Add CSRF checks to search-by-set and spreadsheet editor
collectiveaccess committed Oct 26, 2021
1 parent 2ab409f commit 815d5d7
Showing 6 changed files with 37 additions and 21 deletions.
10 changes: 10 additions & 0 deletions app/lib/BaseFindController.php
Expand Up @@ -733,6 +733,11 @@ public function addToSet() {
public function createSetFromResult() {
global $g_ui_locale_id;

if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
throw new ApplicationException(_t('CSRF check failed'));
return;
}

$vs_set_name = $vs_set_code = null;
$vn_added_items_count = 0;

Expand Down Expand Up @@ -1150,6 +1155,11 @@ public function getResultsEditorData() {
* (2) "complex" editing from a popup editing window. Data is submitted from a form as standard editor UI form data from a psuedo editor UI screen.
*/
public function saveResultsEditorData() {
if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
throw new ApplicationException(_t('CSRF check failed'));
return;
}

$t_display = new ca_bundle_displays($this->opo_result_context->getCurrentBundleDisplay($this->opn_type_restriction_id, $this->_getShowInStr()));
$response = $t_display->saveResultsEditorData($this->ops_tablename, [
'request' => $this->request,
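Review bot: The `return;` on the line after each `throw new ApplicationException(_t('CSRF check failed'));` in createSetFromResult and saveResultsEditorData is unreachable and should be dropped, since the throw already leaves the method; the same pattern appears in both hunks of this file. The client side of this commit also posts uploads to the saveResultsEditorFiles action (the fileUploadUrl option in the complex-editor template), and no matching caValidateCSRFToken call for that action is visible here; if it is not checked elsewhere it should get the same guard. Both methods continue past their hunks.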
4 changes: 3 additions & 1 deletion assets/ca/ca.quickaddform.js
Expand Up @@ -6,7 +6,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
* Copyright 2014-2019 Whirl-i-Gig
* Copyright 2014-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
Expand Down Expand Up @@ -43,6 +43,7 @@ var caUI = caUI || {};

fileUploadUrl: null,
saveUrl: null,
csrfToken: null,

headerText: "QuickAdd",
saveText: "Saved record: %1",
Expand Down Expand Up @@ -73,6 +74,7 @@ var caUI = caUI || {};
});

formData = jQuery("#" + that.formID).serializeObject();
formData['csrfToken'] = that.csrfToken;

// Added "forced relationship" settings if available
var relatedID = jQuery("#" + that.formID).parent().data('relatedID');
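Review bot: `csrfToken: null` is added as an option default, but the save path then sends `formData['csrfToken'] = that.csrfToken;` unconditionally, so an embedding view that forgets to set the option posts a null token and the failure only surfaces as a server-side CSRF error. A one-line comment on the option would make the contract explicit: `csrfToken: null, // required: CSRF token from caGenerateCSRFToken(); the save post is rejected without it`. The same applies to the `csrfToken: null` option added in ca.tableview.js. The options object and the save handler both continue outside the hunk.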
7 changes: 4 additions & 3 deletions assets/ca/ca.tableview.js
Expand Up @@ -6,7 +6,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
* Copyright 2013-2020 Whirl-i-Gig
* Copyright 2013-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
Expand Down Expand Up @@ -44,6 +44,7 @@ var caUI = caUI || {};

dataSaveUrl: null,
dataEditUrl: null,
csrfToken: null,

rowHeaders: null,
colHeaders: null,
Expand Down Expand Up @@ -183,7 +184,7 @@ var caUI = caUI || {};
});

that.saveQueue = [];
jQuery.post(that.dataSaveUrl, { changes: q },
jQuery.post(that.dataSaveUrl, { changes: q, csrfToken: that.csrfToken },
function(data) {
if (parseInt(data.status) !== 0) {
var errorMessages = [];
Expand Down Expand Up @@ -336,4 +337,4 @@ var caUI = caUI || {};

// --------------------------------------------------------------------------------
};
})(jQuery);
})(jQuery);
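Review bot: The token sent with `{ changes: q, csrfToken: that.csrfToken }` is captured once when initTableView runs and is reused for every flush of saveQueue. Whether caValidateCSRFToken accepts repeated use of the same token is not visible in this commit; if tokens are single-use, the second save from one page load would be rejected, so this is worth confirming or, if needed, refreshing the token from the save response. The post callback continues outside the hunk.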
Expand Up @@ -175,7 +175,8 @@ function caCreateSetFromResults() {
{
set_name: jQuery('#caCreateSetFromResultsInput').val(),
mode: jQuery('#caCreateSetFromResultsMode').val(),
item_ids: caGetSelectedItemIDsToAddToSet().join(';')
item_ids: caGetSelectedItemIDsToAddToSet().join(';'),
csrfToken: <?= json_encode(caGenerateCSRFToken($this->request));?>
},
function(res) {
jQuery("#caCreateSetFromResultsIndicator").hide();
Expand Up @@ -7,7 +7,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
* Copyright 2016-2020 Whirl-i-Gig
* Copyright 2016-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
Expand Down Expand Up @@ -82,17 +82,18 @@
formErrorsPanelID: 'caEditableResultsComplexDataFormErrors',
formTypeSelectID: null,

formUrl: '<?php print caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor'); ?>',
fileUploadUrl: '<?php print caNavUrl($this->request, "*", "*", "saveResultsEditorFiles"); ?>',
saveUrl: '<?php print caNavUrl($this->request, "*", "*", "saveResultsEditorData"); ?>',
formUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor')); ?>,
fileUploadUrl: <?= json_encode(caNavUrl($this->request, "*", "*", "saveResultsEditorFiles")); ?>,
saveUrl: <?= json_encode(caNavUrl($this->request, "*", "*", "saveResultsEditorData")); ?>,
csrfToken: <?= json_encode(caGenerateCSRFToken($this->request)); ?>,

headerText: '<?php print addslashes(_t('Edit %1', $t_subject->getTypeName())); ?>',
saveText: '<?php print addslashes(_t('Updated %1 ', $t_subject->getTypeName())); ?> <em>%1</em>',
busyIndicator: '<?php print addslashes(caBusyIndicatorIcon($this->request)); ?>',
headerText: <?= json_encode(_t('Edit %1', $t_subject->getTypeName())); ?>,
saveText: <?= json_encode(_t('Updated %1 ', $t_subject->getTypeName())." <em>%1</em>"); ?>,
busyIndicator: <?= json_encode(caBusyIndicatorIcon($this->request)); ?>,
onSave: function(resp) {
if (resp.status == 0) {
var ht = jQuery("#caResultsEditorWrapper .caResultsEditorContent").data('handsontable');
ht.setDataAtCell(<?php print (int)$vn_row; ?>, <?php print (int)$vn_col; ?>, resp.display, 'external');
ht.setDataAtCell(<?= (int)$vn_row; ?>, <?= (int)$vn_col; ?>, resp.display, 'external');
if (jQuery("#caEditableResultsComplexDataForm") && jQuery("#caEditableResultsComplexDataForm").parent() && jQuery("#caEditableResultsComplexDataForm").parent().parent() && jQuery("#caEditableResultsComplexDataForm").parent().parent().data("panel")) { jQuery("#caEditableResultsComplexDataForm").parent().parent().data("panel").hidePanel(); }
jQuery(".caResultsEditorStatus").html("Saved changes").show();
setTimeout(function() { jQuery('.caResultsEditorStatus').fadeOut(500); }, 5000);
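Review bot: The values emitted with `json_encode(...)` into this inline script block (headerText, saveText, busyIndicator) are not escaped for HTML context: json_encode leaves `<`, `>` and `&` as-is, so a translation or busy-indicator markup containing `</script>` would terminate the script element. Passing `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` as the flags argument makes the output safe to inline regardless of content; the same applies to `$va_column_headers` and `$va_columns` in results_editable_html.php. The URL lines here also omit the JSON_UNESCAPED_SLASHES flag that results_editable_html.php uses for the same caNavUrl values; both forms are valid JavaScript, but picking one keeps the templates consistent. The options object continues outside the hunk.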
17 changes: 9 additions & 8 deletions themes/default/views/find/Results/results_editable_html.php
Expand Up @@ -7,7 +7,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
* Copyright 2015-2016 Whirl-i-Gig
* Copyright 2015-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
Expand Down Expand Up @@ -54,16 +54,17 @@
<script type="text/javascript">
jQuery(document).ready(function() {
caUI.initTableView('#caResultsEditorWrapper', {
dataLoadUrl: '<?php print caNavUrl($this->request, '*', '*', 'getResultsEditorData'); ?>',
dataSaveUrl: '<?php print caNavUrl($this->request, '*', '*', 'saveResultsEditorData'); ?>',
dataEditUrl: '<?php print caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor'); ?>',
dataLoadUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'getResultsEditorData'), JSON_UNESCAPED_SLASHES); ?>,
dataSaveUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'saveResultsEditorData'), JSON_UNESCAPED_SLASHES); ?>,
dataEditUrl: <?= json_encode(caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor'), JSON_UNESCAPED_SLASHES); ?>,
csrfToken: <?= json_encode(caGenerateCSRFToken($this->request)); ?>,
rowHeaders: true,
dataEditorID: 'caResultsComplexDataEditorPanel',

colHeaders: <?php print json_encode($va_column_headers); ?>,
columns: <?php print json_encode($va_columns); ?>,
colHeaders: <?= json_encode($va_column_headers); ?>,
columns: <?= json_encode($va_columns); ?>,

rowCount: <?php print (int)$this->getVar('num_rows'); ?>
rowCount: <?= (int)$this->getVar('num_rows'); ?>
});
});
</script>
</script>
