From 7588211732827e9d3b91b8aa8b9b480018ca7fff Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Fri, 4 Aug 2023 17:41:26 +0300
Subject: [PATCH 01/16] csrf token form

---
 .../dist/production.js                        | 12 +++++--
 .../dist/production.min.js                    | 12 +++++--
 .../src/components/record/delete.js           | 11 +++++--
 lib/Alchemy/Phrasea/Controller/Controller.php | 31 +++++++++++++++++++
 .../Controller/Prod/DownloadController.php    |  4 +++
 .../Controller/Prod/ExportController.php      | 13 ++++++++
 .../Controller/Prod/QueryController.php       |  5 +++
 .../Controller/Prod/RecordController.php      |  6 ++++
 .../Controller/Prod/RootController.php        |  2 ++
 .../Controller/Prod/ToolsController.php       | 21 +++++++++++++
 .../Order/Controller/ProdOrderController.php  |  4 +++
 templates/web/common/dialog_export.html.twig  | 12 ++++---
 .../web/prod/actions/Tools/index.html.twig    |  9 ++++--
 .../delete_records_confirm_form.html.twig     |  1 +
 templates/web/prod/index.html.twig            |  1 +
 15 files changed, 130 insertions(+), 14 deletions(-)

diff --git a/Phraseanet-production-client/dist/production.js b/Phraseanet-production-client/dist/production.js
index 63f26f123f..bae34931cf 100644
--- a/Phraseanet-production-client/dist/production.js
+++ b/Phraseanet-production-client/dist/production.js
@@ -62256,6 +62256,7 @@ var deleteRecord = function deleteRecord(services) {
                 $trash_counter = $form.find(".to_trash_count"),
                 $loader = $form.find(".form-action-loader");
             var lst = (0, _jquery2.default)("input[name='lst']", $form).val().split(';');
+            var csrfToken = (0, _jquery2.default)("input[name='prodDeleteRecord_token']", $form).val();
 
             /**
              *  same parameters for every delete call, except the list of (CHUNKSIZE) records
@@ -62265,9 +62266,10 @@ var deleteRecord = function deleteRecord(services) {
                 type: $form.attr("method"),
                 url: $form.attr("action"),
                 data: {
-                    'lst': "" // set in f
+                    lst: '', // set in f
+                    prodDeleteRecord_token: csrfToken
                 },
-                dataType: "json"
+                dataType: 'json'
             };
 
             var runningTasks = 0,
@@ -62293,7 +62295,11 @@ var deleteRecord = function deleteRecord(services) {
                 }
                 // pop & truncate
                 ajaxParms.data.lst = lst.splice(0, CHUNKSIZE).join(';');
-                _jquery2.default.ajax(ajaxParms).success(function (data) {
+                _jquery2.default.ajax(ajaxParms).error(function (data) {
+                    fCancel();
+                    $dialog.close();
+                    alert('invalid csrf token delete form');
+                }).success(function (data) {
                     // prod feedback only if result ok
                     _jquery2.default.each(data, function (i, n) {
                         var imgt = (0, _jquery2.default)('#IMGT_' + n),
diff --git a/Phraseanet-production-client/dist/production.min.js b/Phraseanet-production-client/dist/production.min.js
index 63f26f123f..bae34931cf 100644
--- a/Phraseanet-production-client/dist/production.min.js
+++ b/Phraseanet-production-client/dist/production.min.js
@@ -62256,6 +62256,7 @@ var deleteRecord = function deleteRecord(services) {
                 $trash_counter = $form.find(".to_trash_count"),
                 $loader = $form.find(".form-action-loader");
             var lst = (0, _jquery2.default)("input[name='lst']", $form).val().split(';');
+            var csrfToken = (0, _jquery2.default)("input[name='prodDeleteRecord_token']", $form).val();
 
             /**
              *  same parameters for every delete call, except the list of (CHUNKSIZE) records
@@ -62265,9 +62266,10 @@ var deleteRecord = function deleteRecord(services) {
                 type: $form.attr("method"),
                 url: $form.attr("action"),
                 data: {
-                    'lst': "" // set in f
+                    lst: '', // set in f
+                    prodDeleteRecord_token: csrfToken
                 },
-                dataType: "json"
+                dataType: 'json'
             };
 
             var runningTasks = 0,
@@ -62293,7 +62295,11 @@ var deleteRecord = function deleteRecord(services) {
                 }
                 // pop & truncate
                 ajaxParms.data.lst = lst.splice(0, CHUNKSIZE).join(';');
-                _jquery2.default.ajax(ajaxParms).success(function (data) {
+                _jquery2.default.ajax(ajaxParms).error(function (data) {
+                    fCancel();
+                    $dialog.close();
+                    alert('invalid csrf token delete form');
+                }).success(function (data) {
                     // prod feedback only if result ok
                     _jquery2.default.each(data, function (i, n) {
                         var imgt = (0, _jquery2.default)('#IMGT_' + n),
diff --git a/Phraseanet-production-client/src/components/record/delete.js b/Phraseanet-production-client/src/components/record/delete.js
index 10f2aefe8a..e6ed7eddc3 100644
--- a/Phraseanet-production-client/src/components/record/delete.js
+++ b/Phraseanet-production-client/src/components/record/delete.js
@@ -76,6 +76,7 @@ const deleteRecord = (services) => {
             $trash_counter = $form.find(".to_trash_count"),
             $loader = $form.find(".form-action-loader");
         let lst = $("input[name='lst']", $form).val().split(';');
+        let csrfToken = $("input[name='prodDeleteRecord_token']", $form).val();
 
         /**
          *  same parameters for every delete call, except the list of (CHUNKSIZE) records
@@ -85,9 +86,10 @@ const deleteRecord = (services) => {
             type: $form.attr("method"),
             url: $form.attr("action"),
             data: {
-                'lst': ""      // set in f
+                lst: '',      // set in f
+                prodDeleteRecord_token: csrfToken
             },
-            dataType: "json"
+            dataType: 'json'
         };
 
         let runningTasks = 0,   // number of running tasks
@@ -113,6 +115,11 @@ const deleteRecord = (services) => {
             // pop & truncate
             ajaxParms.data.lst = lst.splice(0, CHUNKSIZE).join(';');
             $.ajax(ajaxParms)
+                .error(function (data) {
+                    fCancel();
+                    $dialog.close();
+                    alert('invalid csrf token delete form');
+                })
                 .success(function (data) {     // prod feedback only if result ok
                     $.each(data, function (i, n) {
                         let imgt = $('#IMGT_' + n),
diff --git a/lib/Alchemy/Phrasea/Controller/Controller.php b/lib/Alchemy/Phrasea/Controller/Controller.php
index 79890b3501..97919b3f0f 100644
--- a/lib/Alchemy/Phrasea/Controller/Controller.php
+++ b/lib/Alchemy/Phrasea/Controller/Controller.php
@@ -15,7 +15,9 @@
 use Alchemy\Phrasea\Authentication\Authenticator;
 use Alchemy\Phrasea\Core\Configuration\PropertyAccess;
 use Alchemy\Phrasea\Model\Entities\User;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
 
 class Controller
 {
@@ -112,6 +114,35 @@ public function getAuthenticatedUser()
         return $this->getAuthenticator()->getUser();
     }
 
+    public function setSessionFormToken($formName)
+    {
+        $randomValue = bin2hex(random_bytes(35));
+        $this->app['session']->set($formName.'_token', $randomValue);
+
+        return $randomValue;
+    }
+
+    public function getSessionFormToken($formName)
+    {
+        return $this->app['session']->get($formName.'_token');
+    }
+
+    public function isCrsfValid(Request $request, $formName)
+    {
+        if (!$request->isMethod("POST")) {
+            return false;
+        }
+
+        $formTokenName = $formName . '_token';
+        $formToken = (string) $request->request->get($formTokenName);
+
+        if (empty($formToken) || $formToken != $this->getSessionFormToken($formName)) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * @return PropertyAccess
      */
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/DownloadController.php b/lib/Alchemy/Phrasea/Controller/Prod/DownloadController.php
index 9d19d7297c..c575c86431 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/DownloadController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/DownloadController.php
@@ -29,6 +29,10 @@ class DownloadController extends Controller
      */
     public function checkDownload(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExportDownload')) {
+            $this->app->abort(403);
+        }
+
         $lst = $request->request->get('lst');
         $ssttid = $request->request->get('ssttid', '');
         $subdefs = $request->request->get('obj', []);
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/ExportController.php b/lib/Alchemy/Phrasea/Controller/Prod/ExportController.php
index 50db492c2c..996796bcb8 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/ExportController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/ExportController.php
@@ -44,6 +44,11 @@ public function displayMultiExport(Request $request)
             $request->request->get('story')
         );
 
+        $this->setSessionFormToken('prodExportDownload');
+        $this->setSessionFormToken('prodExportEmail');
+        $this->setSessionFormToken('prodExportFTP');
+        $this->setSessionFormToken('prodExportOrder');
+
         return new Response($this->render('common/dialog_export.html.twig', [
             'download'             => $download,
             'ssttid'               => $request->request->get('ssel'),
@@ -90,6 +95,10 @@ public function testFtpConnexion(Request $request)
      */
     public function exportFtp(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExportFTP')) {
+            return $this->app->json(['message' => 'invalid export ftp form'], 403);
+        }
+
         $download = new \set_exportftp($this->app, $request->request->get('lst'), $request->request->get('ssttid'));
 
         $mandatoryParameters = ['address', 'login', 'obj'];
@@ -153,6 +162,10 @@ public function exportFtp(Request $request)
      */
     public function exportMail(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExportEmail')) {
+            return $this->app->json(['message' => 'invalid export mail form'], 403);
+        }
+
         set_time_limit(0);
         session_write_close();
         ignore_user_abort(true);
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/QueryController.php b/lib/Alchemy/Phrasea/Controller/Prod/QueryController.php
index d055206d18..9ae6b379e4 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/QueryController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/QueryController.php
@@ -21,6 +21,7 @@
 use Alchemy\Phrasea\Utilities\StringHelper;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use unicode;
 
 class QueryController extends Controller
@@ -121,6 +122,10 @@ public function completion(Request $request)
      */
     public function query(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'searchForm')) {
+            return $this->app->json(['message' => 'invalid search token'], 403);
+        }
+
         $query = (string) $request->request->get('qry');
 
         // since the query comes from a submited form, normalize crlf,cr,lf ...
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
index 3c4e09ad75..bc55f20a40 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
@@ -224,6 +224,10 @@ public function getRecordById($sbasId, $recordId)
      */
     public function doDeleteRecords(Request $request)
     {
+        if ($this->isCrsfValid($request, 'prodDeleteRecord')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid delete form'], 403);
+        }
+
         $records = RecordsRequest::fromRequest(
             $this->app,
             $request,
@@ -351,6 +355,8 @@ public function whatCanIDelete(Request $request)
             'deletableCount' => count($filteredRecords['delete'])
         ];
 
+        $this->setSessionFormToken('prodDeleteRecord');
+
         return $this->render(
             'prod/actions/delete_records_confirm.html.twig',
             $viewParms
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RootController.php b/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
index b89c919ed9..2052795756 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
@@ -104,6 +104,8 @@ public function indexAction(Request $request) {
             'actionbar' => $filter('actionbar'),
         ];
 
+        $this->setSessionFormToken('searchForm');
+
         return $this->render('prod/index.html.twig', [
             'module_name'          => 'Production',
             'WorkZone'             => new WorkzoneHelper($this->app, $request),
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php b/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php
index 3987296e0c..6a30a0c055 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php
@@ -113,6 +113,11 @@ public function indexAction(Request $request)
             }
         }
 
+        $this->setSessionFormToken('prodToolsSubdef');
+        $this->setSessionFormToken('prodToolsRotate');
+        $this->setSessionFormToken('prodToolsHDSubstitution');
+        $this->setSessionFormToken('prodToolsThumbSubstitution');
+
         return $this->render('prod/actions/Tools/index.html.twig', [
             'records'           => $records,
             'record'            => $record,
@@ -127,6 +132,10 @@ public function indexAction(Request $request)
 
     public function rotateAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodToolsRotate')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid rotate form'], 403);
+        }
+
         $records = RecordsRequest::fromRequest($this->app, $request, false);
         $rotation = (int)$request->request->get('rotation', 90);
         $rotation %= 360;
@@ -165,6 +174,10 @@ public function rotateAction(Request $request)
 
     public function imageAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodToolsSubdef')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid create subview form'], 403);
+        }
+
         $return = ['success' => true];
 
         $force = $request->request->get('force_substitution') == '1';
@@ -211,6 +224,10 @@ public function imageAction(Request $request)
 
     public function hddocAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodToolsHDSubstitution')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid document substitution form'], 403);
+        }
+
         $success = false;
         $message = $this->app->trans('An error occured');
 
@@ -269,6 +286,10 @@ public function hddocAction(Request $request)
 
     public function changeThumbnailAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodToolsThumbSubstitution')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid thumbnail substitution form'], 403);
+        }
+
         $file = $request->files->get('newThumb');
 
         if (empty($file)) {
diff --git a/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php b/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php
index ac176bab42..976ab8611b 100644
--- a/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php
+++ b/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php
@@ -37,6 +37,10 @@ class ProdOrderController extends BaseOrderController
      */
     public function createOrder(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExportOrder')) {
+            return $this->app->json(['message' => 'invalid export order form'], 403);
+        }
+
         $records = RecordsRequest::fromRequest($this->app, $request, true, [\ACL::CANCMD]);
 
         try {
diff --git a/templates/web/common/dialog_export.html.twig b/templates/web/common/dialog_export.html.twig
index b4faf0029f..b99a837708 100644
--- a/templates/web/common/dialog_export.html.twig
+++ b/templates/web/common/dialog_export.html.twig
@@ -108,7 +108,7 @@
             <div id="download">
                 <div style="padding:10px; text-align: center;">
                     <h4>{{ 'export:: telechargement' | trans }}</h4>
-                    <form method="post" target="_blank" action="{{ path('check_download') }}" style="text-align: left;">
+                    <form method="post" target="_blank" name="prodExportDownload" action="{{ path('check_download') }}" style="text-align: left;">
                         <input type="hidden" name="lst" value="{{lst}}"/>
                         <input type="hidden" name="ssttid" value="{{ssttid}}"/>
                         {% for name, values in download.get_display_download() %}
@@ -168,13 +168,14 @@
                             <button type="button" class="download_button btn btn-inverse">{{ 'boutton::telecharger' | trans }}</button>
                             <button type="button" class="close_button btn btn-inverse">{{ 'boutton::annuler' | trans }}</button>
                         </div>
+                        <input type="hidden" name="prodExportDownload_token" value="{{ app['session'].get('prodExportDownload_token') }}">
                     </form>
                 </div>
             </div>
             <div id="sendmail">
                 <div style="padding:10px; text-align: center;">
                     <h4>{{ 'export:: envoi par mail' | trans }}</h4>
-                        <form action="{{ path('export_mail') }}" method="post" target="sendmail_target" style="text-align: left;">
+                    <form action="{{ path('export_mail') }}" method="post" name="prodExportEmail" target="sendmail_target" style="text-align: left;">
                         <input type="hidden" name="lst" value="{{lst}}"/>
                         <input type="hidden" name="ssttid" value="{{ssttid}}"/>
                             <div class="acceptDl-info" style="padding-top: 4px; margin-left: 25px; margin-bottom: 8px;">
@@ -257,6 +258,7 @@
                             <img class="sendmail_button_loader" src="/assets/common/images/icons/loader404040.gif" style="visibility:hidden;margin:0 5px;"/>
                             <button type="button" class="close_button btn btn-inverse">{{ 'boutton::annuler' | trans }}</button>
                         </div>
+                        <input type="hidden" name="prodExportEmail_token" value="{{ app['session'].get('prodExportEmail_token') }}">
                     </form>
                 </div>
             </div>
@@ -296,7 +298,7 @@
                     {% endif %}
                 {% endfor %}
                 <hr />
-                <form class="form-horizontal">
+                <form class="form-horizontal" name="prodExportOrder">
                     <input type="hidden" name="lst" value="{{lst}}"/>
                     <input type="hidden" name="ssel" value="{{ssttid}}"/>
 
