From 970111dc87321ac8ba0ea6c2d0f9930c9d4b9635 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Fri, 17 Feb 2023 10:59:18 +0000
Subject: [PATCH] fix csrf protection, fixes #2184

Closes #2184

Merge request studip/studip!1410
---
 app/controllers/resources/admin.php  | 16 ++++++++++++----
 app/controllers/resources/export.php |  4 +---
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/controllers/resources/admin.php b/app/controllers/resources/admin.php
index 85538fa0855..94319113c93 100644
--- a/app/controllers/resources/admin.php
+++ b/app/controllers/resources/admin.php
@@ -748,10 +748,6 @@ class Resources_AdminController extends AuthenticatedController
             _('Teilbare Räume verwalten')
         );
 
-        if (Request::isPost()) {
-            CSRFProtection::verifyUnsafeRequest();
-        }
-
         $this->separable_room_name = '';
 
         $db = DBManager::get();
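Review bot: Dropping the action-level `CSRFProtection::verifyUnsafeRequest()` here shifts protection onto each state-changing branch, so coverage is only as complete as the per-branch calls added in the later hunks of this file (the `create_separable_room`, `add_room_part`, `delete_separable_room`, `bulk_delete_separable_rooms`, `delete_room_part` and `bulk_delete_room_parts` branches). Any other `Request::submitted(...)` branch in the parts of this action that the patch does not show (between the hunks) would now execute without verification, which is worth confirming before merge. Because the pattern is now easy to forget when a branch is added, a comment above the first per-branch call would help, e.g. `// CSRF: every branch that modifies data must call verifyUnsafeRequest() itself; there is no action-level check.` The enclosing action starts before this hunk.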
@@ -767,6 +763,8 @@ class Resources_AdminController extends AuthenticatedController
         }
 
         if (Request::submitted('create_separable_room')) {
+            CSRFProtection::verifyUnsafeRequest();
+
             $selected_single_room_ids  = Request::getArray('selected_single_rooms');
             $this->separable_room_name = Request::get('separable_room_name');
 
@@ -854,6 +852,8 @@ class Resources_AdminController extends AuthenticatedController
         }
 
         if (Request::submitted('add_room_part')) {
+            CSRFProtection::verifyUnsafeRequest();
+
             $selected_single_room_ids = Request::getArray('selected_single_rooms');
 
             $resources = Resource::findMany($selected_single_room_ids);
@@ -959,23 +959,31 @@ class Resources_AdminController extends AuthenticatedController
         }
 
         if (Request::submitted('delete_separable_room')) {
+            CSRFProtection::verifyUnsafeRequest();
+
             $delete_separable_room_array = Request::getArray('delete_separable_room');
             $separable_room_id           = array_keys($delete_separable_room_array)[0];
             $this->deleteSeparableRoomsById([$separable_room_id]);
         }
 
         if (Request::submitted('bulk_delete_separable_rooms')) {
+            CSRFProtection::verifyUnsafeRequest();
+
             $separable_room_ids = Request::getArray('selected_separable_rooms');
             $this->deleteSeparableRoomsById($separable_room_ids);
         }
 
         if (Request::submitted('delete_room_part')) {
+            CSRFProtection::verifyUnsafeRequest();
+
             $delete_room_part_array = Request::getArray('delete_room_part');
             $room_part_id           = array_keys($delete_room_part_array)[0];
             $this->deleteSeparableRoomPartsById([$room_part_id]);
         }
 
         if (Request::submitted('bulk_delete_room_parts')) {
+            CSRFProtection::verifyUnsafeRequest();
+
             $room_part_ids = Request::getArray('selected_room_parts');
             $this->deleteSeparableRoomPartsById($room_part_ids);
         }
diff --git a/app/controllers/resources/export.php b/app/controllers/resources/export.php
index 82128ffb206..561bdf90627 100644
--- a/app/controllers/resources/export.php
+++ b/app/controllers/resources/export.php
@@ -243,9 +243,7 @@ class Resources_ExportController extends AuthenticatedController
 
     public function bookings_action()
     {
-        if (Request::isPost()) {
-            CSRFProtection::verifyUnsafeRequest();
-        }
+        CSRFProtection::verifyUnsafeRequest();
 
         //Get the IDs of all selected clipboards and rooms:
         $this->selected_clipboard_ids = Request::getArray('selected_clipboards');
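Review bot: The now-unconditional `CSRFProtection::verifyUnsafeRequest()` at the top of `bookings_action` also runs for GET requests, which is only harmless if that method itself ignores safe HTTP methods; its name suggests it does, but that is not visible in this patch, and if it does not, a plain link to this action would fail. If it does skip safe methods, the removed `isPost()` wrapper here (and the one removed in admin.php) was redundant and a comment such as `// no isPost() guard needed: verifyUnsafeRequest() only acts on non-GET requests` would stop the guard from being re-added. `bookings_action` continues past the end of this hunk.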
-- 
GitLab