From 5d5deba1f8cc30c39f39f030d505d920ae28f9fe Mon Sep 17 00:00:00 2001
From: Yannis Exidaridis
Date: Wed, 6 Oct 2021 11:22:22 +0300
Subject: [PATCH] Notes, Personal Calendar: add missing token.
--HG--
branch : 3.12
---
main/notes/index.php | 29 ++++++++++++++++-------------
main/personal_calendar/index.php | 3 +++
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/main/notes/index.php b/main/notes/index.php
index 23bf5040dd..89d29ecb06 100644
--- a/main/notes/index.php
+++ b/main/notes/index.php
@@ -77,21 +77,24 @@ if (isset($_GET['down'])) { $thisNoteId = intval(getDirectReference($_GET['down'])); Notes::movedown_note($thisNoteId); - redirect_to_home_page('main/notes/index.php'); + redirect_to_home_page('main/notes/index.php'); } if (isset($_GET['up'])) { $thisNoteId = intval(getDirectReference($_GET['up'])); Notes::moveup_note($thisNoteId); - redirect_to_home_page('main/notes/index.php'); + redirect_to_home_page('main/notes/index.php'); } /* submit form: new or updated note */ if (isset($_POST['submitNote'])) { + + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); + $v = new Valitron\Validator($_POST); $v->rule('required', array('newTitle')); $v->labels(array( 'newTitle' => "$langTheField $langTitle" - )); + )); if($v->validate()) { $newTitle = $_POST['newTitle']; $newContent = $_POST['newContent'];
@@ -100,7 +103,7 @@ $id = intval(getDirectReference($_POST['id'])); Notes::update_note($id, $newTitle, $newContent, $refobjid); Session::Messages($langNoteModify, 'alert-success'); - redirect_to_home_page('main/notes/index.php'); + redirect_to_home_page('main/notes/index.php'); } else { // new note $id = Notes::add_note($newTitle, $newContent, $refobjid); if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') { 
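Review bot: The `up` and `down` handlers at the top of the hunk still reorder notes (`Notes::moveup_note`, `Notes::movedown_note`) on a plain GET with no token, so the new `validate_csrf_token` guard protects only the `submitNote` POST; unless `getDirectReference()` resolves a per-session indirect reference an attacker cannot predict (its definition is outside this hunk), those two actions remain forgeable by a cross-site link or `<img>` and need the same check on `$_GET['token']` or a move to POST. The guard itself is a brace-less one-liner whose safety depends on `csrf_token_error()` not returning; if that helper only records a message, validation and saving continue below, so confirm it terminates the request or write `if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) { csrf_token_error(); exit; }`. The two blank `+` lines around the check are diff noise and can go. The `xmlhttprequest` branch in the second hunk shows notes are also created via AJAX, so whichever script sends that request must now include the `token` field or it will be rejected by the new check.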
@@ -122,22 +125,21 @@ $thisNoteId = intval(getDirectReference($_GET['delete'])); Notes::delete_note($thisNoteId); Session::Messages($langNoteDel, 'alert-success'); - redirect_to_home_page('main/notes/index.php'); +// redirect_to_home_page('main/notes/index.php'); } - /* display form */ if (isset($_GET['addNote']) or isset($_GET['modify'])) { $navigation[] = array('url' => "index.php", 'name' => $langNotes); if (isset($_GET['modify'])) { $langAdd = $pageName = $langModifNote; $modify = intval(getDirectReference($_GET['modify'])); - $note = Notes::get_note($modify); + $note = Notes::get_note($modify); } else { $pageName = $langAddNote; } - $noteToModify = isset($note) ? $note->id : ''; + $noteToModify = isset($note) ? $note->id : ''; $titleToModify = Session::has('newTitle') ? Session::get('newTitle') : (isset($note) ? q($note->title) : ''); $contentToModify = Session::has('newContent') ? Session::get('newContent') : (isset($note) ? $note->content : ''); $gen_type_selected = isset($note) ? $note->reference_obj_module : null; @@ -184,9 +186,10 @@ if($noteToModify!=""){ $tool_content .=""; } - $tool_content .=" + $tool_content .= " + ". generate_csrf_token_form_field() ." "; - + } elseif (isset($_GET['nid'])) { $tool_content .= action_bar(array( array( @@ -196,10 +199,10 @@ 'url' => $_SERVER['SCRIPT_NAME'] ) )); - + $note = Notes::get_note(intval(getDirectReference($_GET['nid']))); $navigation[] = array("url" => "$_SERVER[SCRIPT_NAME]", "name" => $langNotes); - $pageName = q($note->title); + $pageName = q($note->title); $tool_content .= "
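Review bot: The redirect after `Notes::delete_note($thisNoteId)` is commented out (`+// redirect_to_home_page('main/notes/index.php');`) rather than restored or removed, so the request now falls through to render the listing with `?delete=…` still in the URL and a reload repeats the deletion, while the `$langNoteDel` message set via `Session::Messages` is presumably shown only on the following request if that helper is the flash-message pattern it appears to be elsewhere in the hunk. Either restore the `redirect_to_home_page('main/notes/index.php');` line or delete it; commented-out code should not be committed. `delete` is also a state change on GET that this "add missing token" commit leaves without a CSRF check; unless `getDirectReference()` makes the parameter unguessable per session, it needs the same guard as the POST path. The enclosing `if (isset($_GET['delete']))` block begins before the hunk.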
@@ -239,7 +242,7 @@ if (isset($_GET['course'])) { $cid = course_code_to_id($_GET['course']); $notelist = Notes::get_all_course_notes($cid); - } else { + } else { $notelist = Notes::get_user_notes(); } //$notelist = isset($_GET['nid']) ? array(Notes::get_note(intval($_GET['nid']))) : Notes::get_user_notes();
diff --git a/main/personal_calendar/index.php b/main/personal_calendar/index.php
index 7bdf638c3e..ddf0d4ae3e 100644
--- a/main/personal_calendar/index.php
+++ b/main/personal_calendar/index.php
@@ -192,6 +192,8 @@ function checkrequired(thisform) { /* submit form: new or updated event */ if (isset($_POST['newTitle'])) { + if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error(); + $newTitle = $_POST['newTitle']; $newContent = $_POST['newContent']; if (isset($_POST['visibility_level'])) {
@@ -456,6 +458,7 @@ function checkrequired(thisform) { $langCancel
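Review bot: The guard `if (!isset($_POST['token']) || !validate_csrf_token($_POST['token'])) csrf_token_error();` in the `@@ -192` hunk is only effective if `csrf_token_error()` ends the request; that helper is not visible here, and if it can return, `$newTitle` and `$newContent` are still read and the event is processed below the hunk. Confirm it does not return, or make the control flow explicit with `if (...) { csrf_token_error(); exit; }` so the handler does not rely on a side effect defined in another file. The brace-less one-line `if` also departs from the braced style of the surrounding handler (`if (isset($_POST['visibility_level'])) {`); putting the call on its own line inside braces keeps it consistent. The `if (isset($_POST['newTitle']))` handler continues past the end of the hunk.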
+ ". generate_csrf_token_form_field() ." "; } else {