@@ -404,6 +406,7 @@
                         <img class="order_button_loader" src="/assets/common/images/icons/loader404040.gif" style="visibility:hidden;margin:0 5px;"/>
                         <button type="button" class="close_button btn btn-inverse">{{ 'boutton::annuler' | trans }}</button>
                     </div>
+                    <input type="hidden" name="prodExportOrder_token" value="{{ app['session'].get('prodExportOrder_token') }}">
                 </form>
             </div>
         {% endif %}
@@ -430,7 +433,7 @@
                             {% endfor %}
                         </div>
                     </div>
-                    <form id="ftp_joined" class="form-horizontal" style="text-align: left;">
+                    <form id="ftp_joined" class="form-horizontal"  name="prodExportFTP" style="text-align: left;">
                         <input type="hidden" name="lst" value="{{lst}}"/>
                         <input type="hidden" name="ssttid" value="{{ssttid}}"/>
                         <div>
@@ -479,6 +482,7 @@
                                 </label>
                             </div>
                         {% endif %}
+                        <input type="hidden" name="prodExportFTP_token" value="{{ app['session'].get('prodExportFTP_token') }}">
                     </form>
                     <div class="buttons_line">
                         <button type="button" class="tryftp_button btn btn-inverse">{{ 'boutton::essayer' | trans }}</button>
diff --git a/templates/web/prod/actions/Tools/index.html.twig b/templates/web/prod/actions/Tools/index.html.twig
index d4fa372ec0..2df6f62224 100644
--- a/templates/web/prod/actions/Tools/index.html.twig
+++ b/templates/web/prod/actions/Tools/index.html.twig
@@ -61,7 +61,7 @@
         </div>
         {# subdef section #}
         <div id="subdefs" class="tabBox">
-            <form id="new-img-form" action="{{ path('prod_tools_image') }}" method="post">
+            <form id="new-img-form" action="{{ path('prod_tools_image') }}" method="post" name="prodToolsSubdef">
                 <fieldset style='border:1px solid #999; padding:20px;'>
                     <legend style="margin-bottom: 0px;">&nbsp;<b>{{ "Reconstruire les sous definitions" | trans }}</b>&nbsp;</legend>
                     {% if nbSubdefSubstitute > 0 %}
@@ -107,7 +107,9 @@
                 <div class="confirm_block text-center hide" style="margin-top: 45px;">
                     <span class="alert alert-info">
                         {{ 'prod::tool:recreatesubviews: warning for rebuild sub-definitions' | trans }}
-                    </span></div>
+                    </span>
+                </div>
+                <input type="hidden" name="prodToolsSubdef_token" value="{{ app['session'].get('prodToolsSubdef_token') }}">
             </form>
         </div>
 
@@ -136,6 +138,7 @@
           <button class="action_submiter btn btn-inverse">{{ "validate"|trans }}</button>
           <button class="action_cancel btn btn-inverse">{{ "cancel"|trans }}</button>
         </div>
+          <input type="hidden" name="prodToolsRotate_token" value="{{ app['session'].get('prodToolsRotate_token') }}">
       </form>
     </div>
 
@@ -176,6 +179,7 @@
                       <button class="iframe_submiter btn btn-inverse">{{ "validate" | trans }}</button>
                       <button class="action_cancel btn btn-inverse">{{ "cancel" | trans }}</button>
                     </div>
+                      <input type="hidden" name="prodToolsHDSubstitution_token" value="{{ app['session'].get('prodToolsHDSubstitution_token') }}">
                   </form>
                   <div class='resultAction'></div>
                 </div>
@@ -202,6 +206,7 @@
                       <button class="iframe_submiter btn btn-inverse">{{ "validate" | trans }}</button>
                       <button class="action_cancel btn btn-inverse">{{ "cancel" | trans }}</button>
                     </div>
+                    <input type="hidden" name="prodToolsThumbSubstitution_token" value="{{ app['session'].get('prodToolsThumbSubstitution_token') }}">
                   </form>
                   <div class='resultAction'></div>
                 </div>
diff --git a/templates/web/prod/actions/delete_records_confirm_form.html.twig b/templates/web/prod/actions/delete_records_confirm_form.html.twig
index 91beb1b15f..fc20b73862 100644
--- a/templates/web/prod/actions/delete_records_confirm_form.html.twig
+++ b/templates/web/prod/actions/delete_records_confirm_form.html.twig
@@ -37,6 +37,7 @@
                 <img src="/assets/common/images/icons/loader000.gif"/>
             </span>
         </div>
+        <input type="hidden" name="prodDeleteRecord_token" value="{{ app['session'].get('prodDeleteRecord_token') }}">
     </form>
 {% elseif records.received().count() == 0 %}
     <div class="well-small" style="text-align:center;">
diff --git a/templates/web/prod/index.html.twig b/templates/web/prod/index.html.twig
index 4e2a92daf3..a7dba2e875 100644
--- a/templates/web/prod/index.html.twig
+++ b/templates/web/prod/index.html.twig
@@ -744,6 +744,7 @@
                                 </tr>
                             </table>
                         </div>
+                        <input type="hidden" name="searchForm_token" value="{{ app['session'].get('searchForm_token') }}">
                     </form>
                     <div id="facet_filter_in_search" style="width:100%;height:40px;overflow-y: scroll;">
                     </div>

From b5c99f082699d640c7a8fd6d4ed38630f7946774 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Fri, 4 Aug 2023 18:23:02 +0300
Subject: [PATCH 02/16] add csrf token

---
 Phraseanet-production-client/config/config.js        |  2 +-
 Phraseanet-production-client/dist/authenticate.js    |  2 +-
 .../dist/authenticate.min.js                         |  2 +-
 Phraseanet-production-client/dist/commons.js         |  2 +-
 Phraseanet-production-client/dist/commons.min.js     |  2 +-
 .../Phrasea/Controller/Prod/PropertyController.php   | 12 ++++++++++++
 lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php     |  2 +-
 templates/web/prod/actions/Property/index.html.twig  |  1 +
 templates/web/prod/actions/Property/type.html.twig   |  1 +
 9 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/Phraseanet-production-client/config/config.js b/Phraseanet-production-client/config/config.js
index 7b1bdbf13f..208c4dd76c 100644
--- a/Phraseanet-production-client/config/config.js
+++ b/Phraseanet-production-client/config/config.js
@@ -13,5 +13,5 @@ module.exports = {
     setupDir: _root + 'tests/setup/node.js',
     karmaConf: _root + 'config/karma.conf.js',
     // change this version when you change JS file for lazy loading
-    assetFileVersion: 92
+    assetFileVersion: 93
 };
diff --git a/Phraseanet-production-client/dist/authenticate.js b/Phraseanet-production-client/dist/authenticate.js
index eef05c259d..d95caa7394 100644
--- a/Phraseanet-production-client/dist/authenticate.js
+++ b/Phraseanet-production-client/dist/authenticate.js
@@ -96,7 +96,7 @@ return /******/ (function(modules) { // webpackBootstrap
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=92";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=93";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {
diff --git a/Phraseanet-production-client/dist/authenticate.min.js b/Phraseanet-production-client/dist/authenticate.min.js
index 1e11703f65..d4069e03e9 100644
--- a/Phraseanet-production-client/dist/authenticate.min.js
+++ b/Phraseanet-production-client/dist/authenticate.min.js
@@ -96,7 +96,7 @@ return /******/ (function(modules) { // webpackBootstrap
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=92";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=93";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {
diff --git a/Phraseanet-production-client/dist/commons.js b/Phraseanet-production-client/dist/commons.js
index 72933035c0..e4393dad66 100644
--- a/Phraseanet-production-client/dist/commons.js
+++ b/Phraseanet-production-client/dist/commons.js
@@ -91,7 +91,7 @@
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=92";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".js?v=93";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {
diff --git a/Phraseanet-production-client/dist/commons.min.js b/Phraseanet-production-client/dist/commons.min.js
index 4671744f14..c52c6a587d 100644
--- a/Phraseanet-production-client/dist/commons.min.js
+++ b/Phraseanet-production-client/dist/commons.min.js
@@ -91,7 +91,7 @@
 /******/ 		if (__webpack_require__.nc) {
 /******/ 			script.setAttribute("nonce", __webpack_require__.nc);
 /******/ 		}
-/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=92";
+/******/ 		script.src = __webpack_require__.p + "lazy-" + ({}[chunkId]||chunkId) + ".min.js?v=93";
 /******/ 		var timeout = setTimeout(onScriptComplete, 120000);
 /******/ 		script.onerror = script.onload = onScriptComplete;
 /******/ 		function onScriptComplete() {
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php b/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php
index 74022f1422..a67a221613 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php
@@ -33,6 +33,8 @@ public function displayStatusProperty(Request $request)
 
         $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CHGSTATUS]);
 
+        $this->setSessionFormToken('prodPropertyStatus');
+
         $databoxes = $records->databoxes();
         if (count($databoxes) > 1) {
             return new Response($this->render('prod/actions/Property/index.html.twig', [
@@ -103,6 +105,8 @@ public function displayTypeProperty(Request $request)
             $recordsType[$sbasId][$record->getType()][] = $record;
         }
 
+        $this->setSessionFormToken('prodPropertyType');
+
         return new Response($this->render('prod/actions/Property/type.html.twig', [
             'records'     => $records,
             'recordsType' => $recordsType,
@@ -117,6 +121,10 @@ public function displayTypeProperty(Request $request)
      */
     public function changeStatus(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodPropertyStatus')) {
+            return $this->app->json(['message' => 'invalid change status form'], 403);
+        }
+
         $applyStatusToChildren = $request->request->get('apply_to_children', []);
         $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CHGSTATUS]);
         $updated = [];
@@ -151,6 +159,10 @@ public function changeStatus(Request $request)
      */
     public function changeType(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodPropertyType')) {
+            return $this->app->json(['message' => 'invalid change type form'], 403);
+        }
+
         $typeLst = $request->request->get('types', []);
         $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]);
         $mimeLst = $request->request->get('mimes', []);
diff --git a/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php b/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php
index 34f120f19e..a1936c09ed 100644
--- a/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php
+++ b/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php
@@ -62,7 +62,7 @@ public function getGlobals()
     {
         return [
             // change this version when you change JS file to force the navigation to reload js file
-            'assetFileVersion' => 92
+            'assetFileVersion' => 93
         ];
 
     }
diff --git a/templates/web/prod/actions/Property/index.html.twig b/templates/web/prod/actions/Property/index.html.twig
index f3abc7d6c3..1525aca1f0 100644
--- a/templates/web/prod/actions/Property/index.html.twig
+++ b/templates/web/prod/actions/Property/index.html.twig
@@ -116,6 +116,7 @@
                         <img src="/assets/common/images/icons/loader414141.gif" />
                     </span>
                 </div>
+                <input type="hidden" name="prodPropertyStatus_token" value="{{ app['session'].get('prodPropertyStatus_token') }}">
             </form>
         </div>
         <div id="type-status"></div>
diff --git a/templates/web/prod/actions/Property/type.html.twig b/templates/web/prod/actions/Property/type.html.twig
index 4ce19322a0..e33c5f640c 100644
--- a/templates/web/prod/actions/Property/type.html.twig
+++ b/templates/web/prod/actions/Property/type.html.twig
@@ -52,4 +52,5 @@
             <img src="/assets/common/images/icons/loader414141.gif" />
         </span>
     </div>
+    <input type="hidden" name="prodPropertyType_token" value="{{ app['session'].get('prodPropertyType_token') }}">
  </form>

From 1a84d79077179f5854bd91e4ba2cb23c1a11d0aa Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Mon, 7 Aug 2023 18:59:35 +0300
Subject: [PATCH 03/16] add csrf

---
 Phraseanet-production-client/dist/production.js             | 3 ++-
 Phraseanet-production-client/dist/production.min.js         | 3 ++-
 Phraseanet-production-client/src/components/record/move.js  | 3 ++-
 .../Phrasea/Controller/Prod/MoveCollectionController.php    | 6 ++++++
 lib/Alchemy/Phrasea/Controller/Prod/PushController.php      | 6 ++++++
 templates/web/prod/actions/Push.html.twig                   | 1 +
 templates/web/prod/actions/collection_default.html.twig     | 1 +
 7 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/Phraseanet-production-client/dist/production.js b/Phraseanet-production-client/dist/production.js
index bae34931cf..9c638265c8 100644
--- a/Phraseanet-production-client/dist/production.js
+++ b/Phraseanet-production-client/dist/production.js
@@ -21998,7 +21998,8 @@ var moveRecord = function moveRecord(services) {
             var datas = {
                 lst: (0, _jquery2.default)('input[name="lst"]', $form).val(),
                 base_id: (0, _jquery2.default)('select[name="base_id"]', $form).val(),
-                chg_coll_son: coll_son
+                chg_coll_son: coll_son,
+                prodMoveCollection_token: (0, _jquery2.default)('input[name="prodMoveCollection_token"]', $form).val()
             };
 
             var buttonPanel = $dialog.getDomElement().closest('.ui-dialog').find('.ui-dialog-buttonpane');
diff --git a/Phraseanet-production-client/dist/production.min.js b/Phraseanet-production-client/dist/production.min.js
index bae34931cf..9c638265c8 100644
--- a/Phraseanet-production-client/dist/production.min.js
+++ b/Phraseanet-production-client/dist/production.min.js
@@ -21998,7 +21998,8 @@ var moveRecord = function moveRecord(services) {
             var datas = {
                 lst: (0, _jquery2.default)('input[name="lst"]', $form).val(),
                 base_id: (0, _jquery2.default)('select[name="base_id"]', $form).val(),
-                chg_coll_son: coll_son
+                chg_coll_son: coll_son,
+                prodMoveCollection_token: (0, _jquery2.default)('input[name="prodMoveCollection_token"]', $form).val()
             };
 
             var buttonPanel = $dialog.getDomElement().closest('.ui-dialog').find('.ui-dialog-buttonpane');
diff --git a/Phraseanet-production-client/src/components/record/move.js b/Phraseanet-production-client/src/components/record/move.js
index 77ed60b9a5..3e2d840b34 100644
--- a/Phraseanet-production-client/src/components/record/move.js
+++ b/Phraseanet-production-client/src/components/record/move.js
@@ -48,7 +48,8 @@ const moveRecord = (services) => {
             var datas = {
                 lst: $('input[name="lst"]', $form).val(),
                 base_id: $('select[name="base_id"]', $form).val(),
-                chg_coll_son: coll_son
+                chg_coll_son: coll_son,
+                prodMoveCollection_token: $('input[name="prodMoveCollection_token"]', $form).val()
             };
 
             var buttonPanel = $dialog.getDomElement()
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php b/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php
index 274ab2ac17..23ff3c2b83 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php
@@ -62,6 +62,8 @@ public function displayForm(Request $request)
             // sort the collections
             array_multisort($aName, $uorder, SORT_REGULAR, $collections);
 
