Commit 970111dc authored by Jan-Hendrik Willms's avatar Jan-Hendrik Willms

fix csrf protection, fixes #2184

Closes #2184

Merge request studip/studip!1410
parent 7e7ed801
......@@ -748,10 +748,6 @@ class Resources_AdminController extends AuthenticatedController
_('Teilbare Räume verwalten')
);
if (Request::isPost()) {
CSRFProtection::verifyUnsafeRequest();
}
$this->separable_room_name = '';
$db = DBManager::get();
......@@ -767,6 +763,8 @@ class Resources_AdminController extends AuthenticatedController
}
if (Request::submitted('create_separable_room')) {
CSRFProtection::verifyUnsafeRequest();
$selected_single_room_ids = Request::getArray('selected_single_rooms');
$this->separable_room_name = Request::get('separable_room_name');
......@@ -854,6 +852,8 @@ class Resources_AdminController extends AuthenticatedController
}
if (Request::submitted('add_room_part')) {
CSRFProtection::verifyUnsafeRequest();
$selected_single_room_ids = Request::getArray('selected_single_rooms');
$resources = Resource::findMany($selected_single_room_ids);
......@@ -959,23 +959,31 @@ class Resources_AdminController extends AuthenticatedController
}
if (Request::submitted('delete_separable_room')) {
CSRFProtection::verifyUnsafeRequest();
$delete_separable_room_array = Request::getArray('delete_separable_room');
$separable_room_id = array_keys($delete_separable_room_array)[0];
$this->deleteSeparableRoomsById([$separable_room_id]);
}
if (Request::submitted('bulk_delete_separable_rooms')) {
CSRFProtection::verifyUnsafeRequest();
$separable_room_ids = Request::getArray('selected_separable_rooms');
$this->deleteSeparableRoomsById($separable_room_ids);
}
if (Request::submitted('delete_room_part')) {
CSRFProtection::verifyUnsafeRequest();
$delete_room_part_array = Request::getArray('delete_room_part');
$room_part_id = array_keys($delete_room_part_array)[0];
$this->deleteSeparableRoomPartsById([$room_part_id]);
}
if (Request::submitted('bulk_delete_room_parts')) {
CSRFProtection::verifyUnsafeRequest();
$room_part_ids = Request::getArray('selected_room_parts');
$this->deleteSeparableRoomPartsById($room_part_ids);
}
......
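Review bot: Each `Request::submitted(...)` branch now calls `CSRFProtection::verifyUnsafeRequest()`, but if that helper only enforces the token for non-GET methods (the ExportController hunk in this same commit drops the `Request::isPost()` wrapper around it, which suggests so) and `Request::submitted()` also matches query-string parameters, a state-changing branch such as `delete_separable_room` reached via a GET URL would run without any token check. Consider gating the write branches on the method explicitly, e.g. `if (Request::isPost() && Request::submitted('delete_separable_room')) {`, or rejecting non-POST requests once before the delete branches. The first hunk also removes the blanket POST-time check, so any other `Request::submitted` branch of this action that writes state and lies outside the shown hunks now needs its own call; the enclosing action starts before the first hunk and its body continues past these fragments.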
......@@ -243,9 +243,7 @@ class Resources_ExportController extends AuthenticatedController
public function bookings_action()
{
if (Request::isPost()) {
CSRFProtection::verifyUnsafeRequest();
}
CSRFProtection::verifyUnsafeRequest();
//Get the IDs of all selected clipboards and rooms:
$this->selected_clipboard_ids = Request::getArray('selected_clipboards');
......
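Review bot: The unconditional `CSRFProtection::verifyUnsafeRequest()` call on the new side is only equivalent to the removed `if (Request::isPost())` guard if the helper itself skips the token check for safe methods, which this hunk does not show; a one-line comment would spare the next reader from re-deriving that, e.g. `// verifyUnsafeRequest() is expected to be a no-op for GET/HEAD and to enforce the CSRF token only on unsafe methods`. bookings_action continues past the end of the hunk, so whether anything after the `selected_clipboards` read changes state cannot be judged here.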