Do not use IDs from form fields
This commit is contained in:
parent
9527ef632f
commit
36b817ac58
@ -145,7 +145,7 @@ class CannedMessageController extends AbstractController
|
||||
set_csrf_token();
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$message_id = $request->attributes->getInt('message_id', false);
|
||||
$message_id = $request->attributes->getInt('message_id');
|
||||
$page = array(
|
||||
// Use errors list stored in the request. We need to do so to have
|
||||
// an ability to pass the request from the "submitEditForm" action.
|
||||
@ -205,15 +205,9 @@ class CannedMessageController extends AbstractController
|
||||
csrf_check_token($request);
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$message_id = $request->attributes->getInt('message_id');
|
||||
$errors = array();
|
||||
|
||||
// Use value from the form and not from the path to make sure it is
|
||||
// correct. If not, treat the param as empty one.
|
||||
$message_id = $request->request->get('key');
|
||||
if (!preg_match("/^(\d{1,10})?$/", $message_id)) {
|
||||
$message_id = false;
|
||||
}
|
||||
|
||||
$title = $request->request->get('title');
|
||||
if (!$title) {
|
||||
$errors[] = no_field("form.field.title");
|
||||
|
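Review bot: The "new message" sentinel changes type in the submitEditForm hunk: the removed code left `$message_id` as `''` (valid empty key) or `false` (malformed key), whereas `$request->attributes->getInt('message_id')` yields `0` when the route carries no `message_id`. Any later check in this method that compares with `=== false` or `=== ''` would no longer match; the remainder of submitEditForm lies outside the hunk, so please confirm it only tests truthiness. Since the explanatory comment was dropped together with the form read, a one-line replacement such as `// The ID comes from the route; 0 means a new message is being created.` would keep the intent visible. The same int-versus-false distinction applies to `getInt('message_id')` in the edit action hunk above it.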
@ -38,7 +38,7 @@ class SettingsController extends AbstractController
|
||||
set_csrf_token();
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$group_id = $request->attributes->getInt('group_id', false);
|
||||
$group_id = $request->attributes->getInt('group_id');
|
||||
|
||||
$page = array(
|
||||
'gid' => false,
|
||||
@ -110,12 +110,7 @@ class SettingsController extends AbstractController
|
||||
|
||||
$errors = array();
|
||||
|
||||
// Use value from the form and not from the path to make sure it is
|
||||
// correct. If not, treat the param as empty one.
|
||||
$group_id = $request->request->get('gid', false);
|
||||
if (!preg_match("/^\d{1,10}$/", $group_id)) {
|
||||
$group_id = false;
|
||||
}
|
||||
$group_id = $request->attributes->get('group_id', false);
|
||||
|
||||
$parent_group = $request->request->get('parentgroup');
|
||||
if (!$parent_group || !preg_match("/^\d{1,10}$/", $parent_group)) {
|
||||
|
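Review bot: The submit hunk reads the route attribute as `$request->attributes->get('group_id', false)` while the edit hunk at the top of the same class uses `$request->attributes->getInt('group_id')`, so the same ID arrives as a string in one action and as an int in the other. Prefer one form; `getInt('group_id')` matches the other controllers in this commit, but it returns 0 rather than false when the attribute is absent, so the "new group" branch further down (outside the hunk) must test truthiness rather than `=== false` before that change is safe. Either way a short comment, e.g. `// Group ID comes from the route, not from the form.`, would explain why the old form-field validation is gone.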
@ -17,7 +17,6 @@
|
||||
|
||||
namespace Mibew\Controller\Operator;
|
||||
|
||||
use Mibew\Http\Exception\BadRequestException;
|
||||
use Mibew\Http\Exception\NotFoundException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
@ -100,8 +99,6 @@ class GroupsController extends AbstractController
|
||||
* @return string Rendered page content.
|
||||
* @throws NotFoundException If the operator with specified ID is not found
|
||||
* in the system.
|
||||
* @throws BadRequestException If the "op" field of the form is in wrong
|
||||
* format.
|
||||
*/
|
||||
public function submitFormAction(Request $request)
|
||||
{
|
||||
@ -109,13 +106,7 @@ class GroupsController extends AbstractController
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
$operator_in_isolation = in_isolation($operator);
|
||||
|
||||
// Use value from the form and not from the path to make sure it is
|
||||
// correct. If not, throw an exception.
|
||||
$op_id = $request->request->get('op');
|
||||
if (!preg_match("/^\d{1,10}$/", $op_id)) {
|
||||
throw new BadRequestException('Wrong value of "op" form field.');
|
||||
}
|
||||
$op_id = $request->attributes->getInt('operator_id');
|
||||
|
||||
// Check if the target operator exists
|
||||
$op = operator_by_id($op_id);
|
||||
|
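Review bot: With the `\d{1,10}` check and its BadRequestException removed, `$request->attributes->getInt('operator_id')` silently casts whatever the router matched to an int, so a non-numeric or missing segment becomes `0` and the request presumably ends as a NotFoundException from the `operator_by_id` lookup rather than a 400. That is acceptable only if the route definition (not part of this diff) restricts `operator_id` to digits; please confirm that requirement exists, otherwise the input contract is looser than the one the docblock used to document. The identical change in PermissionsController's submitFormAction hunk has the same dependency on the route requirements. A comment such as `// Operator ID comes from the route; its format is expected to be enforced there.` would record the assumption next to the lookup.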
@ -17,7 +17,6 @@
|
||||
|
||||
namespace Mibew\Controller\Operator;
|
||||
|
||||
use Mibew\Http\Exception\BadRequestException;
|
||||
use Mibew\Http\Exception\NotFoundException;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
@ -90,21 +89,13 @@ class PermissionsController extends AbstractController
|
||||
* @return string Rendered page content.
|
||||
* @throws NotFoundException If the operator with specified ID is not found
|
||||
* in the system.
|
||||
* @throws BadRequestException If the "op" field of the form is in wrong
|
||||
* format.
|
||||
*/
|
||||
public function submitFormAction(Request $request)
|
||||
{
|
||||
csrf_check_token($request);
|
||||
|
||||
$operator = $request->attributes->get('_operator');
|
||||
|
||||
// Use value from the form and not from the path to make sure it is
|
||||
// correct. If not, throw an exception.
|
||||
$op_id = $request->request->get('op');
|
||||
if (!preg_match("/^\d{1,10}$/", $op_id)) {
|
||||
throw new BadRequestException('Wrong value of "op" form field.');
|
||||
}
|
||||
$op_id = $request->attributes->getInt('operator_id');
|
||||
|
||||
// Check if the target operator exists
|
||||
$op = operator_by_id($op_id);
|
||||
|
@ -117,9 +117,7 @@ class ProfileController extends AbstractController
|
||||
|
||||
$errors = array();
|
||||
$operator = $request->attributes->get('_operator');
|
||||
// Use value from the form and not from the path to make sure it is
|
||||
// correct. If not, treat the param as empty one.
|
||||
$op_id = $request->request->getInt('opid', false);
|
||||
$op_id = $request->attributes->getInt('operator_id');
|
||||
|
||||
if (is_capable(CAN_ADMINISTRATE, $operator)) {
|
||||
$login = $request->request->get('login');
|
||||
|
@ -22,7 +22,6 @@
|
||||
|
||||
<form name="cannedForm" method="post" action="{{formaction}}">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="key" value="{{key}}"/>
|
||||
|
||||
{{#unless key}}
|
||||
<input type="hidden" name="lang" value="{{locale}}"/>
|
||||
|
@ -24,7 +24,6 @@
|
||||
|
||||
<form name="groupForm" method="post" action="{{formaction}}">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="gid" value="{{grid}}"/>
|
||||
|
||||
<div>
|
||||
{{> _tabs}}
|
||||
|
@ -15,7 +15,6 @@
|
||||
|
||||
<form name="membersForm" method="post" action="{{mibewRoot}}/operator/group/{{groupid}}/members">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="gid" value="{{groupid}}"/>
|
||||
|
||||
<div>
|
||||
{{> _tabs}}
|
||||
|
@ -11,7 +11,6 @@
|
||||
|
||||
<form name="avatarForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/avatar" enctype="multipart/form-data">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="op" value="{{opid}}"/>
|
||||
|
||||
<div>
|
||||
{{> _tabs}}
|
||||
|
@ -25,7 +25,6 @@
|
||||
{{#ifAny opid canmodify}}
|
||||
<form name="agentForm" method="post" action="{{formaction}}">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="opid" value="{{opid}}"/>
|
||||
|
||||
<div>
|
||||
{{#unless needChangePassword}}{{> _tabs}}{{/unless}}
|
||||
|
@ -15,7 +15,6 @@
|
||||
|
||||
<form name="opgroupsForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/groups">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="op" value="{{opid}}"/>
|
||||
|
||||
<div>
|
||||
{{> _tabs}}
|
||||
|
@ -15,7 +15,6 @@
|
||||
|
||||
<form name="permissionsForm" method="post" action="{{mibewRoot}}/operator/operator/{{opid}}/permissions">
|
||||
{{csrfTokenInput}}
|
||||
<input type="hidden" name="op" value="{{opid}}"/>
|
||||
|
||||
<div>
|
||||
{{> _tabs}}
|
||||
|