_uuid' => $menuRow['men_uuid'], 'sequence' => 'DOWN')) . '\',
+ \''.$gCurrentSession->getCsrfToken().'\')">'.
'';
$htmlStandardMenu = ' ';
diff --git a/adm_program/modules/menu/menu_function.php b/adm_program/modules/menu/menu_function.php
index 4673e1c90..e79f3a01a 100644
--- a/adm_program/modules/menu/menu_function.php
+++ b/adm_program/modules/menu/menu_function.php
@@ -41,22 +41,24 @@
$menu->readDataByUuid($getMenuUuid);
}
+try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception) {
+ if($getMode === 1) {
+ $exception->showHtml();
+ } else {
+ $exception->showText();
+ }
+ // => EXIT
+}
+
// create menu or update it
if($getMode === 1)
{
$_SESSION['menu_request'] = $_POST;
- try
- {
- // check the CSRF token of the form against the session token
- SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
- }
- catch(AdmException $exception)
- {
- $exception->showHtml();
- // => EXIT
- }
-
$postIdParent = admFuncVariableIsValid($_POST, 'men_men_id_parent', 'int');
$postComId = admFuncVariableIsValid($_POST, 'men_com_id', 'int');
$postName = admFuncVariableIsValid($_POST, 'men_name', 'string', array('default' => ''));
@@ -152,10 +154,15 @@
{
echo 'done';
}
+ exit();
}
elseif($getMode === 3)
{
- // Update menu order
- $menu->moveSequence($getSequence);
+ // Update menu sequence
+ if($menu->moveSequence($getSequence)) {
+ echo 'done';
+ } else {
+ echo 'Sequence could not be changed.';
+ }
exit();
}
diff --git a/adm_program/modules/messages/messages.php b/adm_program/modules/messages/messages.php
index 802ce9614..17f017902 100644
--- a/adm_program/modules/messages/messages.php
+++ b/adm_program/modules/messages/messages.php
@@ -30,17 +30,24 @@
if ($getMsgUuid !== '')
{
+ try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+ }
+ catch(AdmException $exception) {
+ $exception->showText();
+ // => EXIT
+ }
+
$delMessage = new TableMessage($gDb);
$delMessage->readDataByUuid($getMsgUuid);
// Function to delete message
- $delete = $delMessage->delete();
- if ($delete)
- {
+ $returnCode = $delMessage->delete();
+
+ if ($returnCode) {
echo 'done';
- }
- else
- {
+ } else {
echo 'delete not OK';
}
exit();
diff --git a/adm_program/modules/photos/photo_album_function.php b/adm_program/modules/photos/photo_album_function.php
index e90865aa3..5d8c18081 100644
--- a/adm_program/modules/photos/photo_album_function.php
+++ b/adm_program/modules/photos/photo_album_function.php
@@ -37,7 +37,7 @@
// create photo album object
$photoAlbum = new TablePhotos($gDb);
-if ($getMode !== 'new' && $getPhotoUuid !== '')
+if ($getPhotoUuid !== '')
{
$photoAlbum->readDataByUuid($getPhotoUuid);
}
@@ -55,13 +55,11 @@
/********************Aenderungen oder Neueintraege kontrollieren***********************************/
if ($getMode === 'new' || $getMode === 'change')
{
- try
- {
+ try {
// check the CSRF token of the form against the session token
SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
}
- catch(AdmException $exception)
- {
+ catch(AdmException $exception) {
$exception->showHtml();
// => EXIT
}
@@ -213,6 +211,15 @@
// delete photo album
elseif ($getMode === 'delete')
{
+ try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+ }
+ catch(AdmException $exception) {
+ $exception->showText();
+ // => EXIT
+ }
+
if ($photoAlbum->delete())
{
echo 'done';
diff --git a/adm_program/modules/photos/photo_function.php b/adm_program/modules/photos/photo_function.php
index 81867bcf5..0bd499dec 100644
--- a/adm_program/modules/photos/photo_function.php
+++ b/adm_program/modules/photos/photo_function.php
@@ -47,8 +47,6 @@
*/
function deleteThumbnail(TablePhotos $photoAlbum, $picNr)
{
- global $gLogger;
-
// Ordnerpfad zusammensetzen
$photoPath = ADMIDIO_PATH . FOLDER_DATA . '/photos/'.$photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id') . '/thumbnails/' . $picNr . '.jpg';
try
@@ -57,7 +55,7 @@ function deleteThumbnail(TablePhotos $photoAlbum, $picNr)
}
catch (\RuntimeException $exception)
{
- $gLogger->error('Could not delete file!', array('filePath' => $photoPath));
+ $GLOBALS['gLogger']->error('Could not delete file!', array('filePath' => $photoPath));
// TODO
}
}
@@ -69,9 +67,7 @@ function deleteThumbnail(TablePhotos $photoAlbum, $picNr)
*/
function deletePhoto(TablePhotos $photoAlbum, $picNr)
{
- global $gLogger;
-
- // Speicherort
+ // get album folder path
$albumPath = ADMIDIO_PATH . FOLDER_DATA . '/photos/' . $photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id');
// delete photos
@@ -83,7 +79,7 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
}
catch (\RuntimeException $exception)
{
- $gLogger->error(
+ $GLOBALS['gLogger']->error(
'Could not delete file!',
array('filePaths' => array(
$albumPath.'/'.$picNr.'.jpg',
@@ -94,7 +90,7 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
// TODO
}
- // Umbenennen der Restbilder und Thumbnails loeschen
+ // Rename the remaining images and delete thumbnails
$newPicNr = $picNr;
$thumbnailDelete = false;
@@ -112,7 +108,7 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
}
catch (\RuntimeException $exception)
{
- $gLogger->error(
+ $GLOBALS['gLogger']->error(
'Could not move file!',
array(
'from' => array(
@@ -139,12 +135,12 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
if ($thumbnailDelete)
{
- // Alle Thumbnails ab dem geloeschten Bild loeschen
+ // Delete all thumbnails starting from the deleted image
deleteThumbnail($photoAlbum, $actPicNr);
}
}//for
- // Aendern der Datenbankeintaege
+ // change quantity of images within the album
$photoAlbum->setValue('pho_quantity', (int) $photoAlbum->getValue('pho_quantity') - 1);
$photoAlbum->save();
}
@@ -163,16 +159,14 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
// Rotate the photo by 90°
if ($getJob === 'rotate')
{
- // nur bei gueltigen Uebergaben weiterarbeiten
if ($getDirection !== '')
{
- // Thumbnail loeschen
deleteThumbnail($photoAlbum, $getPhotoNr);
- // Ordnerpfad zusammensetzen
+ // get album folder path with image file name
$photoPath = ADMIDIO_PATH . FOLDER_DATA . '/photos/' . $photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id') . '/' . $getPhotoNr . '.jpg';
- // Bild drehen
+ // rotate image
$image = new Image($photoPath);
$image->rotate($getDirection);
$image->delete();
@@ -181,10 +175,19 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
// delete photo from filesystem and update photo album
elseif ($getJob === 'delete')
{
+ try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+ }
+ catch(AdmException $exception) {
+ $exception->showText();
+ // => EXIT
+ }
+
deletePhoto($photoAlbum, $getPhotoNr);
$_SESSION['photo_album'] = $photoAlbum;
- // Loeschen erfolgreich -> Rueckgabe fuer XMLHttpRequest
+ // Delete successful -> return for XMLHttpRequest
echo 'done';
}
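Review bot: The new token check protects only the `delete` job, while the `rotate` job two hunks above also rewrites the image on disk (Image::rotate followed by delete/save) and remains reachable without a token. If rotation is triggered by a plain link, a cross-site request can still modify album contents; please confirm whether that path is meant to stay unprotected, and if not, apply the same `SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);` try/catch at the top of the rotate branch.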
diff --git a/adm_program/modules/profile-fields/profile_fields.php b/adm_program/modules/profile-fields/profile_fields.php
index 7561c9d71..d041e4dda 100644
--- a/adm_program/modules/profile-fields/profile_fields.php
+++ b/adm_program/modules/profile-fields/profile_fields.php
@@ -12,7 +12,7 @@
require_once(__DIR__ . '/../../system/common.php');
require(__DIR__ . '/../../system/login_valid.php');
-// nur berechtigte User duerfen die Profilfelder bearbeiten
+// only authorized users can edit the profile fields
if (!$gCurrentUser->isAdministrator())
{
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
@@ -201,10 +201,12 @@
$columnValues = array(
''.$userField->getValue('usf_name').'',
''.
+ \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile-fields/profile_fields_function.php', array('mode' => 4, 'usf_uuid' => $usfUuid, 'sequence' => TableUserField::MOVE_UP)) . '\',
+ \''.$gCurrentSession->getCsrfToken().'\')">'.
'
'.
+ \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile-fields/profile_fields_function.php', array('mode' => 4, 'usf_uuid' => $usfUuid, 'sequence' => TableUserField::MOVE_DOWN)) . '\',
+ \''.$gCurrentSession->getCsrfToken().'\')">'.
'
'.
'
diff --git a/adm_program/modules/profile-fields/profile_fields_function.php b/adm_program/modules/profile-fields/profile_fields_function.php
index 358f75e0a..e82051834 100644
--- a/adm_program/modules/profile-fields/profile_fields_function.php
+++ b/adm_program/modules/profile-fields/profile_fields_function.php
@@ -29,8 +29,20 @@
$getSequence = admFuncVariableIsValid($_GET, 'sequence', 'string', array('validValues' => array(TableUserField::MOVE_UP, TableUserField::MOVE_DOWN)));
$getOrder = admFuncVariableIsValid($_GET, 'order', 'array');
+try {
+ // check the CSRF token of the form against the session token
+ SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception) {
+ if($getMode === 1) {
+ $exception->showHtml();
+ } else {
+ $exception->showText();
+ }
+ // => EXIT
+}
-// nur berechtigte User duerfen die Profilfelder bearbeiten
+// only authorized users can edit the profile fields
if (!$gCurrentUser->isAdministrator())
{
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
@@ -237,7 +249,11 @@
$userField->setSequence($getOrder);
} else {
// move field up/down by one
- $userField->moveSequence($getSequence);
+ if($userField->moveSequence($getSequence)) {
+ echo 'done';
+ } else {
+ echo 'Sequence could not be changed.';
+ }
}
exit();
}
diff --git a/adm_program/modules/profile-fields/profile_fields_new.php b/adm_program/modules/profile-fields/profile_fields_new.php
index ba61af139..41b8dbce7 100644
--- a/adm_program/modules/profile-fields/profile_fields_new.php
+++ b/adm_program/modules/profile-fields/profile_fields_new.php
@@ -18,7 +18,7 @@
// Initialize and check the parameters
$getUsfUuid = admFuncVariableIsValid($_GET, 'usf_uuid', 'string');
-// nur berechtigte User duerfen die Profilfelder bearbeiten
+// only authorized users can edit the profile fields
if (!$gCurrentUser->isAdministrator())
{
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
diff --git a/adm_program/modules/profile/profile.js b/adm_program/modules/profile/profile.js
index 115f6f66c..cfb4c10ca 100644
--- a/adm_program/modules/profile/profile.js
+++ b/adm_program/modules/profile/profile.js
@@ -26,7 +26,7 @@ function ProfileJS(gRootPath) {
$(".admMemberInfo").click(function() {
showHideMembershipInformation($(this));
});
- formSubmitEvent();
+ formSubmitEvent('#profile_roles_box_body');
}
});
};
@@ -37,7 +37,7 @@ function ProfileJS(gRootPath) {
dataType: "html",
success: function(responseText) {
$("#profile_former_roles_box_body").html(responseText);
- formSubmitEvent();
+ formSubmitEvent('#profile_former_roles_box_body');
}
}
);
@@ -49,7 +49,7 @@ function ProfileJS(gRootPath) {
dataType: "html",
success: function(responseText) {
$("#profile_future_roles_box_body").html(responseText);
- formSubmitEvent();
+ formSubmitEvent('#profile_future_roles_box_body');
}
}
);
@@ -74,11 +74,11 @@ function ProfileJS(gRootPath) {
return "leader-" + number;
}
- this.toggleDetailsOn = function (memberId) {
- $("#membership_period_" + memberId).css({"visibility": "visible", "display": "block"});
+ this.toggleDetailsOn = function (memberUuid) {
+ $("#membership_period_" + memberUuid).css({"visibility": "visible", "display": "block"});
};
- this.toggleDetailsOff = function (memberId) {
- $("#membership_period_" + memberId).css({"visibility": "hidden", "display": "none"});
+ this.toggleDetailsOff = function (memberUuid) {
+ $("#membership_period_" + memberUuid).css({"visibility": "hidden", "display": "none"});
};
}
diff --git a/adm_program/modules/profile/profile.php b/adm_program/modules/profile/profile.php
index 0a01e114a..cce224fb5 100644
--- a/adm_program/modules/profile/profile.php
+++ b/adm_program/modules/profile/profile.php
@@ -149,40 +149,42 @@ function callbackFutureRoles() {
}
}
- function formSubmitEvent() {
- $(".button-membership-period-form").click(function(event) {
- var memberId = $(this).attr("data-admidio");
- var dateStart = $("#membership_start_date_" + memberId).val();
- var dateEnd = $("#membership_end_date_" + memberId).val();
- var action = $("#membership_period_form_" + memberId).attr("action") + "&membership_start_date_" + memberId + "=" + dateStart + "&membership_end_date_" + memberId + "=" + dateEnd;
-
- var formAlert = $("#membership_period_form_" + memberId + " .form-alert");
+ function formSubmitEvent(rolesAreaId = "") {
+ $(rolesAreaId + " .admidio-form-membership-period").submit(function(event) {
+ var memberUuid = $(this).attr("data-admidio");
+ var formAlert = $("#membership_period_form_" + memberUuid + " .form-alert");
+
+ event.preventDefault(); // avoid to execute the actual submit of the form.
formAlert.hide();
- $.get({
- url: action,
- success: function(data) {
+ $.post({
+ url: $(this).attr("action"),
+ data: $(this).serialize(),
+ success: function(data)
+ {
if (data === "success") {
formAlert.attr("class", "alert alert-success form-alert");
formAlert.html("'.$gL10n->get('SYS_SAVE_DATA').'");
formAlert.fadeIn("slow");
- formAlert.animate({opacity: 1.0}, 2500);
+ formAlert.animate({opacity: 1.0}, 5000);
formAlert.fadeOut("slow");
- var membershipPeriod = $("#membership_period_" + memberId);
- membershipPeriod.animate({opacity: 1.0}, 2500);
+ var membershipPeriod = $("#membership_period_" + memberUuid);
+ membershipPeriod.animate({opacity: 1.0}, 5000);
membershipPeriod.fadeOut("slow");
profileJS.reloadRoleMemberships();
profileJS.reloadFormerRoleMemberships();
profileJS.reloadFutureRoleMemberships();
+ formSubmitEvent();
} else {
formAlert.attr("class", "alert alert-danger form-alert");
formAlert.fadeIn();
formAlert.html("" + data);
}
}
- });
+ });
+ return false;
});
}
');
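Review bot: The argument-less `formSubmitEvent();` added inside the success callback binds a submit handler to every `.admidio-form-membership-period` form on the page, yet profile.js in this same commit already rebinds per area (`formSubmitEvent('#profile_roles_box_body')` etc.) once each asynchronous reload completes, so this call is at best redundant and at worst attaches a second handler to any form that is not replaced by the reloads, producing duplicate POSTs. Removing that line, or passing the area selector that was actually refreshed, avoids the double binding; with the default `rolesAreaId = ""` the selector also begins with a space, which jQuery appears to tolerate but is worth a comment. The handler calls both `event.preventDefault()` and `return false`, of which one is sufficient.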
@@ -201,6 +203,7 @@ function formSubmitEvent() {
todayHighlight: true,
autoclose: true
});
+
formSubmitEvent();',
true
);
@@ -709,11 +712,10 @@ function formSubmitEvent() {
// Roles block
// *******************************************************************************
- // Alle Rollen auflisten, die dem Mitglied zugeordnet sind
+ // List all roles assigned to the member
$roleStatement = getRolesFromDatabase($userId);
$countRole = $roleStatement->rowCount();
- // Ausgabe
$page->addHtml('