diff --git a/modules/message/ajax_handler.php b/modules/message/ajax_handler.php index 3a1288fe95..9a333e4a21 100644 --- a/modules/message/ajax_handler.php +++ b/modules/message/ajax_handler.php @@ -52,6 +52,7 @@ $message_path = $inbox->get_mailbox_path(); $msg = new Msg($mid, $uid, 'any'); if (!$msg->error) { + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); $msg->delete($message_path); } exit(); @@ -63,6 +64,7 @@ foreach ($msgs as $msg) { $message_path = $webDir . "/courses/" . course_id_to_code($msg->course_id) . "/dropbox"; if (!$msg->error) { + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); $msg->delete($message_path); } } @@ -72,6 +74,7 @@ $msgs = $inbox->getInboxMsgs(); foreach ($msgs as $msg) { if (!$msg->error) { + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); $msg->delete($message_path); } } @@ -86,6 +89,7 @@ foreach ($msgs as $msg) { $message_path = $webDir . "/courses/" . course_id_to_code($msg->course_id) . "/dropbox"; if (!$msg->error) { + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); $msg->delete($message_path); } } 
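Review bot: In the @@ -52 hunk the new CSRF check is placed inside `if (!$msg->error)`, i.e. after `new Msg($mid, $uid, 'any')` has already run, so a forged request still performs the message lookup and, when the lookup fails, exits without the token ever having been validated. The guard belongs before the Msg constructor — ideally once at the top of the POST delete dispatch, which begins above this hunk — so that every state-changing branch is covered by a single `if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();`. This assumes `csrf_token_error()` terminates the request, which the hunk does not show; if it only emits a message, an explicit `exit()` must follow it.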
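Review bot: In the @@ -63 hunk the token is validated inside `foreach ($msgs as $msg)`, so it is re-evaluated for every message and not evaluated at all when `$msgs` is empty — in that case the request completes exactly as a legitimate one would, with no token. Hoist the check above the loop and above the `$message_path` computation from `course_id_to_code($msg->course_id)`, making `if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();` the first statement of the branch. The enclosing branch and its `$msgs` assignment start outside the hunk.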
@@ -95,37 +99,38 @@ $msgs = $outbox->getOutboxMsgs(); foreach ($msgs as $msg) { if (!$msg->error) { + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); $msg->delete($message_path); } } } exit(); } - + $mbox = new Mailbox($uid, $course_id); - + $limit = intval($_GET['iDisplayLength']); $offset = intval($_GET['iDisplayStart']); - + //Total records $data['iTotalRecords'] = $mbox->MsgsNumber($mbox_type); - + $keyword = $_GET['sSearch']; - + if ($mbox_type == 'inbox') { //Total records after applying search filter $data['iTotalDisplayRecords'] = count($mbox->getInboxMsgs($keyword)); - + $msgs = $mbox->getInboxMsgs($keyword, $limit, $offset); } else { //Total records after applying search filter $data['iTotalDisplayRecords'] = count($mbox->getOutboxMsgs($keyword)); - + $msgs = $mbox->getOutboxMsgs($keyword, $limit, $offset); } - + $data['aaData'] = array(); - + foreach ($msgs as $msg) { if ($msg->is_read == 1) { $bold_start = ""; @@ -136,12 +141,12 @@ $bold_end = ""; $envelove_icon = "fa-envelope"; } - + $urlstr = ''; if ($course_id != 0) { $urlstr = "&course=".course_id_to_code($course_id); } - + if (($msg->filename != '') and ($msg->filesize != 0)) { $ahref = "message_download.php?course=".course_id_to_code($msg->course_id)."&id=".$msg->id; $filename = "  |  " . @@ -151,15 +156,15 @@ } else { $filename = ''; } - + $i = 0; - + if ($mbox_type == 'inbox') { $td[$i++] = "  $bold_start".q($msg->subject)."".$bold_end.$filename; } else { $td[$i++] = "  ".q($msg->subject)."".$filename; } - + if ($course_id == 0) { if ($msg->course_id != 0) { $td[$i++] = "$bold_startcourse_id)."\">".course_id_to_title($msg->course_id)."$bold_end"; 
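Review bot: In the @@ -95 hunk the CSRF line is the fifth copy of the same guard, again inside a `foreach` and after `$outbox->getOutboxMsgs()` has already hit the database; five identical guards spread over the delete branches are easy to miss when a sixth branch is added. Since every delete branch ends in `exit()` before the `new Mailbox($uid, $course_id)` listing code that follows, one check at the point where the POST delete mode is selected (above this hunk) would cover all of them and let these per-loop copies be removed. The remaining changes in the hunk are whitespace only.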
@@ -167,13 +172,13 @@ $td[$i++] = ""; } } - + if ($mbox_type == 'inbox') { $td[$i++] = display_user($msg->author_id, false, false, "outtabs"); } else { $recipients = ''; foreach ($msg->recipients as $r) { - if ($r != $msg->author_id) { + if ($r != $msg->author_id) { $recipients .= display_user($r, false, false, "outtabs").' , '; } } @@ -181,7 +186,7 @@ $td[$i++] = "

$recipients

"; } $td[$i++] = nice_format(date('Y-m-d H:i:s',$msg->timestamp), true); - + // $td[$i++] = action_button(array( // array( // 'icon' => 'fa-times', @@ -195,7 +200,7 @@ // ); $btn_class = ($mbox_type == 'inbox')? 'delete_in' : 'delete_out'; $td[$i++] = ""; - + if ($course_id == 0) { $data['aaData'][] = array( 'DT_RowId' => $msg->id, @@ -215,7 +220,7 @@ ); } } - + echo json_encode($data); exit(); } diff --git a/modules/message/inbox.php b/modules/message/inbox.php index ad97cf5f3e..041f43c9c9 100644 --- a/modules/message/inbox.php +++ b/modules/message/inbox.php @@ -434,29 +434,28 @@ $(document).on("click", ".delete_in_inner", function (e) { e.preventDefault(); var id = $(this).children("a").data("id"); - var string = "mid="+id; + var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'"; bootbox.confirm("'.js_escape($langConfirmDelete).'", function(result) { if(result) { $.ajax({ - type: "POST", - url: "'.$ajax_url.'", - datatype: "json", - data: string, - success: function(){ - $("#del_msg").html("

'.js_escape($langMessageDeleteSuccess).'

"); - $(".alert-success").delay(3000).fadeOut(1500); - $("#msg_area").remove(); - }}); - } + type: "POST", + url: "'.$ajax_url.'", + datatype: "json", + data: string, + success: function(){ + $("#del_msg").html("

'.js_escape($langMessageDeleteSuccess).'

"); + $(".alert-success").delay(3000).fadeOut(1500); + $("#msg_area").remove(); + }}); + } }); }); - $(".delete").click(function() { if (confirm("' . js_escape($langConfirmDelete) . '")) { var rowContainer = $(this).parent().parent(); var id = rowContainer.attr("id"); - var string = "mid="+id; + var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'"; $.ajax({ type: "POST", url: "'.$ajax_url.'", @@ -541,7 +540,7 @@ class : 'form-control input-sm', $(document).on( 'click','.delete_in', function (e) { e.preventDefault(); var id = $(this).data('id'); - var string = 'mid='+id; + var string = 'mid='+id+'&". generate_csrf_token_link_parameter() ."'; bootbox.confirm('".js_escape($langConfirmDelete)."', function(result) { if (result) { $.ajax({ @@ -576,7 +575,7 @@ class : 'form-control input-sm', $('.delete_all_in').click(function() { bootbox.confirm('".js_escape($langConfirmDeleteAllMsgs)."', function(result) { if(result) { - var string = 'all_inbox=1'; + var string = 'all_inbox=1&". generate_csrf_token_link_parameter() . "'; $.ajax({ type: 'POST', url: '$ajax_url', @@ -693,4 +692,4 @@ function addRecipientOptions() { } } } -} \ No newline at end of file +} diff --git a/modules/message/outbox.php b/modules/message/outbox.php index 61e4d65656..4a8f52f3b0 100644 --- a/modules/message/outbox.php +++ b/modules/message/outbox.php @@ -45,11 +45,11 @@ $mid = intval($_GET['mid']); $msg = new Msg($mid, $uid, 'msg_view'); if (!$msg->error) { - + $urlstr = ''; if ($course_id != 0) { $urlstr = "?course=".$course_code; - } + } $out = action_bar(array( array('title' => $langBack, 'url' => "outbox.php".$urlstr, @@ -66,8 +66,8 @@ foreach ($msg->recipients as $r) { if ($r != $msg->author_id) { $recipients .= display_user($r, false, false, "outtabs").' , '; - } - } + } + } $recipients = rtrim($recipients, ', '); // remove the last comma $out .= "
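Review bot: In the @@ -434 hunk the return value of `generate_csrf_token_link_parameter()` is concatenated directly into a JavaScript string literal, whereas every other PHP value placed into this script (`$langConfirmDelete`, `$langMessageDeleteSuccess`) goes through `js_escape`. If the helper ever returns anything beyond `name=value` with a plain token, the literal breaks; `"mid="+id+"&'. js_escape(generate_csrf_token_link_parameter()) .'"` keeps the file's convention at no cost. The same string is built twice in this hunk (`.delete_in_inner` and `.delete`); a single `var csrfParam = "'. js_escape(generate_csrf_token_link_parameter()) .'";` at the top of the script block, reused as `"mid="+id+"&"+csrfParam`, would avoid the duplication. The re-indented `$.ajax` options still spell the option `datatype: "json"`, which jQuery ignores (it is `dataType`); since these lines are rewritten here anyway, that is the moment to fix it.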
@@ -137,7 +137,7 @@    (".format_file_size($msg->filesize).")
"; - } + } $out .= " "; @@ -159,7 +159,7 @@ $(document).on( "click",".delete_out_inner", function (e) { e.preventDefault(); var id = $(this).children("a").data("id"); - var string = "mid="+id; + var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'"; bootbox.confirm("'.js_escape($langConfirmDelete).'", function(result) { if(result) { $.ajax({ @@ -179,9 +179,8 @@ $(".delete").click(function() { if (confirm("' . js_escape($langConfirmDelete) . '")) { var rowContainer = $(this).parent().parent(); - var id = rowContainer.attr("id"); - var string = \'mid=\'+ id; - + var id = rowContainer.attr("id"); + var string = "mid="+id+"&'. generate_csrf_token_link_parameter() .'"; $.ajax({ type: "POST", url: "'.$ajax_url.'", @@ -201,7 +200,7 @@ '; } } else { - + $out = "
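Review bot: In the @@ -179 hunk the `.delete` handler now builds `"mid="+id+"&'. generate_csrf_token_link_parameter() .'"`, duplicating the string the `.delete_out_inner` handler in the @@ -159 hunk builds, and in both places the token parameter is emitted into JavaScript without the `js_escape` that `$langConfirmDelete` receives on the preceding line. Emit it once, e.g. `var csrfParam = "'. js_escape(generate_csrf_token_link_parameter()) .'";` at the top of the script, and use `"mid="+id+"&"+csrfParam` in both handlers. The `id` still comes from `rowContainer.attr("id")` via `$(this).parent().parent()`, which is unchanged; it is the server-side `intval($_GET['mid'])`, not this client code, that keeps that value safe, so nothing here should be read as validation.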
"; $out .= " @@ -218,7 +217,7 @@
"; - + $out .= "