From c2c8c42ef3194d1aeba8c48240fe2e9063f77635 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sat, 23 Oct 2021 09:29:07 +0200
Subject: [PATCH] Catch CSRF issues
---
 .../Controllers/Rule/CreateController.php | 15 +++--
 .../Controllers/RuleGroup/EditController.php | 56 +++++++++----------
 .../RuleGroup/RuleGroupRepository.php | 3 -
 public/v1/js/ff/rules/index.js | 29 ++++++++++
 resources/views/v1/rules/index.twig | 10 +++-
 routes/web.php | 9 +--
 6 files changed, 76 insertions(+), 46 deletions(-)
diff --git a/app/Http/Controllers/Rule/CreateController.php b/app/Http/Controllers/Rule/CreateController.php
index c9d2173d277..e0915c010e8 100644
--- a/app/Http/Controllers/Rule/CreateController.php
+++ b/app/Http/Controllers/Rule/CreateController.php
@@ -34,6 +34,7 @@
 use FireflyIII\Support\Http\Controllers\RuleManagement;
 use FireflyIII\Support\Search\SearchInterface;
 use Illuminate\Contracts\View\Factory;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Redirector;
@@ -237,15 +238,17 @@ public function createFromJournal(Request $request, TransactionJournal $journal)
 /**
 * @param Rule $rule
 *
- * @return RedirectResponse
+ * @return JsonResponse
 */
- public function duplicate(Rule $rule): RedirectResponse
+ public function duplicate(Request $request): JsonResponse
 {
- $newRule = $this->ruleRepos->duplicate($rule);
-
- session()->flash('success', trans('firefly.duplicated_rule', ['title' => $rule->title, 'newTitle' => $newRule->title]));
+ $ruleId = (int)$request->get('id');
+ $rule = $this->ruleRepos->find($ruleId);
+ if (null !== $rule) {
+ $this->ruleRepos->duplicate($rule);
+ }
- return redirect(route('rules.index'));
+ return new JsonResponse(['OK']);
 }
 /**
diff --git a/app/Http/Controllers/RuleGroup/EditController.php b/app/Http/Controllers/RuleGroup/EditController.php
index 0a962da6ee2..9a0532fbb94 100644
--- a/app/Http/Controllers/RuleGroup/EditController.php
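Review bot: The docblock above `duplicate()` still reads `@param Rule $rule` although the parameter is now `Request $request`; change it to ` * @param Request $request  POST fields: `id` (rule id) and the `_token` CSRF field` so the contract of the new endpoint is written down. A second point in the same hunk: when `find()` yields null (no `id`, `id=0`, or an id the repository does not resolve) the method still answers `['OK']` with status 200, so the JS reloads the page and the user cannot tell that nothing happened; `return new JsonResponse(['error' => 'unknown rule'], 404);` in that branch would let the client's `.fail` handler report it. The old code flashed `firefly.duplicated_rule` before redirecting, and since the client reloads the page after this call, keeping a `session()->flash('success', ...)` on the success path would preserve that feedback. Whether `$this->ruleRepos->find()` is restricted to the logged-in user's rules is not visible here; the previous `{rule}` route binding presumably carried that scoping, so it is worth confirming before an id from the request body is the only selector.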
+++ b/app/Http/Controllers/RuleGroup/EditController.php
@@ -28,6 +28,7 @@
 use FireflyIII\Models\RuleGroup;
 use FireflyIII\Repositories\RuleGroup\RuleGroupRepositoryInterface;
 use Illuminate\Contracts\View\Factory;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Redirector;
@@ -62,24 +63,38 @@ function ($request, $next) {
 }
 /**
- * Move a rule group down.
+ * Move a rule group in either direction.
 *
- * @param RuleGroup $ruleGroup
+ * @param Request $request
 *
- * @return RedirectResponse|Redirector
+ * @return JsonResponse
 */
- public function down(RuleGroup $ruleGroup)
+ public function moveGroup(Request $request): JsonResponse
 {
- $maxOrder = $this->repository->maxOrder();
- $order = (int)$ruleGroup->order;
- if ($order < $maxOrder) {
- $newOrder = $order + 1;
- $this->repository->setOrder($ruleGroup, $newOrder);
+ $groupId = (int)$request->get('id');
+ $ruleGroup= $this->repository->find($groupId);
+ if(null !== $ruleGroup) {
+ $direction = $request->get('direction');
+ if('down' === $direction) {
+ $maxOrder = $this->repository->maxOrder();
+ $order = (int)$ruleGroup->order;
+ if ($order < $maxOrder) {
+ $newOrder = $order + 1;
+ $this->repository->setOrder($ruleGroup, $newOrder);
+ }
+ }
+ if('up' === $direction) {
+ $order = (int)$ruleGroup->order;
+ if ($order > 1) {
+ $newOrder = $order - 1;
+ $this->repository->setOrder($ruleGroup, $newOrder);
+ }
+ }
 }
-
- return redirect(route('rules.index'));
+ return new JsonResponse(['OK']);
 }
+
 /**
 * Edit a rule group.
 *
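Review bot: `moveGroup()` accepts any value for `direction` and any `id`, and answers `['OK']` with status 200 in every case, including an unknown group or a direction that is neither `up` nor `down`, so the client's `.fail` handler never fires for bad input and a typo in the JS would silently do nothing. Rejecting those two cases up front with a 4xx JSON response also removes the nested `if` blocks, which read `$ruleGroup->order` twice and mix `if(` / `$ruleGroup=` spacing with the PSR-12 style of the surrounding file. Whether `$this->repository->find()` is scoped to the current user is not visible in this hunk; the removed `{ruleGroup}` route binding presumably was, so confirm that before relying on an id from the request body alone. The `RedirectResponse` and `Redirector` imports may now be unused if `edit()` and `update()` no longer return them, which cannot be seen from here.
```php
    public function moveGroup(Request $request): JsonResponse
    {
        $ruleGroup = $this->repository->find((int)$request->get('id'));
        $direction = $request->get('direction');
        if (null === $ruleGroup || !in_array($direction, ['up', 'down'], true)) {
            return new JsonResponse(['error' => 'Unknown rule group or direction.'], 422);
        }

        $order = (int)$ruleGroup->order;
        if ('down' === $direction && $order < $this->repository->maxOrder()) {
            $this->repository->setOrder($ruleGroup, $order + 1);
        }
        if ('up' === $direction && $order > 1) {
            $this->repository->setOrder($ruleGroup, $order - 1);
        }

        return new JsonResponse(['OK']);
    }
```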
@@ -106,25 +121,6 @@ public function edit(Request $request, RuleGroup $ruleGroup)
 return prefixView('rules.rule-group.edit', compact('ruleGroup', 'subTitle'));
 }
- /**
- * Move the rule group up.
- *
- * @param RuleGroup $ruleGroup
- *
- * @return RedirectResponse|Redirector
- *
- */
- public function up(RuleGroup $ruleGroup)
- {
- $order = (int)$ruleGroup->order;
- if ($order > 1) {
- $newOrder = $order - 1;
- $this->repository->setOrder($ruleGroup, $newOrder);
- }
-
- return redirect(route('rules.index'));
- }
-
 /**
 * Update the rule group.
 *
diff --git a/app/Repositories/RuleGroup/RuleGroupRepository.php b/app/Repositories/RuleGroup/RuleGroupRepository.php
index f4b76585b61..9bdb1f4d330 100644
--- a/app/Repositories/RuleGroup/RuleGroupRepository.php
+++ b/app/Repositories/RuleGroup/RuleGroupRepository.php
@@ -329,10 +329,8 @@ public function maxOrder(): int
 */
 public function resetOrder(): bool
 {
- $this->user->ruleGroups()->where('active', false)->update(['order' => 0]);
 $set = $this->user
 ->ruleGroups()
- ->where('active', true)
 ->whereNull('deleted_at')
 ->orderBy('order', 'ASC')
 ->orderBy('title', 'DESC')
@@ -363,7 +361,6 @@ public function resetRuleOrder(RuleGroup $ruleGroup): bool
 {
 $set = $ruleGroup->rules()
 ->orderBy('order', 'ASC')
- ->where('active', true)
 ->orderBy('title', 'DESC')
 ->orderBy('updated_at', 'DESC')
 ->get(['rules.*']);
diff --git a/public/v1/js/ff/rules/index.js b/public/v1/js/ff/rules/index.js
index 6caf69298c6..cae9c524bc4 100644
--- a/public/v1/js/ff/rules/index.js
+++ b/public/v1/js/ff/rules/index.js
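Review bot: Dropping `->where('active', true)` in `resetOrder()` and again in `resetRuleOrder()` (the second hunk of RuleGroupRepository.php) means inactive groups and rules are now renumbered together with active ones, and the first hunk also stops resetting inactive groups to `order` 0; neither the commit subject ("Catch CSRF issues") nor the code says why. A one-line comment on each query would spare the next reader a git-blame, for example `// inactive entries keep a position in the order as well; they are no longer reset to 0`. The likely reason is that the new move endpoint addresses every group by id and position, but that is inferred, not visible in these hunks, and both functions start outside them.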
@@ -59,6 +59,32 @@ function readCookie(name) {
 return null;
 }
+function moveRuleGroup(e) {
+ let box = $(e.currentTarget);
+ var direction = box.data('direction');
+ var groupId = box.data('id');
+
+ $.post(moveRuleGroupUrl, {_token: token, direction: direction, id: groupId}).then(function () {
+ location.reload();
+ }).fail(function() {
+ alert('I failed :(');
+ });
+
+ return false;
+}
+
+function duplicateRule(e) {
+ let box = $(e.currentTarget);
+ var ruleId = box.data('id');
+ $.post(duplicateRuleUrl, {_token: token, id: ruleId}).then(function () {
+ location.reload();
+ }).fail(function() {
+ alert('I failed :(');
+ });
+
+ return false;
+}
+
 $(function () {
 "use strict";
@@ -71,6 +97,9 @@ $(function () {
 }
 );
+ $('.move-group').click(moveRuleGroup);
+ $('.duplicate-rule').click(duplicateRule);
+
 $('.rules-box').each(function (i, v) {
 var box = $(v);
 var groupId = box.data('group');
diff --git a/resources/views/v1/rules/index.twig b/resources/views/v1/rules/index.twig
index e39e18fa0a8..4e66394ae8b 100644
--- a/resources/views/v1/rules/index.twig
+++ b/resources/views/v1/rules/index.twig
@@ -45,11 +45,11 @@ class="fa fa-fw fa-power-off"> {{ trans('firefly.apply_rule_group_selection', {title: ruleGroup.title}) }} {% if ruleGroup.order > 1 %} -
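Review bot: Both new handlers reload the page regardless of what the server answered, and the failure branch shows the placeholder `alert('I failed :(')`, which is exactly what an end user will see on an expired CSRF token (HTTP 419) or a network error; give it an actionable message, e.g. `alert('Could not move the rule group. Reload the page and try again.');` in `moveRuleGroup` and the matching wording in `duplicateRule`. The functions also mix `let box` with `var direction` / `var groupId` in the same body; pick one style, `const` for the three values that are never reassigned. `moveRuleGroupUrl`, `duplicateRuleUrl` and `token` are read as globals this file never declares, presumably set by the script block added to resources/views/v1/rules/index.twig; a comment at the top of the file naming that dependency would help, e.g. `// moveRuleGroupUrl, duplicateRuleUrl and token are defined by the view's script block`.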
  • {{ 'move_rule_group_up'|_ }}
  • {% endif %} {% if ruleGroup.order < ruleGroups|length %} -
  • {{ 'move_rule_group_down'|_ }}
  • {% endif %}
@@ -105,7 +105,7 @@ {% endif %} {# duplicate rule #} - +
@@ -195,6 +195,10 @@ {% endblock %} {% block scripts %} + {% endblock %}
diff --git a/routes/web.php b/routes/web.php
index 51fb1ca59f6..9a0473a0bb5 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -917,7 +917,7 @@ static function () {
 Route::get('create-from-bill/{bill}', ['uses' => 'Rule\CreateController@createFromBill', 'as' => 'create-from-bill']);
 Route::get('create-from-journal/{tj}', ['uses' => 'Rule\CreateController@createFromJournal', 'as' => 'create-from-journal']);
 Route::post('store', ['uses' => 'Rule\CreateController@store', 'as' => 'store']);
- Route::get('duplicate/{rule}', ['uses' => 'Rule\CreateController@duplicate', 'as' => 'duplicate']);
+ Route::post('duplicate', ['uses' => 'Rule\CreateController@duplicate', 'as' => 'duplicate']);
 // delete controller
 Route::get('delete/{rule}', ['uses' => 'Rule\DeleteController@delete', 'as' => 'delete']);
@@ -949,10 +949,11 @@ static function () {
 Route::get('create', ['uses' => 'RuleGroup\CreateController@create', 'as' => 'create']);
 Route::get('edit/{ruleGroup}', ['uses' => 'RuleGroup\EditController@edit', 'as' => 'edit']);
 Route::get('delete/{ruleGroup}', ['uses' => 'RuleGroup\DeleteController@delete', 'as' => 'delete']);
- Route::get('up/{ruleGroup}', ['uses' => 'RuleGroup\EditController@up', 'as' => 'up']);
- Route::get('down/{ruleGroup}', ['uses' => 'RuleGroup\EditController@down', 'as' => 'down']);
- Route::get('select/{ruleGroup}', ['uses' => 'RuleGroup\ExecutionController@selectTransactions', 'as' => 'select-transactions']);
+ // new route to move rule groups:
+ Route::post('move', ['uses' => 'RuleGroup\EditController@moveGroup', 'as' => 'move']);
+
+ Route::get('select/{ruleGroup}', ['uses' => 'RuleGroup\ExecutionController@selectTransactions', 'as' => 'select-transactions']);
 Route::post('store', ['uses' => 'RuleGroup\CreateController@store', 'as' => 'store']);
 Route::post('update/{ruleGroup}', ['uses' => 'RuleGroup\EditController@update', 'as' => 'update']);
 Route::post('destroy/{ruleGroup}', ['uses' => 'RuleGroup\DeleteController@destroy', 'as' => 'destroy']);
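Review bot: The comment `// new route to move rule groups:` stops being true as soon as the route has shipped; say what the endpoint needs instead, e.g. `// move a rule group up or down: POST with fields id and direction (up|down)`. The `select/{ruleGroup}` line is shown removed and re-added with identical text, which looks like a whitespace-only change and adds noise to the hunk. Both hunks in this file move the mutating actions from GET to POST, which is what lets Laravel's CSRF verification middleware apply; that only holds if these route groups sit under the `web` middleware group, which is outside the hunk.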