+            $this->setSessionFormToken('prodMoveCollection');
+
             $parameters = [
               'records' => $records,
               'message' => '',
@@ -81,6 +83,10 @@ public function displayForm(Request $request)
 
     public function apply(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodMoveCollection')) {
+            return $this->app->json(['success' => false, 'message' => 'invalid move collection form']);
+        }
+
         /** @var \record_adapter[] $records */
         $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANDELETERECORD]);
 
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
index 796b4f80ba..9d9b063018 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
@@ -215,6 +215,10 @@ public function sendAction(Request $request)
      */
     public function sharebasketAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodShareBasket')) {
+            return $this->app->json(['success' => false, 'message' => 'invalid form']);
+        }
+
         $ret = [
             'success' => false,
             'message' => $this->app->trans('Unable to send the documents')
@@ -817,6 +821,8 @@ public function renderPushTemplate(Request $request, $context)
         $repository = $this->getUserListRepository();
         $recommendedUsers = $this->getUsersInSelectionExtractor($push->get_elements());
 
+        $this->setSessionFormToken('prodShareBasket');
+
         return $this->render(
             'prod/actions/Push.html.twig',
             [
diff --git a/templates/web/prod/actions/Push.html.twig b/templates/web/prod/actions/Push.html.twig
index 86a22989b9..4eb20d39b0 100644
--- a/templates/web/prod/actions/Push.html.twig
+++ b/templates/web/prod/actions/Push.html.twig
@@ -508,6 +508,7 @@
                             {% endif %}
 
                         </div>
+                        <input type="hidden" name="prodShareBasket_token" value="{{ app['session'].get('prodShareBasket_token') }}">
                     </form>
 
                     <div class="footer">
diff --git a/templates/web/prod/actions/collection_default.html.twig b/templates/web/prod/actions/collection_default.html.twig
index cadc0eada2..9846079a70 100644
--- a/templates/web/prod/actions/collection_default.html.twig
+++ b/templates/web/prod/actions/collection_default.html.twig
@@ -38,5 +38,6 @@
 
         <input type="hidden" name="act" value="WORK">
         <input type="hidden" name="lst" value="{{ records.serializedList() }}">
+        <input type="hidden" name="prodMoveCollection_token" value="{{ app['session'].get('prodMoveCollection_token') }}">
     </form>
 </div>

From c9f98f51aef0f92f64dc74c606c0c54ec9dc4d5c Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Wed, 9 Aug 2023 18:05:18 +0300
Subject: [PATCH 04/16] add csrf

---
 .../Controller/Prod/BasketController.php      | 18 ++++++++++
 .../Controller/Prod/PrinterController.php     |  6 ++++
 .../Controller/Prod/PushController.php        |  6 ++++
 .../Controller/Prod/StoryController.php       | 12 +++++++
 templates/web/prod/Baskets/Create.html.twig   |  1 +
 templates/web/prod/Baskets/Reorder.html.twig  | 33 ++++++++++---------
 templates/web/prod/Baskets/Update.html.twig   |  1 +
 templates/web/prod/Story/Create.html.twig     |  2 +-
 templates/web/prod/Story/Reorder.html.twig    |  1 +
 templates/web/prod/User/Add.html.twig         |  1 +
 .../prod/actions/printer_default.html.twig    |  3 +-
 11 files changed, 66 insertions(+), 18 deletions(-)

diff --git a/lib/Alchemy/Phrasea/Controller/Prod/BasketController.php b/lib/Alchemy/Phrasea/Controller/Prod/BasketController.php
index 57c22d0dbe..843d1d476d 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/BasketController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/BasketController.php
@@ -203,6 +203,10 @@ private function getEntityManager()
 
     public function createBasket(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodCreateBasket')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid form'], 403);
+        }
+
         $basket = new Basket();
 
         $basket->setName($request->request->get('name', ''));
@@ -271,6 +275,10 @@ public function removeBasketElement(Request $request, Basket $basket, $basket_el
 
     public function updateBasket(Request $request, Basket $basket)
     {
+        if (!$this->isCrsfValid($request, 'prodBasketRename')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid form'], 403);
+        }
+
         $success = false;
 
         try {
@@ -305,16 +313,24 @@ public function updateBasket(Request $request, Basket $basket)
 
     public function displayUpdateForm(Basket $basket)
     {
+        $this->setSessionFormToken('prodBasketRename');
+
         return $this->render('prod/Baskets/Update.html.twig', ['basket' => $basket]);
     }
 
     public function displayReorderForm(Basket $basket)
     {
+        $this->setSessionFormToken('prodBasketReorder');
+
         return $this->render('prod/Baskets/Reorder.html.twig', ['basket' => $basket]);
     }
 
     public function reorder(Request $request, Basket $basket)
     {
+        if (!$this->isCrsfValid($request, 'prodBasketReorder')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid form'], 403);
+        }
+
         $ret = ['success' => false, 'message' => $this->app->trans('An error occured')];
         try {
             $order = $request->request->get('element');
@@ -417,6 +433,8 @@ public function stealElements(Request $request, Basket $basket)
 
     public function displayCreateForm()
     {
+        $this->setSessionFormToken('prodCreateBasket');
+
         return $this->render('prod/Baskets/Create.html.twig');
     }
 
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PrinterController.php b/lib/Alchemy/Phrasea/Controller/Prod/PrinterController.php
index edd01bba04..8a2f48e38f 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/PrinterController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PrinterController.php
@@ -48,6 +48,8 @@ public function postPrinterAction(Request $request)
             $storyId = $r->singleStory()->getId();
         }
 
+        $this->setSessionFormToken('prodPrint');
+
         return $this->render('prod/actions/printer_default.html.twig', [
             'printer' => $printer,
             'message' => '',
@@ -59,6 +61,10 @@ public function postPrinterAction(Request $request)
 
     public function printAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodPrint')) {
+            $this->app->abort(403);
+        }
+
         $printer = new RecordHelper\Printer($this->app, $request);
         $printer->setThumbnailName($request->request->get('thumbnail-chosen'));
         $printer->setPreviewName($request->request->get('preview-chosen'));
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
index 9d9b063018..ca0d585655 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php
@@ -397,6 +397,10 @@ public function getListAction($list_id)
      */
     public function addUserAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodShareAddUser')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid add user form'], 403);
+        }
+
         $result = ['success' => false, 'message' => '', 'user'    => null];
 
         try {
@@ -474,6 +478,8 @@ public function getAddUserFormAction(Request $request)
     {
         $params = ['callback' => $request->query->get('callback')];
 
+        $this->setSessionFormToken('prodShareAddUser');
+
         return $this->render('prod/User/Add.html.twig', $params);
     }
 
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php b/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php
index dc5ec6bd5a..01c7528088 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php
@@ -45,6 +45,8 @@ public function displayCreateFormAction(Request $request)
             }
         }
 
+        $this->setSessionFormToken('prodCreateStory');
+
         return $this->render('prod/Story/Create.html.twig', [
             'isMultipleDataboxes'   => count($databoxes) > 1 ? 1 : 0,
             'isMultipleCollections' => count($collections) > 1 ? 1 : 0,
@@ -56,6 +58,10 @@ public function displayCreateFormAction(Request $request)
 
     public function postCreateFormAction(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodCreateStory')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid form'], 403);
+        }
+
         $collection = \collection::getByBaseId($this->app, $request->request->get('base_id'));
 
         if (!$this->getAclForUser()->has_right_on_base($collection->get_base_id(), \ACL::CANADDRECORD)) {
@@ -209,6 +215,8 @@ public function displayReorderFormAction($sbas_id, $record_id)
             throw new \Exception('This is not a story');
         }
 
+        $this->setSessionFormToken('prodStoryReorder');
+
         return $this->renderResponse('prod/Story/Reorder.html.twig', [
             'story' => $story,
         ]);
@@ -216,6 +224,10 @@ public function displayReorderFormAction($sbas_id, $record_id)
 
     public function reorderAction(Request $request, $sbas_id, $record_id)
     {
+        if (!$this->isCrsfValid($request, 'prodStoryReorder')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid form'], 403);
+        }
+
         try {
             $story = new \record_adapter($this->app, $sbas_id, $record_id);
             $previousDescription = $story->getRecordDescriptionAsArray();
diff --git a/templates/web/prod/Baskets/Create.html.twig b/templates/web/prod/Baskets/Create.html.twig
index a758c16e61..d8207647bf 100644
--- a/templates/web/prod/Baskets/Create.html.twig
+++ b/templates/web/prod/Baskets/Create.html.twig
@@ -9,4 +9,5 @@
         <input type="checkbox" name="lst" value="" id="new_basket_add_sel"/>
         {{ 'Ajouter ma selection courrante' | trans }}
     </label>
+    <input type="hidden" name="prodCreateBasket_token" value="{{ app['session'].get('prodCreateBasket_token') }}">
 </form>
diff --git a/templates/web/prod/Baskets/Reorder.html.twig b/templates/web/prod/Baskets/Reorder.html.twig
index dbaa113496..f594af2925 100644
--- a/templates/web/prod/Baskets/Reorder.html.twig
+++ b/templates/web/prod/Baskets/Reorder.html.twig
@@ -2,22 +2,23 @@
 <div id="reorder_box">
     <div id="reorder_options" class="row-fluid">
         <form class="form-inline span10">
-        <label for="auto_order">{{ 'Reordonner automatiquement' | trans }}</label>
-        <select id="auto_order">
-            <option value="">{{ 'Choisir' | trans }}</option>
-            <option value="default">{{ 'Re-initialiser' | trans }}</option>
-            <option value="title">{{ 'Titre' | trans }}</option>
-            <option value="date_created">{{ 'Date de création' | trans }}</option>
-            <option value="date_updated">{{ 'Date de modification' | trans }}</option>
-        </select>
-        <button type="button" class="autoorder btn btn-inverse">{{ 'Re-ordonner' | trans }}</button>
-        <button type="button" class="reverseorder btn btn-inverse">{{ 'Inverser' | trans }}</button>
-        </form>
-        <form class="form-inline span2" name="reorder" method="POST" action="{{ path('prod_baskets_basket_reorder', { 'basket' : basket.getId() }) }}">
-        {% for element in basket.getElements() %}
-                <input type="hidden" name="element[{{ element.getId() }}]" value="{{ element.getOrd() }}"/>
-        {% endfor %}
-        <input type="submit" class="btn btn-inverse" value="{{ 'boutton::valider' | trans }}" />
+            <label for="auto_order">{{ 'Reordonner automatiquement' | trans }}</label>
+            <select id="auto_order">
+                <option value="">{{ 'Choisir' | trans }}</option>
+                <option value="default">{{ 'Re-initialiser' | trans }}</option>
+                <option value="title">{{ 'Titre' | trans }}</option>
+                <option value="date_created">{{ 'Date de création' | trans }}</option>
+                <option value="date_updated">{{ 'Date de modification' | trans }}</option>
+            </select>
+            <button type="button" class="autoorder btn btn-inverse">{{ 'Re-ordonner' | trans }}</button>
+            <button type="button" class="reverseorder btn btn-inverse">{{ 'Inverser' | trans }}</button>
+            </form>
+            <form class="form-inline span2" name="reorder" method="POST" action="{{ path('prod_baskets_basket_reorder', { 'basket' : basket.getId() }) }}">
+            {% for element in basket.getElements() %}
+                    <input type="hidden" name="element[{{ element.getId() }}]" value="{{ element.getOrd() }}"/>
+            {% endfor %}
+            <input type="submit" class="btn btn-inverse" value="{{ 'boutton::valider' | trans }}" />
+            <input type="hidden" name="prodBasketReorder_token" value="{{ app['session'].get('prodBasketReorder_token') }}">
         </form>
     </div>
     <div class="elements row-fluid">
diff --git a/templates/web/prod/Baskets/Update.html.twig b/templates/web/prod/Baskets/Update.html.twig
index c5b577252d..06f68fa601 100644
--- a/templates/web/prod/Baskets/Update.html.twig
+++ b/templates/web/prod/Baskets/Update.html.twig
@@ -5,5 +5,6 @@
         <label style="margin:5px 0 0 0;">{{ 'panier:: description' | trans }}</label>
         <textarea style="width:98%;height:120px;" name="description">{{ basket.getDescription() }}</textarea>
         <button type='button' class="btn btn-inverse" style="margin: 5px 40%;">{{ 'boutton::valider' | trans }}</button>
+        <input type="hidden" name="prodBasketRename_token" value="{{ app['session'].get('prodBasketRename_token') }}">
     </form>
 </div>
diff --git a/templates/web/prod/Story/Create.html.twig b/templates/web/prod/Story/Create.html.twig
index 6eeb5682bf..4c7344a2fe 100644
--- a/templates/web/prod/Story/Create.html.twig
+++ b/templates/web/prod/Story/Create.html.twig
@@ -43,5 +43,5 @@
         <input {% if isMultipleDataboxes %} disabled {% endif %} type="checkbox" name="lst" value="" id="new_story_add_sel"/>
         {{ 'Ajouter ma selection courrante' | trans }}
     </label>
-
+    <input type="hidden" name="prodCreateStory_token" value="{{ app['session'].get('prodCreateStory_token') }}">
 </form>
diff --git a/templates/web/prod/Story/Reorder.html.twig b/templates/web/prod/Story/Reorder.html.twig
index 39d6a33b5c..0146fd41a9 100644
--- a/templates/web/prod/Story/Reorder.html.twig
+++ b/templates/web/prod/Story/Reorder.html.twig
@@ -18,6 +18,7 @@
             <input type="hidden" name="element[{{ element.get_record_id() }}]" value="{{ element.getNumber() }}"/>
         {% endfor %}
         <input type="submit" class="btn btn-inverse" value="{{ 'boutton::valider' | trans }}"/>
+        <input type="hidden" name="prodStoryReorder_token" value="{{ app['session'].get('prodStoryReorder_token') }}">
     </form>
 </div>
 <div style="top:45px;overflow:auto;" id="reorder_box" class="row-fluid">
diff --git a/templates/web/prod/User/Add.html.twig b/templates/web/prod/User/Add.html.twig
index 8661ac97da..4c92fc3656 100644
--- a/templates/web/prod/User/Add.html.twig
+++ b/templates/web/prod/User/Add.html.twig
@@ -35,6 +35,7 @@
                 <td class="messages"></td>
             </tr>
         </table>
+        <input type="hidden" name="prodShareAddUser_token" value="{{ app['session'].get('prodShareAddUser_token') }}">
     </form>
 </div>
 
diff --git a/templates/web/prod/actions/printer_default.html.twig b/templates/web/prod/actions/printer_default.html.twig
index daf7e198d8..c880703e41 100644
--- a/templates/web/prod/actions/printer_default.html.twig
+++ b/templates/web/prod/actions/printer_default.html.twig
@@ -191,7 +191,8 @@
 
