From a86e3ed4a8f3dba26bcb044c1863e8d9c23cbf38 Mon Sep 17 00:00:00 2001
From: Albert Santoni
Date: Wed, 23 Sep 2015 18:21:30 -0400
Subject: [PATCH] Improvements to the preferences screen
---
 airtime_mvc/application/common/SecurityHelper.php | 13 +++++++++++++
 .../controllers/PreferenceController.php | 12 ++++++++++++
 .../public/js/airtime/preferences/preferences.js | 11 +++++++----
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/airtime_mvc/application/common/SecurityHelper.php b/airtime_mvc/application/common/SecurityHelper.php
index 95353407e..baf4ca46b 100644
--- a/airtime_mvc/application/common/SecurityHelper.php
+++ b/airtime_mvc/application/common/SecurityHelper.php
@@ -12,4 +12,17 @@ class SecurityHelper {
 }
 return $arr;
 }
+
+ public static function verifyAjaxCSRFToken($observedToken) {
+ $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $observed_csrf_token = $observedToken;
+ $expected_csrf_token = $current_namespace->authtoken;
+
+ if ($observed_csrf_token == $expected_csrf_token){
+ return true;
+ }else{
+ return false;
+ }
+
+ }
 }
\ No newline at end of file
diff --git a/airtime_mvc/application/controllers/PreferenceController.php b/airtime_mvc/application/controllers/PreferenceController.php
index 7eee7afbe..478d1d332 100644
--- a/airtime_mvc/application/controllers/PreferenceController.php
+++ b/airtime_mvc/application/controllers/PreferenceController.php
@@ -134,6 +134,12 @@ class PreferenceController extends Zend_Controller_Action
 // Remove reliance on .phtml files to render requests
 $this->_helper->viewRenderer->setNoRender(true);
+ if (!SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
+ Logging::error(__FILE__ . ': Invalid CSRF token');
+ $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+ return;
+ }
+
 Application_Model_Preference::SetStationLogo("");
 }
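Review bot: verifyAjaxCSRFToken compares the two tokens with `==`, so PHP's loose comparison applies: two token strings that both parse as numbers compare equal even when their bytes differ, and a request that simply omits csrf_token passes whenever the session namespace has no authtoken yet, because an unset namespace key reads as null and `null == null` holds. Compare as strings, in constant time, and refuse an empty expected token: `$expected = (string) $current_namespace->authtoken;` followed by `return $expected !== '' && hash_equals($expected, (string) $observedToken);`. That also removes the `$observed_csrf_token` alias and the if/else wrapped around a boolean. The method has no docblock; `/** Returns true iff $observedToken equals the CSRF token held in the csrf_namespace session namespace. */` would state the contract.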
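Review bot: A rejected token is reported only inside the JSON body while the HTTP status stays 200, and the same five-line block is pasted again in the second hunk at @@ -479; the action that ends in this hunk begins outside it. Because the page-side callbacks reload on any completed response, a failed check looks exactly like success to the user, so send a 403 as well (`$this->getResponse()->setHttpResponseCode(403);` before sendJson). With two copies already, a private helper on the controller keeps the two actions in step; a sketch follows. The ZF1 JSON helper's sendJson exits by default unless suppressExit is set, which would make the `return;` after it dead code — worth confirming against the helper configuration in this project.
```php
// … unchanged: setNoRender(true) …
if (!$this->verifyCsrfTokenOrFail()) {
    return;
}
// … unchanged: Application_Model_Preference::SetStationLogo("") …

/**
 * Returns true when the csrf_token request parameter matches the session
 * token; otherwise logs, sends a 403 JSON error and returns false.
 */
private function verifyCsrfTokenOrFail()
{
    if (SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
        return true;
    }
    Logging::error(__FILE__ . ': Invalid CSRF token');
    $this->getResponse()->setHttpResponseCode(403);
    $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
    return false;
}
```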
@@ -479,6 +485,12 @@ class PreferenceController extends Zend_Controller_Action
 {
 $this->view->layout()->disableLayout();
 $this->_helper->viewRenderer->setNoRender(true);
+
+ if (!SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
+ Logging::error(__FILE__ . ': Invalid CSRF token');
+ $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+ return;
+ }
 // Only admin users should get here through ACL permissioning
 // Only allow POST requests
diff --git a/airtime_mvc/public/js/airtime/preferences/preferences.js b/airtime_mvc/public/js/airtime/preferences/preferences.js
index 91a9bef3a..a03f0094e 100644
--- a/airtime_mvc/public/js/airtime/preferences/preferences.js
+++ b/airtime_mvc/public/js/airtime/preferences/preferences.js
@@ -114,15 +114,18 @@ function setMsAuthenticationFieldsReadonly(ele) {
 }
 function removeLogo() {
- $.post(baseUrl+'Preference/remove-logo', function(json){});
- location.reload();
+ $.post(baseUrl+'preference/remove-logo', {'csrf_token' : $('#csrf').val()}, function(json){
+ // Reload without resubmitting the form
+ location.href = location.href.replace(location.hash,"");
+ });
 }
 function deleteAllFiles() {
 var resp = confirm($.i18n._("Are you sure you want to delete all the tracks in your library?"))
 if (resp) {
- $.post(baseUrl+'Preference/delete-all-files', function(json){});
- location.reload();
+ $.post(baseUrl+'preference/delete-all-files', {'csrf_token' : $('#csrf').val()}, function(json){
+ location.reload();
+ });
 }
 }
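Review bot: The new success callbacks in removeLogo and deleteAllFiles ignore their `json` argument and navigate unconditionally, so the `valid: false` / `error` payload the controller now returns for a bad token never reaches the user, and a non-2xx response (there is no error handler on either `$.post`) leaves the page silently unchanged. Check the result before navigating, in removeLogo `if (json && json.valid === false) { alert(json.error); return; }` ahead of the `location.href` assignment and the same guard before `location.reload()` in deleteAllFiles; chaining `.fail(...)` on the returned jqXHR would cover transport errors. Both functions presume a hidden input with id `csrf` exists on the preferences page — worth confirming in the template, since `$('#csrf').val()` on a missing element yields undefined, which jQuery appears to serialise as an empty csrf_token. The `location.href.replace(location.hash, "")` trick also looks like it would not reload when the current URL ends in a bare `#`, because `location.hash` is then empty and assigning the same URL is a fragment navigation — confirm or fall back to `location.reload()` there too.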