From 869bc61f08921e22dcb3ad0f048ddbfe93a64d1b Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Tue, 26 Nov 2024 12:40:41 +0000
Subject: [PATCH] fix adding deputies by allowing multi person search to be verified using a ticket instead of a post request, fixes #4897
Closes #4897
Merge request studip/studip!3680
---
 app/controllers/multipersonsearch.php | 5 ++++-
 app/controllers/settings/deputies.php | 7 +++++--
 lib/classes/MultiPersonSearch.php | 27 +++++++++++++++++++++++++--
 3 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/app/controllers/multipersonsearch.php b/app/controllers/multipersonsearch.php
index 3aa50c6a1f3..b3855c71e2b 100644
--- a/app/controllers/multipersonsearch.php
+++ b/app/controllers/multipersonsearch.php
@@ -71,11 +71,14 @@ class MultipersonsearchController extends AuthenticatedController
 * This action checks for CSRF and redirects to the action which
 * handles adding/removing users.
 */
- public function js_form_exec_action() {
+ public function js_form_exec_action()
+ {
 CSRFProtection::verifyUnsafeRequest();
 $this->name = Request::get("name");
 $mp = MultiPersonSearch::load($this->name);
+ $mp->verifySearch();
 $mp->saveAddedUsersToSession();
+
 $this->redirect($mp->getExecuteURL());
 }
diff --git a/app/controllers/settings/deputies.php b/app/controllers/settings/deputies.php
index 8ce4555e7d7..63fd743dd08 100644
--- a/app/controllers/settings/deputies.php
+++ b/app/controllers/settings/deputies.php
@@ -101,9 +101,12 @@ class Settings_DeputiesController extends Settings_SettingsController
 public function add_member_action()
 {
- CSRFProtection::verifyUnsafeRequest();
-
 $mp = MultiPersonSearch::load('settings_add_deputy');
+
+ if (!$mp->isVerified()) {
+ throw new MethodNotAllowedException(_('Suche wurde nicht korrekt abgeschickt.'));
+ }
+
 $msg = [
 'error' => [],
 'success' => [],
diff --git a/lib/classes/MultiPersonSearch.php b/lib/classes/MultiPersonSearch.php
index 3ca617bfed2..5216138f7cf 100644
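Review bot: The `isVerified()` gate that replaces `CSRFProtection::verifyUnsafeRequest()` in `add_member_action` is never cleared, so once `js_form_exec_action` has stored a ticket the now GET-reachable action passes the check on every repeat of the same URL for as long as `check_ticket()` accepts that value (the ticket helpers are not in the diff; if they are session-scoped, that is the rest of the session). The same gap is in the `verifySearch()`/`isVerified()` hunk of lib/classes/MultiPersonSearch.php, which offers no way to reset the flag. I would consume the marker right after the check, e.g. `unset($_SESSION['multipersonsearch']['settings_add_deputy']['verified']);`, or better a small reset method on MultiPersonSearch so the session layout stays encapsulated in that class. `MethodNotAllowedException` also reads as an HTTP 405 for a request whose verb is fine but whose precondition failed; an access or validation exception would describe the failure more accurately. add_member_action's body continues past the hunk.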
--- a/lib/classes/MultiPersonSearch.php
+++ b/lib/classes/MultiPersonSearch.php
@@ -34,6 +34,7 @@ class MultiPersonSearch {
 private $additionalHMTL = "";
 private $navigationItem = "";
 private $dataDialogStatus = false;
+ private $verified = null;
 /**
 * restores a MultiPersonSearch object.
@@ -479,10 +480,30 @@ class MultiPersonSearch {
 return $this->navigationItem;
 }
+ /**
+ * Mark the search as verified/posted correctly.
+ */
+ public function verifySearch(): void
+ {
+ $this->verified = get_ticket();
+
+ $_SESSION['multipersonsearch'][$this->name]['verified'] = $this->verified;
+ }
+
+ /**
+ * Returns whether the search is verified / has been posted correctly.
+ */
+ public function isVerified(): bool
+ {
+ return isset($this->verified)
+ && check_ticket($this->verified);
+ }
+
 /**
 * stores the internal data to a session.
 */
- public function storeToSession() {
+ public function storeToSession()
+ {
 $_SESSION['multipersonsearch'][$this->name]['title'] = $this->title;
 $_SESSION['multipersonsearch'][$this->name]['description'] = $this->description;
 $_SESSION['multipersonsearch'][$this->name]['additionalHMTL'] = $this->additionalHMTL;
@@ -500,7 +521,8 @@ class MultiPersonSearch {
 /**
 * restores the internal data from a session.
 */
- public function restoreFromSession() {
+ public function restoreFromSession()
+ {
 if (isset($_SESSION['multipersonsearch'][$this->name])) {
 $this->title = $_SESSION['multipersonsearch'][$this->name]['title'] ?? '';
 $this->description = $_SESSION['multipersonsearch'][$this->name]['description'] ?? '';
@@ -514,6 +536,7 @@ class MultiPersonSearch {
 $this->searchObject = unserialize($_SESSION['multipersonsearch'][$this->name]['searchObject'] ?? null);
 $this->navigationItem = $_SESSION['multipersonsearch'][$this->name]['navigationItem'] ?? null;
 $this->dataDialogStatus = $_SESSION['multipersonsearch'][$this->name]['dataDialogStatus'] ?? '';
+ $this->verified = $_SESSION['multipersonsearch'][$this->name]['verified'] ?? null;
 }
 }
--
GitLab
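Review bot: `verifySearch()` writes the `'verified'` session key directly, but `storeToSession()` in the same hunk (its body continues past the hunk) is not extended with that key, while `restoreFromSession()` in the last hunk does read it; persistence of the flag therefore rests on that side write rather than on the store/restore pair the class uses for every other field. Adding `$_SESSION['multipersonsearch'][$this->name]['verified'] = $this->verified;` to `storeToSession()` keeps the two symmetric, so a round trip through store and restore treats the flag like the other fields instead of silently keeping whatever value was written earlier. `isVerified()` combines `isset()` with `check_ticket()`, which is correct for a null default, but the docblock could state what a true result means for callers, e.g. `Returns whether the search was submitted through a request that passed CSRF verification; the ticket is compared via check_ticket().` The new property could carry a `?string` type if `get_ticket()` returns a string, though the neighbouring properties are untyped, so that is a consistency choice.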