Added CSRF tokens to JS

internet2 · Apr 13, 2022 · a964a88 · a964a88
1 parent 3612a46
commit a964a88
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 19 deletions.
diff --git a/Model/GrouperGroup.php b/Model/GrouperGroup.php
@@ -102,6 +102,12 @@ public function isUserOwner(string $userId)
     }
   }
 
+  public function beforeFilter()
+  {
+    $this->Security->csrfUseOnce = false;
+    // ...
+  }
+
   /**
    * Used to instantiate API class
    *

diff --git a/View/Elements/Components/subscriberList.ctp b/View/Elements/Components/subscriberList.ctp
@@ -16,24 +16,30 @@
                 <p>There was an error retrieving the subscribers.</p>
             </div>
             <div class="modal-body subs">
-                <form class="add-user-form" id="add-user-form">
-                    <div class="d-flex mb-4">
-                        <label class="sr-only" for="addUser"><?php echo _txt('pl.grouperlite.search.tags.text'); ?></label>
-                        <div class="input-group">
-                            <?php echo $this->Form->input("addUser", array('label' => false, 'class' => 'form-control', 'value' => isset($searchcriteria) ? $searchcriteria : '')) ?>
-                            <!--<input type="text" name="search" class="form-control" value="<?php echo isset($searchcriteria) ? $searchcriteria : ''; ?>" /> -->
-                            <div class="input-group-append">
-                                <button class="btn btn-grouper btn-primary px-4" type="submit" value="Submit">
-                                    <i class="fa fa-plus"></i>
-                                    <span class="ml-2"><?php echo _txt('pl.grouperlite.action.add-user'); ?></span>
-                                </button>
-                            </div>
+
+                <div class="d-flex mb-4">
+                    <?php echo $this->Form->create(false, array(
+                        'url' => array('controller' => 'grouper_groups', 'action' => 'groupSubscribers'),
+                        'class' => 'add-user-form',
+                        'id' => 'add-user-form',
+                    )); ?>
+                    <label class="sr-only" for="addUser"><?php echo _txt('pl.grouperlite.search.tags.text'); ?></label>
+                    <div class="input-group">
+                        <?php echo $this->Form->input("addUser", array('label' => false, 'class' => 'form-control', 'value' => isset($searchcriteria) ? $searchcriteria : '')) ?>
+                        <!--<input type="text" name="search" class="form-control" value="<?php echo isset($searchcriteria) ? $searchcriteria : ''; ?>" /> -->
+                        <div class="input-group-append">
+                            <button class="btn btn-grouper btn-primary px-4" type="submit" value="Submit">
+                                <i class="fa fa-plus"></i>
+                                <span class="ml-2"><?php echo _txt('pl.grouperlite.action.add-user'); ?></span>
+                            </button>
                         </div>
                     </div>
-                </form>
+                    <?php echo $this->Form->end(); ?>
+                </div>
                 <table class="table table-striped">
                     <tbody id="sub-body"></tbody>
                 </table>
+
             </div>
             <div class="modal-footer d-flex justify-content-between">
                 <div>
@@ -89,7 +95,17 @@
             ev.stopPropagation();
             var field = $(ev.target).find('#addUser');
             var user = field.val();
-            onAddUser(user, group, field);
+            var token = $(ev.target).find('[name="data[_Token][key]"]').val();
+            onAddUser(user, group, field, token);
+        }
+
+        function onRemoveUserSubmit(ev) {
+            ev.preventDefault();
+            ev.stopPropagation();
+            var button = $(ev.target).find('button');
+            var user = button.data('user');
+            var token = $(ev.target).find('[name="data[_Token][key]"]').val();
+            onRemoveUser(user, group, button, token);
         }
 
         function loadModalData(id) {
@@ -124,9 +140,18 @@
                     item.id,
                     '</td>',
                     '<td>',
+                    '<?php echo $this->Form->create(false, array(
+                        "url" => array(
+                            "controller" => "grouper_groups",
+                            "action" => "removeSubscriber"
+                        ),
+                        "class" => "remove-user-form",
+                        "id" => "remove-user-form"
+                    )); ?>',
                     '<button data-user="' + item.id + '" class="btn btn-grouper btn-block btn-primary btn-sm m-1 text-nowrap member-del-btn">',
                     '<?php echo _txt('pl.grouperlite.action.remove-user'); ?>',
                     '</button>',
+                    '<?php echo $this->Form->end(); ?>',
                     '</td>',
                     '</tr>'
                 ].join('');
@@ -135,7 +160,7 @@
                 return table;
             }, ''));
 
-            $('.member-del-btn').on('click', onRemoveUser);
+            $('.remove-user-form').on('submit', onRemoveUserSubmit);
         }
 
         function clean() {
@@ -145,28 +170,34 @@
             // $('#add-user-form').off('submit', onAddUserSubmit);
         }
 
-        function onRemoveUser(ev) {
-            var user = $(ev.target).data('user');
+        function onRemoveUser(user, group, button, token) {
+
             $.ajax({
                 method: 'DELETE',
                 url: removeUrl + '?group=' + group + '&userId=' + user,
                 dataType: 'json',
+                headers: {
+                    'X-CSRF-Token': token,
+                },
                 success: function(data) {
                     load();
                 },
                 error: function() {
-                    $(ev.target).attr('disabled', 'disabled');
+                    $(field).attr('disabled', 'disabled');
                     var err = $('#subscribers .error');
                     err.text('<?php echo _txt('pl.grouperlite.message.user-not-removed-error'); ?>').show();
                 }
             });
         }
 
-        function onAddUser(user, group, field) {
+        function onAddUser(user, group, field, token) {
             $.ajax({
                 method: 'POST',
                 url: addUrl + '?group=' + group + '&userId=' + user,
                 dataType: 'json',
+                headers: {
+                    'X-CSRF-Token': token,
+                },
                 success: function(data) {
                     load();
                 },