             </div>
         </div>
-    </form>
+    <input type="hidden" name="prodPrint_token" value="{{ app['session'].get('prodPrint_token') }}">
+</form>
 
 <script type="text/javascript">
     $(document).ready(function() {

From 4602d0460ed97673b31b50ccf7642fc754531cc5 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Thu, 10 Aug 2023 21:57:57 +0300
Subject: [PATCH 05/16] add csrf

---
 .../dist/production.js                        |  8 +++++
 .../dist/production.min.js                    |  8 +++++
 .../src/components/ui/workzone/index.js       |  8 +++++
 lib/Alchemy/Phrasea/Controller/Controller.php |  2 +-
 .../Controller/Prod/RootController.php        |  1 +
 .../Controller/PSExposeController.php         | 29 ++++++++++++++++++-
 .../web/prod/WorkZone/ExposeEdit.html.twig    |  5 ++--
 .../WorkZone/ExposeFieldMapping.html.twig     |  2 ++
 .../web/prod/WorkZone/ExposeNew.html.twig     |  5 ++--
 .../prod/WorkZone/ExposeOauthLogin.html.twig  |  1 +
 10 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/Phraseanet-production-client/dist/production.js b/Phraseanet-production-client/dist/production.js
index 9c638265c8..8d3c9842a6 100644
--- a/Phraseanet-production-client/dist/production.js
+++ b/Phraseanet-production-client/dist/production.js
@@ -10120,6 +10120,10 @@ var workzone = function workzone(services) {
                 data: formData,
                 success: function success(data) {
                     (0, _jquery2.default)('#DIALOG-field-mapping').dialog('close');
+                },
+                error: function error(xhr, status, _error) {
+                    var err = JSON.parse(xhr.responseText);
+                    alert(err.message);
                 }
             });
         });
@@ -10206,6 +10210,10 @@ var workzone = function workzone(services) {
                 data: formData,
                 success: function success(data) {
                     (0, _jquery2.default)('#DIALOG-field-mapping').dialog('close');
+                },
+                error: function error(xhr, status, _error2) {
+                    var err = JSON.parse(xhr.responseText);
+                    alert(err.message);
                 }
             });
         });
diff --git a/Phraseanet-production-client/dist/production.min.js b/Phraseanet-production-client/dist/production.min.js
index 9c638265c8..8d3c9842a6 100644
--- a/Phraseanet-production-client/dist/production.min.js
+++ b/Phraseanet-production-client/dist/production.min.js
@@ -10120,6 +10120,10 @@ var workzone = function workzone(services) {
                 data: formData,
                 success: function success(data) {
                     (0, _jquery2.default)('#DIALOG-field-mapping').dialog('close');
+                },
+                error: function error(xhr, status, _error) {
+                    var err = JSON.parse(xhr.responseText);
+                    alert(err.message);
                 }
             });
         });
@@ -10206,6 +10210,10 @@ var workzone = function workzone(services) {
                 data: formData,
                 success: function success(data) {
                     (0, _jquery2.default)('#DIALOG-field-mapping').dialog('close');
+                },
+                error: function error(xhr, status, _error2) {
+                    var err = JSON.parse(xhr.responseText);
+                    alert(err.message);
                 }
             });
         });
diff --git a/Phraseanet-production-client/src/components/ui/workzone/index.js b/Phraseanet-production-client/src/components/ui/workzone/index.js
index d9d5aeb32a..677b04c9b4 100644
--- a/Phraseanet-production-client/src/components/ui/workzone/index.js
+++ b/Phraseanet-production-client/src/components/ui/workzone/index.js
@@ -195,6 +195,10 @@ const workzone = (services) => {
                 data: formData,
                 success: function (data) {
                     $('#DIALOG-field-mapping').dialog('close');
+                },
+                error: function (xhr, status, error) {
+                    let err = JSON.parse(xhr.responseText);
+                    alert(err.message);
                 }
             });
         });
@@ -281,6 +285,10 @@ const workzone = (services) => {
                 data: formData,
                 success: function (data) {
                     $('#DIALOG-field-mapping').dialog('close');
+                },
+                error: function (xhr, status, error) {
+                    let err = JSON.parse(xhr.responseText);
+                    alert(err.message);
                 }
             });
 
diff --git a/lib/Alchemy/Phrasea/Controller/Controller.php b/lib/Alchemy/Phrasea/Controller/Controller.php
index 97919b3f0f..82b6c291e2 100644
--- a/lib/Alchemy/Phrasea/Controller/Controller.php
+++ b/lib/Alchemy/Phrasea/Controller/Controller.php
@@ -129,7 +129,7 @@ public function getSessionFormToken($formName)
 
     public function isCrsfValid(Request $request, $formName)
     {
-        if (!$request->isMethod("POST")) {
+        if (!$request->isMethod("POST") && !$request->isMethod("PUT")) {
             return false;
         }
 
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RootController.php b/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
index 2052795756..9b9462e2ac 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
@@ -105,6 +105,7 @@ public function indexAction(Request $request) {
         ];
 
         $this->setSessionFormToken('searchForm');
+        $this->setSessionFormToken('prodExposeNew');
 
         return $this->render('prod/index.html.twig', [
             'module_name'          => 'Production',
diff --git a/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php b/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php
index 0f6ae15ad4..7c024e0d2c 100644
--- a/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php
+++ b/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php
@@ -25,6 +25,10 @@ class PSExposeController extends Controller
      */
     public function authenticateAction(PhraseaApplication $app, Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExposeLogin')) {
+            return $this->app->json(['success' => false , 'error_description' => 'invalid csrf form']);
+        }
+
         $exposeConfiguration = $app['conf']->get(['phraseanet-service', 'expose-service', 'exposes'], []);
         $exposeConfiguration = $exposeConfiguration[$request->request->get('exposeName')];
 
@@ -201,7 +205,9 @@ public function listPublicationAction(PhraseaApplication $app, Request $request)
         }
 
         if (!$session->has($passSessionName) && $exposeConfiguration['connection_kind'] == 'password' && $request->get('format') != 'json') {
-             return $app->json([
+            $this->setSessionFormToken('prodExposeLogin');
+
+            return $app->json([
                 'twig'  => $this->render("prod/WorkZone/ExposeOauthLogin.html.twig", [
                     'exposeName' => $exposeName
                 ])
@@ -352,6 +358,8 @@ public function getPublicationAction(PhraseaApplication $app, Request $request)
 
         list($permissions, $listUsers, $listGroups) = $this->getPermissions($exposeClient, $request->get('publicationId'), $accessToken);
 
+        $this->setSessionFormToken('prodExposeEdit');
+
         return $this->render("prod/WorkZone/ExposeEdit.html.twig", [
             'timezone'    => $request->get('timezone'),
             'publication' => $publication,
@@ -590,6 +598,10 @@ public function listProfileAction(PhraseaApplication $app, Request $request)
      */
     public function createPublicationAction(PhraseaApplication $app, Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExposeNew')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid crsf token form']);
+        }
+
         $exposeName = $request->get('exposeName');
         if ( $exposeName == null) {
             return $app->json([
@@ -658,6 +670,10 @@ public function createPublicationAction(PhraseaApplication $app, Request $reques
      */
     public function updatePublicationAction(PhraseaApplication $app, Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExposeEdit')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid crsf token form']);
+        }
+
         $exposeName = $request->get('exposeName');
         $exposeClient = $this->getExposeClient($exposeName);
         if ($exposeClient == null) {
@@ -942,6 +958,9 @@ public function getSubdefsListAction(PhraseaApplication $app, Request $request)
 
     public function getFieldMappingAction(PhraseaApplication $app, Request $request)
     {
+        $this->setSessionFormToken('prodExposeFieldMapping');
+        $this->setSessionFormToken('prodExposeSubdefMapping');
+
         return $this->render('prod/WorkZone/ExposeFieldMapping.html.twig', [
             'exposeName'    => $request->get('exposeName')
         ]);
@@ -955,6 +974,10 @@ public function getFieldMappingAction(PhraseaApplication $app, Request $request)
      */
     public function saveFieldMappingAction(PhraseaApplication $app, Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExposeFieldMapping')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid crsf token form'], 403);
+        }
+
         $exposeName = $request->get('exposeName');
         $profile = $request->request->get('profile');
         $sendGeolocField = !empty($request->request->get('sendGeolocField')) ? array_keys($request->request->get('sendGeolocField')): [];
@@ -1031,6 +1054,10 @@ public function saveFieldMappingAction(PhraseaApplication $app, Request $request
 
     public function saveSubdefMappingAction(PhraseaApplication $app, Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodExposeSubdefMapping')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid crsf token form'], 403);
+        }
+
         $exposeName = $request->get('exposeName');
         $profile = $request->request->get('profile');
         $exposeClient = $this->getExposeClient($exposeName);
diff --git a/templates/web/prod/WorkZone/ExposeEdit.html.twig b/templates/web/prod/WorkZone/ExposeEdit.html.twig
index ddf75ead50..9e207466b3 100644
--- a/templates/web/prod/WorkZone/ExposeEdit.html.twig
+++ b/templates/web/prod/WorkZone/ExposeEdit.html.twig
@@ -175,7 +175,7 @@
                         </div>
                     </div>
                 </div>
-
+                <input type="hidden" name="prodExposeEdit_token" value="{{ app['session'].get('prodExposeEdit_token') }}">
             </form>
 
 
@@ -382,7 +382,8 @@
                     dataType: 'json',
                     data: {
                         exposeName: "{{ exposeName }}",
-                        publicationData: advancedSetting.val()
+                        publicationData: advancedSetting.val(),
+                        prodExposeEdit_token: $('#publication-json input[name="prodExposeEdit_token"]').val()
                     },
                     success: function (data) {
                         if (data.success) {
diff --git a/templates/web/prod/WorkZone/ExposeFieldMapping.html.twig b/templates/web/prod/WorkZone/ExposeFieldMapping.html.twig
index cf2d75b329..3e938b3a00 100644
--- a/templates/web/prod/WorkZone/ExposeFieldMapping.html.twig
+++ b/templates/web/prod/WorkZone/ExposeFieldMapping.html.twig
@@ -41,6 +41,7 @@
                             </div>
                         </div>
                     </div>
+                    <input type="hidden" name="prodExposeFieldMapping_token" value="{{ app['session'].get('prodExposeFieldMapping_token') }}">
                 </form>
             {% else %}
                 <h3>{{ 'expose::setting You have to select an expose to continue' | trans }}</h3>
@@ -76,6 +77,7 @@
                         </div>
                     </div>
                 </div>
+                <input type="hidden" name="prodExposeSubdefMapping_token" value="{{ app['session'].get('prodExposeSubdefMapping_token') }}">
             </form>
         </div>
     </div>
diff --git a/templates/web/prod/WorkZone/ExposeNew.html.twig b/templates/web/prod/WorkZone/ExposeNew.html.twig
index ab13b27d13..a04d078e39 100644
--- a/templates/web/prod/WorkZone/ExposeNew.html.twig
+++ b/templates/web/prod/WorkZone/ExposeNew.html.twig
@@ -131,7 +131,7 @@
                         </div>
                     </div>
                 </div>
-
+                <input type="hidden" name="prodExposeNew_token" value="{{ app['session'].get('prodExposeNew_token') }}">
             </form>
 
 
@@ -373,7 +373,8 @@
                 dataType: 'json',
                 data: {
                     exposeName: $('#expose_list').val(),
-                    publicationData: $('#DIALOG-expose-add').find('#advancedSetting').val()
+                    publicationData: $('#DIALOG-expose-add').find('#advancedSetting').val(),
+                    prodExposeNew_token: $('#publication-json input[name="prodExposeNew_token"]').val()
                 },
                 success: function (data) {
                     if (data.success) {
diff --git a/templates/web/prod/WorkZone/ExposeOauthLogin.html.twig b/templates/web/prod/WorkZone/ExposeOauthLogin.html.twig
index 9dd073923d..f8e0f9f9b0 100644
--- a/templates/web/prod/WorkZone/ExposeOauthLogin.html.twig
+++ b/templates/web/prod/WorkZone/ExposeOauthLogin.html.twig
@@ -17,6 +17,7 @@
             <div>
                 <button class="btn btn-primary auth-sign-in">{{ 'prod:expose:connection:Sign in' |trans }}</button>
             </div>
+            <input type="hidden" name="prodExposeLogin_token" value="{{ app['session'].get('prodExposeLogin_token') }}">
         </form>
     </div>
 </div>

From caea93ac80c3f9567d5249d04e52956079d0eb74 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Wed, 6 Sep 2023 15:00:23 +0300
Subject: [PATCH 06/16] test

---
 tests/classes/record/adapterTest.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/classes/record/adapterTest.php b/tests/classes/record/adapterTest.php
index 07ec468e4c..487f176310 100644
--- a/tests/classes/record/adapterTest.php
+++ b/tests/classes/record/adapterTest.php
@@ -76,6 +76,9 @@ public function testSetExport()
         $app['phraseanet.user-query']->expects($this->any())->method('who_have_right')->will($this->returnSelf());
         $app['phraseanet.user-query']->expects($this->any())->method('execute')->will($this->returnSelf());
 
+        $randomValue = bin2hex(random_bytes(35));
+        $app['session']->set('prodExportOrder_token', $randomValue);
+
         $app['notification.deliverer'] = $this->getMockBuilder('Alchemy\Phrasea\Notification\Deliverer')
             ->disableOriginalConstructor()
             ->getMock();
@@ -87,7 +90,8 @@ public function testSetExport()
         $this->getClient()->request(
             'POST', $app['url_generator']->generate('prod_order_new'), [
             'lst'      => $this->getRecord1()->getId(),
-            'deadline' => '+10 minutes'
+            'deadline' => '+10 minutes',
+            'prodExportOrder_token' =>  $randomValue
         ]);
 
