Congegni
/
libretime
mirror of https://github.com/libretime/libretime.git
7
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added csrf verification to show image upload and deletion

This commit is contained in:
Duncan Sommerville 2015-03-02 16:00:11 -05:00
parent f1a311dad6
commit 17d51eb0f9
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
airtime_mvc/application/forms/AddShowStyle.php
View File

@ -79,7 +79,7 @@ class Application_Form_AddShowStyle extends Zend_Form_SubForm
->addValidator('Count', false, 1) ->addValidator('Count', false, 1)
->addValidator('Extension', false, 'jpg,jpeg,png,gif') ->addValidator('Extension', false, 'jpg,jpeg,png,gif')
->addFilter('ImageSize'); ->addFilter('ImageSize');
$this->addElement($upload); $this->addElement($upload);
// Add image preview // Add image preview
@ -93,6 +93,14 @@ class Application_Form_AddShowStyle extends Zend_Form_SubForm
'class' => 'big' 'class' => 'big'
)))); ))));
$preview->setAttrib('disabled','disabled'); $preview->setAttrib('disabled','disabled');
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_element = new Zend_Form_Element_Hidden('csrf');
$csrf_element->setValue($csrf_namespace->authtoken)
->setRequired('true')
->removeDecorator('HtmlTag')
->removeDecorator('Label');
$this->addElement($csrf_element);
} }
public function disable() public function disable()

4
airtime_mvc/public/js/airtime/schedule/add-show.js
View File

@ -668,7 +668,7 @@ function setAddShowEvents(form) {
var showId = $("#add_show_id").attr("value"); var showId = $("#add_show_id").attr("value");
if (showId && $("#add_show_logo_current").attr("src") !== "") { if (showId && $("#add_show_logo_current").attr("src") !== "") {
var action = '/rest/show-image?id=' + showId; var action = '/rest/show-image?csrf_token=' + $('#csrf').val() + '&id=' + showId;
$.ajax({ $.ajax({
url: action, url: action,
@ -748,7 +748,7 @@ function setAddShowEvents(form) {
data: {format: "json", data: data, hosts: hosts, days: days}, data: {format: "json", data: data, hosts: hosts, days: days},
success: function(json) { success: function(json) {
if (json.showId && image) { // Successfully added the show, and it contains an image to upload if (json.showId && image) { // Successfully added the show, and it contains an image to upload
var imageAction = '/rest/show-image?id=' + json.showId; var imageAction = '/rest/show-image?csrf_token=' + $('#csrf').val() + '&id=' + json.showId;
// perform a second xhttprequest in order to send the show image // perform a second xhttprequest in order to send the show image
$.ajax({ $.ajax({