Add form security token to contact actions

- Add token to batch POST actions
- Add token to individual GET actions
This commit is contained in:
Hypolite Petovan 2021-09-06 12:23:15 -04:00
parent 0c8c0f7374
commit e9aa27b19f
3 changed files with 19 additions and 8 deletions


@ -59,6 +59,10 @@ class Contact extends BaseModule
return; return;
} }
$redirectUrl = $_POST['redirect_url'] ?? 'contact';
self::checkFormSecurityTokenRedirectOnError($redirectUrl, 'contact_batch_actions');
$orig_records = Model\Contact::selectToArray(['id', 'uid'], ['id' => $_POST['contact_batch'], 'uid' => [0, local_user()], 'self' => false, 'deleted' => false]); $orig_records = Model\Contact::selectToArray(['id', 'uid'], ['id' => $_POST['contact_batch'], 'uid' => [0, local_user()], 'self' => false, 'deleted' => false]);
$count_actions = 0; $count_actions = 0;
@ -93,7 +97,7 @@ class Contact extends BaseModule
info(DI::l10n()->tt('%d contact edited.', '%d contacts edited.', $count_actions)); info(DI::l10n()->tt('%d contact edited.', '%d contacts edited.', $count_actions));
} }
DI::baseUrl()->redirect($_POST['redirect_url'] ?? 'contact'); DI::baseUrl()->redirect($redirectUrl);
} }
public static function post(array $parameters = []) public static function post(array $parameters = [])
@ -361,6 +365,8 @@ class Contact extends BaseModule
throw new NotFoundException(DI::l10n()->t('Contact not found')); throw new NotFoundException(DI::l10n()->t('Contact not found'));
} }
self::checkFormSecurityTokenRedirectOnError('contact/' . $contact_id, 'contact_action', 't');
$cdata = Model\Contact::getPublicAndUserContactID($orig_record['id'], local_user()); $cdata = Model\Contact::getPublicAndUserContactID($orig_record['id'], local_user());
if (empty($cdata)) { if (empty($cdata)) {
throw new NotFoundException(DI::l10n()->t('Contact not found')); throw new NotFoundException(DI::l10n()->t('Contact not found'));
@ -840,6 +846,7 @@ class Contact extends BaseModule
'$submit' => DI::l10n()->t('Find'), '$submit' => DI::l10n()->t('Find'),
'$cmd' => DI::args()->getCommand(), '$cmd' => DI::args()->getCommand(),
'$contacts' => $contacts, '$contacts' => $contacts,
'$form_security_token' => BaseModule::getFormSecurityToken('contact_batch_actions'),
'$contact_drop_confirm' => DI::l10n()->t('Do you really want to delete this contact?'), '$contact_drop_confirm' => DI::l10n()->t('Do you really want to delete this contact?'),
'multiselect' => 1, 'multiselect' => 1,
'$batch_actions' => [ '$batch_actions' => [
@ -1080,6 +1087,8 @@ class Contact extends BaseModule
$poll_enabled = in_array($contact['network'], [Protocol::ACTIVITYPUB, Protocol::DFRN, Protocol::OSTATUS, Protocol::FEED, Protocol::MAIL]); $poll_enabled = in_array($contact['network'], [Protocol::ACTIVITYPUB, Protocol::DFRN, Protocol::OSTATUS, Protocol::FEED, Protocol::MAIL]);
$contact_actions = []; $contact_actions = [];
$formSecurityToken = self::getFormSecurityToken('contact_action');
// Provide friend suggestion only for Friendica contacts // Provide friend suggestion only for Friendica contacts
if ($contact['network'] === Protocol::DFRN) { if ($contact['network'] === Protocol::DFRN) {
$contact_actions['suggest'] = [ $contact_actions['suggest'] = [
@ -1094,7 +1103,7 @@ class Contact extends BaseModule
if ($poll_enabled) { if ($poll_enabled) {
$contact_actions['update'] = [ $contact_actions['update'] = [
'label' => DI::l10n()->t('Update now'), 'label' => DI::l10n()->t('Update now'),
'url' => 'contact/' . $contact['id'] . '/update', 'url' => 'contact/' . $contact['id'] . '/update?t=' . $formSecurityToken,
'title' => '', 'title' => '',
'sel' => '', 'sel' => '',
'id' => 'update', 'id' => 'update',
@ -1104,7 +1113,7 @@ class Contact extends BaseModule
if (in_array($contact['network'], Protocol::NATIVE_SUPPORT)) { if (in_array($contact['network'], Protocol::NATIVE_SUPPORT)) {
$contact_actions['updateprofile'] = [ $contact_actions['updateprofile'] = [
'label' => DI::l10n()->t('Refetch contact data'), 'label' => DI::l10n()->t('Refetch contact data'),
'url' => 'contact/' . $contact['id'] . '/updateprofile', 'url' => 'contact/' . $contact['id'] . '/updateprofile?t=' . $formSecurityToken,
'title' => '', 'title' => '',
'sel' => '', 'sel' => '',
'id' => 'updateprofile', 'id' => 'updateprofile',
@ -1113,7 +1122,7 @@ class Contact extends BaseModule
$contact_actions['block'] = [ $contact_actions['block'] = [
'label' => (intval($contact['blocked']) ? DI::l10n()->t('Unblock') : DI::l10n()->t('Block')), 'label' => (intval($contact['blocked']) ? DI::l10n()->t('Unblock') : DI::l10n()->t('Block')),
'url' => 'contact/' . $contact['id'] . '/block', 'url' => 'contact/' . $contact['id'] . '/block?t=' . $formSecurityToken,
'title' => DI::l10n()->t('Toggle Blocked status'), 'title' => DI::l10n()->t('Toggle Blocked status'),
'sel' => (intval($contact['blocked']) ? 'active' : ''), 'sel' => (intval($contact['blocked']) ? 'active' : ''),
'id' => 'toggle-block', 'id' => 'toggle-block',
@ -1121,7 +1130,7 @@ class Contact extends BaseModule
$contact_actions['ignore'] = [ $contact_actions['ignore'] = [
'label' => (intval($contact['readonly']) ? DI::l10n()->t('Unignore') : DI::l10n()->t('Ignore')), 'label' => (intval($contact['readonly']) ? DI::l10n()->t('Unignore') : DI::l10n()->t('Ignore')),
'url' => 'contact/' . $contact['id'] . '/ignore', 'url' => 'contact/' . $contact['id'] . '/ignore?t=' . $formSecurityToken,
'title' => DI::l10n()->t('Toggle Ignored status'), 'title' => DI::l10n()->t('Toggle Ignored status'),
'sel' => (intval($contact['readonly']) ? 'active' : ''), 'sel' => (intval($contact['readonly']) ? 'active' : ''),
'id' => 'toggle-ignore', 'id' => 'toggle-ignore',
@ -1130,7 +1139,7 @@ class Contact extends BaseModule
if ($contact['uid'] != 0) { if ($contact['uid'] != 0) {
$contact_actions['delete'] = [ $contact_actions['delete'] = [
'label' => DI::l10n()->t('Delete'), 'label' => DI::l10n()->t('Delete'),
'url' => 'contact/' . $contact['id'] . '/drop', 'url' => 'contact/' . $contact['id'] . '/drop?t=' . $formSecurityToken,
'title' => DI::l10n()->t('Delete contact'), 'title' => DI::l10n()->t('Delete contact'),
'sel' => '', 'sel' => '',
'id' => 'delete', 'id' => 'delete',
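Review bot: The per-contact actions changed in the -1094 through -1130 hunks remain GET links that now carry the CSRF token in the query string (`?t=`), so the token is written to access logs and sent in the Referer of any outbound link on the resulting page; since it is the same `contact_action` token for every contact and every action, consider submitting these from a small POST form, or at least a comment next to `$formSecurityToken` noting that the same token is reused across all action links of the page. In the -361 hunk the `checkFormSecurityTokenRedirectOnError` call is placed after the `NotFoundException` for a missing contact, so a request without a valid token is rejected only after the lookup; the usual convention is to check the token first, before any per-contact work. The -840 hunk obtains the token via `BaseModule::getFormSecurityToken` while the -1080 hunk uses `self::getFormSecurityToken`; one form should be used throughout, e.g. `'$form_security_token' => self::getFormSecurityToken('contact_batch_actions'),`. The enclosing methods start and end outside these hunks.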


@ -15,7 +15,8 @@
{{$tabs nofilter}} {{$tabs nofilter}}
<form action="{{$baseurl}}/contact/batch/" method="POST"> <form action="{{$baseurl}}/contact/batch/" method="POST">
<input type="hidden" name="redirect_url" value="{{$cmd}}"/> <input type="hidden" name="redirect_url" value="{{$cmd}}" />
<input type="hidden" name="form_security_token" value="{{$form_security_token}}" />
{{foreach $contacts as $contact}} {{foreach $contacts as $contact}}
{{include file="contact_template.tpl"}} {{include file="contact_template.tpl"}}
{{/foreach}} {{/foreach}}


@ -29,7 +29,8 @@
{{* we need the form container to make batch actions work *}} {{* we need the form container to make batch actions work *}}
<form name="batch_actions_submit" action="{{$baseurl}}/contact/batch/" method="POST"> <form name="batch_actions_submit" action="{{$baseurl}}/contact/batch/" method="POST">
<input type="hidden" name="redirect_url" value="{{$cmd}}"/> <input type="hidden" name="redirect_url" value="{{$cmd}}" />
<input type="hidden" name="form_security_token" value="{{$form_security_token}}" />
{{* we put here a hidden input element. This is needed to transmit the batch actions with javascript*}} {{* we put here a hidden input element. This is needed to transmit the batch actions with javascript*}}
<input type="hidden" class="batch-action no-input fakelist" name="batch_submit" value="{{$l}}"> <input type="hidden" class="batch-action no-input fakelist" name="batch_submit" value="{{$l}}">