From 944c29b96429ec95ac1371cb33cc43704a60c7b1 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Tue, 20 Nov 2018 16:02:03 +0100
Subject: Require POST for sending forms

* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes #494 (Security Vulnerability)
---
 includes/view/AngelTypes_view.php | 17 ++---
 includes/view/Questions_view.php | 16 ++---
 includes/view/ShiftEntry_view.php | 31 +++++----
 includes/view/ShiftTypes_view.php | 20 +++---
 includes/view/UserAngelTypes_view.php | 123 ++++++++++++++--------------------
 includes/view/UserWorkLog_view.php | 17 +++--
 6 files changed, 96 insertions(+), 128 deletions(-)
(limited to 'includes/view')

diff --git a/includes/view/AngelTypes_view.php b/includes/view/AngelTypes_view.php
index 58c9567b..ab4ce517 100644
--- a/includes/view/AngelTypes_view.php
+++ b/includes/view/AngelTypes_view.php
@@ -53,17 +53,12 @@ function AngelType_delete_view($angeltype)
 {
 return page_with_title(sprintf(__('Delete angeltype %s'), $angeltype['name']), [
 info(sprintf(__('Do you want to delete angeltype %s?'), $angeltype['name']), true),
- buttons([
- button(page_link_to('angeltypes'), glyph('remove') . __('cancel')),
- button(
- page_link_to(
- 'angeltypes',
- ['action' => 'delete', 'angeltype_id' => $angeltype['id'], 'confirmed' => 1]
- ),
- glyph('ok') . __('delete'),
- 'btn-danger'
- )
- ])
+ form([
+ buttons([
+ button(page_link_to('angeltypes'), glyph('remove') . __('cancel')),
+ form_submit('delete', glyph('ok') . __('delete'), 'btn-danger', false),
+ ])
+ ]),
 ]);
 }
diff --git a/includes/view/Questions_view.php b/includes/view/Questions_view.php
index 4008b7cd..29629074 100644
--- a/includes/view/Questions_view.php
+++ b/includes/view/Questions_view.php
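Review bot: Dropping `'confirmed' => 1` and posting to the current URL means the confirmation is now carried only by the `delete` submit field, so the `angeltypes` handler has to require a POST carrying that field and stop honouring the old `confirmed=1` query parameter; the handler is outside this diff (it is limited to includes/view), so the GET path may still be reachable until that side is changed. The same applies to the action-less forms in ShiftTypes_view.php, ShiftEntry_view.php and UserWorkLog_view.php. Whether the submission is also bound to the user's session depends on `form()` emitting a CSRF token and the handler verifying it, which cannot be seen here either. A one-line comment above the form would make the contract explicit, e.g. `// confirmation is the 'delete' POST field; the handler must reject plain GET`.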
@@ -9,22 +9,18 @@ function Questions_view($open_questions, $answered_questions, $ask_action) { foreach ($open_questions as &$question) { - $question['actions'] = '' - . __('delete') - . ''; + $question['actions'] = form([ + form_submit('submit', __('delete'), 'btn-default btn-xs') + ], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']])); $question['Question'] = str_replace("\n", '
', $question['Question']); } foreach ($answered_questions as &$question) { $question['Question'] = str_replace("\n", '
', $question['Question']); $question['Answer'] = str_replace("\n", '
', $question['Answer']);
- $question['actions'] = ''
- . __('delete')
- . '';
+ $question['actions'] = form([
+ form_submit('submit', __('delete'), 'btn-default btn-xs')
+ ], page_link_to('user_questions', ['action' => 'delete', 'id' => $question['QID']]));
 }
 return page_with_title(questions_title(), [
diff --git a/includes/view/ShiftEntry_view.php b/includes/view/ShiftEntry_view.php
index 5d4364f5..26e9896d 100644
--- a/includes/view/ShiftEntry_view.php
+++ b/includes/view/ShiftEntry_view.php
@@ -5,14 +5,13 @@ use Engelsystem\Models\User\User;
 /**
 * Sign off from an user from a shift with admin permissions, asking for ack.
 *
- * @param array $shiftEntry
 * @param array $shift
 * @param array $angeltype
 * @param User $signoff_user
 *
 * @return string HTML
 */
-function ShiftEntry_delete_view_admin($shiftEntry, $shift, $angeltype, $signoff_user)
+function ShiftEntry_delete_view_admin($shift, $angeltype, $signoff_user)
 {
 return page_with_title(ShiftEntry_delete_title(), [
 info(sprintf(
@@ -23,26 +22,25 @@ function ShiftEntry_delete_view_admin($shiftEntry, $shift, $angeltype, $signoff_
 date('Y-m-d H:i', $shift['end']),
 $angeltype['name']
 ), true),
- buttons([
- button(user_link($signoff_user->id), glyph('remove') . __('cancel')),
- button(shift_entry_delete_link($shiftEntry, [
- 'continue' => 1
- ]), glyph('ok') . __('delete'), 'btn-danger')
- ])
+ form([
+ buttons([
+ button(user_link($signoff_user->id), glyph('remove') . __('cancel')),
+ form_submit('delete', glyph('ok') . __('delete'), 'btn-danger', false)
+ ]),
+ ]),
 ]);
 }

 /**
 * Sign off from a shift, asking for ack.
 *
- * @param array $shiftEntry
 * @param array $shift
 * @param array $angeltype
 * @param int $signoff_user_id
 *
 * @return string HTML
 */
-function ShiftEntry_delete_view($shiftEntry, $shift, $angeltype, $signoff_user_id)
+function ShiftEntry_delete_view($shift, $angeltype, $signoff_user_id)
 {
 return page_with_title(ShiftEntry_delete_title(), [
 info(sprintf(
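Review bot: The delete form is built twice with identical arguments, once per loop, with only the QID differing; a small helper keeps the two call sites in step when the action, button label or field name changes. Both loops iterate by reference and neither is followed by `unset($question)`, which is pre-existing but worth fixing while the loop bodies are being touched, since a later by-value use of `$question` would write into the last answered question. The enclosing `Questions_view()` continues outside the hunk.
```php
/**
 * Delete form for one question row (used for open and answered questions).
 *
 * @param int $questionId
 * @return string HTML
 */
function Question_delete_form($questionId)
{
    return form([
        form_submit('submit', __('delete'), 'btn-default btn-xs')
    ], page_link_to('user_questions', ['action' => 'delete', 'id' => $questionId]));
}

// … unchanged: both loops, each replacing the inline form([...]) with …
$question['actions'] = Question_delete_form($question['QID']);
```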
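Review bot: `ShiftEntry_delete_view_admin()` and `ShiftEntry_delete_view()` lose their `$shiftEntry` parameter and the new form has no action, so the entry being deleted is identified only by the query string of the page that renders the form; every caller must drop the first argument, and the handler must take the entry id from the current request and check for the `delete` POST field instead of the old `continue=1` link parameter. Neither the callers nor the handler are in this diff, which is limited to includes/view, so that side needs checking before merge. `UserWorkLog_delete_view()` in UserWorkLog_view.php drops `$userWorkLog` in the same way. The docblocks should say where the id now comes from, e.g. ` * The shift entry to delete is identified by the current request, not by a parameter.`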
@@ -52,12 +50,13 @@ function ShiftEntry_delete_view($shiftEntry, $shift, $angeltype, $signoff_user_i
 date('Y-m-d H:i', $shift['end']),
 $angeltype['name']
 ), true),
- buttons([
- button(user_link($signoff_user_id), glyph('remove') . __('cancel')),
- button(shift_entry_delete_link($shiftEntry, [
- 'continue' => 1
- ]), glyph('ok') . __('delete'), 'btn-danger')
- ])
+
+ form([
+ buttons([
+ button(user_link($signoff_user_id), glyph('remove') . __('cancel')),
+ form_submit('delete', glyph('ok') . __('delete'), 'btn-danger', false),
+ ]),
+ ]),
 ]);
 }
diff --git a/includes/view/ShiftTypes_view.php b/includes/view/ShiftTypes_view.php
index 7053f164..72d119ff 100644
--- a/includes/view/ShiftTypes_view.php
+++ b/includes/view/ShiftTypes_view.php
@@ -21,17 +21,17 @@ function ShiftType_delete_view($shifttype)
 {
 return page_with_title(sprintf(__('Delete shifttype %s'), $shifttype['name']), [
 info(sprintf(__('Do you want to delete shifttype %s?'), $shifttype['name']), true),
- buttons([
- button(page_link_to('shifttypes'), glyph('remove') . __('cancel')),
- button(
- page_link_to(
- 'shifttypes',
- ['action' => 'delete', 'shifttype_id' => $shifttype['id'], 'confirmed' => 1]
+ form([
+ buttons([
+ button(page_link_to('shifttypes'), glyph('remove') . __('cancel')),
+ form_submit(
+ 'delete',
+ glyph('ok') . __('delete'),
+ 'btn-danger',
+ false
 ),
- glyph('ok') . __('delete'),
- 'btn-danger'
- )
- ])
+ ]),
+ ]),
 ]);
 }
diff --git a/includes/view/UserAngelTypes_view.php b/includes/view/UserAngelTypes_view.php
index 1c583389..d4d8aab6 100644
--- a/includes/view/UserAngelTypes_view.php
+++ b/includes/view/UserAngelTypes_view.php
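Review bot: The new side of this hunk adds an empty line before `form([` inside the `page_with_title()` array (the `+` line carrying nothing), which the admin variant of the same view does not have; drop it so the two confirmation views are formatted identically. The rest of the replacement mirrors `ShiftEntry_delete_view_admin()` and needs no further change. `ShiftEntry_delete_view()` starts before this hunk.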
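Review bot: `form_submit()` is spread over six lines here while the identical call in AngelTypes_view.php is written on one line, `form_submit('delete', glyph('ok') . __('delete'), 'btn-danger', false),`; collapsing it keeps the delete views consistent. The trailing `false` cannot be read off the call, so a short comment naming what that fourth argument switches off would help the next reader.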
@@ -20,22 +20,19 @@ function UserAngelType_update_view($user_angeltype, $user, $angeltype, $supporte
 $angeltype['name'],
 User_Nick_render($user)
 ), true),
- buttons([
- button(
- page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]),
- glyph('remove') . __('cancel')
- ),
- button(
- page_link_to('user_angeltypes', [
- 'action' => 'update',
- 'user_angeltype_id' => $user_angeltype['id'],
- 'supporter' => ($supporter ? '1' : '0'),
- 'confirmed' => 1,
- ]),
- glyph('ok') . __('yes'),
- 'btn-primary'
- )
- ])
+ form([
+ buttons([
+ button(
+ page_link_to('angeltypes', ['action' => 'view', 'angeltype_id' => $angeltype['id']]),
+ glyph('remove') . __('cancel')
+ ),
+ form_submit('submit', glyph('ok') . __('yes'), 'btn-primary', false),
+ ]),
+ ], page_link_to('user_angeltypes', [
+ 'action' => 'update',
+ 'user_angeltype_id' => $user_angeltype['id'],
+ 'supporter' => ($supporter ? '1' : '0'),
+ ])),
 ]);
 }
@@ -48,23 +45,18 @@ function UserAngelTypes_delete_all_view($angeltype)
 return page_with_title(__('Deny all users'), [
 msg(),
 info(sprintf(__('Do you really want to deny all users for %s?'), $angeltype['name']), true),
- buttons([
- button(
- page_link_to(
- 'angeltypes',
- ['action' => 'view', 'angeltype_id' => $angeltype['id']]
- ),
- glyph('remove') . __('cancel')
- ),
- button(
- page_link_to(
- 'user_angeltypes',
- ['action' => 'delete_all', 'angeltype_id' => $angeltype['id'], 'confirmed' => 1]
+ form([
+ buttons([
+ button(
+ page_link_to(
+ 'angeltypes',
+ ['action' => 'view', 'angeltype_id' => $angeltype['id']]
+ ),
+ glyph('remove') . __('cancel')
 ),
- glyph('ok') . __('yes'),
- 'btn-primary'
- )
- ])
+ form_submit('deny_all', glyph('ok') . __('yes'), 'btn-primary', false)
+ ]),
+ ], page_link_to('user_angeltypes', ['action' => 'delete_all', 'angeltype_id' => $angeltype['id']])),
 ]);
 }
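Review bot: The submit field names in this file are inconsistent: `'submit'` for the update form here and for the join form in the hunk at `@@ -189,16 +170,14 @@`, but `'deny_all'`, `'confirm_all'`, `'confirm_user'` and `'delete'` for the others. If the `user_angeltypes` handler selects its POST branch by field name, naming every button after its action (`'update'`, `'add'`) makes the pairing with the handler readable from the view alone. The `supporter` flag and the ids still travel in the action URL's query string exactly as the old links sent them, so the protection gained here rests on the handler rejecting non-POST requests, which is not part of this diff. `UserAngelType_update_view()` starts before this hunk.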
@@ -77,15 +69,12 @@ function UserAngelTypes_confirm_all_view($angeltype)
 return page_with_title(__('Confirm all users'), [
 msg(),
 info(sprintf(__('Do you really want to confirm all users for %s?'), $angeltype['name']), true),
- buttons([
- button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
- button(
- page_link_to('user_angeltypes',
- ['action' => 'confirm_all', 'angeltype_id' => $angeltype['id'], 'confirmed' => 1]),
- glyph('ok') . __('yes'),
- 'btn-primary'
- )
- ])
+ form([
+ buttons([
+ button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
+ form_submit('confirm_all', glyph('ok') . __('yes'), 'btn-primary', false),
+ ]),
+ ], page_link_to('user_angeltypes', ['action' => 'confirm_all', 'angeltype_id' => $angeltype['id']])),
 ]);
 }
@@ -104,17 +93,12 @@ function UserAngelType_confirm_view($user_angeltype, $user, $angeltype)
 User_Nick_render($user),
 $angeltype['name']
 ), true),
- buttons([
- button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
- button(
- page_link_to(
- 'user_angeltypes',
- ['action' => 'confirm', 'user_angeltype_id' => $user_angeltype['id'], 'confirmed' => 1]
- ),
- glyph('ok') . __('yes'),
- 'btn-primary'
- )
- ])
+ form([
+ buttons([
+ button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
+ form_submit('confirm_user', glyph('ok') . __('yes'), 'btn-primary', false),
+ ]),
+ ], page_link_to('user_angeltypes', ['action' => 'confirm', 'user_angeltype_id' => $user_angeltype['id']])),
 ]);
 }
@@ -133,15 +117,12 @@ function UserAngelType_delete_view($user_angeltype, $user, $angeltype)
 User_Nick_render($user),
 $angeltype['name']
 ), true),
- buttons([
- button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
- button(
- page_link_to('user_angeltypes',
- ['action' => 'delete', 'user_angeltype_id' => $user_angeltype['id'], 'confirmed' => 1]),
- glyph('ok') . __('yes'),
- 'btn-primary'
- )
- ])
+ form([
+ buttons([
+ button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
+ form_submit('delete', glyph('ok') . __('yes'), 'btn-primary', false),
+ ]),
+ ], page_link_to('user_angeltypes', ['action' => 'delete', 'user_angeltype_id' => $user_angeltype['id']])),
 ]);
 }
@@ -189,16 +170,14 @@ function UserAngelType_join_view($user, $angeltype)
 User_Nick_render($user),
 $angeltype['name']
 ), true),
- buttons([
- button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
- button(
- page_link_to(
- 'user_angeltypes',
- ['action' => 'add', 'angeltype_id' => $angeltype['id'], 'user_id' => $user->id, 'confirmed' => 1]
- ),
- glyph('ok') . __('save'),
- 'btn-primary'
- )
- ])
+ form([
+ buttons([
+ button(angeltype_link($angeltype['id']), glyph('remove') . __('cancel')),
+ form_submit('submit', glyph('ok') . __('save'), 'btn-primary', false)
+ ]),
+ ], page_link_to(
+ 'user_angeltypes',
+ ['action' => 'add', 'angeltype_id' => $angeltype['id'], 'user_id' => $user->id]
+ )),
 ]);
 }
diff --git a/includes/view/UserWorkLog_view.php b/includes/view/UserWorkLog_view.php
index 8b4e7ae3..0d5e7797 100644
--- a/includes/view/UserWorkLog_view.php
+++ b/includes/view/UserWorkLog_view.php
@@ -5,23 +5,22 @@ use Engelsystem\Models\User\User;
 /**
 * Delete work log entry.
 *
- * @param User $user_source
- * @param array $userWorkLog
+ * @param User $user_source
 * @return string
 */
-function UserWorkLog_delete_view($user_source, $userWorkLog)
+function UserWorkLog_delete_view($user_source)
 {
 return page_with_title(UserWorkLog_delete_title(), [
 info(sprintf(
 __('Do you want to delete the worklog entry for %s?'),
 User_Nick_render($user_source)
 ), true),
- buttons([
- button(user_link($user_source->id), glyph('remove') . __('cancel')),
- button(user_worklog_delete_link($userWorkLog, [
- 'confirmed' => 1
- ]), glyph('ok') . __('delete'), 'btn-danger')
- ])
+ form([
+ buttons([
+ button(user_link($user_source->id), glyph('remove') . __('cancel')),
+ form_submit('submit', glyph('ok') . __('delete'), 'btn-danger', false),
+ ]),
+ ]),
 ]);
 }
--
cgit v1.2.3-54-g00ecf