diff --git a/app/controllers/multipersonsearch.php b/app/controllers/multipersonsearch.php
index 3aa50c6a1f3018badf5ae4523827ba3986f13e90..b3855c71e2b773a59ef17bf37255f50f278c169a 100644
--- a/app/controllers/multipersonsearch.php
+++ b/app/controllers/multipersonsearch.php
@@ -71,11 +71,14 @@ class MultipersonsearchController extends AuthenticatedController
      * This action checks for CSRF and redirects to the action which
      * handles adding/removing users.
      */
-    public function js_form_exec_action() {
+    public function js_form_exec_action()
+    {
         CSRFProtection::verifyUnsafeRequest();
         $this->name = Request::get("name");
         $mp = MultiPersonSearch::load($this->name);
+        $mp->verifySearch();
         $mp->saveAddedUsersToSession();
+
         $this->redirect($mp->getExecuteURL());
     }
diff --git a/app/controllers/settings/deputies.php b/app/controllers/settings/deputies.php
index 8ce4555e7d7d10ac24a7d54d69a398acac8dad65..63fd743dd082ef3a26daf598162a290d42a077fa 100644
--- a/app/controllers/settings/deputies.php
+++ b/app/controllers/settings/deputies.php
@@ -101,9 +101,12 @@ class Settings_DeputiesController extends Settings_SettingsController
     public function add_member_action()
     {
-        CSRFProtection::verifyUnsafeRequest();
-
         $mp = MultiPersonSearch::load('settings_add_deputy');
+
+        if (!$mp->isVerified()) {
+            throw new MethodNotAllowedException(_('Suche wurde nicht korrekt abgeschickt.'));
+        }
+
         $msg = [
             'error' => [],
             'success' => [],
diff --git a/lib/classes/MultiPersonSearch.php b/lib/classes/MultiPersonSearch.php
index 3ca617bfed203570bae42b8226545410a4199673..5216138f7cf69b0a8d66c5e787ecb3604944b5f5 100644
--- a/lib/classes/MultiPersonSearch.php
+++ b/lib/classes/MultiPersonSearch.php
@@ -34,6 +34,7 @@ class MultiPersonSearch {
     private $additionalHMTL = "";
     private $navigationItem = "";
     private $dataDialogStatus = false;
+    private $verified = null;
     /**
      * restores a MultiPersonSearch object.
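Review bot: The check that replaces `CSRFProtection::verifyUnsafeRequest()` in add_member_action is session-persistent rather than per request: as the `lib/classes/MultiPersonSearch.php` hunks show, `verifySearch()` stores the ticket under `$_SESSION['multipersonsearch'][...]['verified']`, `restoreFromSession()` reads it back on every `load()`, and nothing in this commit clears it, so once the user has posted the search form once, every later request to add_member_action passes `isVerified()` for as long as the session ticket stays valid, including requests the user did not intend, which is the case the removed call guarded against. Because `check_ticket()` presumably compares against the ticket of the same session that wrote the value, the check also reduces to "js_form_exec_action ran at some point in this session". The mark should be consumed right after the check so it vouches for exactly one redirected request, e.g. `unset($_SESSION['multipersonsearch']['settings_add_deputy']['verified']);` (or an equivalent method on MultiPersonSearch that also resets the property). add_member_action continues below the hunk, so any later handling of the mark there is not visible.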
@@ -479,10 +480,30 @@ class MultiPersonSearch {
         return $this->navigationItem;
     }
+    /**
+     * Mark the search as verified/posted correctly.
+     */
+    public function verifySearch(): void
+    {
+        $this->verified = get_ticket();
+
+        $_SESSION['multipersonsearch'][$this->name]['verified'] = $this->verified;
+    }
+
+    /**
+     * Returns whether the search is verified / has been posted correctly.
+     */
+    public function isVerified(): bool
+    {
+        return isset($this->verified)
+            && check_ticket($this->verified);
+    }
+
     /**
      * stores the internal data to a session.
      */
-    public function storeToSession() {
+    public function storeToSession()
+    {
         $_SESSION['multipersonsearch'][$this->name]['title'] = $this->title;
         $_SESSION['multipersonsearch'][$this->name]['description'] = $this->description;
         $_SESSION['multipersonsearch'][$this->name]['additionalHMTL'] = $this->additionalHMTL;
@@ -500,7 +521,8 @@ class MultiPersonSearch {
     /**
      * restores the internal data from a session.
      */
-    public function restoreFromSession() {
+    public function restoreFromSession()
+    {
         if (isset($_SESSION['multipersonsearch'][$this->name])) {
             $this->title = $_SESSION['multipersonsearch'][$this->name]['title'] ?? '';
             $this->description = $_SESSION['multipersonsearch'][$this->name]['description'] ?? '';
@@ -514,6 +536,7 @@ class MultiPersonSearch {
             $this->searchObject = unserialize($_SESSION['multipersonsearch'][$this->name]['searchObject'] ?? null);
             $this->navigationItem = $_SESSION['multipersonsearch'][$this->name]['navigationItem'] ?? null;
             $this->dataDialogStatus = $_SESSION['multipersonsearch'][$this->name]['dataDialogStatus'] ?? '';
+            $this->verified = $_SESSION['multipersonsearch'][$this->name]['verified'] ?? null;
         }
     }
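Review bot: `verifySearch()` persists the mark by writing `$_SESSION['multipersonsearch'][$this->name]['verified']` directly, while every other field of this object is written by `storeToSession()` (its body continues past the hunk) and the new field is read back in `restoreFromSession()` in the last hunk; keeping the write alongside the other fields, `$_SESSION['multipersonsearch'][$this->name]['verified'] = $this->verified;` inside `storeToSession()`, avoids two persistence paths drifting apart and leaves `verifySearch()` as a plain setter followed by `storeToSession()`. The docblocks should state the lifetime, since "verified" reads as per request: for `verifySearch()` something like `Marks the search as submitted through a CSRF-checked request; the mark is kept in the session and stays valid until removed`, and for `isVerified()` that it only reports whether a stored mark still matches the session ticket. Declaring the property as `private ?string $verified = null;` would document the expected type if `get_ticket()` returns a string — confirm its return type first. The enclosing class continues outside these hunks.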