Commit 2cce16d9 authored by Moritz Strohm's avatar Moritz Strohm Committed by Jan-Hendrik Willms

use CSRF protection when creating/editing/deleting an OER material, fixes #3268

Closes #3268

Merge request studip/studip!2210
parent 87573977
...@@ -28,12 +28,14 @@ class Oer_MymaterialController extends AuthenticatedController ...@@ -28,12 +28,14 @@ class Oer_MymaterialController extends AuthenticatedController
$content_types = ['application/x-zip-compressed', 'application/zip', 'application/x-zip']; $content_types = ['application/x-zip-compressed', 'application/zip', 'application/x-zip'];
$tmp_folder = $GLOBALS['TMP_PATH'] . '/temp_folder_' . md5(uniqid()); $tmp_folder = $GLOBALS['TMP_PATH'] . '/temp_folder_' . md5(uniqid());
if (Request::submitted('delete') && Request::isPost()) { if (Request::submitted('delete') && Request::isPost()) {
CSRFProtection::verifyUnsafeRequest();
$material->pushDataToIndexServers('delete'); $material->pushDataToIndexServers('delete');
$material->delete(); $material->delete();
PageLayout::postSuccess(_('Das Material wurde gelöscht.')); PageLayout::postSuccess(_('Das Material wurde gelöscht.'));
$this->redirect('oer/market/index'); $this->redirect('oer/market/index');
return; return;
} elseif (Request::isPost()) { } elseif (Request::isPost()) {
CSRFProtection::verifyUnsafeRequest();
$was_new = $material->isNew(); $was_new = $material->isNew();
$was_on_twillo = (bool) $material['published_id_on_twillo']; $was_on_twillo = (bool) $material['published_id_on_twillo'];
$data = Request::getArray('data'); $data = Request::getArray('data');
......
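Review bot: `CSRFProtection::verifyUnsafeRequest()` is now called in two sibling branches that are both already gated on `Request::isPost()`; a single guard in front of the `if`, `if (Request::isPost()) { CSRFProtection::verifyUnsafeRequest(); }`, covers both paths and any POST branch added later. A second thing worth a comment at that call: the edit form is `multipart/form-data` (third hunk), and a request body above `post_max_size` reaches PHP with `$_POST` and `$_FILES` emptied while the request method is still POST, so the token check would reject an oversized upload with a security-token error instead of a size error; a check such as `if (empty($_POST) && (int) ($_SERVER['CONTENT_LENGTH'] ?? 0) > 0)` before the verification could report the real cause. I assume `verifyUnsafeRequest()` throws on a missing or invalid token so nothing below it runs for a rejected request — worth confirming against `CSRFProtection`. The enclosing action method starts and ends outside the hunk.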
...@@ -73,6 +73,7 @@ ...@@ -73,6 +73,7 @@
<? if (!$material['host_id'] && ($material->isMine() || $GLOBALS['perm']->have_perm("root"))) : ?> <? if (!$material['host_id'] && ($material->isMine() || $GLOBALS['perm']->have_perm("root"))) : ?>
<?= \Studip\LinkButton::create(_('Bearbeiten'), $controller->link_for("oer/mymaterial/edit/".$material->getId()), ['data-dialog' => "1"]) ?> <?= \Studip\LinkButton::create(_('Bearbeiten'), $controller->link_for("oer/mymaterial/edit/".$material->getId()), ['data-dialog' => "1"]) ?>
<form action="<?= $controller->link_for("oer/mymaterial/edit/".$material->getId()) ?>" method="post" style="display: inline;"> <form action="<?= $controller->link_for("oer/mymaterial/edit/".$material->getId()) ?>" method="post" style="display: inline;">
<?= CSRFProtection::tokenTag() ?>
<?= \Studip\Button::create(_('Löschen'), "delete", ['value' => 1, 'data-confirm' => _('Wirklich löschen?')]) ?> <?= \Studip\Button::create(_('Löschen'), "delete", ['value' => 1, 'data-confirm' => _('Wirklich löschen?')]) ?>
</form> </form>
<? endif ?> <? endif ?>
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
onsubmit="$(window).off('beforeunload')" onsubmit="$(window).off('beforeunload')"
data-secure data-secure
enctype="multipart/form-data"> enctype="multipart/form-data">
<?= CSRFProtection::tokenTag() ?>
<div class="oercampus_editmaterial"> <div class="oercampus_editmaterial">
<fieldset> <fieldset>
<legend><?= _('Grunddaten') ?></legend> <legend><?= _('Grunddaten') ?></legend>
......