From cf575136a637cc69701c4ce69984717cbe8833c2 Mon Sep 17 00:00:00 2001
From: Moritz Strohm <strohm@data-quest.de>
Date: Wed, 4 Oct 2023 11:16:53 +0000
Subject: [PATCH] course/grouping controller: use CSRF protection, fixes #3271

Closes #3271

Merge request studip/studip!2211
---
 app/controllers/course/grouping.php               | 6 ++++++
 app/views/course/grouping/children.php            | 1 +
 app/views/course/grouping/members.php             | 2 ++
 app/views/course/grouping/move_members_target.php | 1 +
 app/views/course/grouping/parent.php              | 1 +
 5 files changed, 11 insertions(+)

diff --git a/app/controllers/course/grouping.php b/app/controllers/course/grouping.php
index e35728255ca..526217f66c7 100644
--- a/app/controllers/course/grouping.php
+++ b/app/controllers/course/grouping.php
@@ -267,6 +267,7 @@ class Course_GroupingController extends AuthenticatedController
      */
     public function action_action()
     {
+        CSRFProtection::verifyUnsafeRequest();
         if (Request::submitted('single_action')) {
             list($course_id, $permission) = explode('-', Request::get('single_action'));
 
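Review bot: `CSRFProtection::verifyUnsafeRequest()` on the new first line of action_action() only enforces the token for non-GET requests, so if this route stays reachable by GET the handler still reads `Request::get('single_action')` and performs the mutation below without any token — I see no method restriction in the hunk, so this is inferred from the call's semantics. Either reject non-POST requests before the check, or call `CSRFProtection::verifyRequest()`, which demands a valid token regardless of the HTTP method. The same consideration applies to the three other actions guarded in this patch: move_members_action, unassign_parent_action and assign_child_action. action_action's body continues outside the hunk.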
@@ -327,6 +328,8 @@ class Course_GroupingController extends AuthenticatedController
      */
     public function move_members_action($source_id)
     {
+        CSRFProtection::verifyUnsafeRequest();
+
         $source = Seminar::getInstance($source_id);
         $target = Seminar::getInstance(Request::option('target'));
 
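Review bot: The blank line inserted after `CSRFProtection::verifyUnsafeRequest();` here and in assign_child_action is absent in action_action and unassign_parent_action; pick one layout so the guard reads the same in all four actions. Keeping the check as the visibly first statement with consistent spacing makes it easy to grep that every mutating action has it. move_members_action's body continues outside the hunk.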
@@ -459,6 +462,7 @@ class Course_GroupingController extends AuthenticatedController
      */
     public function unassign_parent_action()
     {
+        CSRFProtection::verifyUnsafeRequest();
         $parent = $this->course->parent_course;
         $this->course->parent_course = null;
         NotificationCenter::postNotification('CourseWillRemoveFromGroup', $this->course->id, $parent);
@@ -477,6 +481,8 @@ class Course_GroupingController extends AuthenticatedController
      */
     public function assign_child_action()
     {
+        CSRFProtection::verifyUnsafeRequest();
+
         if ($child = Request::option('child')) {
 
             $child_course = Course::find($child);
diff --git a/app/views/course/grouping/children.php b/app/views/course/grouping/children.php
index 789b0ce6349..9e7a239766d 100644
--- a/app/views/course/grouping/children.php
+++ b/app/views/course/grouping/children.php
@@ -1,4 +1,5 @@
 <form class="default" method="post" action="<?= $controller->url_for('course/grouping/assign_child') ?>">
+    <?= CSRFProtection::tokenTag() ?>
     <fieldset>
         <legend>
             <?= _('Bereits zugeordnet') ?>
diff --git a/app/views/course/grouping/members.php b/app/views/course/grouping/members.php
index 7a12273cf6a..3c3b022040f 100644
--- a/app/views/course/grouping/members.php
+++ b/app/views/course/grouping/members.php
@@ -1,6 +1,7 @@
 <? if (!empty($courses)) : ?>
     <form class="default" action="<?= $controller->url_for('course/grouping/action') ?>" method="post"
           data-dialog="size=auto">
+        <?= CSRFProtection::tokenTag() ?>
         <section class="studip">
             <? foreach ($courses as $child) : ?>
                 <article class="studip toggle" id="<?= $child->id ?>">
@@ -8,6 +9,7 @@
                         <h1>
                             <input type="checkbox" name="courses[]" value="<?= $child->id ?>" class="courses"
                                    data-activates="#actions-courses">
+
                             <a href="<?= ContentBoxHelper::href($child->id, ['contentbox_type' => 'news']) ?>"
                                data-course-id="<?= $child->id ?>"
                                data-get-members-url="<?= $controller->url_for('course/grouping/child_course_members', $child->id) ?>"
diff --git a/app/views/course/grouping/move_members_target.php b/app/views/course/grouping/move_members_target.php
index 0322f92d778..793fc195f27 100644
--- a/app/views/course/grouping/move_members_target.php
+++ b/app/views/course/grouping/move_members_target.php
@@ -1,4 +1,5 @@
 <form class="default" action="<?= $controller->url_for('course/grouping/move_members', $source_id) ?>" method="post">
+    <?= CSRFProtection::tokenTag() ?>
     <fieldset>
         <legend><?= _('Personen verschieben') ?></legend>
 
diff --git a/app/views/course/grouping/parent.php b/app/views/course/grouping/parent.php
index 64c1b394b6a..1278cc3690a 100644
--- a/app/views/course/grouping/parent.php
+++ b/app/views/course/grouping/parent.php
@@ -1,5 +1,6 @@
 <? if ($parent) : ?>
 <form class="default" method="post" action="<?= $controller->url_for('course/grouping/unassign_parent') ?>">
+    <?= CSRFProtection::tokenTag() ?>
     <fieldset>
         <legend><?= _('Veranstaltung zuordnen') ?></legend>
         <section>
-- 
GitLab