From 169885a1de6554b519f264b213d91d4847d1a088 Mon Sep 17 00:00:00 2001
From: Alec Smecher
Date: Mon, 18 Oct 2021 18:22:23 -0700
Subject: [PATCH] pkp/pkp-lib#7371 Add missing CSRF check (save reordered items)

---
 classes/controllers/grid/GridHandler.inc.php | 3 +++
 classes/controllers/grid/feature/OrderItemsFeature.inc.php | 3 ++-
 js/classes/features/OrderGridItemsFeature.js | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/classes/controllers/grid/GridHandler.inc.php b/classes/controllers/grid/GridHandler.inc.php
index a15c72fc339..17c2cca9782 100644
--- a/classes/controllers/grid/GridHandler.inc.php
+++ b/classes/controllers/grid/GridHandler.inc.php
@@ -857,6 +857,9 @@ public function fetchCell(&$args, $request)
 */
 public function saveSequence($args, $request)
 {
+ if (!$request->checkCSRF()) {
+ throw new \Exception('CSRF mismatch!');
+ }
 $this->callFeaturesHook('saveSequence', ['request' => &$request, 'grid' => &$this]);
 
 return \PKP\db\DAO::getDataChangedEvent();
diff --git a/classes/controllers/grid/feature/OrderItemsFeature.inc.php b/classes/controllers/grid/feature/OrderItemsFeature.inc.php
index f302440b1d0..fb244219aa2 100644
--- a/classes/controllers/grid/feature/OrderItemsFeature.inc.php
+++ b/classes/controllers/grid/feature/OrderItemsFeature.inc.php
@@ -111,7 +111,8 @@ public function setOptions($request, $grid)
 
 $router = $request->getRouter();
 $this->addOptions([
- 'saveItemsSequenceUrl' => $router->url($request, null, null, 'saveSequence', null, $grid->getRequestArgs())
+ 'saveItemsSequenceUrl' => $router->url($request, null, null, 'saveSequence', null, $grid->getRequestArgs()),
+ 'csrfToken' => $request->getSession()->getCsrfToken(),
 ]);
 }
 
diff --git a/js/classes/features/OrderGridItemsFeature.js b/js/classes/features/OrderGridItemsFeature.js
index 3c87d9aeec3..f4f8fc9bdf7 100644
--- a/js/classes/features/OrderGridItemsFeature.js
+++ b/js/classes/features/OrderGridItemsFeature.js
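Review bot: The new guard in saveSequence throws a bare `\Exception` on a token mismatch, so the `$.post(..., 'json')` caller added in the same patch receives an unparseable error response rather than a JSON failure it can surface to the user; if this handler reports other failures through a JSON message object (not visible in the hunk), returning one here would keep both sides consistent. A CSRF token only protects a state-changing action if it cannot be supplied through a GET URL, so it is also worth confirming that the request object's `checkCSRF()` reads the token from POST data, or that this route is restricted to POST, rather than from merged request variables. The docblock that ends on the ` */` context line should record the new failure mode, e.g. `@throws \Exception if the request's CSRF token is missing or does not match the session token`. saveSequence's closing brace is outside the hunk.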
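Review bot: The `csrfToken` option key added in setOptions must match both the POST parameter name the request object's `checkCSRF()` reads and the field name the JS side sends, and nothing in the hunk records that coupling; a comment on the new line such as `// Sent back as the 'csrfToken' POST parameter; must match what checkCSRF() reads` would keep a future rename from silently disabling the check. Since the session's token is now embedded in the grid's client-side options, it is also worth confirming that these options are only ever rendered into responses for the session's own user and never into cached or shared output. setOptions ends within the hunk.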
@@ -56,7 +56,7 @@
 stringifiedData = JSON.stringify(this.getItemsDataId());
 saveOrderCallback = this.callbackWrapper(
 this.saveOrderResponseHandler_, this);
- $.post(options.saveItemsSequenceUrl, {data: stringifiedData},
+ $.post(options.saveItemsSequenceUrl, {data: stringifiedData, csrfToken: options.csrfToken},
 saveOrderCallback, 'json');
 return false;