Adds XSRF protection to the AXLetter module.

Fixes several bugs in the AXLetter module (admin validation / AX cancellation of letters wasn't properly working; it was not possible to add admins with user ids above 2^15 - 1).

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>

diff --git a/modules/axletter.php b/modules/axletter.php
index 7ea3f06..d093bd3 100644 (file)
--- a/modules/axletter.php
+++ b/modules/axletter.php
@@ -109,7 +109,7 @@ class AXLetterModule extends PLModule
                 $saved = false;
                 $new   = true;
             }
-        } elseif (Post::has('valid')) {
+        } elseif (Post::has('valid') && S::has_xsrf_token()) {
             if (!$subject && $title) {
                 $subject = $title;
             }
@@ -190,6 +190,8 @@ class AXLetterModule extends PLModule
                 pl_redirect('ax');
                 break;
             }
+        } elseif (Post::has('valid')) {
+            $page->trig("L'opération a échouée, merci de réessayer.");
         }
         $page->assign('id', $id);
         $page->assign('short_name', $short_name);
@@ -224,17 +226,12 @@ class AXLetterModule extends PLModule
     function handler_cancel(&$page, $force = null)
     {
         require_once dirname(__FILE__) . '/axletter/axletter.inc.php';
-        if (!AXLetter::hasPerms()) {
-            return PL_FORBIDDEN;
-        }
-
-        $url = parse_url($_SERVER['HTTP_REFERER']);
-        if ($force != 'force' && trim($url['path'], '/') != 'ax/edit') {
+        if (!AXLetter::hasPerms() || !S::has_xsrf_token()) {
             return PL_FORBIDDEN;
         }
 
         $al = AXLetter::awaiting();
-        if (!$alg) {
+        if (!$al) {
             $page->kill("Aucune lettre en attente");
             return;
         }
@@ -249,12 +246,7 @@ class AXLetterModule extends PLModule
     function handler_valid(&$page, $force = null)
     {
         require_once dirname(__FILE__) . '/axletter/axletter.inc.php';
-        if (!AXLetter::hasPerms()) {
-            return PL_FORBIDDEN;
-        }
-
-        $url = parse_url($_SERVER['HTTP_REFERER']);
-        if ($force != 'force' && trim($url['path'], '/') != 'ax/edit') {
+        if (!AXLetter::hasPerms() || !S::has_xsrf_token()) {
             return PL_FORBIDDEN;
         }
 
@@ -296,7 +288,7 @@ class AXLetterModule extends PLModule
             $action = Post::v('action');
             $uid    = Post::v('uid');
         }
-        if ($uid) {
+        if ($uid && S::has_xsrf_token()) {
             $uids   = preg_split('/ *[,;\: ] */', $uid);
             foreach ($uids as $uid) {
                 switch ($action) {
@@ -308,9 +300,11 @@ class AXLetterModule extends PLModule
                     break;
                 }
                 if (!$res) {
-                    $page->trig("Personne ne oorrespond à l'identifiant '$uid'");
+                    $page->trig("Personne ne correspond à l'identifiant '$uid'");
                 }
             }
+        } elseif ($uid) {
+            $page->trig("L'opération sur la liste des administrateurs AX a échouée, merci de réessayer.");
         }
 
         $page->changeTpl('axletter/admin.tpl');

diff --git a/templates/axletter/admin.tpl b/templates/axletter/admin.tpl
index 6632c49..a4ab3e3 100644 (file)
--- a/templates/axletter/admin.tpl
+++ b/templates/axletter/admin.tpl
@@ -23,6 +23,7 @@
 <h1>Droits d'administration des lettres de l'AX</h1>
 
 <form action="admin/axletter" method="post">
+  {xsrf_token_field}
   <table class="tinybicol">
     <tr>
       <th>Nom</th>
@@ -37,7 +38,7 @@
     {iterate item=a from=$admins}
     <tr class="{cycle values="impair, pair"}">
       <td><a href="profile/{$a.forlife}" class="popup2">{$a.prenom} {$a.nom} (X{$a.promo}){icon name=user_suit}</a></td>
-      <td class="right"><a href="admin/axletter/del/{$a.forlife}">{icon name=cross title="Retirer"}</a></td>
+      <td class="right"><a href="admin/axletter/del/{$a.forlife}?token={xsrf_token}">{icon name=cross title="Retirer"}</a></td>
     </tr>
     {/iterate}
   </table>

diff --git a/templates/axletter/edit.tpl b/templates/axletter/edit.tpl
index 12a0092..cea59d5 100644 (file)
--- a/templates/axletter/edit.tpl
+++ b/templates/axletter/edit.tpl
@@ -23,6 +23,7 @@
 <h1>Edition de message</h1>
 
 <form action="{$platal->pl_self()}" method="post">
+  {xsrf_token_field}
   {if $am}
   {include file="axletter/letter.tpl"}
 
@@ -76,10 +77,10 @@
       <td colspan="2" class="center">
         Envoi au plus tard le {$echeance|date_format:"%x vers %Hh"}<br />
         {if $is_xorg}
-        [<a href="ax/edit/valid" onclick="return confirm('Es-tu sûr de voiloir valider l\'envoi de ce message ?');">{*
+        [<a href="ax/edit/valid?token={xsrf_token}" onclick="return confirm('Es-tu sûr de vouloir valider l\'envoi de ce message ?');">{*
           *}{icon name=thumb_up} Valider l'envoi</a>]
         {else}
-        [<a href="ax/edit/cancel" onclick="return confirm('Es-tu sûr de vouloir annuler l\'envoi de ce message ?');">{*
+        [<a href="ax/edit/cancel?token={xsrf_token}" onclick="return confirm('Es-tu sûr de vouloir annuler l\'envoi de ce message ?');">{*
           *}{icon name=thumb_down} Annuler l'envoi</a>]
         {/if}
       </td>

diff --git a/upgrade/0.9.17/01_axletter.sql b/upgrade/0.9.17/01_axletter.sql
new file mode 100644 (file)
index 0000000..17ffb94
--- /dev/null
+++ b/upgrade/0.9.17/01_axletter.sql
@@ -0,0 +1,3 @@
+ALTER TABLE axletter_rights CHANGE COLUMN user_id user_id SMALLINT UNSIGNED NOT NULL DEFAULT 0;
+
+-- vim:set syntax=mysql: