Improvements to the preferences screen

This commit is contained in:
Albert Santoni 2015-09-23 18:21:30 -04:00
parent 13d1534042
commit a86e3ed4a8
3 changed files with 32 additions and 4 deletions


@ -12,4 +12,17 @@ class SecurityHelper {
} }
return $arr; return $arr;
} }
public static function verifyAjaxCSRFToken($observedToken) {
$current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $observedToken;
$expected_csrf_token = $current_namespace->authtoken;
if ($observed_csrf_token == $expected_csrf_token){
return true;
}else{
return false;
}
}
} }
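Review bot: verifyAjaxCSRFToken compares the two tokens with loose `==` and has no emptiness check, so a request that omits `csrf_token` entirely passes whenever the session namespace has no `authtoken` set yet (null == null is true), and loose comparison also lets type-juggled values through. The string comparison is not constant-time either. Reject anything that is not a non-empty string on either side and compare with `hash_equals()` (PHP 5.6+; on older targets a manual constant-time loop is needed). A docblock stating the contract would help callers: `/** Returns true only if $observedToken is a non-empty string identical to the session's authtoken. */`.
```php
public static function verifyAjaxCSRFToken($observedToken) {
    $current_namespace = new Zend_Session_Namespace('csrf_namespace');
    $expected_csrf_token = $current_namespace->authtoken;
    // Reject a missing/empty token on either side so null == null cannot pass,
    // then compare in constant time.
    if (!is_string($observedToken) || $observedToken === ''
        || !is_string($expected_csrf_token) || $expected_csrf_token === '') {
        return false;
    }
    return hash_equals($expected_csrf_token, $observedToken);
}
```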


@ -134,6 +134,12 @@ class PreferenceController extends Zend_Controller_Action
// Remove reliance on .phtml files to render requests // Remove reliance on .phtml files to render requests
$this->_helper->viewRenderer->setNoRender(true); $this->_helper->viewRenderer->setNoRender(true);
if (!SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
Logging::error(__FILE__ . ': Invalid CSRF token');
$this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
return;
}
Application_Model_Preference::SetStationLogo(""); Application_Model_Preference::SetStationLogo("");
} }
@ -480,6 +486,12 @@ class PreferenceController extends Zend_Controller_Action
$this->view->layout()->disableLayout(); $this->view->layout()->disableLayout();
$this->_helper->viewRenderer->setNoRender(true); $this->_helper->viewRenderer->setNoRender(true);
if (!SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
Logging::error(__FILE__ . ': Invalid CSRF token');
$this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
return;
}
// Only admin users should get here through ACL permissioning // Only admin users should get here through ACL permissioning
// Only allow POST requests // Only allow POST requests
$method = $_SERVER['REQUEST_METHOD']; $method = $_SERVER['REQUEST_METHOD'];
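Review bot: Both added checks read the token with `$this->_getParam('csrf_token')`, which in Zend Framework 1 merges route, query-string and POST parameters, so the token is accepted from the URL and can end up in access logs and Referer headers; the first hunk (remove-logo) also has no POST-only restriction visible, unlike the second hunk where the request-method check follows. Read it from the POST body only, `$this->getRequest()->getPost('csrf_token')`, and since the five-line check is duplicated verbatim, a small protected helper in the controller that verifies and sends the JSON error would keep the two copies in sync. Sending an HTTP 403 alongside the JSON body would also let clients detect the failure without parsing it. Both enclosing actions begin outside the hunks.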


@ -114,15 +114,18 @@ function setMsAuthenticationFieldsReadonly(ele) {
} }
function removeLogo() { function removeLogo() {
$.post(baseUrl+'Preference/remove-logo', function(json){}); $.post(baseUrl+'preference/remove-logo', {'csrf_token' : $('#csrf').val()}, function(json){
location.reload(); // Reload without resubmitting the form
location.href = location.href.replace(location.hash,"");
});
} }
function deleteAllFiles() { function deleteAllFiles() {
var resp = confirm($.i18n._("Are you sure you want to delete all the tracks in your library?")) var resp = confirm($.i18n._("Are you sure you want to delete all the tracks in your library?"))
if (resp) { if (resp) {
$.post(baseUrl+'Preference/delete-all-files', function(json){}); $.post(baseUrl+'preference/delete-all-files', {'csrf_token' : $('#csrf').val()}, function(json){
location.reload(); location.reload();
});
} }
} }
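Review bot: The success callbacks added to both `$.post` calls reload the page unconditionally, so when the server answers with `{"valid": false, "error": "..."}` (the CSRF failure response the PHP side of this commit sends) the error is discarded and the page reloads as if the action had succeeded. Check the response first, e.g. in removeLogo `if (json && json.valid === false) { alert(json.error); return; }` before the `location.href` line, and likewise before `location.reload()` in deleteAllFiles. Whether a `#csrf` element exists on this page is not shown in the diff; if it is absent `$('#csrf').val()` is undefined and jQuery drops the key, so the request would silently hit that failure path.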