Fix CSRF validation for sorting in property tables

library/Director/Web/Form/PropertyTableSortForm.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace Icinga\Module\Director\Web\Form;
+
+use Icinga\Web\Session;
+use ipl\Html\Form;
+use ipl\Html\ValidHtml;
+use ipl\Web\Common\CsrfCounterMeasure;
+
+class PropertyTableSortForm extends Form
+{
+    use CsrfCounterMeasure;
+
+    protected $method = 'POST';
+
+    /** @var string Name of the form */
+    private $name;
+
+    /** @var ValidHtml Property table to sort */
+    private $table;
+
+    public function __construct(string $name, ValidHtml $table)
+    {
+        $this->name = $name;
+        $this->table = $table;
+    }
+
+    protected function assemble()
+    {
+        $this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
+        $this->addElement($this->createCsrfCounterMeasure(Session::getSession()->getId()));
+        $this->addHtml($this->table);
+    }
+}

library/Director/Web/Table/PropertymodifierTable.php

@@ -4,12 +4,16 @@ namespace Icinga\Module\Director\Web\Table;
 
 use Error;
 use Exception;
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Module\Director\Hook\ImportSourceHook;
 use Icinga\Module\Director\Objects\ImportSource;
 use gipfl\IcingaWeb2\Link;
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use gipfl\IcingaWeb2\Url;
+use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use ipl\Html\Form;
+use ipl\Html\HtmlString;
 
 class PropertymodifierTable extends ZfQueryBasedTable
 {
@@ -48,10 +52,20 @@ class PropertymodifierTable extends ZfQueryBasedTable
 
     public function render()
     {
-        if ($this->readOnly) {
+        if ($this->readOnly || $this->request === null) {
             return parent::render();
         }
-        return $this->renderWithSortableForm();
+
+        return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
+            ->setAction($this->request->getUrl()->getAbsoluteUrl())
+            ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
+                $csrf = $form->getElement('CSRFToken');
+                if ($csrf !== null && $csrf->isValid()) {
+                    $this->reallyHandleSortPriorityActions();
+                }
+            })
+            ->handleRequest(ServerRequest::fromGlobals())
+            ->render();
     }
 
     protected function assemble()

library/Director/Web/Table/SyncpropertyTable.php

@@ -2,10 +2,14 @@
 
 namespace Icinga\Module\Director\Web\Table;
 
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Module\Director\Objects\SyncRule;
 use gipfl\IcingaWeb2\Link;
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
+use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use ipl\Html\Form;
+use ipl\Html\HtmlString;
 
 class SyncpropertyTable extends ZfQueryBasedTable
 {
@@ -33,7 +37,20 @@ class SyncpropertyTable extends ZfQueryBasedTable
 
     public function render()
     {
-        return $this->renderWithSortableForm();
+        if ($this->request === null) {
+            return parent::render();
+        }
+
+        return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
+            ->setAction($this->request->getUrl()->getAbsoluteUrl())
+            ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
+                $csrf = $form->getElement('CSRFToken');
+                if ($csrf !== null && $csrf->isValid()) {
+                    $this->reallyHandleSortPriorityActions();
+                }
+            })
+            ->handleRequest(ServerRequest::fromGlobals())
+            ->render();
     }
 
     public function renderRow($row)