         $this->assertTrue($triggered);

From 09fa81f3e476f2ec20fe3cf1bce1b160b6b38ec1 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Wed, 6 Sep 2023 16:41:12 +0300
Subject: [PATCH 07/16] test

---
 .../Phrasea/Controller/Prod/BasketTest.php    | 20 ++++++++++++---
 .../Phrasea/Controller/Prod/DownloadTest.php  | 18 ++++++++++---
 .../Phrasea/Controller/Prod/ExportTest.php    | 25 +++++++++++++------
 .../Phrasea/Controller/Prod/OrderTest.php     |  8 ++++--
 .../Phrasea/Controller/Prod/PrinterTest.php   |  5 +++-
 .../Phrasea/Controller/Prod/PropertyTest.php  |  9 +++++--
 .../Phrasea/Controller/Prod/QueryTest.php     |  3 ++-
 .../Phrasea/Controller/Prod/StoryTest.php     | 21 ++++++++++++----
 .../Phrasea/Controller/Prod/ToolsTest.php     |  7 ++++++
 tests/classes/PhraseanetTestCase.php          |  8 ++++++
 10 files changed, 99 insertions(+), 25 deletions(-)

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/BasketTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/BasketTest.php
index 5a01263b20..3d1f79d574 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/BasketTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/BasketTest.php
@@ -20,6 +20,8 @@ public function testRootPost()
         self::$DI['record_2'];
         $route = '/prod/baskets/';
 
+        $randomValue = $this->setSessionFormToken('prodCreateBasket');
+
         $records = [
             self::$DI['record_1']->get_serialize_key(),
             self::$DI['record_2']->get_serialize_key(),
@@ -34,7 +36,9 @@ public function testRootPost()
             'POST', $route, [
             'name' => 'panier',
             'desc' => 'mon beau panier',
-            'lst'  => $lst]
+            'lst'  => $lst,
+            'prodCreateBasket_token'  =>   $randomValue
+            ]
         );
 
         $response = self::$DI['client']->getResponse();
@@ -60,6 +64,8 @@ public function testRootPostJSON()
         $query = $entityManager->createQuery('SELECT COUNT(b.id) FROM Phraseanet:Basket b');
         $count = $query->getSingleScalarResult();
 
+        $randomValue = $this->setSessionFormToken('prodCreateBasket');
+
         $route = '/prod/baskets/';
 
         $client = $this->getClient();
@@ -69,6 +75,7 @@ public function testRootPostJSON()
             [
                 'name' => 'panier',
                 'desc' => 'mon beau panier',
+                'prodCreateBasket_token'  =>   $randomValue
             ],
             [],
             [
@@ -200,10 +207,14 @@ public function testBasketUpdatePost()
         $basket = self::$DI['app']['orm.em']->find('Phraseanet:Basket', 1);
         $route = sprintf('/prod/baskets/%s/update/', $basket->getId());
 
+        $randomValue = $this->setSessionFormToken('prodBasketRename');
+
         self::$DI['client']->request(
             'POST', $route, [
             'name'        => 'new_name',
-            'description' => 'new_desc']
+            'description' => 'new_desc',
+            'prodBasketRename_token' => $randomValue
+            ]
         );
 
         $response = self::$DI['client']->getResponse();
@@ -217,10 +228,13 @@ public function testBasketUpdatePostJSON()
         $basket = self::$DI['app']['orm.em']->find('Phraseanet:Basket', 1);
         $route = sprintf('/prod/baskets/%s/update/', $basket->getId());
 
+        $randomValue = $this->setSessionFormToken('prodBasketRename');
+
         self::$DI['client']->request(
             'POST', $route, [
             'name'        => 'new_name',
-            'description' => 'new_desc'
+            'description' => 'new_desc',
+            'prodBasketRename_token' => $randomValue
             ], [], [
             "HTTP_ACCEPT" => "application/json"]
         );
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/DownloadTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/DownloadTest.php
index a3909c95e9..58848c7072 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/DownloadTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/DownloadTest.php
@@ -22,6 +22,8 @@ class DownloadTest extends \PhraseanetAuthenticatedWebTestCase
     public function testDownloadRecords()
     {
         $triggered = false;
+        $randomValue = $this->setSessionFormToken('prodExportDownload');
+
         self::$DI['app']['dispatcher']->addListener(PhraseaEvents::EXPORT_CREATE, function (Event $event) use (&$triggered) {
             $triggered = true;
         });
@@ -30,7 +32,8 @@ public function testDownloadRecords()
             'ssttid'            => '',
             'obj'               => ['preview', 'document'],
             'title'             => 'export_title_test',
-            'businessfields'    => '1'
+            'businessfields'    => '1',
+            'prodExportDownload_token' => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -46,6 +49,8 @@ public function testDownloadRecords()
     public function testDownloadRestricted()
     {
         $triggered = false;
+        $randomValue = $this->setSessionFormToken('prodExportDownload');
+
         self::$DI['app']['dispatcher']->addListener(PhraseaEvents::EXPORT_CREATE, function (Event $event) use (&$triggered) {
             $triggered = true;
         });
@@ -84,7 +89,8 @@ public function testDownloadRestricted()
             'ssttid'            => '',
             'obj'               => ['preview', 'document'],
             'title'             => 'export_title_test',
-            'businessfields'    => '1'
+            'businessfields'    => '1',
+            'prodExportDownload_token' => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -100,6 +106,7 @@ public function testDownloadRestricted()
     public function testDownloadBasket()
     {
         $basket = self::$DI['app']['orm.em']->find('Phraseanet:Basket', 4);
+        $randomValue = $this->setSessionFormToken('prodExportDownload');
 
         $triggered = false;
         self::$DI['app']['dispatcher']->addListener(PhraseaEvents::EXPORT_CREATE, function (Event $event) use (&$triggered) {
@@ -111,7 +118,8 @@ public function testDownloadBasket()
             'ssttid'            => $basket->getId(),
             'obj'               => ['preview', 'document'],
             'title'             => 'export_title_test',
-            'businessfields'    => '1'
+            'businessfields'    => '1',
+            'prodExportDownload_token' => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -127,6 +135,7 @@ public function testDownloadBasket()
     public function testDownloadBasketValidation()
     {
         $basket = self::$DI['app']['orm.em']->find('Phraseanet:Basket', 4);
+        $randomValue = $this->setSessionFormToken('prodExportDownload');
 
         $triggered = false;
         self::$DI['app']['dispatcher']->addListener(PhraseaEvents::EXPORT_CREATE, function (Event $event) use (&$triggered) {
@@ -138,7 +147,8 @@ public function testDownloadBasketValidation()
             'ssttid'            => $basket->getId(),
             'obj'               => ['preview', 'document'],
             'title'             => 'export_title_test',
-            'businessfields'    => '1'
+            'businessfields'    => '1',
+            'prodExportDownload_token' => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php
index e49a967d0c..e2b9816c9b 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php
@@ -87,13 +87,17 @@ public function testFtpConnexionNoXMLHTTPRequests()
      */
     public function testExportFtpNoDocs()
     {
+        $randomValue = $this->setSessionFormToken('prodExportFTP');
+
         self::$DI['client']->request('POST', '/prod/export/ftp/',  [
             'address' => 'test.ftp',
             'login'      => 'login',
             'dest_folder' => 'documents',
             'prefix_folder' => 'documents',
-            'obj'        => ['preview']
+            'obj'        => ['preview'],
+            'prodExportFTP_token' => $randomValue
         ]);
+
         $response = self::$DI['client']->getResponse();
         $this->assertTrue($response->isOk());
         $datas = (array) json_decode($response->getContent());
@@ -116,12 +120,14 @@ public function testExportFtpBadRequest($params)
 
     public function getMissingArguments()
     {
+        $randomValue = $this->setSessionFormToken('prodExportFTP');
+
         return [
-            [[]],
-            [['address' => '']],
-            [['address'  => '', 'login' => '']],
-            [['address'       => '', 'login'      => '', 'dest_folder' => '']],
-            [['address'       => '', 'login'      => '', 'dest_folder' => '', 'prefix_folder' => '']],
+            [['prodExportFTP_token' => $randomValue]],
+            [['address' => '', 'prodExportFTP_token' => $randomValue]],
+            [['address'  => '', 'login' => '', 'prodExportFTP_token' => $randomValue]],
+            [['address'       => '', 'login'      => '', 'dest_folder' => '', 'prodExportFTP_token' => $randomValue]],
+            [['address'       => '', 'login'      => '', 'dest_folder' => '', 'prefix_folder' => '', 'prodExportFTP_token' => $randomValue]],
         ];
     }
 
@@ -131,6 +137,7 @@ public function getMissingArguments()
     public function testExportFtp()
     {
         $app = $this->getApplication();
+        $randomValue = $this->setSessionFormToken('prodExportFTP');
 
         $bkp = $app['conf']->get('registry');
 
@@ -150,7 +157,8 @@ public function testExportFtp()
             'login'      => $user->getEmail(),
             'dest_folder' => '/home/test/',
             'prefix_folder' => 'test2/',
-            'obj'        => ['preview']
+            'obj'        => ['preview'],
+            'prodExportFTP_token' => $randomValue
         ]);
 
         $response = $this->getClient()->getResponse();
@@ -172,10 +180,13 @@ public function testExportMail()
         //  deliver method removed in the listener
 //        $this->mockNotificationDeliverer('Alchemy\Phrasea\Notification\Mail\MailRecordsExport');
 
+        $randomValue = $this->setSessionFormToken('prodExportEmail');
+
         $this->getClient()->request('POST', '/prod/export/mail/', [
             'lst'        => $this->getRecord1()->getId(),
             'destmail'   => 'user@example.com',
             'obj'        => ['preview'],
+            'prodExportEmail_token' => $randomValue
         ]);
 
         $response = $this->getClient()->getResponse();
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/OrderTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/OrderTest.php
index e4205b7c28..fdc68df288 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/OrderTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/OrderTest.php
@@ -19,6 +19,7 @@ class OrderTest extends \PhraseanetAuthenticatedWebTestCase
     public function testCreateOrder()
     {
         $app = $this->getApplication();
+        $randomValue = $this->setSessionFormToken('prodExportOrder');
 
         $triggered = false;
         $app['dispatcher']->addListener(PhraseaEvents::ORDER_CREATE, function () use (&$triggered) {
@@ -27,7 +28,8 @@ public function testCreateOrder()
 
         $response = $this->request('POST', '/prod/order/', [
             'lst'      => $this->getRecord1()->getId(),
-            'deadline' => '+10 minutes'
+            'deadline' => '+10 minutes',
+            'prodExportOrder_token' => $randomValue
         ]);
 
         $this->assertTrue($response->isRedirect(), 'Response should be redirect');
@@ -41,6 +43,7 @@ public function testCreateOrder()
     public function testCreateOrderJson()
     {
         $app = $this->getApplication();
+        $randomValue = $this->setSessionFormToken('prodExportOrder');
 
         $triggered = false;
         $app['dispatcher']->addListener(PhraseaEvents::ORDER_CREATE, function (Event $event) use (&$triggered) {
@@ -49,7 +52,8 @@ public function testCreateOrderJson()
 
         $response = $this->XMLHTTPRequest('POST', '/prod/order/', [
             'lst' => $this->getRecord1()->getId(),
-            'deadline' => '+10 minutes'
+            'deadline' => '+10 minutes',
+            'prodExportOrder_token' => $randomValue
         ]);
 
         $this->assertTrue($response->isOk(), 'Invalid response from create order');
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/PrinterTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/PrinterTest.php
index c99084431e..fab6fd5d7f 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/PrinterTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/PrinterTest.php
@@ -33,6 +33,8 @@ public function testRouteSlash()
 
     public function testRoutePrintPdf()
     {
+        $randomValue = $this->setSessionFormToken('prodPrint');
+
         $records = [
             self::$DI['record_1']->get_serialize_key(),
             self::$DI['record_2']->get_serialize_key(),
@@ -53,7 +55,8 @@ public function testRoutePrintPdf()
         foreach ($layouts as $layout) {
             self::$DI['client']->request('POST', '/prod/printer/print.pdf', [
                 'lst' => $lst,
-                'lay' => $layout
+                'lay' => $layout,
+                'prodPrint_token' => $randomValue
                 ]
             );
 
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/PropertyTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/PropertyTest.php
index 7dbfa21760..96afb9fd47 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/PropertyTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/PropertyTest.php
@@ -100,6 +100,7 @@ public function testChangeStatus()
             ->will($this->returnValue($acl));
 
         self::$DI['app']['acl'] = $aclProvider;
+        $randomValue = $this->setSessionFormToken('prodPropertyStatus');
 
         self::$DI['client']->request('POST', '/prod/records/property/status/', [
             'apply_to_children' => [$story->getDataboxId() => true],
@@ -108,8 +109,10 @@ public function testChangeStatus()
             ],
             'lst' => implode(';', [
                 $record->getId(),$story->getId()
-            ])
+            ]),
+            'prodPropertyStatus_token' => $randomValue
         ]);
+
         $response = self::$DI['client']->getResponse();
         $datas = (array) json_decode($response->getContent());
         $this->assertArrayHasKey('success', $datas);
@@ -152,6 +155,7 @@ public function testChangeType()
         $file = new File(self::$DI['app'], self::$DI['app']['mediavorus']->guess(__DIR__ . '/../../../../../files/cestlafete.jpg'), self::$DI['collection']);
         $record = \record_adapter::createFromFile($file, self::$DI['app']);
         $record2 = \record_adapter::createFromFile($file, self::$DI['app']);
+        $randomValue = $this->setSessionFormToken('prodPropertyType');
 
         self::$DI['client']->request('POST', '/prod/records/property/type/',  [
             'lst' => implode(';', [
@@ -160,7 +164,8 @@ public function testChangeType()
             'types' => [
                 $record->getId() => 'document',
                 $record2->getId() => 'flash',
-            ]
+            ],
+            'prodPropertyType_token' => $randomValue
         ]);
         $response = self::$DI['client']->getResponse();
         $datas = (array) json_decode($response->getContent());
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/QueryTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/QueryTest.php
index 5de67bd775..8d3b3851c3 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/QueryTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/QueryTest.php
@@ -29,11 +29,12 @@ public function testQuery()
             ->getMock();
 
         self::$DI['app']['manipulator.user'] = $userManipulator;
+        $randomValue = $this->setSessionFormToken('searchForm');
 
         $userManipulator->expects($this->once())->method('logQuery');
 
         $client = $this->getClient();
-        $client->request('POST', $route);
+        $client->request('POST', $route, ['searchForm_token' => $randomValue]);
 
         $response = $client->getResponse();
         $this->assertEquals('application/json', $response->headers->get('Content-type'));
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/StoryTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/StoryTest.php
index bb09193b93..30724943db 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/StoryTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/StoryTest.php
@@ -15,6 +15,8 @@ class StoryTest extends \PhraseanetAuthenticatedWebTestCase
     public function testRootPost()
     {
         self::$DI['app']['phraseanet.SE'] = $this->createSearchEngineMock();
+        $randomValue = $this->setSessionFormToken('prodCreateStory');
+
         $route = "/prod/story/";
 
