From babe6d0892ece480f1716a94d3493653007481bc Mon Sep 17 00:00:00 2001
From: aynsix
Date: Fri, 8 Sep 2023 11:42:49 +0300
Subject: [PATCH] add form token in report
---
 .../Controller/Report/RootController.php | 5 +++++
 .../Controller/ProdReportController.php | 21 ++++++++++++++++---
 .../web/report/report_layout_child.html.twig | 3 +++
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/lib/Alchemy/Phrasea/Controller/Report/RootController.php b/lib/Alchemy/Phrasea/Controller/Report/RootController.php
index 146043240b..c085def0b9 100644
--- a/lib/Alchemy/Phrasea/Controller/Report/RootController.php
+++ b/lib/Alchemy/Phrasea/Controller/Report/RootController.php
@@ -90,6 +90,11 @@ public function getDashboard(Request $request)
 $conf = $this->getConf();
+ $this->setSessionFormToken('reportConnection');
+ $this->setSessionFormToken('reportDownload');
+ $this->setSessionFormToken('reportRecord');
+
+
 return $this->render('report/report_layout_child.html.twig', [
 'ajax_dash' => true,
 'dashboard' => null,
diff --git a/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php b/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
index cb82797751..eed1a8979a 100644
--- a/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
+++ b/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
@@ -15,6 +15,7 @@
 use Alchemy\Phrasea\Report\ReportActions;
 use Alchemy\Phrasea\Report\ReportFactory;
 use Alchemy\Phrasea\Report\ReportRecords;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -57,6 +58,8 @@ public function __construct(ReportFactory $reportFactory, $anonymousReport, \ACL
 $this->anonymousReport = $anonymousReport;
 $this->acl = $acl;
 $this->appbox = $appbox;
+
+ parent::__construct($appbox->getPhraseApplication());
 }
 /**
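Review bot: The three `setSessionFormToken()` calls in `getDashboard` seed the tokens that `ProdReportController`'s POST handlers check, but nothing in the hunk records that coupling or that the names must match the hidden fields the twig part of this patch adds; I would precede them with `// Seed the CSRF tokens checked on POST by ProdReportController::{connections,downloads,records}Action; names must match the hidden fields in report_layout_child.html.twig` and fold them into `foreach (['reportConnection', 'reportDownload', 'reportRecord'] as $formName) { $this->setSessionFormToken($formName); }` so the list lives in one place. If `setSessionFormToken()` issues a fresh token on every call, each render of this dashboard (`'ajax_dash' => true` suggests it is fetched repeatedly by XHR) invalidates report forms still open elsewhere in the session — worth confirming that is the intended behaviour rather than a source of spurious 403s. The two added blank lines before `return` should be one. The body of `getDashboard` continues past the hunk.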
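Review bot: `parent::__construct($appbox->getPhraseApplication())` is added as the last statement of the constructor, after the subclass has already set its own properties; establishing the base state first is the conventional order, so I would make `parent::__construct($appbox->getPhraseApplication());` the first statement of the body (the constructor's opening lines are outside the hunk) and keep the assignments after it. The call presumably exists because `isCrsfValid()` is inherited and needs the application instance; if so, a short comment to that effect on the call would spare the next reader the lookup.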
@@ -77,11 +80,15 @@ public function indexAction(Request $request)
 *
 * @param Request $request
 * @param $sbasId
- @return RedirectResponse|StreamedResponse
+ @return RedirectResponse|StreamedResponse|JsonResponse
 */
 public function connectionsAction(Request $request, $sbasId)
 {
 if ($request->isMethod("POST")) {
+ if (!$this->isCrsfValid($request, 'reportConnection')) {
+ return new JsonResponse(['message' => 'invalid report connection token'], 403);
+ }
+
 if (!($extension = $request->get('format'))) {
 $extension = 'csv';
 }
@@ -123,11 +130,15 @@ public function connectionsAction(Request $request, $sbasId)
 *
 * @param Request $request
 * @param $sbasId
- @return RedirectResponse|StreamedResponse
+ @return RedirectResponse|StreamedResponse|JsonResponse
 */
 public function downloadsAction(Request $request, $sbasId)
 {
 if ($request->isMethod("POST")) {
+ if (!$this->isCrsfValid($request, 'reportDownload')) {
+ return new JsonResponse(['message' => 'invalid report download token'], 403);
+ }
+
 if(!($extension = $request->get('format'))) {
 $extension = 'csv';
 }
@@ -172,11 +183,15 @@ public function downloadsAction(Request $request, $sbasId)
 *
 * @param Request $request
 * @param $sbasId
- @return RedirectResponse|StreamedResponse
+ @return RedirectResponse|StreamedResponse|JsonResponse
 */
 public function recordsAction(Request $request, $sbasId)
 {
 if ($request->isMethod("POST")) {
+ if (!$this->isCrsfValid($request, 'reportRecord')) {
+ return new JsonResponse(['message' => 'invalid report record token'], 403);
+ }
+
 if (!($extension = $request->get('format'))) {
 $extension = 'csv';
 }
diff --git a/templates/web/report/report_layout_child.html.twig b/templates/web/report/report_layout_child.html.twig
index 08486c9011..79c1bf9ef7 100644
--- a/templates/web/report/report_layout_child.html.twig
+++ b/templates/web/report/report_layout_child.html.twig
@@ -20,6 +20,7 @@ + {% endblock form_connexion %}
@@ -57,6 +58,7 @@ {% endfor %} +
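Review bot: The POST guard added at the top of `connectionsAction` is repeated verbatim in `downloadsAction` (hunk @@ -123) and `recordsAction` (hunk @@ -172), varying only in the token name and message, and each spells the status as a bare `403` although `Response` is imported and offers `Response::HTTP_FORBIDDEN`. A small private helper that returns the rejection or null reduces each call site to a single check and gives the token rule one place to be documented, as sketched below. Running the check before any other request parameter is read is the right order; the GET branch of each action lies outside the hunk, and leaving it unchecked is fine only if it stays free of side effects. The rejection is a JSON body while the success path streams a file, so a plain form submit that fails the check will show raw JSON — acceptable if the forms are posted by script, which the twig side of this patch is too garbled here to confirm.
```php
    public function connectionsAction(Request $request, $sbasId)
    {
        if ($request->isMethod("POST")) {
            $rejection = $this->rejectInvalidFormToken($request, 'reportConnection', 'connection');
            if ($rejection !== null) {
                return $rejection;
            }

            // … unchanged: format/extension handling and the rest of the POST branch …

    // … unchanged: downloadsAction / recordsAction use the same three lines with
    //     ('reportDownload', 'download') and ('reportRecord', 'record') …

    /**
     * Rejects a report POST whose CSRF token is missing or stale.
     *
     * @param Request $request
     * @param string  $formName session token name, seeded by RootController::getDashboard()
     * @param string  $label    report name used in the error message
     * @return JsonResponse|null a 403 response to return as-is, or null when the request may proceed
     */
    private function rejectInvalidFormToken(Request $request, $formName, $label)
    {
        if ($this->isCrsfValid($request, $formName)) {
            return null;
        }

        return new JsonResponse(['message' => sprintf('invalid report %s token', $label)], Response::HTTP_FORBIDDEN);
    }
```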
@@ -115,6 +117,7 @@
+