Adds CSRF tokens to settings edit page

Yasen Pramatarov 2025-02-22 18:55:17 +02:00
parent 4b4cac7cec
commit ad6ca25493
2 changed files with 19 additions and 6 deletions


@ -7,6 +7,10 @@
* adding, editing, and deleting platforms, hosts, agents. * adding, editing, and deleting platforms, hosts, agents.
*/ */
// Check if this is an AJAX request
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
// Get any new feedback messages // Get any new feedback messages
include '../app/helpers/feedback.php'; include '../app/helpers/feedback.php';
@ -73,8 +77,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$_SESSION['error'] = "Editing the host failed. Error: $result"; $_SESSION['error'] = "Editing the host failed. Error: $result";
} }
} }
header('Location: ' . $redirectUrl); if (!$isAjax) {
exit; header('Location: ' . $redirectUrl);
exit;
}
// agent operations // agent operations
} elseif (isset($_POST['item']) && $_POST['item'] === 'agent') { } elseif (isset($_POST['item']) && $_POST['item'] === 'agent') {
@ -114,8 +120,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$_SESSION['error'] = "Editing the agent failed. Error: $result"; $_SESSION['error'] = "Editing the agent failed. Error: $result";
} }
} }
header('Location: ' . $redirectUrl); if (!$isAjax) {
exit; header('Location: ' . $redirectUrl);
exit;
}
// platform operations // platform operations
} elseif (isset($_POST['item']) && $_POST['item'] === 'platform') { } elseif (isset($_POST['item']) && $_POST['item'] === 'platform') {
@ -153,8 +161,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$_SESSION['error'] = "Editing the platform failed. Error: $result"; $_SESSION['error'] = "Editing the platform failed. Error: $result";
} }
} }
header('Location: ' . $redirectUrl); if (!$isAjax) {
exit; header('Location: ' . $redirectUrl);
exit;
}
} }
} else { } else {
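Review bot: When `$isAjax` is true, each new `if (!$isAjax)` guard skips both the redirect and the `exit`, so the request falls out of the POST branch into the `} else {` that follows and the AJAX caller gets whatever that branch renders instead of a result; the outcome only survives as `$_SESSION['error']` for the next full page load. Each guard should answer AJAX callers explicitly, e.g. `if ($isAjax) { header('Content-Type: application/json'); echo json_encode(['ok' => !isset($_SESSION['error'])]); exit; }` before the existing redirect, with the exact payload shaped after the `$result` values this file already uses. None of the three hunks shows the `csrf_token` the page now submits being verified server-side; if that check does not live in an earlier part of this file or a shared front controller, it must be added before the host/agent/platform branches that change state, and `X-Requested-With` must stay a formatting hint only, since the header is client-controlled. The enclosing `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block begins and ends outside these hunks.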


@ -691,6 +691,7 @@ $(function() {
const formData = new FormData(); const formData = new FormData();
formData.append('item', 'platform'); formData.append('item', 'platform');
formData.append('platform', platformId); formData.append('platform', platformId);
formData.append('csrf_token', '<?= $security->generateCsrfToken() ?>');
formData.append('name', platformTable.find('input[name="name"]').val()); formData.append('name', platformTable.find('input[name="name"]').val());
formData.append('jitsi_url', platformTable.find('input[name="jitsi_url"]').val()); formData.append('jitsi_url', platformTable.find('input[name="jitsi_url"]').val());
formData.append('jilo_database', platformTable.find('input[name="jilo_database"]').val()); formData.append('jilo_database', platformTable.find('input[name="jilo_database"]').val());
@ -914,6 +915,7 @@ $(function() {
formData.append('item', 'host'); formData.append('item', 'host');
formData.append('host', hostId); formData.append('host', hostId);
formData.append('platform', platformId); formData.append('platform', platformId);
formData.append('csrf_token', '<?= $security->generateCsrfToken() ?>');
card.find('.host-edit-mode input').each(function() { card.find('.host-edit-mode input').each(function() {
formData.append($(this).attr('name'), $(this).val()); formData.append($(this).attr('name'), $(this).val());
@ -1048,6 +1050,7 @@ $(function() {
formData.append('item', 'agent'); formData.append('item', 'agent');
formData.append('agent', agentId); formData.append('agent', agentId);
formData.append('host', hostId); formData.append('host', hostId);
formData.append('csrf_token', '<?= $security->generateCsrfToken() ?>');
row.find('.agent-edit-mode input, .agent-edit-mode select').each(function() { row.find('.agent-edit-mode input, .agent-edit-mode select').each(function() {
formData.append($(this).attr('name'), $(this).val()); formData.append($(this).attr('name'), $(this).val());
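Review bot: The three new `formData.append('csrf_token', '<?= $security->generateCsrfToken() ?>')` lines each call the generator separately and splice its output into a single-quoted JS string with no escaping; if `generateCsrfToken()` issues a fresh value on every call and only the last one is kept in the session, the first two forms would submit stale tokens, and any quote or backslash in the value would break the script. Emit the token once at the top of the script as `const csrfToken = <?= json_encode($security->generateCsrfToken()) ?>;` and use `formData.append('csrf_token', csrfToken);` in all three handlers, so one token is generated per page render and it is JS-safe regardless of its alphabet. Whether the helper rotates the token per call cannot be confirmed from this hunk — verify against its implementation. The `$(function() { ... })` wrapper and the surrounding handlers start and end outside the hunk.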