

Messages: add csrf token while deleting messages.
--HG--
branch : 3.13
jexi committed Jun 24, 2022
1 parent 2b48869 commit 14c72cc
Showing 3 changed files with 52 additions and 49 deletions.
43 changes: 24 additions & 19 deletions modules/message/ajax_handler.php
Expand Up @@ -52,6 +52,7 @@
$message_path = $inbox->get_mailbox_path();
$msg = new Msg($mid, $uid, 'any');
if (!$msg->error) {
if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
$msg->delete($message_path);
}
exit();
Expand All @@ -63,6 +64,7 @@
foreach ($msgs as $msg) {
$message_path = $webDir . "/courses/" . course_id_to_code($msg->course_id) . "/dropbox";
if (!$msg->error) {
if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
$msg->delete($message_path);
}
}
Expand All @@ -72,6 +74,7 @@
$msgs = $inbox->getInboxMsgs();
foreach ($msgs as $msg) {
if (!$msg->error) {
if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
$msg->delete($message_path);
}
}
Expand All @@ -86,6 +89,7 @@
foreach ($msgs as $msg) {
$message_path = $webDir . "/courses/" . course_id_to_code($msg->course_id) . "/dropbox";
if (!$msg->error) {
if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
$msg->delete($message_path);
}
}
Expand All @@ -95,37 +99,38 @@
$msgs = $outbox->getOutboxMsgs();
foreach ($msgs as $msg) {
if (!$msg->error) {
if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
$msg->delete($message_path);
}
}
}
exit();
}

$mbox = new Mailbox($uid, $course_id);

$limit = intval($_GET['iDisplayLength']);
$offset = intval($_GET['iDisplayStart']);

//Total records
$data['iTotalRecords'] = $mbox->MsgsNumber($mbox_type);

$keyword = $_GET['sSearch'];

if ($mbox_type == 'inbox') {
//Total records after applying search filter
$data['iTotalDisplayRecords'] = count($mbox->getInboxMsgs($keyword));

$msgs = $mbox->getInboxMsgs($keyword, $limit, $offset);
} else {
//Total records after applying search filter
$data['iTotalDisplayRecords'] = count($mbox->getOutboxMsgs($keyword));

$msgs = $mbox->getOutboxMsgs($keyword, $limit, $offset);
}

$data['aaData'] = array();

foreach ($msgs as $msg) {
if ($msg->is_read == 1) {
$bold_start = "";
Expand All @@ -136,12 +141,12 @@
$bold_end = "</strong>";
$envelove_icon = "fa-envelope";
}

$urlstr = '';
if ($course_id != 0) {
$urlstr = "&amp;course=".course_id_to_code($course_id);
}

if (($msg->filename != '') and ($msg->filesize != 0)) {
$ahref = "message_download.php?course=".course_id_to_code($msg->course_id)."&amp;id=".$msg->id;
$filename = "&nbsp;&nbsp;&#124;&nbsp;&nbsp;" .
Expand All @@ -151,37 +156,37 @@
} else {
$filename = '';
}

$i = 0;

if ($mbox_type == 'inbox') {
$td[$i++] = "<i class='fa $envelove_icon' title='".q($msg->subject)."' /></i>&nbsp;&nbsp;$bold_start<a href='inbox.php?mid=$msg->id".$urlstr."'>".q($msg->subject)."</a>".$bold_end.$filename;
} else {
$td[$i++] = "<i class='fa fa-envelope-o' title='".q($msg->subject)."' /></i>&nbsp;&nbsp;<a href='outbox.php?mid=$msg->id".$urlstr."'>".q($msg->subject)."</a>".$filename;
}

if ($course_id == 0) {
if ($msg->course_id != 0) {
$td[$i++] = "$bold_start<a class=\"outtabs\" href=\"index.php?course=".course_id_to_code($msg->course_id)."\">".course_id_to_title($msg->course_id)."</a>$bold_end";
} else {
$td[$i++] = "";
}
}

if ($mbox_type == 'inbox') {
$td[$i++] = display_user($msg->author_id, false, false, "outtabs");
} else {
$recipients = '';
foreach ($msg->recipients as $r) {
if ($r != $msg->author_id) {
if ($r != $msg->author_id) {
$recipients .= display_user($r, false, false, "outtabs").' ,&nbsp;';
}
}
$recipients = rtrim($recipients, ',&nbsp;'); // remove the last comma
$td[$i++] = "<div><p class='recipients'>$recipients</p></div>";
}
$td[$i++] = nice_format(date('Y-m-d H:i:s',$msg->timestamp), true);

// $td[$i++] = action_button(array(
// array(
// 'icon' => 'fa-times',
Expand All @@ -195,7 +200,7 @@
// );
$btn_class = ($mbox_type == 'inbox')? 'delete_in' : 'delete_out';
$td[$i++] = "<a href='javascript:void(0)' class='$btn_class' data-id='$msg->id'><span class='fa fa-times text-danger' style='padding-top:8px; font-size:1.2em;'></span></a>";

if ($course_id == 0) {
$data['aaData'][] = array(
'DT_RowId' => $msg->id,
Expand All @@ -215,7 +220,7 @@
);
}
}

echo json_encode($data);
exit();
}
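Review bot: The new token check runs inside each `foreach ($msgs as $msg)` of the delete-all branches, so it is evaluated once per message, and in the single-delete branch it runs only after `new Msg($mid, $uid, 'any')` has already been resolved; a request without a token therefore still reaches the database before being rejected, and an empty mailbox is never rejected at all (harmless, but backwards). Validate once at the top of each branch, before `$msgs = $inbox->getInboxMsgs();` / `$msgs = $outbox->getOutboxMsgs();` and before the `new Msg(...)` call, and drop the per-iteration copies: `if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();`. The guard also relies on csrf_token_error() terminating the request, which is not visible here; if it only emits an error message, `$msg->delete($message_path)` on the following line still executes, so confirm it exits. The delete branches begin before the first hunk and the script continues past the last one.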
31 changes: 15 additions & 16 deletions modules/message/inbox.php
Expand Up @@ -434,29 +434,28 @@
$(document).on("click", ".delete_in_inner", function (e) {
e.preventDefault();
var id = $(this).children("a").data("id");
var string = "mid="+id;
var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'";
bootbox.confirm("'.js_escape($langConfirmDelete).'", function(result) {
if(result) {
$.ajax({
type: "POST",
url: "'.$ajax_url.'",
datatype: "json",
data: string,
success: function(){
$("#del_msg").html("<p class=\"alert alert-success\">'.js_escape($langMessageDeleteSuccess).'</p>");
$(".alert-success").delay(3000).fadeOut(1500);
$("#msg_area").remove();
}});
}
type: "POST",
url: "'.$ajax_url.'",
datatype: "json",
data: string,
success: function(){
$("#del_msg").html("<p class=\"alert alert-success\">'.js_escape($langMessageDeleteSuccess).'</p>");
$(".alert-success").delay(3000).fadeOut(1500);
$("#msg_area").remove();
}});
}
});
});
$(".delete").click(function() {
if (confirm("' . js_escape($langConfirmDelete) . '")) {
var rowContainer = $(this).parent().parent();
var id = rowContainer.attr("id");
var string = "mid="+id;
var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'";
$.ajax({
type: "POST",
url: "'.$ajax_url.'",
Expand Down Expand Up @@ -541,7 +540,7 @@ class : 'form-control input-sm',
$(document).on( 'click','.delete_in', function (e) {
e.preventDefault();
var id = $(this).data('id');
var string = 'mid='+id;
var string = 'mid='+id+'&". generate_csrf_token_link_parameter() ."';
bootbox.confirm('".js_escape($langConfirmDelete)."', function(result) {
if (result) {
$.ajax({
Expand Down Expand Up @@ -576,7 +575,7 @@ class : 'form-control input-sm',
$('.delete_all_in').click(function() {
bootbox.confirm('".js_escape($langConfirmDeleteAllMsgs)."', function(result) {
if(result) {
var string = 'all_inbox=1';
var string = 'all_inbox=1&". generate_csrf_token_link_parameter() . "';
$.ajax({
type: 'POST',
url: '$ajax_url',
Expand Down Expand Up @@ -693,4 +692,4 @@ function addRecipientOptions() {
}
}
}
}
}
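Review bot: The output of `generate_csrf_token_link_parameter()` is spliced into four separate JavaScript string literals in this file (the `.delete_in_inner`, `.delete`, `.delete_in` and `.delete_all_in` handlers), so every future delete handler added here must remember the same concatenation or it will be rejected by ajax_handler.php. Emit it once per script block and reuse it: `var csrfParam = "'. generate_csrf_token_link_parameter() .'";` followed by `var string = "mid="+id+"&"+csrfParam;` (and `'all_inbox=1&'+csrfParam` in the double-quoted block). A one-line comment on that declaration, `// ajax_handler.php rejects delete requests that lack a valid CSRF token`, would record why the parameter is mandatory. Several of these handlers' $.ajax calls continue past the ends of their hunks.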
27 changes: 13 additions & 14 deletions modules/message/outbox.php
Expand Up @@ -45,11 +45,11 @@
$mid = intval($_GET['mid']);
$msg = new Msg($mid, $uid, 'msg_view');
if (!$msg->error) {

$urlstr = '';
if ($course_id != 0) {
$urlstr = "?course=".$course_code;
}
}
$out = action_bar(array(
array('title' => $langBack,
'url' => "outbox.php".$urlstr,
Expand All @@ -66,8 +66,8 @@
foreach ($msg->recipients as $r) {
if ($r != $msg->author_id) {
$recipients .= display_user($r, false, false, "outtabs").' ,&nbsp';
}
}
}
}
$recipients = rtrim($recipients, ',&nbsp;'); // remove the last comma
$out .= "<div id='out_del_msg'></div>
<div id='out_msg_area'>
Expand Down Expand Up @@ -137,7 +137,7 @@
&nbsp<i class='fa fa-save'></i></a>&nbsp;&nbsp;(".format_file_size($msg->filesize).")
</div>
</div>";
}
}
$out .= "</div>
</div>";

Expand All @@ -159,7 +159,7 @@
$(document).on( "click",".delete_out_inner", function (e) {
e.preventDefault();
var id = $(this).children("a").data("id");
var string = "mid="+id;
var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'";
bootbox.confirm("'.js_escape($langConfirmDelete).'", function(result) {
if(result) {
$.ajax({
Expand All @@ -179,9 +179,8 @@
$(".delete").click(function() {
if (confirm("' . js_escape($langConfirmDelete) . '")) {
var rowContainer = $(this).parent().parent();
var id = rowContainer.attr("id");
var string = \'mid=\'+ id;
var id = rowContainer.attr("id");
var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'";
$.ajax({
type: "POST",
url: "'.$ajax_url.'",
Expand All @@ -201,7 +200,7 @@
</script>';
}
} else {

$out = "<div id='out_del_msg'></div><div id='outbox' class='table-responsive'>";
$out .= "<table id='outbox_table' class='table-default'>
<thead>
Expand All @@ -218,7 +217,7 @@
<tbody>
</tbody>
</table></div>";

$out .= "<script type='text/javascript'>
$(document).ready(function() {
Expand Down Expand Up @@ -271,8 +270,8 @@ class : 'form-control input-sm',
$(document).off( 'click','.delete_out_inner');
$(document).on( 'click','.delete_out', function (e) {
e.preventDefault();
var id = $(this).data('id');
var string = 'mid='+ id ;
var id = $(this).data('id');
var string = 'mid='+id+'&". generate_csrf_token_link_parameter() ."';
bootbox.confirm('".js_escape($langConfirmDelete)."', function(result) {
if (result) {
$.ajax({
Expand Down Expand Up @@ -302,7 +301,7 @@ class : 'form-control input-sm',
$('.delete_all_out').click(function() {
bootbox.confirm('".js_escape($langConfirmDeleteAllMsgs)."', function(result) {
if(result) {
var string = 'all_outbox=1';
var string = 'all_outbox=1&". generate_csrf_token_link_parameter() ."';
$.ajax({
type: 'POST',
url: '$ajax_url',
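Review bot: The token parameter is inserted into JavaScript string literals without the js_escape() wrapper that every neighbouring interpolated value (`$langConfirmDelete`, `$langConfirmDeleteAllMsgs`) receives, in both the single-quoted and the double-quoted script blocks. If the helper returns a plain `token=<hex>` pair, as its name suggests, nothing in it can terminate the literal, but that property is not visible here, and a later change to the token format would silently turn this into a script-context injection. Either wrap it, `"&'. js_escape(generate_csrf_token_link_parameter()) .'"` (assuming js_escape leaves `=` and `&` intact), or state the assumption once above the first use: `// token parameter is URL-safe by construction; deliberately not js_escape'd`. The delete handlers' $.ajax calls run past the ends of their hunks.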
