Skip to content

Commit a46d263

Browse files
FasseFasse
authored
Merge commit from fork
implement csrf-token check on deleting mylists
2 parents 32eeded + 6897f2f commit a46d263

File tree

1 file changed

+9
-9
lines changed

1 file changed

+9
-9
lines changed

modules/groups-roles/mylist_function.php

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,12 @@
3838
throw new Exception('SYS_MODULE_DISABLED');
3939
}
4040

41+
// check the CSRF token of the form against the session token
42+
$myListForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
43+
if ($_POST['adm_csrf_token'] !== $myListForm->getCsrfToken()) {
44+
throw new Exception('Invalid or missing CSRF token!');
45+
}
46+
4147
// At least one field should be assigned (has a non-empty value)
4248
if (
4349
empty($_POST['column']) ||
@@ -77,12 +83,6 @@
7783

7884
// save list
7985
if (in_array($getMode, array('save', 'save_as', 'save_temporary'))) {
80-
// check the CSRF token of the form against the session token
81-
$categoryReportConfigForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
82-
if ($_POST['adm_csrf_token'] !== $categoryReportConfigForm->getCsrfToken()) {
83-
throw new Exception('Invalid or missing CSRF token!');
84-
}
85-
8686
$globalConfiguration = admFuncVariableIsValid($_POST, 'cbx_global_configuration', 'bool', array('defaultValue' => false));
8787

8888
// go through all existing columns
@@ -98,22 +98,22 @@ function ($col, $sort = null, $cond = null) use ($list, $gProfileFields, &$colum
9898
$list->deleteColumn($columnNumber, false);
9999
return null;
100100
}
101-
101+
102102
// Add column (profile fields usr_/mem_ stay as-is, others map to usf_id)
103103
if (StringUtils::strStartsWith($col, 'usr_') || StringUtils::strStartsWith($col, 'mem_')) {
104104
$list->addColumn($col, $columnNumber, $sort ?? '', $cond ?? '');
105105
} else {
106106
$list->addColumn($gProfileFields->getProperty($col, 'usf_id'), $columnNumber, $sort ?? '', $cond ?? '');
107107
}
108-
108+
109109
$columnNumber++;
110110
return null; // return value unused
111111
},
112112
$columns,
113113
$sorts,
114114
$conditions
115115
);
116-
116+
117117
// Remove potentially deleted columns at the end
118118
$list->deleteColumn($columnNumber, true);
119119

0 commit comments

Comments
 (0)