Add missing CSRF checks
committed by
fguillot
parent
41102ec161
commit
71123b0f37
@@ -33,6 +33,13 @@ abstract class BaseController extends Base
|
||||
}
|
||||
}
|
||||
|
||||
protected function checkReusableGETCSRFParam()
|
||||
{
|
||||
if (! $this->token->validateReusableCSRFToken($this->request->getStringParam('csrf_token'))) {
|
||||
throw new AccessForbiddenException();
|
||||
}
|
||||
}
|
||||
|
||||
protected function checkCSRFForm()
|
||||
{
|
||||
if (! $this->token->validateCSRFToken($this->request->getRawValue('csrf_token'))) {
|
||||
|
||||
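Review bot: checkReusableGETCSRFParam() (L20–L35) has no docblock, and the property callers most need to know — that it validates the *reusable* token via validateReusableCSRFToken() read from the `csrf_token` query parameter, not the per-form token checkCSRFForm() consumes through getRawValue() below — is only visible by reading the body. I would add `/** Guard for state-changing GET links: validate the reusable CSRF token passed as the csrf_token query parameter (generate links with getReusableCSRFToken()). @throws AccessForbiddenException when the token is missing or invalid */`. Because the token is reusable and travels in URLs, it will show up in browser history, Referer headers and access logs, so it should presumably live no longer than the session — a one-line comment stating that assumption would help the next maintainer. checkCSRFForm()'s body continues outside the hunk.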
@@ -21,6 +21,7 @@ class BoardAjaxController extends BaseController
|
||||
*/
|
||||
public function save()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$project_id = $this->request->getIntegerParam('project_id');
|
||||
|
||||
if (! $project_id || ! $this->request->isAjax()) {
|
||||
|
||||
@@ -150,6 +150,7 @@ class ColumnController extends BaseController
|
||||
*/
|
||||
public function move()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$project = $this->getProject();
|
||||
$values = $this->request->getJson();
|
||||
|
||||
|
||||
@@ -166,6 +166,7 @@ class CommentController extends BaseController
|
||||
*/
|
||||
public function toggleSorting()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$task = $this->getTask();
|
||||
$this->helper->comment->toggleSorting();
|
||||
|
||||
|
||||
@@ -149,8 +149,12 @@ class ProjectViewController extends BaseController
|
||||
*/
|
||||
public function doDuplication()
|
||||
{
|
||||
$this->checkCSRFForm();
|
||||
|
||||
$project = $this->getProject();
|
||||
$project_id = $this->projectDuplicationModel->duplicate($project['id'], array_keys($this->request->getValues()), $this->userSession->getId());
|
||||
$values = $this->request->getRawFormValues();
|
||||
|
||||
$project_id = $this->projectDuplicationModel->duplicate($project['id'], array_keys($values), $this->userSession->getId());
|
||||
|
||||
if ($project_id !== false) {
|
||||
$this->flash->success(t('Project cloned successfully.'));
|
||||
|
||||
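Review bot: `$values = $this->request->getRawFormValues();` on L149 presumably returns the raw POST body including the `csrf_token` field that checkCSRFForm() just validated, so `array_keys($values)` on L154 now hands `'csrf_token'` to projectDuplicationModel->duplicate() as if it were a part to clone, whereas the replaced getValues() call may have stripped it. That is only harmless if duplicate() ignores unknown part names; otherwise drop it first with `unset($values['csrf_token']);` before the array_keys() call, or filter the keys against the known selection list. doDuplication() continues outside the hunk.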
@@ -17,6 +17,7 @@ class SubtaskStatusController extends BaseController
|
||||
*/
|
||||
public function change()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$task = $this->getTask();
|
||||
$subtask = $this->getSubtask($task);
|
||||
$fragment = $this->request->getStringParam('fragment');
|
||||
|
||||
@@ -205,6 +205,7 @@ class SwimlaneController extends BaseController
|
||||
*/
|
||||
public function move()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$project = $this->getProject();
|
||||
$values = $this->request->getJson();
|
||||
|
||||
|
||||
@@ -23,6 +23,13 @@ class TaskListController extends BaseController
|
||||
$project = $this->getProject();
|
||||
$search = $this->helper->projectHeader->getSearchQuery($project);
|
||||
|
||||
if ($this->request->getIntegerParam('show_subtasks') !== 0 ||
|
||||
$this->request->getIntegerParam('hide_subtasks') !== 0 ||
|
||||
$this->request->getStringParam('direction') !== '' ||
|
||||
$this->request->getStringParam('order') !== '') {
|
||||
$this->checkReusableGETCSRFParam();
|
||||
}
|
||||
|
||||
if ($this->request->getIntegerParam('show_subtasks')) {
|
||||
session_set('subtaskListToggle', true);
|
||||
} elseif ($this->request->getIntegerParam('hide_subtasks')) {
|
||||
@@ -41,7 +48,7 @@ class TaskListController extends BaseController
|
||||
$this->userSession->setListOrder($project['id'], $order, $direction);
|
||||
|
||||
$paginator = $this->paginator
|
||||
->setUrl('TaskListController', 'show', array('project_id' => $project['id']))
|
||||
->setUrl('TaskListController', 'show', array('project_id' => $project['id'], 'csrf_token' => $this->token->getReusableCSRFToken()))
|
||||
->setMax(30)
|
||||
->setOrder($order)
|
||||
->setDirection($direction)
|
||||
|
||||
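Review bot: Only the paginator URL (L272) is given the reusable token, yet the new guard at L229–L238 rejects any request carrying `order`, `direction`, `show_subtasks` or `hide_subtasks` without one, so the column-sort and subtask-toggle links built elsewhere will start failing with 403 unless they also append `$this->token->getReusableCSRFToken()` — worth confirming those templates are covered. The guard re-reads the same four parameters the code below reads again; a small private helper such as `private function hasListModifiers(): bool` returning that condition would keep the guard and its consumers in sync. Embedding the reusable token in paginator links means it lands in bookmarks and Referer headers; a short comment on L272 noting that trade-off would help the next reader. show() starts before the hunk and continues past it.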
@@ -16,6 +16,7 @@ class TaskModificationController extends BaseController
|
||||
{
|
||||
public function assignToMe()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$task = $this->getTask();
|
||||
$values = ['id' => $task['id'], 'owner_id' => $this->userSession->getId()];
|
||||
|
||||
@@ -38,6 +39,7 @@ class TaskModificationController extends BaseController
|
||||
*/
|
||||
public function start()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$task = $this->getTask();
|
||||
$values = ['id' => $task['id'], 'date_started' => time()];
|
||||
|
||||
|
||||
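Review bot: assignToMe() on L292 has no docblock, unlike its sibling start() whose `*/` is visible on L312, and both now require the reusable token in the query string, which a caller building the link needs to know. I would add `/** Assign the current task to the logged-in user; the link must carry the reusable CSRF token as csrf_token. @throws AccessForbiddenException on a missing or invalid token */` above L292, and a matching sentence in start()'s docblock. Both method bodies continue outside their hunks.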
@@ -31,6 +31,7 @@ class TaskMovePositionController extends BaseController
|
||||
|
||||
public function save()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$task = $this->getTask();
|
||||
$values = $this->request->getJson();
|
||||
|
||||
|
||||
@@ -34,6 +34,7 @@ class WebNotificationController extends BaseController
|
||||
*/
|
||||
public function flush()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$userId = $this->getUserId();
|
||||
$this->userUnreadNotificationModel->markAllAsRead($userId);
|
||||
$this->show();
|
||||
@@ -46,6 +47,7 @@ class WebNotificationController extends BaseController
|
||||
*/
|
||||
public function remove()
|
||||
{
|
||||
$this->checkReusableGETCSRFParam();
|
||||
$user_id = $this->getUserId();
|
||||
$notification_id = $this->request->getIntegerParam('notification_id');
|
||||
$this->userUnreadNotificationModel->markAsRead($user_id, $notification_id);
|
||||
|
||||