         $collections = self::$DI['app']->getAclForUser(self::$DI['app']->getAuthenticatedUser())
@@ -25,7 +27,8 @@ public function testRootPost()
         self::$DI['client']->request(
             'POST', $route, [
             'base_id' => $collection->get_base_id(),
-            'name'    => ['1-1' => 'test story']    //db-metastructId => storyname
+            'name'    => ['1-1' => 'test story'],    //db-metastructId => storyname
+            'prodCreateStory_token'  => $randomValue
             ]
         );
 
@@ -44,6 +47,7 @@ public function testRootPost()
 
     public function testRootPostJSON()
     {
+        $randomValue = $this->setSessionFormToken('prodCreateStory');
         $route = "/prod/story/";
 
         $collections = self::$DI['app']->getAclForUser(self::$DI['app']->getAuthenticatedUser())
@@ -52,10 +56,17 @@ public function testRootPostJSON()
         $collection = array_shift($collections);
 
         $crawler = self::$DI['client']->request(
-            'POST', $route, [
-            'base_id' => $collection->get_base_id(),
-            'name'    => 'test story'], [], [
-            "HTTP_ACCEPT" => "application/json"]
+            'POST',
+            $route,
+            [
+                'base_id' => $collection->get_base_id(),
+                'name'    => 'test story',
+                'prodCreateStory_token' => $randomValue
+            ],
+            [],
+            [
+                "HTTP_ACCEPT" => "application/json"
+            ]
         );
 
         $response = self::$DI['client']->getResponse();
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/ToolsTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/ToolsTest.php
index 33ed490c28..a573c23f81 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/ToolsTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/ToolsTest.php
@@ -35,9 +35,13 @@ public function testRouteChangeDoc()
         self::$DI['app']['phraseanet.SE'] = $this->createSearchEngineMock();
         $record = self::$DI['record_1'];
 
+        $randomValue = bin2hex(random_bytes(35));
+        self::$DI['app']['session']->set('prodToolsHDSubstitution_token', $randomValue);
+
         $crawler = self::$DI['client']->request('POST', '/prod/tools/hddoc/', [
             'sbas_id' => $record->get_sbas_id(),
             'record_id' => $record->get_record_id(),
+            'prodToolsHDSubstitution_token' => $randomValue
         ], [
             'newHD' => new UploadedFile(
                $this->tmpFile, 'KIKOO.JPG', 'image/jpg', 2000
@@ -53,10 +57,13 @@ public function testRouteChangeDoc()
     public function testRouteChangeThumb()
     {
         $record = self::$DI['record_1'];
+        $randomValue = bin2hex(random_bytes(35));
+        self::$DI['app']['session']->set('prodToolsThumbSubstitution_token', $randomValue);
 
         $crawler = self::$DI['client']->request('POST', '/prod/tools/chgthumb/', [
             'sbas_id' => $record->get_sbas_id(),
             'record_id' => $record->get_record_id(),
+            'prodToolsThumbSubstitution_token' => $randomValue
         ], [
             'newThumb' => new UploadedFile(
                $this->tmpFile, 'KIKOO.JPG', 'image/jpg', 2000
diff --git a/tests/classes/PhraseanetTestCase.php b/tests/classes/PhraseanetTestCase.php
index 836f74af48..c6d7afb8ef 100644
--- a/tests/classes/PhraseanetTestCase.php
+++ b/tests/classes/PhraseanetTestCase.php
@@ -811,4 +811,12 @@ protected function createSearchEngineMock()
 
         return $mock;
     }
+
+    protected function setSessionFormToken($formName)
+    {
+        $randomValue = bin2hex(random_bytes(35));
+        self::$DI['app']['session']->set($formName.'_token', $randomValue);
+
+        return $randomValue;
+    }
 }

From 8b4f59c2fb5859fcd9dc54f8f6e2fdbcffc7fb70 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Wed, 6 Sep 2023 17:52:26 +0300
Subject: [PATCH 08/16] test

---
 .../Tests/Phrasea/Controller/Prod/ExportTest.php  | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php
index e2b9816c9b..7af7e618b7 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/ExportTest.php
@@ -113,21 +113,20 @@ public function testExportFtpNoDocs()
      */
     public function testExportFtpBadRequest($params)
     {
-        self::$DI['client']->request('POST', '/prod/export/ftp/', $params);
+        $randomValue = $this->setSessionFormToken('prodExportFTP');
+        self::$DI['client']->request('POST', '/prod/export/ftp/', array_merge($params, ['prodExportFTP_token' => $randomValue]));
 
         $this->assertBadResponse(self::$DI['client']->getResponse());
     }
 
     public function getMissingArguments()
     {
-        $randomValue = $this->setSessionFormToken('prodExportFTP');
-
         return [
-            [['prodExportFTP_token' => $randomValue]],
-            [['address' => '', 'prodExportFTP_token' => $randomValue]],
-            [['address'  => '', 'login' => '', 'prodExportFTP_token' => $randomValue]],
-            [['address'       => '', 'login'      => '', 'dest_folder' => '', 'prodExportFTP_token' => $randomValue]],
-            [['address'       => '', 'login'      => '', 'dest_folder' => '', 'prefix_folder' => '', 'prodExportFTP_token' => $randomValue]],
+            [[]],
+            [['address' => '']],
+            [['address'  => '', 'login' => '']],
+            [['address'       => '', 'login'      => '', 'dest_folder' => '']],
+            [['address'       => '', 'login'      => '', 'dest_folder' => '', 'prefix_folder' => '']],
         ];
     }
 

From babe6d0892ece480f1716a94d3493653007481bc Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Fri, 8 Sep 2023 11:42:49 +0300
Subject: [PATCH 09/16] add form token in report

---
 .../Controller/Report/RootController.php      |  5 +++++
 .../Controller/ProdReportController.php       | 21 ++++++++++++++++---
 .../web/report/report_layout_child.html.twig  |  3 +++
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/lib/Alchemy/Phrasea/Controller/Report/RootController.php b/lib/Alchemy/Phrasea/Controller/Report/RootController.php
index 146043240b..c085def0b9 100644
--- a/lib/Alchemy/Phrasea/Controller/Report/RootController.php
+++ b/lib/Alchemy/Phrasea/Controller/Report/RootController.php
@@ -90,6 +90,11 @@ public function getDashboard(Request $request)
 
         $conf = $this->getConf();
 
+        $this->setSessionFormToken('reportConnection');
+        $this->setSessionFormToken('reportDownload');
+        $this->setSessionFormToken('reportRecord');
+
+
         return $this->render('report/report_layout_child.html.twig', [
             'ajax_dash'     => true,
             'dashboard'     => null,
diff --git a/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php b/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
index cb82797751..eed1a8979a 100644
--- a/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
+++ b/lib/Alchemy/Phrasea/Report/Controller/ProdReportController.php
@@ -15,6 +15,7 @@
 use Alchemy\Phrasea\Report\ReportActions;
 use Alchemy\Phrasea\Report\ReportFactory;
 use Alchemy\Phrasea\Report\ReportRecords;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -57,6 +58,8 @@ public function __construct(ReportFactory $reportFactory, $anonymousReport, \ACL
         $this->anonymousReport = $anonymousReport;
         $this->acl             = $acl;
         $this->appbox          = $appbox;
+
+        parent::__construct($appbox->getPhraseApplication());
     }
 
     /**
@@ -77,11 +80,15 @@ public function indexAction(Request $request)
      *
      * @param Request $request
      * @param $sbasId
-     * @return RedirectResponse|StreamedResponse
+     * @return RedirectResponse|StreamedResponse|JsonResponse
      */
     public function connectionsAction(Request $request, $sbasId)
     {
         if ($request->isMethod("POST")) {
+            if (!$this->isCrsfValid($request, 'reportConnection')) {
+                return new JsonResponse(['message' => 'invalid report connection token'], 403);
+            }
+
             if (!($extension = $request->get('format'))) {
                 $extension = 'csv';
             }
@@ -123,11 +130,15 @@ public function connectionsAction(Request $request, $sbasId)
      *
      * @param Request $request
      * @param $sbasId
-     * @return RedirectResponse|StreamedResponse
+     * @return RedirectResponse|StreamedResponse|JsonResponse
      */
     public function downloadsAction(Request $request, $sbasId)
     {
         if ($request->isMethod("POST")) {
+            if (!$this->isCrsfValid($request, 'reportDownload')) {
+                return new JsonResponse(['message' => 'invalid report download token'], 403);
+            }
+
             if(!($extension = $request->get('format'))) {
                 $extension = 'csv';
             }
@@ -172,11 +183,15 @@ public function downloadsAction(Request $request, $sbasId)
      *
      * @param Request $request
      * @param $sbasId
-     * @return RedirectResponse|StreamedResponse
+     * @return RedirectResponse|StreamedResponse|JsonResponse
      */
     public function recordsAction(Request $request, $sbasId)
     {
         if ($request->isMethod("POST")) {
+            if (!$this->isCrsfValid($request, 'reportRecord')) {
+                return new JsonResponse(['message' => 'invalid report record token'], 403);
+            }
+
             if (!($extension = $request->get('format'))) {
                 $extension = 'csv';
             }
diff --git a/templates/web/report/report_layout_child.html.twig b/templates/web/report/report_layout_child.html.twig
index 08486c9011..79c1bf9ef7 100644
--- a/templates/web/report/report_layout_child.html.twig
+++ b/templates/web/report/report_layout_child.html.twig
@@ -20,6 +20,7 @@
                         <option value="res" id="connections_res">{{ 'report:: (connexions) res' | trans }}</option>
                 </select>
             </div>
+            <input type="hidden" name="reportConnection_token" value="{{ app['session'].get('reportConnection_token') }}">
             {% endblock form_connexion %}
         </form>
 
@@ -57,6 +58,7 @@
                     {% endfor %}
                 </select>
             </div>
+            <input type="hidden" name="reportDownload_token" value="{{ app['session'].get('reportDownload_token') }}">
         </form>
 
         <div class="form_submit">
@@ -115,6 +117,7 @@
                 </select>
             </div>
 
+            <input type="hidden" name="reportRecord_token" value="{{ app['session'].get('reportRecord_token') }}">
         </form>
 
         <div class="form_submit">

From 0b16cadf1dacf38d4a3a4fffeadf78306646cffa Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Tue, 12 Sep 2023 10:57:31 +0300
Subject: [PATCH 10/16] csrf token upload

---
 Phraseanet-production-client/dist/production.js          | 2 ++
 Phraseanet-production-client/dist/production.min.js      | 2 ++
 .../src/components/uploader/index.js                     | 2 ++
 lib/Alchemy/Phrasea/Controller/Prod/UploadController.php | 9 +++++++++
 templates/web/prod/upload/upload.html.twig               | 2 +-
 5 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Phraseanet-production-client/dist/production.js b/Phraseanet-production-client/dist/production.js
index 8d3c9842a6..5578135c7b 100644
--- a/Phraseanet-production-client/dist/production.js
+++ b/Phraseanet-production-client/dist/production.js
@@ -68229,6 +68229,8 @@ var uploader = function uploader(services) {
             params.push((0, _jquery2.default)('input', (0, _jquery2.default)('.collection-status:visible', uploaderInstance.getSettingsBox())).serializeArray());
             params.push((0, _jquery2.default)('select', uploaderInstance.getSettingsBox()).serializeArray());
 
+            params.push([{ name: 'prodUpload_token', value: (0, _jquery2.default)('input[name=prodUpload_token]').val() }]);
+
             _jquery2.default.each(params, function (i, p) {
                 _jquery2.default.each(p, function (i, f) {
                     data.formData.push(f);
diff --git a/Phraseanet-production-client/dist/production.min.js b/Phraseanet-production-client/dist/production.min.js
index 8d3c9842a6..5578135c7b 100644
--- a/Phraseanet-production-client/dist/production.min.js
+++ b/Phraseanet-production-client/dist/production.min.js
@@ -68229,6 +68229,8 @@ var uploader = function uploader(services) {
             params.push((0, _jquery2.default)('input', (0, _jquery2.default)('.collection-status:visible', uploaderInstance.getSettingsBox())).serializeArray());
             params.push((0, _jquery2.default)('select', uploaderInstance.getSettingsBox()).serializeArray());
 
+            params.push([{ name: 'prodUpload_token', value: (0, _jquery2.default)('input[name=prodUpload_token]').val() }]);
+
             _jquery2.default.each(params, function (i, p) {
                 _jquery2.default.each(p, function (i, f) {
                     data.formData.push(f);
diff --git a/Phraseanet-production-client/src/components/uploader/index.js b/Phraseanet-production-client/src/components/uploader/index.js
index a82b56208d..007caf1fa5 100644
--- a/Phraseanet-production-client/src/components/uploader/index.js
+++ b/Phraseanet-production-client/src/components/uploader/index.js
@@ -417,6 +417,8 @@ const uploader = (services) => {
             params.push($('input', $('.collection-status:visible', uploaderInstance.getSettingsBox())).serializeArray());
             params.push($('select', uploaderInstance.getSettingsBox()).serializeArray());
 
+            params.push([{name: 'prodUpload_token', value: $('input[name=prodUpload_token]').val()}]);
+
             $.each(params, function (i, p) {
                 $.each(p, function (i, f) {
                     data.formData.push(f);
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php b/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php
index cfe3147eba..6e1967b5c9 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php
@@ -28,6 +28,7 @@
 use DataURI\Parser;
 use GuzzleHttp\Client as Guzzle;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
@@ -56,6 +57,8 @@ public function getFlashUploadForm()
 
     public function getHtml5UploadForm()
     {
+        $this->setSessionFormToken('prodUpload');
+
         $maxFileSize = $this->getUploadMaxFileSize();
 
         return $this->render('prod/upload/upload.html.twig', [
@@ -68,6 +71,8 @@ public function getHtml5UploadForm()
 
     public function getUploadForm()
     {
+        $this->setSessionFormToken('prodUpload');
+
         $maxFileSize = $this->getUploadMaxFileSize();
 
         return $this->render('prod/upload/upload.html.twig', [
@@ -126,6 +131,10 @@ public function upload(Request $request)
             'id'      => '',
         ];
 
+        if (!$this->isCrsfValid($request, 'prodUpload')) {
+            throw new AccessDeniedHttpException('Invalid prodUpload token');
+        }
+
         if (null === $request->files->get('files')) {
             throw new BadRequestHttpException('Missing file parameter');
         }
diff --git a/templates/web/prod/upload/upload.html.twig b/templates/web/prod/upload/upload.html.twig
index c192fe6f11..5656c81172 100644
--- a/templates/web/prod/upload/upload.html.twig
+++ b/templates/web/prod/upload/upload.html.twig
@@ -140,7 +140,7 @@
                         {# download box #}
                         <div class="download-box"></div>
                     </div>
-
+                    <input type="hidden" name="prodUpload_token" value="{{ app['session'].get('prodUpload_token') }}">
                 </form>
             {% else %}
                 {{ 'You can not upload files' | trans }}

