

Fixed csrf issue
rmathis committed Apr 13, 2022
1 parent a964a88 commit d4ed7e8
Showing 3 changed files with 38 additions and 34 deletions.
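--- a/Controller/GrouperGroupsController.php
+++ b/Controller/GrouperGroupsController.php
@@ -37,7 +37,10 @@
 class GrouperGroupsController extends GrouperLiteAppController
 {
 public $helpers = array('Html', 'Form', 'Flash');
-public $components = array('Flash', 'Paginator', 'RequestHandler');
+public $components = array('Flash', 'Paginator', 'RequestHandler', 'Security' => array(
+'validatePost' => false,
+'csrfUseOnce' => false
+));
 
 public $name = 'GrouperGroups';
 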
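Review bot: `'validatePost' => false` in the Security component settings switches off form-field tampering validation for every action of GrouperGroupsController, although the view only needs it relaxed for the AJAX subscriber actions (addSubscriber, removeSubscriber, groupSubscribers); scoping it in `beforeFilter()` keeps the check on the rest, e.g. `if (in_array($this->request->params['action'], array('addSubscriber', 'removeSubscriber'), true)) { $this->Security->validatePost = false; }`. `csrfUseOnce => false` is a reasonable trade for a page that fires several requests from one rendered token, but the token then stays valid for the whole `csrfExpires` window rather than one submission. A comment on the component declaration stating why the checks are relaxed would help the next reader, e.g. `// Subscriber add/remove are submitted via AJAX from one rendered form: allow token reuse, skip the field-hash check`. The class body continues beyond the hunk.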
6 changes: 0 additions & 6 deletions Model/GrouperGroup.php
Expand Up @@ -102,12 +102,6 @@ public function isUserOwner(string $userId)
}
}

public function beforeFilter()
{
$this->Security->csrfUseOnce = false;
// ...
}

/**
* Used to instantiate API class
*
61 changes: 34 additions & 27 deletions View/Elements/Components/subscriberList.ctp
Expand Up @@ -20,7 +20,7 @@
<div class="d-flex mb-4">
<?php echo $this->Form->create(false, array(
'url' => array('controller' => 'grouper_groups', 'action' => 'groupSubscribers'),
'class' => 'add-user-form',
'class' => 'add-user-form w-100',
'id' => 'add-user-form',
)); ?>
<label class="sr-only" for="addUser"><?php echo _txt('pl.grouperlite.search.tags.text'); ?></label>
Expand Down Expand Up @@ -57,23 +57,23 @@
array(
'plugin' => "grouper_lite",
'controller' => 'grouper_groups',
'action' => 'groupSubscribers.json'
'action' => 'groupSubscribers'
)
); ?>';

var removeUrl = '<?php print $this->Html->url(
array(
'plugin' => "grouper_lite",
'controller' => 'grouper_groups',
'action' => 'removeSubscriber.json'
'action' => 'removeSubscriber'
)
); ?>';

var addUrl = '<?php print $this->Html->url(
array(
'plugin' => "grouper_lite",
'controller' => 'grouper_groups',
'action' => 'addSubscriber.json'
'action' => 'addSubscriber'
)
); ?>';
$('.members-btn').click(function(ev) {
Expand All @@ -93,19 +93,30 @@
function onAddUserSubmit(ev) {
ev.preventDefault();
ev.stopPropagation();
var field = $(ev.target).find('#addUser');
var form = $(ev.target);
var field = form.find('#addUser');
var user = field.val();
var token = $(ev.target).find('[name="data[_Token][key]"]').val();
onAddUser(user, group, field, token);
var token = form.find('[name="data[_Token][key]"]').val();

var data = form.serializeArray().reduce((o, kv) => ({
...o,
[kv.name]: kv.value
}), {});

onAddUser(user, group, field, data);
}

function onRemoveUserSubmit(ev) {
ev.preventDefault();
ev.stopPropagation();
var button = $(ev.target).find('button');
var form = $(ev.target);
var button = form.find('button');
var user = button.data('user');
var token = $(ev.target).find('[name="data[_Token][key]"]').val();
onRemoveUser(user, group, button, token);
var data = form.serializeArray().reduce((o, kv) => ({
...o,
[kv.name]: kv.value
}), {});
onRemoveUser(user, group, button, data);
}

function loadModalData(id) {
Expand Down Expand Up @@ -141,13 +152,13 @@
'</td>',
'<td>',
'<?php echo $this->Form->create(false, array(
"url" => array(
"controller" => "grouper_groups",
"action" => "removeSubscriber"
),
"class" => "remove-user-form",
"id" => "remove-user-form"
)); ?>',
"url" => array(
"controller" => "grouper_groups",
"action" => "removeSubscriber"
),
"class" => "remove-user-form",
"id" => "remove-user-form"
)); ?>',
'<button data-user="' + item.id + '" class="btn btn-grouper btn-block btn-primary btn-sm m-1 text-nowrap member-del-btn">',
'<?php echo _txt('pl.grouperlite.action.remove-user'); ?>',
'</button>',
Expand All @@ -170,34 +181,30 @@
// $('#add-user-form').off('submit', onAddUserSubmit);
}

function onRemoveUser(user, group, button, token) {
function onRemoveUser(user, group, button, data) {

$.ajax({
method: 'DELETE',
url: removeUrl + '?group=' + group + '&userId=' + user,
dataType: 'json',
headers: {
'X-CSRF-Token': token,
},
data: data,
success: function(data) {
load();
},
error: function() {
$(field).attr('disabled', 'disabled');
$(button).attr('disabled', 'disabled');
var err = $('#subscribers .error');
err.text('<?php echo _txt('pl.grouperlite.message.user-not-removed-error'); ?>').show();
}
});
}

function onAddUser(user, group, field, token) {
function onAddUser(user, group, field, data) {
$.ajax({
method: 'POST',
url: addUrl + '?group=' + group + '&userId=' + user,
dataType: 'json',
headers: {
'X-CSRF-Token': token,
},
data: data,
success: function(data) {
load();
},
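Review bot: In onRemoveUser the token now travels in the body of a `DELETE` request (`data: data`), and on CakePHP 2 the SecurityComponent's CSRF validation in startup() only runs for POST/PUT, so unless removeSubscriber inspects `data[_Token][key]` itself the remove path may be unprotected; worth confirming by sending a remove request without the token. In onAddUserSubmit the `var token = form.find('[name="data[_Token][key]"]').val();` line is now dead since `data` replaces it and can be dropped. The serializeArray/reduce with object spread in both submit handlers can become `var data = form.serializeArray();` because jQuery accepts that name/value array directly as `data`, which also avoids ES2018 syntax in a file otherwise written with `var`. In onRemoveUser and onAddUser, `success: function(data)` shadows the new `data` parameter; rename the callback argument, e.g. `success: function(resp)`. The onAddUser body continues beyond the hunk.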
