diff --git a/app/lib/BaseFindController.php b/app/lib/BaseFindController.php
index ba89fb7f07..b4076bc392 100755
--- a/app/lib/BaseFindController.php
+++ b/app/lib/BaseFindController.php
@@ -733,6 +733,11 @@ public function addToSet() {
public function createSetFromResult() {
global $g_ui_locale_id;
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
+
$vs_set_name = $vs_set_code = null;
$vn_added_items_count = 0;
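Review bot: The `return;` following `throw new ApplicationException(_t('CSRF check failed'));` is unreachable, because the throw already leaves the method; the same dead statement appears in the guard added to saveResultsEditorData in the next hunk. Drop it so the guard reads `if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) { throw new ApplicationException(_t('CSRF check failed')); }`. If the intent was instead to let the `notifications` option report the failure and return quietly, then the throw is the line to remove, not the return — the two cannot both be meant, and a reader cannot tell which one was. createSetFromResult's body continues past the end of the hunk.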
@@ -1150,6 +1155,11 @@ public function getResultsEditorData() {
* (2) "complex" editing from a popup editing window. Data is submitted from a form as standard editor UI form data from a psuedo editor UI screen.
*/
public function saveResultsEditorData() {
+ if (!caValidateCSRFToken($this->request, null, ['notifications' => $this->notification])) {
+ throw new ApplicationException(_t('CSRF check failed'));
+ return;
+ }
+
$t_display = new ca_bundle_displays($this->opo_result_context->getCurrentBundleDisplay($this->opn_type_restriction_id, $this->_getShowInStr()));
$response = $t_display->saveResultsEditorData($this->ops_tablename, [
'request' => $this->request,
diff --git a/assets/ca/ca.quickaddform.js b/assets/ca/ca.quickaddform.js
index 45ec7e6771..1aa7ec731f 100644
--- a/assets/ca/ca.quickaddform.js
+++ b/assets/ca/ca.quickaddform.js
@@ -6,7 +6,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2014-2019 Whirl-i-Gig
+ * Copyright 2014-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
@@ -43,6 +43,7 @@ var caUI = caUI || {};
fileUploadUrl: null,
saveUrl: null,
+ csrfToken: null,
headerText: "QuickAdd",
saveText: "Saved record: %1",
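Review bot: The new `csrfToken` option is undocumented, and its `null` default means an integrator who forgets to pass it still sends the save request and only learns of the omission from a server-side CSRF failure; the same applies to the `csrfToken` option added to ca.tableview.js in this commit. A one-line comment at the declaration would make the requirement visible, e.g. `csrfToken: null, // CSRF token (caGenerateCSRFToken()) sent with every saveUrl POST; required by endpoints that validate it`. Which save endpoints enforce the check is not visible from this file — the validation added in this commit is in BaseFindController — so keep the wording to what the option does on the client side.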
@@ -73,6 +74,7 @@ var caUI = caUI || {};
});
formData = jQuery("#" + that.formID).serializeObject();
+ formData['csrfToken'] = that.csrfToken;
// Added "forced relationship" settings if available
var relatedID = jQuery("#" + that.formID).parent().data('relatedID');
diff --git a/assets/ca/ca.tableview.js b/assets/ca/ca.tableview.js
index caaab9d683..e515f19fa2 100644
--- a/assets/ca/ca.tableview.js
+++ b/assets/ca/ca.tableview.js
@@ -6,7 +6,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2013-2020 Whirl-i-Gig
+ * Copyright 2013-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
@@ -44,6 +44,7 @@ var caUI = caUI || {};
dataSaveUrl: null,
dataEditUrl: null,
+ csrfToken: null,
rowHeaders: null,
colHeaders: null,
@@ -183,7 +184,7 @@ var caUI = caUI || {};
});
that.saveQueue = [];
- jQuery.post(that.dataSaveUrl, { changes: q },
+ jQuery.post(that.dataSaveUrl, { changes: q, csrfToken: that.csrfToken },
function(data) {
if (parseInt(data.status) !== 0) {
var errorMessages = [];
@@ -336,4 +337,4 @@ var caUI = caUI || {};
// --------------------------------------------------------------------------------
};
-})(jQuery);
\ No newline at end of file
+})(jQuery);
diff --git a/themes/default/views/administrate/setup/Search/search_sets_html.php b/themes/default/views/administrate/setup/Search/search_sets_html.php
index 893757ceaf..d1df38a468 100644
--- a/themes/default/views/administrate/setup/Search/search_sets_html.php
+++ b/themes/default/views/administrate/setup/Search/search_sets_html.php
@@ -175,7 +175,8 @@ function caCreateSetFromResults() {
{
set_name: jQuery('#caCreateSetFromResultsInput').val(),
mode: jQuery('#caCreateSetFromResultsMode').val(),
- item_ids: caGetSelectedItemIDsToAddToSet().join(';')
+ item_ids: caGetSelectedItemIDsToAddToSet().join(';'),
+ csrfToken: = json_encode(caGenerateCSRFToken($this->request));?>
},
function(res) {
jQuery("#caCreateSetFromResultsIndicator").hide();
diff --git a/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php b/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php
index fb9dfdc4ad..d7bfe0f43c 100644
--- a/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php
+++ b/themes/default/views/find/Results/ajax_results_editable_complex_data_form_html.php
@@ -7,7 +7,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2016-2020 Whirl-i-Gig
+ * Copyright 2016-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
@@ -82,17 +82,18 @@
formErrorsPanelID: 'caEditableResultsComplexDataFormErrors',
formTypeSelectID: null,
- formUrl: 'request, '*', '*', 'resultsComplexDataEditor'); ?>',
- fileUploadUrl: 'request, "*", "*", "saveResultsEditorFiles"); ?>',
- saveUrl: 'request, "*", "*", "saveResultsEditorData"); ?>',
+ formUrl: = json_encode(caNavUrl($this->request, '*', '*', 'resultsComplexDataEditor')); ?>,
+ fileUploadUrl: = json_encode(caNavUrl($this->request, "*", "*", "saveResultsEditorFiles")); ?>,
+ saveUrl: = json_encode(caNavUrl($this->request, "*", "*", "saveResultsEditorData")); ?>,
+ csrfToken: = json_encode(caGenerateCSRFToken($this->request)); ?>,
- headerText: 'getTypeName())); ?>',
- saveText: 'getTypeName())); ?> %1',
- busyIndicator: 'request)); ?>',
+ headerText: = json_encode(_t('Edit %1', $t_subject->getTypeName())); ?>,
+ saveText: = json_encode(_t('Updated %1 ', $t_subject->getTypeName())." %1"); ?>,
+ busyIndicator: = json_encode(caBusyIndicatorIcon($this->request)); ?>,
onSave: function(resp) {
if (resp.status == 0) {
var ht = jQuery("#caResultsEditorWrapper .caResultsEditorContent").data('handsontable');
- ht.setDataAtCell(, , resp.display, 'external');
+ ht.setDataAtCell(= (int)$vn_row; ?>, = (int)$vn_col; ?>, resp.display, 'external');
if (jQuery("#caEditableResultsComplexDataForm") && jQuery("#caEditableResultsComplexDataForm").parent() && jQuery("#caEditableResultsComplexDataForm").parent().parent() && jQuery("#caEditableResultsComplexDataForm").parent().parent().data("panel")) { jQuery("#caEditableResultsComplexDataForm").parent().parent().data("panel").hidePanel(); }
jQuery(".caResultsEditorStatus").html("Saved changes").show();
setTimeout(function() { jQuery('.caResultsEditorStatus').fadeOut(500); }, 5000);
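Review bot: The `json_encode()` calls on the headerText, saveText and busyIndicator lines emit their output inside a `<script>` block without the JSON_HEX_* flags, so a value containing `</script>` would terminate the script element early; `$t_subject->getTypeName()` is record data rather than view text, which is why it matters here, whereas the formUrl/fileUploadUrl/saveUrl and csrfToken lines (and the csrfToken line added to search_sets_html.php) carry server-generated values and are only affected in principle. Pass the flags on each call, e.g. `json_encode(_t('Edit %1', $t_subject->getTypeName()), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS)`, or route all of them through one small helper so the flag set is not repeated seven times. Separately, `json_encode()` returns `false` on invalid UTF-8 input, which prints as an empty string and leaves the object literal syntactically broken; adding JSON_INVALID_UTF8_SUBSTITUTE or JSON_THROW_ON_ERROR makes that failure visible instead. The enclosing options object starts before this hunk.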
diff --git a/themes/default/views/find/Results/results_editable_html.php b/themes/default/views/find/Results/results_editable_html.php
index 3a45a6aa4c..e843fb63a0 100644
--- a/themes/default/views/find/Results/results_editable_html.php
+++ b/themes/default/views/find/Results/results_editable_html.php
@@ -7,7 +7,7 @@
* ----------------------------------------------------------------------
*
* Software by Whirl-i-Gig (http://www.whirl-i-gig.com)
- * Copyright 2015-2016 Whirl-i-Gig
+ * Copyright 2015-2021 Whirl-i-Gig
*
* For more information visit http://www.CollectiveAccess.org
*
@@ -54,16 +54,17 @@
\ No newline at end of file
+