add form token in report

alchemy-fr · Sep 8, 2023 · babe6d0 · babe6d0
1 parent 8b4f59c
commit babe6d0
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/lib/Alchemy/Phrasea/Controller/Report/RootController.php b/lib/Alchemy/Phrasea/Controller/Report/RootController.php
@@ -90,6 +90,11 @@ public function getDashboard(Request $request)
 
         $conf = $this->getConf();
 
+        $this->setSessionFormToken('reportConnection');
+        $this->setSessionFormToken('reportDownload');
+        $this->setSessionFormToken('reportRecord');
+
+
         return $this->render('report/report_layout_child.html.twig', [
             'ajax_dash'     => true,
             'dashboard'     => null,

diff --git a/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php b/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
@@ -15,6 +15,7 @@
 use Alchemy\Phrasea\Report\ReportActions;
 use Alchemy\Phrasea\Report\ReportFactory;
 use Alchemy\Phrasea\Report\ReportRecords;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -57,6 +58,8 @@ public function __construct(ReportFactory $reportFactory, $anonymousReport, \ACL
         $this->anonymousReport = $anonymousReport;
         $this->acl             = $acl;
         $this->appbox          = $appbox;
+
+        parent::__construct($appbox->getPhraseApplication());
     }
 
     /**
@@ -77,11 +80,15 @@ public function indexAction(Request $request)
      *
      * @param Request $request
      * @param $sbasId
-     * @return RedirectResponse|StreamedResponse
+     * @return RedirectResponse|StreamedResponse|JsonResponse
      */
     public function connectionsAction(Request $request, $sbasId)
     {
         if ($request->isMethod("POST")) {
+            if (!$this->isCrsfValid($request, 'reportConnection')) {
+                return new JsonResponse(['message' => 'invalid report connection token'], 403);
+            }
+
             if (!($extension = $request->get('format'))) {
                 $extension = 'csv';
             }
@@ -123,11 +130,15 @@ public function connectionsAction(Request $request, $sbasId)
      *
      * @param Request $request
      * @param $sbasId
-     * @return RedirectResponse|StreamedResponse
+     * @return RedirectResponse|StreamedResponse|JsonResponse
      */
     public function downloadsAction(Request $request, $sbasId)
     {
         if ($request->isMethod("POST")) {
+            if (!$this->isCrsfValid($request, 'reportDownload')) {
+                return new JsonResponse(['message' => 'invalid report download token'], 403);
+            }
+
             if(!($extension = $request->get('format'))) {
                 $extension = 'csv';
             }
@@ -172,11 +183,15 @@ public function downloadsAction(Request $request, $sbasId)
      *
      * @param Request $request
      * @param $sbasId
-     * @return RedirectResponse|StreamedResponse
+     * @return RedirectResponse|StreamedResponse|JsonResponse
      */
     public function recordsAction(Request $request, $sbasId)
     {
         if ($request->isMethod("POST")) {
+            if (!$this->isCrsfValid($request, 'reportRecord')) {
+                return new JsonResponse(['message' => 'invalid report record token'], 403);
+            }
+
             if (!($extension = $request->get('format'))) {
                 $extension = 'csv';
             }

diff --git a/templates/web/report/report_layout_child.html.twig b/templates/web/report/report_layout_child.html.twig
@@ -20,6 +20,7 @@
                         <option value="res" id="connections_res">{{ 'report:: (connexions) res' | trans }}</option>
                 </select>
             </div>
+            <input type="hidden" name="reportConnection_token" value="{{ app['session'].get('reportConnection_token') }}">
             {% endblock form_connexion %}
         </form>
 
@@ -57,6 +58,7 @@
                     {% endfor %}
                 </select>
             </div>
+            <input type="hidden" name="reportDownload_token" value="{{ app['session'].get('reportDownload_token') }}">
         </form>
 
         <div class="form_submit">
@@ -115,6 +117,7 @@
                 </select>
             </div>
 
+            <input type="hidden" name="reportRecord_token" value="{{ app['session'].get('reportRecord_token') }}">
         </form>
 
         <div class="form_submit">