From d303644361e97cf6ea4ec3574622e03790fd7bbe Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Tue, 12 Sep 2023 11:46:46 +0300
Subject: [PATCH 11/16] lazaret csrf form

---
 .../Controller/Prod/LazaretController.php     | 22 ++++++++++++++++++-
 templates/web/prod/upload/lazaret.html.twig   |  4 ++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php b/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php
index 7fcddb0b28..85cf5195d0 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php
@@ -53,6 +53,8 @@ public function listElement(Request $request)
             $lazaretFiles = $this->getLazaretFileRepository()->findPerPage($baseIds, $offset, $perPage);
         }
 
+        $this->setSessionFormToken('prodLazaret');
+
         return $this->render('prod/upload/lazaret.html.twig', [
             'lazaretFiles' => $lazaretFiles,
             'currentPage'  => $page,
@@ -110,6 +112,12 @@ public function addElement(Request $request, $file_id)
     {
         $ret = ['success' => false, 'message' => '', 'result'  => []];
 
+        if (!$this->isCrsfValid($request, 'prodLazaret')) {
+            $ret['message'] = 'invalid prodLazaret token';
+
+            return $this->app->json($ret, 403);
+        }
+
         //Mandatory parameter
         if (null === $request->request->get('bas_id')) {
             $ret['message'] = $this->app->trans('You must give a destination collection');
@@ -146,8 +154,14 @@ public function addElement(Request $request, $file_id)
      *
      * @return Response
      */
-    public function denyElement($file_id)
+    public function denyElement(Request $request, $file_id)
     {
+        if (!$this->isCrsfValid($request, 'prodLazaret')) {
+            $ret['message'] = 'invalid prodLazaret token';
+
+            return $this->app->json($ret, 403);
+        }
+
         /** @var LazaretManipulator $lazaretManipulator */
         $lazaretManipulator = $this->app['manipulator.lazaret'];
 
@@ -193,6 +207,12 @@ public function acceptElement(Request $request, $file_id)
     {
         $ret = ['success' => false, 'message' => '', 'result'  => []];
 
+        if (!$this->isCrsfValid($request, 'prodLazaret')) {
+            $ret['message'] = 'invalid prodLazaret token';
+
+            return $this->app->json($ret, 403);
+        }
+
         //Mandatory parameter
         if (null === $recordId = $request->request->get('record_id')) {
             $ret['message'] = $this->app->trans('You must give a destination record');
diff --git a/templates/web/prod/upload/lazaret.html.twig b/templates/web/prod/upload/lazaret.html.twig
index 99b0a37130..74cdce9c19 100644
--- a/templates/web/prod/upload/lazaret.html.twig
+++ b/templates/web/prod/upload/lazaret.html.twig
@@ -237,6 +237,9 @@
                 type: 'POST',
                 url: '/prod/lazaret/' + lazaretId + '/deny/',
                 dataType: 'json',
+                data: {
+                    'prodLazaret_token' : form.find('input[name=prodLazaret_token]').val()
+                },
                 beforeSend: function () {
                     startAjax(that);
                 },
@@ -530,6 +533,7 @@
                                 {% endif %}
                             </div>
                         </div>
+                        <input type="hidden" name="prodLazaret_token" value="{{ app['session'].get('prodLazaret_token') }}">
                     </form>
                     <div class="hidden form-backup"></div>
                     {# bloc to backup initial value of status list#}

From ad319c0cce1b95ff9c77775c11e6bd3ef174be2a Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Tue, 12 Sep 2023 11:57:13 +0300
Subject: [PATCH 12/16] upload test

---
 .../Phrasea/Controller/Prod/UploadTest.php    | 33 ++++++++++++++-----
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/UploadTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/UploadTest.php
index 65832cf4dc..d8fe267e94 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/UploadTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/UploadTest.php
@@ -73,10 +73,13 @@ public function testUpload()
             ->disableOriginalConstructor()
             ->getMock();
 
+        $randomValue = $this->setSessionFormToken('prodUpload');
+
         $data = DataURI\Data::buildFromFile(__DIR__ . '/../../../../../files/cestlafete.jpg');
         $params = [
-            'base_id' => self::$DI['collection']->get_base_id(),
-            'b64_image' => DataURI\Dumper::dump($data)
+            'base_id'          => self::$DI['collection']->get_base_id(),
+            'b64_image'        => DataURI\Dumper::dump($data),
+            'prodUpload_token' => $randomValue
         ];
 
         $files = [
@@ -122,8 +125,11 @@ public function testUploadWithoutB64Image()
             ->disableOriginalConstructor()
             ->getMock();
 
+        $randomValue = $this->setSessionFormToken('prodUpload');
+
         $params = [
-            'base_id' => self::$DI['collection']->get_base_id()
+            'base_id'           => self::$DI['collection']->get_base_id(),
+            'prodUpload_token'  => $randomValue
         ];
 
         $files = [
@@ -162,8 +168,11 @@ public function testUploadingTwiceTheSameRecordShouldSendToQuarantine()
         $this->mockNotificationDeliverer('Alchemy\Phrasea\Notification\Mail\MailInfoRecordQuarantined');
         $this->mockUserNotificationSettings('eventsmanager_notify_uploadquarantine');
 
+        $randomValue = $this->setSessionFormToken('prodUpload');
+
         $params = [
-            'base_id' => self::$DI['collection']->get_base_id()
+            'base_id'           => self::$DI['collection']->get_base_id(),
+            'prodUpload_token'  => $randomValue
         ];
 
         $files = [
@@ -313,9 +322,12 @@ public function testUpload2Files()
     public function testUploadForceRecord()
     {
         self::$DI['app']['phraseanet.SE'] = $this->createSearchEngineMock();
+        $randomValue = $this->setSessionFormToken('prodUpload');
+
         $params = [
-            'base_id'     => self::$DI['collection']->get_base_id(),
-            'forceAction' => Manager::FORCE_RECORD,
+            'base_id'           => self::$DI['collection']->get_base_id(),
+            'forceAction'       => Manager::FORCE_RECORD,
+            'prodUpload_token'  => $randomValue
         ];
 
         $files = [
@@ -349,10 +361,13 @@ public function testUploadForceRecord()
     public function testUploadRecordStatus()
     {
         self::$DI['app']['phraseanet.SE'] = $this->createSearchEngineMock();
+        $randomValue = $this->setSessionFormToken('prodUpload');
+
         $params = [
-            'base_id'     => self::$DI['collection']->get_base_id(),
-            'forceAction' => Manager::FORCE_RECORD,
-            'status'      => [ self::$DI['collection']->get_base_id() => [ 4 => 1]],
+            'base_id'           => self::$DI['collection']->get_base_id(),
+            'forceAction'       => Manager::FORCE_RECORD,
+            'status'            => [ self::$DI['collection']->get_base_id() => [ 4 => 1]],
+            'prodUpload_token'  => $randomValue
         ];
 
         $files = [

From d43a36c02fc7d4cbd2a3fdc37eecfdcddbb38b4f Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Tue, 12 Sep 2023 12:05:42 +0300
Subject: [PATCH 13/16] lazaret test

---
 .../Phrasea/Controller/Prod/LazaretTest.php   | 42 +++++++++++++++----
 1 file changed, 33 insertions(+), 9 deletions(-)

diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/LazaretTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/LazaretTest.php
index 0430b61b2f..d17d317197 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/LazaretTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/LazaretTest.php
@@ -169,10 +169,14 @@ public function testAddElement()
             ->method('flush');
 
         self::$DI['app']['orm.em'] = $em;
+
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         self::$DI['client']->request('POST', '/prod/lazaret/' . $id . '/force-add/', [
             'bas_id'          => $lazaretFile->getBaseId(),
             'keep_attributes' => 1,
-            'attributes'      => [1, 2, 3, 4] //Check only the four first attributes
+            'attributes'      => [1, 2, 3, 4], //Check only the four first attributes
+            'prodLazaret_token'  => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -191,10 +195,13 @@ public function testAddElementBadRequestException()
     {
         $id = 1;
 
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         //Ommit base_id mandatory param
         self::$DI['client']->request('POST', '/prod/lazaret/' . $id . '/force-add/', [
             'keep_attributes' => 1,
-            'attributes'      => [1, 2, 3, 4] //Check only the four first attributes
+            'attributes'      => [1, 2, 3, 4], //Check only the four first attributes
+            'prodLazaret_token'  => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -208,10 +215,13 @@ public function testAddElementBadRequestException()
      */
     public function testAddElementException()
     {
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         self::$DI['client']->request('POST', '/prod/lazaret/99999/force-add/', [
             'bas_id'          => 1,
             'keep_attributes' => 1,
-            'attributes'      => [1, 2, 3, 4] //Check only the four first attributes
+            'attributes'      => [1, 2, 3, 4], //Check only the four first attributes
+            'prodLazaret_token'  => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -226,10 +236,11 @@ public function testAddElementException()
     public function testDenyElement()
     {
         $lazaretFile = self::$DI['lazaret_1'];
+        $randomValue = $this->setSessionFormToken('prodLazaret');
 
         $route = sprintf('/prod/lazaret/%s/deny/', $lazaretFile->getId());
 
-        self::$DI['client']->request('POST', $route);
+        self::$DI['client']->request('POST', $route, ['prodLazaret_token'  => $randomValue]);
 
         $response = self::$DI['client']->getResponse();
 
@@ -272,9 +283,11 @@ public function testEmptyLazaret()
      */
     public function testDenyElementException()
     {
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         $route = sprintf('/prod/lazaret/%s/deny/', '99999');
 
-        self::$DI['client']->request('POST', $route);
+        self::$DI['client']->request('POST', $route, ['prodLazaret_token'  => $randomValue]);
 
         $response = self::$DI['client']->getResponse();
 
@@ -362,8 +375,12 @@ public function testAcceptElement()
         });
 
         self::$DI['app']['orm.em'] = $em;
+
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         self::$DI['client']->request('POST', '/prod/lazaret/' . $id . '/accept/', [
-            'record_id' => self::$DI['record_1']->get_record_id()
+            'record_id'         => self::$DI['record_1']->get_record_id(),
+            'prodLazaret_token' => $randomValue
         ]);
         $this->assertTrue($called);
 
@@ -400,8 +417,11 @@ public function testAcceptElementNoRecordException()
 
         $id = 1;
 
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         self::$DI['client']->request('POST', '/prod/lazaret/' . $id . '/accept/', [
-            'record_id' => self::$DI['record_1']->get_record_id()
+            'record_id'         => self::$DI['record_1']->get_record_id(),
+            'prodLazaret_token' => $randomValue
         ]);
 
         $response = self::$DI['client']->getResponse();
@@ -415,9 +435,11 @@ public function testAcceptElementNoRecordException()
      */
     public function testAcceptElementException()
     {
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         $route = sprintf('/prod/lazaret/%s/accept/', '99999');
 
-        self::$DI['client']->request('POST', $route, ['record_id' => 1]);
+        self::$DI['client']->request('POST', $route, ['record_id' => 1, 'prodLazaret_token' => $randomValue]);
 
         $response = self::$DI['client']->getResponse();
 
@@ -432,8 +454,10 @@ public function testAcceptElementBadRequestException()
     {
         $id = 1;
 
+        $randomValue = $this->setSessionFormToken('prodLazaret');
+
         //Ommit record_id mandatory param
-        self::$DI['client']->request('POST', '/prod/lazaret/' . $id . '/accept/');
+        self::$DI['client']->request('POST', '/prod/lazaret/' . $id . '/accept/', ['prodLazaret_token' => $randomValue]);
 
         $response = self::$DI['client']->getResponse();
 

From f373f21e66c12ea56b2e9a090b071207f6527a8e Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Thu, 14 Sep 2023 12:00:27 +0300
Subject: [PATCH 14/16] add csrf token

