Improvements to the preferences screen

2015-09-23 18:21:30 -04:00 · 2015-09-23 18:21:30 -04:00 · a86e3ed4a8
parent 13d1534042
commit a86e3ed4a8
3 changed files with 32 additions and 4 deletions
--- a/airtime_mvc/application/common/SecurityHelper.php
+++ b/airtime_mvc/application/common/SecurityHelper.php
@ -12,4 +12,17 @@ class SecurityHelper {
        }
        return $arr;
    }
+
+    public static function verifyAjaxCSRFToken($observedToken) {
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $observedToken;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if ($observed_csrf_token == $expected_csrf_token){
+            return true;
+        }else{
+            return false;
+        }
+
+    }
 }
--- a/airtime_mvc/application/controllers/PreferenceController.php
+++ b/airtime_mvc/application/controllers/PreferenceController.php
@ -134,6 +134,12 @@ class PreferenceController extends Zend_Controller_Action
        // Remove reliance on .phtml files to render requests
        $this->_helper->viewRenderer->setNoRender(true);

+        if (!SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
+            Logging::error(__FILE__ . ': Invalid CSRF token');
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+            return;
+        }
+
        Application_Model_Preference::SetStationLogo("");
    }

@ -479,6 +485,12 @@ class PreferenceController extends Zend_Controller_Action
    {
        $this->view->layout()->disableLayout();
        $this->_helper->viewRenderer->setNoRender(true);
+        
+        if (!SecurityHelper::verifyAjaxCSRFToken($this->_getParam('csrf_token'))) {
+            Logging::error(__FILE__ . ': Invalid CSRF token');
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+            return;
+        }

        // Only admin users should get here through ACL permissioning
        // Only allow POST requests
--- a/airtime_mvc/public/js/airtime/preferences/preferences.js
+++ b/airtime_mvc/public/js/airtime/preferences/preferences.js
@ -114,15 +114,18 @@ function setMsAuthenticationFieldsReadonly(ele) {
 }

 function removeLogo() {
-    $.post(baseUrl+'Preference/remove-logo', function(json){});
-    location.reload();
+    $.post(baseUrl+'preference/remove-logo', {'csrf_token' : $('#csrf').val()}, function(json){
+        // Reload without resubmitting the form
+        location.href = location.href.replace(location.hash,"");
+    });
 }

 function deleteAllFiles() {
    var resp = confirm($.i18n._("Are you sure you want to delete all the tracks in your library?"))
    if (resp) {
-        $.post(baseUrl+'Preference/delete-all-files', function(json){});
-        location.reload();
+        $.post(baseUrl+'preference/delete-all-files', {'csrf_token' : $('#csrf').val()}, function(json){
+            location.reload();
+        });
    }
 }