Add CSRF tokens to lightbox and detail commenting and tagging actions
collectiveaccess committed Oct 3, 2021
1 parent 90514fd commit 335159c
Showing 11 changed files with 43 additions and 25 deletions.
4 changes: 4 additions & 0 deletions app/controllers/DetailController.php
Expand Up @@ -823,6 +823,10 @@ public function CommentForm(){
*
*/
public function SaveCommentTagging() {
if (!caValidateCSRFToken($this->request)) {
throw new ApplicationException(_t("Invalid CSRF token"));
}

# --- inline is passed to indicate form appears embedded in detail page, not in overlay
$vn_inline_form = $this->request->getParameter("inline", pInteger);
if(!$t_item = Datamodel::getInstance($this->request->getParameter("tablename", pString), true)) {
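Review bot: The `if (!caValidateCSRFToken($this->request)) { throw … }` wrapper at the top of SaveCommentTagging looks redundant with the helper's own behaviour: the utilityHelpers docblock in this same commit says the `exceptions` option defaults to true, so an invalid token should already throw inside the helper and the `false` branch here is unreachable unless that default is overridden — I cannot see the helper's full body, so please confirm. If the intent is to own the error path in the controller, call `caValidateCSRFToken($this->request, null, ['exceptions' => false])` so this message is the one that fires; otherwise a bare `caValidateCSRFToken($this->request);` says the same thing in one line. Consider also that for the `inline` variant of this form an uncaught exception replaces the detail page with an error screen rather than re-rendering the form with a message. The method body continues past the hunk.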
18 changes: 15 additions & 3 deletions app/controllers/LightboxController.php
Expand Up @@ -943,6 +943,9 @@ function ajaxListComments() {
*/
function ajaxAddComment() {
if($this->opb_is_login_redirect) { return; }
if (!caValidateCSRFToken($this->request)) {
throw new ApplicationException(_t("Invalid CSRF token"));
}

// when close is set to true, will make the form view disappear after saving form

Expand Down Expand Up @@ -1000,7 +1003,9 @@ function ajaxAddComment() {
*/
function ajaxDeleteComment() {
if($this->opb_is_login_redirect) { return; }

if (!caValidateCSRFToken($this->request)) {
throw new ApplicationException(_t("Invalid CSRF token"));
}
$va_errors = array();
$vs_message = null;
$vn_count = null;
Expand All @@ -1018,7 +1023,6 @@ function ajaxDeleteComment() {
if (($this->request->getUserID() != $t_comment->get("user_id")) && !$t_set->haveAccessToSet($this->request->getUserID(), __CA_SET_EDIT_ACCESS__)) {
$va_errors[] = _t('You do not have access to this comment');
} else {
$t_comment->setMode(ACCESS_WRITE);
$t_comment->delete(true);
if ($t_comment->numErrors()) {
$va_errors = $t_comment->getErrors();
Expand All @@ -1045,7 +1049,9 @@ function ajaxDeleteComment() {
*/
public function deleteLightbox() {
if($this->opb_is_login_redirect) { return; }

if (!caValidateCSRFToken($this->request)) {
throw new ApplicationException(_t("Invalid CSRF token"));
}
$va_errors = array();
$vs_message = $vn_set_id = $vs_set_name = null;

Expand Down Expand Up @@ -1100,6 +1106,9 @@ public function ajaxReorderItems() {
*/
public function ajaxDeleteItem() {
if($this->opb_is_login_redirect) { return; }
if (!caValidateCSRFToken($this->request)) {
throw new ApplicationException(_t("Invalid CSRF token"));
}

if($t_set = $this->_getSet(__CA_SET_EDIT_ACCESS__)){

Expand All @@ -1125,6 +1134,9 @@ public function ajaxDeleteItem() {
*/
public function ajaxAddItem($pa_options = null) {
if($this->opb_is_login_redirect) { return; }
if (!caValidateCSRFToken($this->request)) {
throw new ApplicationException(_t("Invalid CSRF token"));
}

global $g_ui_locale_id; // current locale_id for user
$va_errors = array();
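Review bot: ajaxReorderItems is left without a CSRF check in this section — the five added guards cover ajaxAddComment, ajaxDeleteComment, deleteLightbox, ajaxDeleteItem and ajaxAddItem, which accounts for all 15 added lines, yet the set_detail views in this commit now append `csrfToken` to the AjaxReorderItems URL, so for reordering the token is sent but, as far as this diff shows, never validated. Add the same three lines after the `opb_is_login_redirect` guard in `ajaxReorderItems()`; its body starts above the last hunk and is outside view. A second, smaller point: these are JSON endpoints whose callers only test `data.status == 'ok'`, so throwing ApplicationException yields a non-JSON error response that the page JS drops silently; pushing `_t('Invalid CSRF token')` into the existing `$va_errors` and rendering the usual JSON view would surface the failure to the user.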
2 changes: 1 addition & 1 deletion app/helpers/navigationHelpers.php
Expand Up @@ -420,7 +420,7 @@ function caFormTag($po_request, $ps_action, $ps_id, $ps_module_and_controller_pa
$vs_buf .= caHTMLHiddenInput('form_timestamp', array('value' => time()));
}
if (!caGetOption('noCSRFToken', $pa_options, false)) {
$vs_buf .= caHTMLHiddenInput('crsfToken', array('value' => caGenerateCSRFToken($po_request)));
$vs_buf .= caHTMLHiddenInput('csrfToken', array('value' => caGenerateCSRFToken($po_request)));
}

if (!caGetOption('disableUnsavedChangesWarning', $pa_options, false)) {
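Review bot: Renaming the hidden field from `crsfToken` to `csrfToken` changes the wire parameter name, and because caValidateCSRFToken in this same commit now reads only `csrfToken`, any theme, plugin or hand-written form still emitting the old spelling will start failing with "Invalid CSRF token" after deploy — as will forms already rendered in open browser tabs at upgrade time. The fix is right, but grep themes and plugins for `crsfToken` and consider letting the validator accept the old name for one release: `if(!$ps_token) { $ps_token = $po_request->getParameter('csrfToken', pString) ?: $po_request->getParameter('crsfToken', pString); }`. caFormTag's body continues outside the hunk.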
4 changes: 2 additions & 2 deletions app/helpers/utilityHelpers.php
Expand Up @@ -3611,7 +3611,7 @@ function caGenerateCSRFToken($po_request=null){
* Validate CSRF token using current session
*
* @param RequestHTTP $po_request Current request
* @param string $ps_token CSRF token to validate. If omitted token in the "crsfToken" parameter is extracted from current request.
* @param string $ps_token CSRF token to validate. If omitted token in the "csrfToken" parameter is extracted from current request.
* @param array $pa_options Options include:
* remove = remove validated token from active token list. [Default is true]
* exceptions = throw exception if token is invalid. [Default is true]
Expand All @@ -3621,7 +3621,7 @@ function caGenerateCSRFToken($po_request=null){
function caValidateCSRFToken($po_request, $ps_token=null, $pa_options=null){
$session_id = $po_request ? $po_request->getSessionID() : 'none';

if(!$ps_token) { $ps_token = $po_request->getParameter('crsfToken', pString); }
if(!$ps_token) { $ps_token = $po_request->getParameter('csrfToken', pString); }
if (!is_array($va_tokens = PersistentCache::fetch("csrf_tokens_{$session_id}", "csrf_tokens"))) { $va_tokens = []; }

if (isset($va_tokens[$ps_token])) {
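Review bot: caValidateCSRFToken guards against a null `$po_request` when computing `$session_id` (`$po_request ? … : 'none'`) but the very next statement dereferences it unconditionally whenever `$ps_token` is empty, so `caValidateCSRFToken(null)` is a fatal error rather than a clean rejection. Guard it — `if(!$ps_token && $po_request) { $ps_token = $po_request->getParameter('csrfToken', pString); }` — and reject an empty `$ps_token` before the `isset($va_tokens[$ps_token])` lookup, since an empty or null key is otherwise looked up as `''`. The function continues past the hunk, so I cannot see how the `remove` and `exceptions` options are applied after the lookup.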
2 changes: 1 addition & 1 deletion themes/default/views/Classroom/list_html.php
Expand Up @@ -203,7 +203,7 @@
jQuery('#confirm-delete .btn-delete').data('set_id', set_id);
}).find('.btn-delete').on('click', function(e) {
var set_id = jQuery(this).data('set_id');
jQuery.getJSON('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id }, function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) {
if(data.status == 'ok') {
jQuery("#crSetContainer" + set_id).parent().remove();
if (jQuery('.crSetContainer').length == 0) { jQuery('#crSetListPlaceholder').show(); } else { jQuery('#crSetListPlaceholder').hide(); }
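Review bot: The token is now sent as a query-string parameter of a GET (`jQuery.getJSON(…, {'set_id': set_id, 'csrfToken': …})`) for the destructive DeleteLightbox action, which writes a live anti-CSRF token into web-server and proxy access logs and into the Referer of any navigation that follows. Since the JS builds the request, switching to POST is a one-line change: `jQuery.post('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) { … }, 'json');` — this presumes `getParameter` reads POST bodies as it does for the POST forms elsewhere in this commit, which the controller code here does not let me confirm. Mixing `<?= … ?>` with the file's existing `<?php print …; ?>` style is also worth normalising one way.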
12 changes: 6 additions & 6 deletions themes/default/views/Classroom/set_detail_html.php
Expand Up @@ -433,7 +433,7 @@
jQuery('#confirm-delete .btn-delete').data('set_id', set_id);
}).find('.btn-delete').on('click', function(e) {
var set_id = jQuery(this).data('set_id');
jQuery.getJSON('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id }, function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) {
if(data.status == 'ok') {
jQuery("#crSetContainer" + set_id).remove();
jQuery("#crUserResponse").html(' ');
Expand Down Expand Up @@ -499,15 +499,15 @@
var data = $(this).sortable('serialize');
jQuery.ajax({
type: 'POST',
url: '<?php print caNavUrl($this->request, "", "Lightbox", "AjaxReorderItems"); ?>/row_ids/' + data
url: '<?php print caNavUrl($this->request, "", "Lightbox", "AjaxReorderItems", ['csrfToken' => caGenerateCSRFToken($this->request)]); ?>/row_ids/' + data
});
}
});

jQuery("#lbSetResultLoadContainer").on('click', ".lbItemDeleteButton", function(e) {
var id = jQuery(this).data("item_id");

jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteItem'); ?>', {'set_id': '<?php print $t_set->get("set_id"); ?>', 'item_id':id} , function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteItem'); ?>', {'set_id': '<?php print $t_set->get("set_id"); ?>', 'item_id':id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?>} , function(data) {
if(data.status == 'ok') {
jQuery('.lbItem' + data.item_id).fadeOut(500, function() { jQuery('.lbItem' + data.item_id).remove(); });
jQuery('.lbSetCountInt').html(data.count); // update count
Expand All @@ -522,7 +522,7 @@
);

jQuery("#addComment").on('submit', function(e) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxAddComment'); ?>', {'id': '<?php print $t_set->get("set_id"); ?>', 'type': 'ca_sets', 'comment': jQuery("#addCommentTextArea").val() } , function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxAddComment'); ?>', {'id': '<?php print $t_set->get("set_id"); ?>', 'type': 'ca_sets', 'comment': jQuery("#addCommentTextArea").val(), 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> } , function(data) {
if(data.status == 'ok') {
jQuery("#lbSetCommentErrors").hide()
jQuery("#addCommentTextArea").val('');
Expand All @@ -541,7 +541,7 @@
jQuery("div.lbComments").on('click', '.lbComment', function(e) {
var comment_id = jQuery(this).data("comment_id");
if(comment_id) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteComment'); ?>', {'comment_id': comment_id }, function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteComment'); ?>', {'comment_id': comment_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) {
if(data.status == 'ok') {
jQuery("#lbSetCommentErrors").hide()
jQuery("#lbComments" + data.comment_id).remove();
Expand All @@ -565,4 +565,4 @@
</script>
<?php
} //!ajax
?>
?>
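Review bot: Each handler in this page embeds one token generated at render time and reuses it on every click — the `.lbItemDeleteButton` and `.lbComment` handlers fire repeatedly without a page reload — while caValidateCSRFToken's docblock in this commit says `remove` defaults to true, i.e. a token is dropped from the active list on first successful use. If that default applies to these calls, the second delete in the same page view is rejected with "Invalid CSRF token" and, because only the success callback is wired, the user sees nothing. Either validate these AJAX actions with `['remove' => false]` (trading single-use for per-session tokens) or return a fresh token in each JSON response and have the success callback store it for the next request. caGenerateCSRFToken's body is not visible, so I cannot tell whether it reuses a session token or mints a new one per call.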
3 changes: 2 additions & 1 deletion themes/default/views/Details/form_comments_html.php
Expand Up @@ -10,6 +10,7 @@
?>
<form method="post" id="CommentForm" action="#" class="form-horizontal" role="form" enctype="multipart/form-data">
<?php
print caHTMLHiddenInput('csrfToken', array('value' => caGenerateCSRFToken($this->request)));
print "<div class='form-group'><label for='tags' class='col-sm-4 control-label'>"._t("Tags")."</label><div class='col-sm-7'><input type='text' name='tags' value='' class='form-control' placeholder='"._t("tags separated by commas")."'></div><!-- end col-sm-7 --></div><!-- end form-group -->\n";
print "<div class='form-group'><label for='comment' class='col-sm-4 control-label'>"._t("Comment")."</label><div class='col-sm-7'><textarea name='comment' class='form-control' rows='3'></textarea></div><!-- end col-sm-7 --></div><!-- end form-group -->\n";
?>
Expand All @@ -34,4 +35,4 @@
return false;
});
});
</script>
</script>
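Review bot: The token is emitted by hand with `caHTMLHiddenInput('csrfToken', …)` inside a raw `<form method="post" … enctype="multipart/form-data">`, duplicating what caFormTag already does in this commit (it adds the same hidden field unless `noCSRFToken` is set, plus `form_timestamp`). Using caFormTag here would keep the parameter name in one place so the next rename does not have to touch every theme view. If the raw form is deliberate because of the `action="#"` / JS-submit pattern, a one-line comment above the hidden input — `// CSRF token; validated in DetailController::SaveCommentTagging` — would stop the next reader from "fixing" it. The submit handler is outside the hunk, so I cannot confirm the hidden field is included in what it sends.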
5 changes: 3 additions & 2 deletions themes/default/views/Lightbox/ajax_comments.php
Expand Up @@ -58,6 +58,7 @@
<div>
<form action="#" id="addComment<?php print $vn_item_id; ?>">
<?php
print caHTMLHiddenInput('csrfToken', array('value' => caGenerateCSRFToken($this->request)));
if($vs_error){
print "<div>".$vs_error."</div>";
}
Expand Down Expand Up @@ -96,7 +97,7 @@
jQuery("#lbSetComments{{{item_id}}}").on('click', '.lbCommentRemove', function(e) {
var comment_id = jQuery(this).data("comment_id");
if(comment_id) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteComment'); ?>', {'comment_id': comment_id }, function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteComment'); ?>', {'comment_id': comment_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) {
if(data.status == 'ok') {
jQuery("#lbSetCommentErrors{{{item_id}}}").hide();
jQuery("#lbComments" + data.comment_id).remove();
Expand All @@ -116,4 +117,4 @@
}
});
});
</script>
</script>
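Review bot: The hidden `csrfToken` input added to `#addComment<?php print $vn_item_id; ?>` only protects the add-comment call if the form's submit handler serialises the form; that handler is outside this hunk, and the sibling set_detail views in this commit build the AjaxAddComment payload by hand from the textarea rather than with `.serialize()`, a pattern that would drop the hidden field and make ajaxAddComment's new guard reject every submission. Please confirm the handler uses `jQuery(this).serialize()` or adds the token explicitly, as the delete handler below now does. Also, this view is presumably fetched via AJAX (per its name) and each render calls caGenerateCSRFToken twice, so confirm the generator caps or prunes the per-session token list held in PersistentCache — its body is not visible here.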
4 changes: 2 additions & 2 deletions themes/default/views/Lightbox/form_add_set_item_html.php
Expand Up @@ -44,6 +44,7 @@
?>
<form id="AddItemForm" action="#" class="form-horizontal" role="form">
<?php
print caHTMLHiddenInput('csrfToken', array('value' => caGenerateCSRFToken($this->request)));
if(is_array($va_write_sets) && sizeof($va_write_sets)){
$t_write_set = new ca_sets();
print "<div class='form-group'><div class='col-sm-offset-4 col-sm-7'><select name='set_id' class='form-control'>";
Expand All @@ -57,7 +58,6 @@
print "<div class='form-group'><div class='col-sm-offset-4 col-sm-7'><H3>"._t("OR<br/>Create a New %1", ucfirst($vs_display_name))."</H3></div></div><!-- end form-group -->\n";
}
print "<div class='form-group'><label for='name' class='col-sm-4 control-label'>"._t("Name")."</label><div class='col-sm-7'><input type='text' name='name' placeholder='"._t("Your %1", $vs_display_name)."' class='form-control'></div><!-- end col-sm-7 --></div><!-- end form-group -->\n";
#print $t_set->htmlFormElement("access","<div class='form-group'><label for='access' class='col-sm-4 control-label'>"._t("Display Option")."</label><div class='col-sm-7' class='form-control'>^ELEMENT</div><!-- end col-sm-7 --></div><!-- end form-group -->\n", array("classname" => "form-control"));
print "<div class='form-group'><label for='description' class='col-sm-4 control-label'>"._t("Description")."</label><div class='col-sm-7'><textarea name='".$vs_description_attribute."' class='form-control' rows='3'></textarea></div><!-- end col-sm-7 --></div><!-- end form-group -->\n";

?>
Expand All @@ -83,4 +83,4 @@
return false;
});
});
</script>
</script>
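Review bot: `<form id="AddItemForm" action="#" …>` has no `method` attribute, so if the JS submit handler (outside this hunk, ending in `return false`) ever fails to intercept, the browser submits via GET and the new `csrfToken` hidden field, the set name and the description all land in the URL and access logs. Add `method="post"` to the form tag; it costs nothing when the JS path works and is the right default for a state-changing form. As with the other views in this commit, confirm that the handler serialises the form so the hidden field actually reaches ajaxAddItem, whose new guard would otherwise reject every request.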
10 changes: 5 additions & 5 deletions themes/default/views/Lightbox/set_detail_html.php
Expand Up @@ -406,15 +406,15 @@ class="form-control"></textarea>
var data = $(this).sortable('serialize');
jQuery.ajax({
type: 'POST',
url: '<?php print caNavUrl($this->request, "", "Lightbox", "AjaxReorderItems"); ?>/row_ids/' + data
url: '<?php print caNavUrl($this->request, "", "Lightbox", "AjaxReorderItems", ['csrfToken' => caGenerateCSRFToken($this->request)]); ?>/row_ids/' + data
});
}
});

jQuery("#lbSetResultLoadContainer").on('click', ".lbItemDeleteButton", function(e) {
var id = jQuery(this).data("item_id");

jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteItem'); ?>', {'set_id': '<?php print $t_set->get("set_id"); ?>', 'item_id':id} , function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteItem'); ?>', {'set_id': '<?php print $t_set->get("set_id"); ?>', 'item_id':id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?>} , function(data) {
if(data.status == 'ok') {
jQuery('.lbItem' + data.item_id).fadeOut(500, function() { jQuery('.lbItem' + data.item_id).remove(); });
jQuery('.lbSetCountInt').html(data.count); // update count
Expand All @@ -429,7 +429,7 @@ class="form-control"></textarea>
);

jQuery("#addComment").on('submit', function(e) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxAddComment'); ?>', {'id': '<?php print $t_set->get("set_id"); ?>', 'type': 'ca_sets', 'comment': jQuery("#addCommentTextArea").val() } , function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxAddComment'); ?>', {'id': '<?php print $t_set->get("set_id"); ?>', 'type': 'ca_sets', 'comment': jQuery("#addCommentTextArea").val(), 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> } , function(data) {
if(data.status == 'ok') {
jQuery("#lbSetCommentErrors").hide()
jQuery("#addCommentTextArea").val('');
Expand All @@ -448,7 +448,7 @@ class="form-control"></textarea>
jQuery("div.lbComments").on('click', '.lbComment', function(e) {
var comment_id = jQuery(this).data("comment_id");
if(comment_id) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteComment'); ?>', {'comment_id': comment_id }, function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '', 'Lightbox', 'AjaxDeleteComment'); ?>', {'comment_id': comment_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) {
if(data.status == 'ok') {
jQuery("#lbSetCommentErrors").hide()
jQuery("#lbComments" + data.comment_id).remove();
Expand All @@ -471,4 +471,4 @@ class="form-control"></textarea>
?>
</script>
<?php
} //!ajax
} //!ajax
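Review bot: The AjaxReorderItems call already uses `type: 'POST'`, yet the new token is appended to the URL via `caNavUrl(…, ['csrfToken' => …])` instead of the request body, so a live anti-CSRF token ends up in access and proxy logs for no benefit. Keep `url: '<?php print caNavUrl($this->request, "", "Lightbox", "AjaxReorderItems"); ?>/row_ids/' + data` as it was and add `data: { csrfToken: <?= json_encode(caGenerateCSRFToken($this->request)); ?> }` to the `jQuery.ajax` options, assuming `getParameter` reads POST bodies as the POST forms in this commit rely on. Note also that the LightboxController changes in this commit add guards to five actions but not to ajaxReorderItems, so unless it is validated elsewhere this token is currently sent and ignored.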
4 changes: 2 additions & 2 deletions themes/default/views/Lightbox/set_list_html.php
Expand Up @@ -205,7 +205,7 @@
jQuery('#confirm-delete .btn-delete').data('set_id', set_id);
}).find('.btn-delete').on('click', function(e) {
var set_id = jQuery(this).data('set_id');
jQuery.getJSON('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id }, function(data) {
jQuery.getJSON('<?php print caNavUrl($this->request, '*', '*', 'DeleteLightbox'); ?>', {'set_id': set_id, 'csrfToken': <?= json_encode(caGenerateCSRFToken($this->request)); ?> }, function(data) {
if(data.status == 'ok') {
jQuery("#lbSetContainer" + set_id).parent().remove();
if (jQuery('.lbSetContainer').length == 0) { jQuery('#lbSetListPlaceholder').show(); } else { jQuery('#lbSetListPlaceholder').hide(); }
Expand All @@ -218,4 +218,4 @@

});
});
</script>
</script>
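Review bot: The delete handler wires only a success callback and tests `data.status == 'ok'`; with the controller's new guard throwing ApplicationException on a bad or already-consumed token, the response is no longer JSON and `jQuery.getJSON` drops it silently, so the user clicks Delete and nothing happens with no message. Chain a failure handler on the returned promise — `}).fail(function() { /* show a "could not delete, reload and retry" message in this view's error area */ });` — the error container for this view is outside the hunk, so pick whatever it already uses. As in the Classroom list, this is a destructive action over GET with the token in the query string; `jQuery.post(url, data, callback, 'json')` keeps the token out of logs.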