---
 Phraseanet-production-client/dist/lightbox.js             | 3 ++-
 Phraseanet-production-client/dist/lightbox.min.js         | 3 ++-
 Phraseanet-production-client/dist/production.js           | 8 ++++++--
 Phraseanet-production-client/dist/production.min.js       | 8 ++++++--
 .../src/components/lightbox/index.js                      | 3 ++-
 .../src/components/thesaurus/index.js                     | 8 ++++++--
 lib/Alchemy/Phrasea/Controller/LightboxController.php     | 6 ++++++
 lib/Alchemy/Phrasea/Controller/Prod/RecordController.php  | 2 +-
 lib/Alchemy/Phrasea/Controller/Prod/RootController.php    | 1 +
 .../Controller/Thesaurus/ThesaurusXmlHttpController.php   | 4 ++++
 templates/web/lightbox/sc_note.html.twig                  | 1 +
 templates/web/prod/tab_thesaurus.html.twig                | 1 +
 12 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/Phraseanet-production-client/dist/lightbox.js b/Phraseanet-production-client/dist/lightbox.js
index e2968fcd1f..aac0a3a98f 100644
--- a/Phraseanet-production-client/dist/lightbox.js
+++ b/Phraseanet-production-client/dist/lightbox.js
@@ -1064,7 +1064,8 @@ var lightbox = function lightbox(services) {
             url: '/lightbox/ajax/SET_NOTE/' + sselcont_id + '/',
             dataType: 'json',
             data: {
-                note: note
+                note: note,
+                lightbox_token: (0, _jquery2.default)(button).closest('form').find('input[name=lightbox_token]').val()
             },
             success: function success(datas) {
                 _hideNotes(container);
diff --git a/Phraseanet-production-client/dist/lightbox.min.js b/Phraseanet-production-client/dist/lightbox.min.js
index e2968fcd1f..aac0a3a98f 100644
--- a/Phraseanet-production-client/dist/lightbox.min.js
+++ b/Phraseanet-production-client/dist/lightbox.min.js
@@ -1064,7 +1064,8 @@ var lightbox = function lightbox(services) {
             url: '/lightbox/ajax/SET_NOTE/' + sselcont_id + '/',
             dataType: 'json',
             data: {
-                note: note
+                note: note,
+                lightbox_token: (0, _jquery2.default)(button).closest('form').find('input[name=lightbox_token]').val()
             },
             success: function success(datas) {
                 _hideNotes(container);
diff --git a/Phraseanet-production-client/dist/production.js b/Phraseanet-production-client/dist/production.js
index 5578135c7b..71a73f35c7 100644
--- a/Phraseanet-production-client/dist/production.js
+++ b/Phraseanet-production-client/dist/production.js
@@ -12248,7 +12248,9 @@ var thesaurusService = function thesaurusService(services) {
                     sbas[i].seeker = _jquery2.default.ajax({
                         url: _zurl,
                         type: 'POST',
-                        data: [],
+                        data: {
+                            prodTabThesaurus_token: (0, _jquery2.default)('form.thesaurus-filter-submit-action input[name=prodTabThesaurus_token]').val()
+                        },
                         dataType: 'json',
                         success: function success(j) {
                             var z = '#TX_P\\.' + j.parm.sbid + '\\.T';
@@ -12285,7 +12287,9 @@ var thesaurusService = function thesaurusService(services) {
                 sbas[i].seeker = _jquery2.default.ajax({
                     url: zurl,
                     type: 'POST',
-                    data: [],
+                    data: {
+                        prodTabThesaurus_token: (0, _jquery2.default)('form.thesaurus-filter-submit-action input[name=prodTabThesaurus_token]').val()
+                    },
                     dataType: 'json',
                     success: function success(j) {
                         var z = '#TX_P\\.' + j.parm.sbid + '\\.T';
diff --git a/Phraseanet-production-client/dist/production.min.js b/Phraseanet-production-client/dist/production.min.js
index 5578135c7b..71a73f35c7 100644
--- a/Phraseanet-production-client/dist/production.min.js
+++ b/Phraseanet-production-client/dist/production.min.js
@@ -12248,7 +12248,9 @@ var thesaurusService = function thesaurusService(services) {
                     sbas[i].seeker = _jquery2.default.ajax({
                         url: _zurl,
                         type: 'POST',
-                        data: [],
+                        data: {
+                            prodTabThesaurus_token: (0, _jquery2.default)('form.thesaurus-filter-submit-action input[name=prodTabThesaurus_token]').val()
+                        },
                         dataType: 'json',
                         success: function success(j) {
                             var z = '#TX_P\\.' + j.parm.sbid + '\\.T';
@@ -12285,7 +12287,9 @@ var thesaurusService = function thesaurusService(services) {
                 sbas[i].seeker = _jquery2.default.ajax({
                     url: zurl,
                     type: 'POST',
-                    data: [],
+                    data: {
+                        prodTabThesaurus_token: (0, _jquery2.default)('form.thesaurus-filter-submit-action input[name=prodTabThesaurus_token]').val()
+                    },
                     dataType: 'json',
                     success: function success(j) {
                         var z = '#TX_P\\.' + j.parm.sbid + '\\.T';
diff --git a/Phraseanet-production-client/src/components/lightbox/index.js b/Phraseanet-production-client/src/components/lightbox/index.js
index 4312cdb8bd..cf9875906f 100644
--- a/Phraseanet-production-client/src/components/lightbox/index.js
+++ b/Phraseanet-production-client/src/components/lightbox/index.js
@@ -1036,7 +1036,8 @@ const lightbox = services => {
             url: '/lightbox/ajax/SET_NOTE/' + sselcont_id + '/',
             dataType: 'json',
             data: {
-                note: note
+                note: note,
+                lightbox_token: $(button).closest('form').find('input[name=lightbox_token]').val()
             },
             success: function (datas) {
                 _hideNotes(container);
diff --git a/Phraseanet-production-client/src/components/thesaurus/index.js b/Phraseanet-production-client/src/components/thesaurus/index.js
index 37a6493a8a..c9f9d6c9e8 100644
--- a/Phraseanet-production-client/src/components/thesaurus/index.js
+++ b/Phraseanet-production-client/src/components/thesaurus/index.js
@@ -636,7 +636,9 @@ const thesaurusService = services => {
                 sbas[i].seeker = $.ajax({
                     url: zurl,
                     type: 'POST',
-                    data: [],
+                    data: {
+                        prodTabThesaurus_token: $('form.thesaurus-filter-submit-action input[name=prodTabThesaurus_token]').val()
+                    },
                     dataType: 'json',
                     success: function (j) {
                         var z = '#TX_P\\.' + j.parm.sbid + '\\.T';
@@ -680,7 +682,9 @@ const thesaurusService = services => {
                 sbas[i].seeker = $.ajax({
                     url: zurl,
                     type: 'POST',
-                    data: [],
+                    data: {
+                        prodTabThesaurus_token: $('form.thesaurus-filter-submit-action input[name=prodTabThesaurus_token]').val()
+                    },
                     dataType: 'json',
                     success: function (j) {
                         var z = '#TX_P\\.' + j.parm.sbid + '\\.T';
diff --git a/lib/Alchemy/Phrasea/Controller/LightboxController.php b/lib/Alchemy/Phrasea/Controller/LightboxController.php
index f17c036ab7..8347903f52 100644
--- a/lib/Alchemy/Phrasea/Controller/LightboxController.php
+++ b/lib/Alchemy/Phrasea/Controller/LightboxController.php
@@ -264,6 +264,8 @@ private function markBasketRead(Basket $basket)
      */
     private function getValidationTemplate()
     {
+        $this->setSessionFormToken('lightbox');
+
         return 'lightbox/validate.html.twig';
     }
 
@@ -338,6 +340,10 @@ public function ajaxReportAction(Basket $basket)
      */
     public function ajaxSetNoteAction(Request $request, $sselcont_id)
     {
+        if (!$this->isCrsfValid($request, 'lightbox')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         $note = $request->request->get('note');
 
         if (is_null($note)) {
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
index bc55f20a40..3671a9e40a 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php
@@ -224,7 +224,7 @@ public function getRecordById($sbasId, $recordId)
      */
     public function doDeleteRecords(Request $request)
     {
-        if ($this->isCrsfValid($request, 'prodDeleteRecord')) {
+        if (!$this->isCrsfValid($request, 'prodDeleteRecord')) {
             return $this->app->json(['success' => false , 'message' => 'invalid delete form'], 403);
         }
 
diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RootController.php b/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
index 9b9462e2ac..3f5b6d2673 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/RootController.php
@@ -106,6 +106,7 @@ public function indexAction(Request $request) {
 
         $this->setSessionFormToken('searchForm');
         $this->setSessionFormToken('prodExposeNew');
+        $this->setSessionFormToken('prodTabThesaurus');
 
         return $this->render('prod/index.html.twig', [
             'module_name'          => 'Production',
diff --git a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php
index 8677fc9d13..5983d4e14b 100644
--- a/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php
+++ b/lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusXmlHttpController.php
@@ -1440,6 +1440,10 @@ public function replaceCandidateJson(Request $request)
 
     public function searchTermJson(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'prodTabThesaurus')) {
+            return $this->app->json(['success' => false , 'message' => 'invalid form token'], 403);
+        }
+
         $lng = $request->get('lng');
 
         $html = '';
diff --git a/templates/web/lightbox/sc_note.html.twig b/templates/web/lightbox/sc_note.html.twig
index 2265371c3d..bb03ff4f54 100644
--- a/templates/web/lightbox/sc_note.html.twig
+++ b/templates/web/lightbox/sc_note.html.twig
@@ -26,6 +26,7 @@
                   {{ 'boutton::enregistrer' | trans }}
                 </button>
             </div>
+            <input type="hidden" name="lightbox_token" value="{{ app['session'].get('lightbox_token') }}">
         </form>
     </div>
 </div>
diff --git a/templates/web/prod/tab_thesaurus.html.twig b/templates/web/prod/tab_thesaurus.html.twig
index 7ad6feb90e..5fd693292f 100644
--- a/templates/web/prod/tab_thesaurus.html.twig
+++ b/templates/web/prod/tab_thesaurus.html.twig
@@ -30,6 +30,7 @@
                             </button>
                             <input type="button" class="th_clear"/>
                         </div>
+                        <input type="hidden" name="prodTabThesaurus_token" value="{{ app['session'].get('prodTabThesaurus_token') }}">
                     </form>
                 </div>
                 <div id="THPD_T">

From 1a915fba06d96612f3ba9c928ea744a5890cc220 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Thu, 14 Sep 2023 14:49:40 +0300
Subject: [PATCH 15/16] fix test

---
 tests/Alchemy/Tests/Phrasea/Application/LightboxTest.php    | 6 ++++--
 tests/Alchemy/Tests/Phrasea/Controller/Prod/RecordsTest.php | 5 ++++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/tests/Alchemy/Tests/Phrasea/Application/LightboxTest.php b/tests/Alchemy/Tests/Phrasea/Application/LightboxTest.php
index d72b7a8e1a..f5d4f7a071 100644
--- a/tests/Alchemy/Tests/Phrasea/Application/LightboxTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Application/LightboxTest.php
@@ -292,13 +292,15 @@ public function testAjaxSetNote()
         $validationBasket = $app['orm.em']->find('Phraseanet:Basket', 4);
         $validationBasketElement = $validationBasket->getElements()->first();
 
-        $client->request('POST', '/lightbox/ajax/SET_NOTE/' . $validationBasketElement->getId() . '/');
+        $randomValue = $this->setSessionFormToken('lightbox');
+
+        $client->request('POST', '/lightbox/ajax/SET_NOTE/' . $validationBasketElement->getId() . '/', ['lightbox_token'  => $randomValue]);
         $this->assertEquals(400, $client->getResponse()->getStatusCode());
 
         $client->request(
             'POST'
             , '/lightbox/ajax/SET_NOTE/' . $validationBasketElement->getId() . '/'
-            , ['note' => 'une jolie note']
+            , ['note' => 'une jolie note', 'lightbox_token'  => $randomValue]
         );
 
         $this->assertEquals(200, $client->getResponse()->getStatusCode(), sprintf('set note to element %s ', $validationBasketElement->getId()));
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Prod/RecordsTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Prod/RecordsTest.php
index c87103f878..d2e76eb251 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Prod/RecordsTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Prod/RecordsTest.php
@@ -30,7 +30,10 @@ public function testDoDeleteRecords()
     {
         $file = new File(self::$DI['app'], self::$DI['app']['mediavorus']->guess(__DIR__ . '/../../../../../files/cestlafete.jpg'), self::$DI['collection']);
         $record = \record_adapter::createFromFile($file, self::$DI['app']);
-        $response = $this->XMLHTTPRequest('POST', '/prod/records/delete/', ['lst' => $record->getId()]);
+        $randomValue = $this->setSessionFormToken('prodDeleteRecord');
+
+        $response = $this->XMLHTTPRequest('POST', '/prod/records/delete/', ['lst' => $record->getId(), 'prodDeleteRecord_token'  => $randomValue]);
+
         $datas = (array) json_decode($response->getContent());
         $this->assertContains($record->getId(), $datas);
         try {

From d7733baf2b4a7f9c145de3c16e4f722df28d5784 Mon Sep 17 00:00:00 2001
From: aynsix <asr@esokia-webagency.com>
Date: Wed, 27 Sep 2023 19:33:51 +0300
Subject: [PATCH 16/16] fix set cover publication

---
 Phraseanet-production-client/dist/production.js               | 3 ++-
 Phraseanet-production-client/dist/production.min.js           | 3 ++-
 .../src/components/ui/workzone/index.js                       | 3 ++-
 .../PhraseanetService/Controller/PSExposeController.php       | 4 ++--
 templates/web/prod/WorkZone/ExposePublicationAssets.html.twig | 1 +
 5 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/Phraseanet-production-client/dist/production.js b/Phraseanet-production-client/dist/production.js
index 3aa7700ce8..0ea0d75acd 100644
--- a/Phraseanet-production-client/dist/production.js
+++ b/Phraseanet-production-client/dist/production.js
@@ -10989,7 +10989,8 @@ var workzone = function workzone(services) {
                 dataType: 'json',
                 data: {
                     exposeName: '' + exposeName,
-                    publicationData: publicationData
+                    publicationData: publicationData,
+                    prodExposeEdit_token: (0, _jquery2.default)(this).find('input[name="prodExposeEdit_token"]').val()
                 },
                 success: function success(data) {
                     if (data.success) {
diff --git a/Phraseanet-production-client/dist/production.min.js b/Phraseanet-production-client/dist/production.min.js
index 3aa7700ce8..0ea0d75acd 100644
--- a/Phraseanet-production-client/dist/production.min.js
+++ b/Phraseanet-production-client/dist/production.min.js
@@ -10989,7 +10989,8 @@ var workzone = function workzone(services) {
                 dataType: 'json',
                 data: {
                     exposeName: '' + exposeName,
-                    publicationData: publicationData
+                    publicationData: publicationData,
+                    prodExposeEdit_token: (0, _jquery2.default)(this).find('input[name="prodExposeEdit_token"]').val()
                 },
                 success: function success(data) {
                     if (data.success) {
diff --git a/Phraseanet-production-client/src/components/ui/workzone/index.js b/Phraseanet-production-client/src/components/ui/workzone/index.js
index c0f262f19e..83bf5b083e 100644
--- a/Phraseanet-production-client/src/components/ui/workzone/index.js
+++ b/Phraseanet-production-client/src/components/ui/workzone/index.js
@@ -1076,7 +1076,8 @@ const workzone = (services) => {
                 dataType: 'json',
                 data: {
                     exposeName: `${exposeName}`,
-                    publicationData: publicationData
+                    publicationData: publicationData,
+                    prodExposeEdit_token: $(this).find('input[name="prodExposeEdit_token"]').val()
                 },
                 success: function (data) {
                     if (data.success) {
diff --git a/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php b/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php
index 361d8b5f92..9df6ada7b6 100644
--- a/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php
+++ b/lib/Alchemy/Phrasea/PhraseanetService/Controller/PSExposeController.php
@@ -302,6 +302,8 @@ public function listPublicationAction(PhraseaApplication $app, Request $request)
             ]);
         }
 
+        $this->setSessionFormToken('prodExposeEdit');
+
         $exposeListTwig = $this->render("prod/WorkZone/ExposeList.html.twig", [
             'publications'          => $publications,
             'exposeFrontBasePath'   => $exposeFrontBasePath
@@ -382,8 +384,6 @@ public function getPublicationAction(PhraseaApplication $app, Request $request)
 
         list($permissions, $listUsers, $listGroups) = $this->getPermissions($exposeClient, $request->get('publicationId'), $accessToken);
 
-        $this->setSessionFormToken('prodExposeEdit');
-
         return $this->render("prod/WorkZone/ExposeEdit.html.twig", [
             'timezone'    => $request->get('timezone'),
             'publication' => $publication,
diff --git a/templates/web/prod/WorkZone/ExposePublicationAssets.html.twig b/templates/web/prod/WorkZone/ExposePublicationAssets.html.twig
index 9b71f21340..d12dc5ceaa 100644
--- a/templates/web/prod/WorkZone/ExposePublicationAssets.html.twig
+++ b/templates/web/prod/WorkZone/ExposePublicationAssets.html.twig
@@ -73,6 +73,7 @@
             {% if capabilitiesEdit %}
                 <div class="set-cover" style="position: absolute;bottom: 0;cursor: pointer;" title="Set as Cover"
                      data-publication-id="{{ publicationId }}" data-asset-id="{{ asset.id }}">
+                    <input name="prodExposeEdit_token" type="hidden" value="{{ app['session'].get('prodExposeEdit_token') }}"/>
 
                     <img src="/assets/common/images/icons/icon_story.gif" title="Set as Cover">
                 </div>