PropertyTableSortForm: Don't use ipl`s CSRF counter measure

It's incompatible with gipfl`s… fixes #2935
2025-07-31 01:34:12 +02:00 · 2024-12-02 14:52:35 +01:00 · 2024-12-02 14:52:35 +01:00 · cdd3fea9d2
commit cdd3fea9d2
parent 4032d49553
3 changed files with 38 additions and 7 deletions
--- a/library/Director/Web/Form/PropertyTableSortForm.php
+++ b/library/Director/Web/Form/PropertyTableSortForm.php
@ -2,15 +2,13 @@

 namespace Icinga\Module\Director\Web\Form;

-use Icinga\Web\Session;
+use ipl\Html\Contract\FormElement;
 use ipl\Html\Form;
+use ipl\Html\FormElement\HiddenElement;
 use ipl\Html\ValidHtml;
-use ipl\Web\Common\CsrfCounterMeasure;

 class PropertyTableSortForm extends Form
 {
-    use CsrfCounterMeasure;
-
    protected $method = 'POST';

    /** @var string Name of the form */
@ -28,7 +26,38 @@ class PropertyTableSortForm extends Form
    protected function assemble()
    {
        $this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
-        $this->addElement($this->createCsrfCounterMeasure(Session::getSession()->getId()));
+        $this->addElement($this->createCsrfCounterMeasure());
        $this->addHtml($this->table);
    }
+
+    /**
+     * Create a form element to countermeasure CSRF attacks
+     *
+     * @return FormElement
+     */
+    protected function createCsrfCounterMeasure(): FormElement
+    {
+        $token = CsrfToken::generate();
+
+        $options = [
+            'ignore'        => true,
+            'required'      => true,
+            'validators'    => ['Callback' => function ($token) {
+                return CsrfToken::isValid($token);
+            }]
+        ];
+
+        $element = new class (QuickForm::CSRF, $options) extends HiddenElement {
+            public function hasValue(): bool
+            {
+                return true; // The validator must run even if the value is empty
+            }
+        };
+
+        $element->getAttributes()->registerAttributeCallback('value', function () use ($token) {
+            return $token;
+        });
+
+        return $element;
+    }
 }
--- a/library/Director/Web/Table/PropertymodifierTable.php
+++ b/library/Director/Web/Table/PropertymodifierTable.php
@ -12,6 +12,7 @@ use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use gipfl\IcingaWeb2\Url;
 use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use Icinga\Module\Director\Web\Form\QuickForm;
 use ipl\Html\Form;
 use ipl\Html\HtmlString;

@ -59,7 +60,7 @@ class PropertymodifierTable extends ZfQueryBasedTable
        return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
            ->setAction($this->request->getUrl()->getAbsoluteUrl())
            ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
-                $csrf = $form->getElement('CSRFToken');
+                $csrf = $form->getElement(QuickForm::CSRF);
                if ($csrf !== null && $csrf->isValid()) {
                    $this->reallyHandleSortPriorityActions();
                }
--- a/library/Director/Web/Table/SyncpropertyTable.php
+++ b/library/Director/Web/Table/SyncpropertyTable.php
@ -8,6 +8,7 @@ use gipfl\IcingaWeb2\Link;
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use Icinga\Module\Director\Web\Form\QuickForm;
 use ipl\Html\Form;
 use ipl\Html\HtmlString;

@ -44,7 +45,7 @@ class SyncpropertyTable extends ZfQueryBasedTable
        return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
            ->setAction($this->request->getUrl()->getAbsoluteUrl())
            ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
-                $csrf = $form->getElement('CSRFToken');
+                $csrf = $form->getElement(QuickForm::CSRF);
                if ($csrf !== null && $csrf->isValid()) {
                    $this->reallyHandleSortPriorityActions();
                }