Fix CSRF validation for sorting in property tables (#2893)
commit
853efc8c6d
|
@ -0,0 +1,34 @@
|
|||
<?php
|
||||
|
||||
namespace Icinga\Module\Director\Web\Form;
|
||||
|
||||
use Icinga\Web\Session;
|
||||
use ipl\Html\Form;
|
||||
use ipl\Html\ValidHtml;
|
||||
use ipl\Web\Common\CsrfCounterMeasure;
|
||||
|
||||
class PropertyTableSortForm extends Form
|
||||
{
|
||||
use CsrfCounterMeasure;
|
||||
|
||||
protected $method = 'POST';
|
||||
|
||||
/** @var string Name of the form */
|
||||
private $name;
|
||||
|
||||
/** @var ValidHtml Property table to sort */
|
||||
private $table;
|
||||
|
||||
public function __construct(string $name, ValidHtml $table)
|
||||
{
|
||||
$this->name = $name;
|
||||
$this->table = $table;
|
||||
}
|
||||
|
||||
protected function assemble()
|
||||
{
|
||||
$this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
|
||||
$this->addElement($this->createCsrfCounterMeasure(Session::getSession()->getId()));
|
||||
$this->addHtml($this->table);
|
||||
}
|
||||
}
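Review bot: `PropertyTableSortForm` adds the CSRF element in `assemble()` but never validates it itself, so every caller has to fetch the element by the string name `'CSRFToken'` and remember to call `isValid()` before acting. That name is not defined anywhere in this class (presumably it comes from the `CsrfCounterMeasure` trait), and a caller that forgets the check would silently process unauthenticated sort requests. I would expose the check on the form, as sketched below, and add a class docblock stating that the form wraps an already rendered table and that callers must act only when the token check passes. The class also has no docblock on `assemble()` and no return types, which the rest of the hunk's typed constructor suggests the file could carry.

```php
class PropertyTableSortForm extends Form
{
    // … unchanged: trait use, properties, constructor, assemble() …

    /**
     * Whether the sent form carried a valid CSRF token
     *
     * Fails closed when the token element is not part of the form.
     *
     * @return bool
     */
    public function hasValidCsrfToken(): bool
    {
        return $this->hasElement('CSRFToken')
            && $this->getElement('CSRFToken')->isValid();
    }
}
```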
|
|
@ -4,12 +4,16 @@ namespace Icinga\Module\Director\Web\Table;
|
|||
|
||||
use Error;
|
||||
use Exception;
|
||||
use GuzzleHttp\Psr7\ServerRequest;
|
||||
use Icinga\Module\Director\Hook\ImportSourceHook;
|
||||
use Icinga\Module\Director\Objects\ImportSource;
|
||||
use gipfl\IcingaWeb2\Link;
|
||||
use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
|
||||
use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
|
||||
use gipfl\IcingaWeb2\Url;
|
||||
use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
|
||||
use ipl\Html\Form;
|
||||
use ipl\Html\HtmlString;
|
||||
|
||||
class PropertymodifierTable extends ZfQueryBasedTable
|
||||
{
|
||||
|
@ -48,10 +52,20 @@ class PropertymodifierTable extends ZfQueryBasedTable
|
|||
|
||||
public function render()
|
||||
{
|
||||
if ($this->readOnly) {
|
||||
if ($this->readOnly || $this->request === null) {
|
||||
return parent::render();
|
||||
}
|
||||
return $this->renderWithSortableForm();
|
||||
|
||||
return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
|
||||
->setAction($this->request->getUrl()->getAbsoluteUrl())
|
||||
->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
|
||||
$csrf = $form->getElement('CSRFToken');
|
||||
if ($csrf !== null && $csrf->isValid()) {
|
||||
$this->reallyHandleSortPriorityActions();
|
||||
}
|
||||
})
|
||||
->handleRequest(ServerRequest::fromGlobals())
|
||||
->render();
|
||||
}
|
||||
|
||||
protected function assemble()
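Review bot: In `PropertymodifierTable::render()` the `Form::ON_SENT` closure discards a request whose token is missing or invalid without logging it or telling the user, so a rejected sort action looks the same as one that was applied; the identical closure is repeated in `SyncpropertyTable::render()`. Failing closed is the right default, but I would record the rejection and state the intent in a comment above the check, e.g. `// Fail closed: only reorder when the CSRF token validated`. Whether `getElement('CSRFToken')` can return null at all depends on the ipl-html version in use; if it throws on a missing element, the `$csrf !== null` guard is dead code and should be replaced by an explicit existence check. The state change also still runs inside `render()`, with the body read through `ServerRequest::fromGlobals()` while the action URL comes from `$this->request`; handling the POST before rendering would keep both views of the request in one place.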
|
||||
|
|
|
@ -2,10 +2,14 @@
|
|||
|
||||
namespace Icinga\Module\Director\Web\Table;
|
||||
|
||||
use GuzzleHttp\Psr7\ServerRequest;
|
||||
use Icinga\Module\Director\Objects\SyncRule;
|
||||
use gipfl\IcingaWeb2\Link;
|
||||
use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
|
||||
use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
|
||||
use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
|
||||
use ipl\Html\Form;
|
||||
use ipl\Html\HtmlString;
|
||||
|
||||
class SyncpropertyTable extends ZfQueryBasedTable
|
||||
{
|
||||
|
@ -33,7 +37,20 @@ class SyncpropertyTable extends ZfQueryBasedTable
|
|||
|
||||
public function render()
|
||||
{
|
||||
return $this->renderWithSortableForm();
|
||||
if ($this->request === null) {
|
||||
return parent::render();
|
||||
}
|
||||
|
||||
return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
|
||||
->setAction($this->request->getUrl()->getAbsoluteUrl())
|
||||
->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
|
||||
$csrf = $form->getElement('CSRFToken');
|
||||
if ($csrf !== null && $csrf->isValid()) {
|
||||
$this->reallyHandleSortPriorityActions();
|
||||
}
|
||||
})
|
||||
->handleRequest(ServerRequest::fromGlobals())
|
||||
->render();
|
||||
}
|
||||
|
||||
public function renderRow($row)
|
||||
|
|