course/grouping controller: use CSRF protection, fixes #3271

Closes #3271 Merge request studip/studip!2211

course/grouping controller: use CSRF protection, fixes #3271
99c25263 · Moritz Strohm · Jan-Hendrik Willms · 2cce16d9 · 99c25263 · 99c25263
Commit 99c25263 authored 1 year ago by Moritz Strohm Committed by Jan-Hendrik Willms 1 year ago
--- a/app/controllers/course/grouping.php
+++ b/app/controllers/course/grouping.php
@@ -267,6 +267,7 @@ class Course_GroupingController extends AuthenticatedController
     */
    public function action_action()
    {
+        CSRFProtection::verifyUnsafeRequest();
        if (Request::submitted('single_action')) {
            list($course_id, $permission) = explode('-', Request::get('single_action'));

@@ -327,6 +328,8 @@ class Course_GroupingController extends AuthenticatedController
     */
    public function move_members_action($source_id)
    {
+        CSRFProtection::verifyUnsafeRequest();
+
        $source = Seminar::getInstance($source_id);
        $target = Seminar::getInstance(Request::option('target'));

@@ -459,6 +462,7 @@ class Course_GroupingController extends AuthenticatedController
     */
    public function unassign_parent_action()
    {
+        CSRFProtection::verifyUnsafeRequest();
        $parent = $this->course->parent_course;
        $this->course->parent_course = null;
        NotificationCenter::postNotification('CourseWillRemoveFromGroup', $this->course->id, $parent);
@@ -477,6 +481,8 @@ class Course_GroupingController extends AuthenticatedController
     */
    public function assign_child_action()
    {
+        CSRFProtection::verifyUnsafeRequest();
+
        if ($child = Request::option('child')) {

            $child_course = Course::find($child);

--- a/app/views/course/grouping/children.php
+++ b/app/views/course/grouping/children.php
 <form class="default" method="post" action="<?= $controller->url_for('course/grouping/assign_child') ?>">
+    <?= CSRFProtection::tokenTag() ?>
    <fieldset>
        <legend>
            <?= _('Bereits zugeordnet') ?>

--- a/app/views/course/grouping/members.php
+++ b/app/views/course/grouping/members.php
 <? if (!empty($courses)) : ?>
    <form class="default" action="<?= $controller->url_for('course/grouping/action') ?>" method="post"
          data-dialog="size=auto">
+        <?= CSRFProtection::tokenTag() ?>
        <section class="studip">
            <? foreach ($courses as $child) : ?>
                <article class="studip toggle" id="<?= $child->id ?>">
@@ -8,6 +9,7 @@
                        <h1>
                            <input type="checkbox" name="courses[]" value="<?= $child->id ?>" class="courses"
                                   data-activates="#actions-courses">
+
                            <a href="<?= ContentBoxHelper::href($child->id, ['contentbox_type' => 'news']) ?>"
                               data-course-id="<?= $child->id ?>"
                               data-get-members-url="<?= $controller->url_for('course/grouping/child_course_members', $child->id) ?>"

--- a/app/views/course/grouping/move_members_target.php
+++ b/app/views/course/grouping/move_members_target.php
 <form class="default" action="<?= $controller->url_for('course/grouping/move_members', $source_id) ?>" method="post">
+    <?= CSRFProtection::tokenTag() ?>
    <fieldset>
        <legend><?= _('Personen verschieben') ?></legend>


--- a/app/views/course/grouping/parent.php
+++ b/app/views/course/grouping/parent.php
 <? if ($parent) : ?>
 <form class="default" method="post" action="<?= $controller->url_for('course/grouping/unassign_parent') ?>">
+    <?= CSRFProtection::tokenTag() ?>
    <fieldset>
        <legend><?= _('Veranstaltung zuordnen') ?></legend>
        <section>