fix adding deputies by allowing multi person search to be verified using a...

fix adding deputies by allowing multi person search to be verified using a ticket instead of a post request, fixes #4897

Closes #4897

Merge request studip/studip!3680

app/controllers/multipersonsearch.php

@@ -71,11 +71,14 @@ class MultipersonsearchController extends AuthenticatedController
      * This action checks for CSRF and redirects to the action which
      * handles adding/removing users.
      */
-    public function js_form_exec_action() {
+    public function js_form_exec_action()
+    {
         CSRFProtection::verifyUnsafeRequest();
         $this->name = Request::get("name");
         $mp = MultiPersonSearch::load($this->name);
+        $mp->verifySearch();
         $mp->saveAddedUsersToSession();
+
         $this->redirect($mp->getExecuteURL());
     }
 

app/controllers/settings/deputies.php

@@ -101,9 +101,12 @@ class Settings_DeputiesController extends Settings_SettingsController
 
     public function add_member_action()
     {
-        CSRFProtection::verifyUnsafeRequest();
-
         $mp = MultiPersonSearch::load('settings_add_deputy');
+
+        if (!$mp->isVerified()) {
+            throw new MethodNotAllowedException(_('Suche wurde nicht korrekt abgeschickt.'));
+        }
+
         $msg = [
             'error' => [],
             'success' => [],

lib/classes/MultiPersonSearch.php

@@ -34,6 +34,7 @@ class MultiPersonSearch {
     private $additionalHMTL = "";
     private $navigationItem = "";
     private $dataDialogStatus = false;
+    private $verified = null;
 
     /**
      * restores a MultiPersonSearch object.
@@ -479,10 +480,30 @@ class MultiPersonSearch {
         return $this->navigationItem;
     }
 
+    /**
+     * Mark the search as verified/posted correctly.
+     */
+    public function verifySearch(): void
+    {
+        $this->verified = get_ticket();
+
+        $_SESSION['multipersonsearch'][$this->name]['verified'] = $this->verified;
+    }
+
+    /**
+     * Returns whether the search is verified / has been posted correctly.
+     */
+    public function isVerified(): bool
+    {
+        return isset($this->verified)
+            && check_ticket($this->verified);
+    }
+
     /**
      * stores the internal data to a session.
      */
-    public function storeToSession() {
+    public function storeToSession()
+    {
         $_SESSION['multipersonsearch'][$this->name]['title'] = $this->title;
         $_SESSION['multipersonsearch'][$this->name]['description'] = $this->description;
         $_SESSION['multipersonsearch'][$this->name]['additionalHMTL'] = $this->additionalHMTL;
@@ -500,7 +521,8 @@ class MultiPersonSearch {
     /**
      * restores the internal data from a session.
      */
-    public function restoreFromSession() {
+    public function restoreFromSession()
+    {
         if (isset($_SESSION['multipersonsearch'][$this->name])) {
             $this->title = $_SESSION['multipersonsearch'][$this->name]['title'] ?? '';
             $this->description = $_SESSION['multipersonsearch'][$this->name]['description'] ?? '';
@@ -514,6 +536,7 @@ class MultiPersonSearch {
             $this->searchObject = unserialize($_SESSION['multipersonsearch'][$this->name]['searchObject'] ?? null);
             $this->navigationItem = $_SESSION['multipersonsearch'][$this->name]['navigationItem'] ?? null;
             $this->dataDialogStatus = $_SESSION['multipersonsearch'][$this->name]['dataDialogStatus'] ?? '';
+            $this->verified = $_SESSION['multipersonsearch'][$this->name]['verified'] ?? null;
         }
     }