diff --git a/modules/message/ajax_handler.php b/modules/message/ajax_handler.php
index 3a1288fe95..9a333e4a21 100644
--- a/modules/message/ajax_handler.php
+++ b/modules/message/ajax_handler.php
@@ -52,6 +52,7 @@
 $message_path = $inbox->get_mailbox_path();
 $msg = new Msg($mid, $uid, 'any');
 if (!$msg->error) {
+ if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
 $msg->delete($message_path);
 }
 exit();
@@ -63,6 +64,7 @@
 foreach ($msgs as $msg) {
 $message_path = $webDir . "/courses/" . course_id_to_code($msg->course_id) . "/dropbox";
 if (!$msg->error) {
+ if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
 $msg->delete($message_path);
 }
 }
@@ -72,6 +74,7 @@
 $msgs = $inbox->getInboxMsgs();
 foreach ($msgs as $msg) {
 if (!$msg->error) {
+ if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
 $msg->delete($message_path);
 }
 }
@@ -86,6 +89,7 @@
 foreach ($msgs as $msg) {
 $message_path = $webDir . "/courses/" . course_id_to_code($msg->course_id) . "/dropbox";
 if (!$msg->error) {
+ if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
 $msg->delete($message_path);
 }
 }
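Review bot: The CSRF check added in this hunk, and repeated in the hunks for lines 63, 72, 86 and 95, runs after `new Msg(...)` has already been built and, in the bulk paths, inside the `foreach`, so a request with a missing or invalid token still performs the message lookups before being rejected and is re-validated once per message. One check at the start of the POST delete branch, before any `Msg` is constructed, would cover all five paths with the same single line: `if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();`; that branch begins outside these hunks. The guards also rely on `csrf_token_error()` terminating the request, which the diff does not show — if it can return, `$msg->delete()` on the next line still executes, so an explicit `exit();` after the call would make the intent robust.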
@@ -95,37 +99,38 @@
 $msgs = $outbox->getOutboxMsgs();
 foreach ($msgs as $msg) {
 if (!$msg->error) {
+ if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();
 $msg->delete($message_path);
 }
 }
 }
 exit();
 }
-
+
 $mbox = new Mailbox($uid, $course_id);
-
+
 $limit = intval($_GET['iDisplayLength']);
 $offset = intval($_GET['iDisplayStart']);
-
+
 //Total records
 $data['iTotalRecords'] = $mbox->MsgsNumber($mbox_type);
-
+
 $keyword = $_GET['sSearch'];
-
+
 if ($mbox_type == 'inbox') {
 //Total records after applying search filter
 $data['iTotalDisplayRecords'] = count($mbox->getInboxMsgs($keyword));
-
+
 $msgs = $mbox->getInboxMsgs($keyword, $limit, $offset);
 } else {
 //Total records after applying search filter
 $data['iTotalDisplayRecords'] = count($mbox->getOutboxMsgs($keyword));
-
+
 $msgs = $mbox->getOutboxMsgs($keyword, $limit, $offset);
 }
-
+
 $data['aaData'] = array();
-
+
 foreach ($msgs as $msg) {
 if ($msg->is_read == 1) {
 $bold_start = "";
@@ -136,12 +141,12 @@
 $bold_end = "";
 $envelove_icon = "fa-envelope";
 }
-
+
 $urlstr = '';
 if ($course_id != 0) {
 $urlstr = "&course=".course_id_to_code($course_id);
 }
-
+
 if (($msg->filename != '') and ($msg->filesize != 0)) {
 $ahref = "message_download.php?course=".course_id_to_code($msg->course_id)."&id=".$msg->id;
 $filename = " | " .
@@ -151,15 +156,15 @@
 } else {
 $filename = '';
 }
-
+
 $i = 0;
-
+
 if ($mbox_type == 'inbox') {
 $td[$i++] = " $bold_start".q($msg->subject)."".$bold_end.$filename;
 } else {
 $td[$i++] = " ".q($msg->subject)."".$filename;
 }
-
+
 if ($course_id == 0) {
 if ($msg->course_id != 0) {
 $td[$i++] = "$bold_startcourse_id)."\">".course_id_to_title($msg->course_id)."$bold_end";
@@ -167,13 +172,13 @@ $td[$i++] = ""; } } - + if ($mbox_type == 'inbox') { $td[$i++] = display_user($msg->author_id, false, false, "outtabs"); } else { $recipients = ''; foreach ($msg->recipients as $r) { - if ($r != $msg->author_id) { + if ($r != $msg->author_id) { $recipients .= display_user($r, false, false, "outtabs").' , '; } } @@ -181,7 +186,7 @@ $td[$i++] = "
$recipients
'.js_escape($langMessageDeleteSuccess).'
"); - $(".alert-success").delay(3000).fadeOut(1500); - $("#msg_area").remove(); - }}); - } + type: "POST", + url: "'.$ajax_url.'", + datatype: "json", + data: string, + success: function(){ + $("#del_msg").html("'.js_escape($langMessageDeleteSuccess).'
"); + $(".alert-success").delay(3000).fadeOut(1500); + $("#msg_area").remove(); + }}); + } }); }); - $(".delete").click(function() { if (confirm("' . js_escape($langConfirmDelete) . '")) { var rowContainer = $(this).parent().parent(); var id = rowContainer.attr("id"); - var string = "mid="+id; + var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'"; $.ajax({ type: "POST", url: "'.$ajax_url.'", @@ -541,7 +540,7 @@ class : 'form-control input-sm', $(document).on( 'click','.delete_in', function (e) { e.preventDefault(); var id = $(this).data('id'); - var string = 'mid='+id; + var string = 'mid='+id+'&". generate_csrf_token_link_parameter() ."'; bootbox.confirm('".js_escape($langConfirmDelete)."', function(result) { if (result) { $.ajax({ @@ -576,7 +575,7 @@ class : 'form-control input-sm', $('.delete_all_in').click(function() { bootbox.confirm('".js_escape($langConfirmDeleteAllMsgs)."', function(result) { if(result) { - var string = 'all_inbox=1'; + var string = 'all_inbox=1&". generate_csrf_token_link_parameter() . "'; $.ajax({ type: 'POST', url: '$ajax_url', @@ -693,4 +692,4 @@ function addRecipientOptions() { } } } -} \ No newline at end of file +} diff --git a/modules/message/outbox.php b/modules/message/outbox.php index 61e4d65656..4a8f52f3b0 100644 --- a/modules/message/outbox.php +++ b/modules/message/outbox.php @@ -45,11 +45,11 @@ $mid = intval($_GET['mid']); $msg = new Msg($mid, $uid, 'msg_view'); if (!$msg->error) { - + $urlstr = ''; if ($course_id != 0) { $urlstr = "?course=".$course_code; - } + } $out = action_bar(array( array('title' => $langBack, 'url' => "outbox.php".$urlstr, @@ -66,8 +66,8 @@ foreach ($msg->recipients as $r) { if ($r != $msg->author_id) { $recipients .= display_user($r, false, false, "outtabs").' , '; - } - } + } + } $recipients = rtrim($recipients, ', '); // remove the last comma $out .= "
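Review bot: In the `@@ -541` and `@@ -576` hunks the return value of `generate_csrf_token_link_parameter()` is concatenated straight into a JavaScript string literal, while the neighbouring `$langConfirmDelete` and `$langConfirmDeleteAllMsgs` go through `js_escape`. If the helper returns a plain `name=value` pair with an alphanumeric token this is harmless, but the diff does not show its output format, and a quote or backslash in it would break the generated script; `var string = 'mid='+id+'&" . js_escape(generate_csrf_token_link_parameter()) . "';` keeps the escaping consistent with the rest of the block. The same applies to the `.delete` handler earlier on this line, whose hunk begins outside the visible diff.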