From d4ed7e8f31960eaa44c9c70db4d483754757179e Mon Sep 17 00:00:00 2001
From: Ryan Mathis
Date: Wed, 13 Apr 2022 13:59:29 -0700
Subject: [PATCH] Fixed csrf issue
---
 Controller/GrouperGroupsController.php | 5 +-
 Model/GrouperGroup.php | 6 --
 View/Elements/Components/subscriberList.ctp | 61 ++++++++++++---------
 3 files changed, 38 insertions(+), 34 deletions(-)
diff --git a/Controller/GrouperGroupsController.php b/Controller/GrouperGroupsController.php
index 7958cd3..6160c14 100644
--- a/Controller/GrouperGroupsController.php
+++ b/Controller/GrouperGroupsController.php
@@ -37,7 +37,10 @@ class GrouperGroupsController extends GrouperLiteAppController {
 public $helpers = array('Html', 'Form', 'Flash');
- public $components = array('Flash', 'Paginator', 'RequestHandler');
+ public $components = array('Flash', 'Paginator', 'RequestHandler', 'Security' => array(
+ 'validatePost' => false,
+ 'csrfUseOnce' => false
+ ));
 public $name = 'GrouperGroups';
diff --git a/Model/GrouperGroup.php b/Model/GrouperGroup.php
index 6021305..980259f 100644
--- a/Model/GrouperGroup.php
+++ b/Model/GrouperGroup.php
@@ -102,12 +102,6 @@ public function isUserOwner(string $userId) { } } - public function beforeFilter() - { - $this->Security->csrfUseOnce = false; - // ... - } - /** * Used to instantiate API class *
diff --git a/View/Elements/Components/subscriberList.ctp b/View/Elements/Components/subscriberList.ctp
index 3e3f80c..d73e2b5 100644
--- a/View/Elements/Components/subscriberList.ctp
+++ b/View/Elements/Components/subscriberList.ctp
@@ -20,7 +20,7 @@
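Review bot: `'validatePost' => false` in the new `$components` entry turns off the Security component's form-tampering check for every action of GrouperGroupsController, and `'csrfUseOnce' => false` lets a single `_Token` key be replayed until `csrfExpires` elapses (the component's default is `+30 minutes`); both settings are controller-wide although only the two subscriber AJAX endpoints changed in the view hunks, so if multi-use tokens are really needed an explicit short `'csrfExpires'` should sit alongside. A narrower form is to keep the defaults here and toggle per action in the controller's `beforeFilter()`: `if (in_array($this->request->params['action'], array('addSubscriber', 'removeSubscriber'))) { $this->Security->validatePost = false; }` — the `beforeFilter()` this commit deletes from Model/GrouperGroup.php looks like an attempt at exactly that, placed in the wrong class, where `$this->Security` does not exist. Note also that the CakePHP 2 Security component runs its POST/CSRF validation only for requests it classifies as post or put, so the `DELETE` issued by `onRemoveUser` in the view may not be checked at all regardless of these settings — confirm against the framework version in use. The class body continues outside the hunk.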
Form->create(false, array( 'url' => array('controller' => 'grouper_groups', 'action' => 'groupSubscribers'), - 'class' => 'add-user-form', + 'class' => 'add-user-form w-100', 'id' => 'add-user-form', )); ?> @@ -57,7 +57,7 @@ array( 'plugin' => "grouper_lite", 'controller' => 'grouper_groups', - 'action' => 'groupSubscribers.json' + 'action' => 'groupSubscribers' ) ); ?>'; @@ -65,7 +65,7 @@ array( 'plugin' => "grouper_lite", 'controller' => 'grouper_groups', - 'action' => 'removeSubscriber.json' + 'action' => 'removeSubscriber' ) ); ?>'; @@ -73,7 +73,7 @@ array( 'plugin' => "grouper_lite", 'controller' => 'grouper_groups', - 'action' => 'addSubscriber.json' + 'action' => 'addSubscriber' ) ); ?>'; $('.members-btn').click(function(ev) { @@ -93,19 +93,30 @@ function onAddUserSubmit(ev) { ev.preventDefault(); ev.stopPropagation(); - var field = $(ev.target).find('#addUser'); + var form = $(ev.target); + var field = form.find('#addUser'); var user = field.val(); - var token = $(ev.target).find('[name="data[_Token][key]"]').val(); - onAddUser(user, group, field, token); + var token = form.find('[name="data[_Token][key]"]').val(); + + var data = form.serializeArray().reduce((o, kv) => ({ + ...o, + [kv.name]: kv.value + }), {}); + + onAddUser(user, group, field, data); } function onRemoveUserSubmit(ev) { ev.preventDefault(); ev.stopPropagation(); - var button = $(ev.target).find('button'); + var form = $(ev.target); + var button = form.find('button'); var user = button.data('user'); - var token = $(ev.target).find('[name="data[_Token][key]"]').val(); - onRemoveUser(user, group, button, token); + var data = form.serializeArray().reduce((o, kv) => ({ + ...o, + [kv.name]: kv.value + }), {}); + onRemoveUser(user, group, button, data); } function loadModalData(id) { 
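Review bot: In `onAddUserSubmit` the line `var token = form.find('[name="data[_Token][key]"]').val();` survives the rewrite but `token` is no longer passed anywhere once the call becomes `onAddUser(user, group, field, data)`, so it is dead code and should go; the equivalent lookup was correctly dropped from `onRemoveUserSubmit`. The `serializeArray().reduce(...)` that follows in both handlers collapses the form into a name-keyed object, which silently keeps only the last value for any repeated field name, and its arrow function plus object spread are the only ES2015+ syntax in an otherwise `var`/`function`-style script; `var data = form.serialize();` yields the same urlencoded body for jQuery's `data:` option with neither drawback. Because the form fields now become the request body, the `_Token` hidden inputs only reach the server if they are inside this form element — worth asserting in a test, since `removeUrl`'s request is a DELETE and will otherwise carry no token at all. `loadModalData` begins at the end of this hunk and continues outside it.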
@@ -141,13 +152,13 @@ '', '', 'Form->create(false, array( - "url" => array( - "controller" => "grouper_groups", - "action" => "removeSubscriber" - ), - "class" => "remove-user-form", - "id" => "remove-user-form" - )); ?>', + "url" => array( + "controller" => "grouper_groups", + "action" => "removeSubscriber" + ), + "class" => "remove-user-form", + "id" => "remove-user-form" + )); ?>', '', @@ -170,34 +181,30 @@ // $('#add-user-form').off('submit', onAddUserSubmit); } - function onRemoveUser(user, group, button, token) { - + function onRemoveUser(user, group, button, data) { + $.ajax({ method: 'DELETE', url: removeUrl + '?group=' + group + '&userId=' + user, dataType: 'json', - headers: { - 'X-CSRF-Token': token, - }, + data: data, success: function(data) { load(); }, error: function() { - $(field).attr('disabled', 'disabled'); + $(button).attr('disabled', 'disabled'); var err = $('#subscribers .error'); err.text('').show(); } }); } - function onAddUser(user, group, field, token) { + function onAddUser(user, group, field, data) { $.ajax({ method: 'POST', url: addUrl + '?group=' + group + '&userId=' + user, dataType: 'json', - headers: { - 'X-CSRF-Token': token, - }, + data: data, success: function(data) { load(); },
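Review bot: In the new signatures `onRemoveUser(user, group, button, data)` and `onAddUser(user, group, field, data)` the request payload is named `data`, and the unchanged `success: function(data)` callbacks reuse that name for the JSON response, so the payload is shadowed inside both callbacks; `function onRemoveUser(user, group, button, payload) {` with `data: payload,` (and the same in `onAddUser`) keeps the two apart. Moving the token from the `X-CSRF-Token` header into the body matches where the CakePHP 2 Security component reads `_Token[key]`, but for `method: 'DELETE'` the token now travels in a DELETE body, which the component's post/put classification may never inspect — verify server-side that the removal request is rejected without a valid token, or issue it as a POST. The unchanged `url: removeUrl + '?group=' + group + '&userId=' + user` lines still interpolate the user-typed value without `encodeURIComponent()`, so a value containing `&` or `#` breaks the query string; pre-existing, but cheap to fix while these functions are being rewritten. The `$(button)` fix in the `error` handler is right, since `field` was never in scope there. `onAddUser` runs past the end of the hunk.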