Merge commit from fork

implement csrf-token check for all registration functions

Author: Fasse

modules/profile/profile_new.php

@@ -52,6 +52,11 @@
     foreach ($getUserUuids as $userUuid) {
         // read user data
         if (!$gValidLogin || $getAcceptRegistration) {
+            if ($getAcceptRegistration) {
+                // check the CSRF token of the form against the session token
+                SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
+            }
+
             // create a user registration object and set requested organization
             $user = new UserRegistration($gDb, $gProfileFields);
             $user->readDataByUuid($userUuid);

modules/registration.php

@@ -88,6 +88,9 @@
         $page->createContentAssignUser($registrationUser, true);
         $page->show();
     } elseif (in_array($getMode, array('assign_member', 'assign_user'))) {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
+
         $registrationService = new RegistrationService($gDb, $getUserUUID);
         $message = $registrationService->assignRegistration($getUserUUIDAssigned, $getMode === 'assign_member');
 
@@ -104,6 +107,10 @@
         exit();
     } elseif ($getMode === 'create_user') {
         // accept a registration, assign necessary roles and send a notification email
+
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
+
         $registrationUser->acceptRegistration();
 
         // if current user has the right to assign roles then show roles dialog

src/Session/Entity/Session.php

@@ -150,12 +150,12 @@ protected function clearUserData()
 
     /**
      * Returns a CSRF token from the session. If no CSRF token exists a new one will be
-     * generated and stored within the session. The next call of the method will than
+     * generated and stored within the session. The next call of the method will then
      * return the existing token. The CSRF token has 30 characters. A new token could
      * be forced by the parameter **$newToken**
      * @param bool $newToken If set to true, always a new token will be generated.
      * @return string Returns the CSRF token
-     * @throws Exception
+     * @throws \Exception
      */
     public function getCsrfToken(bool $newToken = false): string
     {

src/UI/Presenter/RegistrationPresenter.php

@@ -89,8 +89,14 @@ public function createRegistrationList(): void
                     'name' => $gL10n->get('SYS_ASSIGN_REGISTRATION')
                 );
             } else {
+                if ($gCurrentUser->isAdministratorUsers()) {
+                    $url = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES.'/profile/profile_new.php', array('accept_registration' => true, 'user_uuid' => $row['usr_uuid']));
+                } else {
+                    $url = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES.'/registration.php', array('mode' => 'create_user', 'user_uuid' => $row['usr_uuid']));
+                }
                 $templateRow['buttons'][] = array(
-                    'url' => ($gCurrentUser->isAdministratorUsers() ? SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES.'/profile/profile_new.php', array('accept_registration' => true, 'user_uuid' => $row['usr_uuid'])) : SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES.'/registration.php', array('mode' => 'create_user', 'user_uuid' => $row['usr_uuid']))),
+                    'csrfToken' => $gCurrentSession->getCsrfToken(),
+                    'url' => $url,
                     'name' => $gL10n->get('SYS_CONFIRM_REGISTRATION')
                 );
             }

system/classes/ModuleContacts.php

@@ -45,7 +45,7 @@ public function __construct(string $id, string $headline = '')
      */
     public function createContentAssignUser(User $user, bool $assignRegistration = false)
     {
-        global $gL10n, $gSettingsManager, $gCurrentUser, $gDb, $gProfileFields, $gCurrentOrganization;
+        global $gL10n, $gSettingsManager, $gCurrentUser, $gDb, $gProfileFields, $gCurrentOrganization, $gCurrentSession;
 
         $templateData = array();
         $userUuid = $user->getValue('usr_uuid');
@@ -127,11 +127,13 @@ public function createContentAssignUser(User $user, bool $assignRegistration = f
                         $button['icon'] = 'bi-person-check-fill';
                         $button['url'] = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/registration.php', array('user_uuid' => $userUuid, 'user_uuid_assigned' => $similarUser->getValue('usr_uuid'), 'mode' => 'assign_member'));
                     }
+                    $button['csrfToken'] = $gCurrentSession->getCsrfToken();
                 }
             } else {
                 // found user is NOT a member of this organization yet
                 $button['label'] = $gL10n->get('SYS_ASSIGN_MEMBERSHIP');
                 $button['icon'] = 'bi-person-check-fill';
+                $button['csrfToken'] = $gCurrentSession->getCsrfToken();
 
                 if($assignRegistration) {
                     $button['url'] = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/registration.php', array('user_uuid' => $userUuid, 'user_uuid_assigned' => $similarUser->getValue('usr_uuid'), 'mode' => 'assign_user'));
@@ -156,6 +158,7 @@ public function createContentAssignUser(User $user, bool $assignRegistration = f
             $templateData[] = $templateRow;
         }
 
+        $this->smarty->assign('csrfToken', $gCurrentSession->getCsrfToken());
         $this->smarty->assign('similarUsers', $templateData);
         $this->smarty->assign('l10n', $gL10n);
         $this->pageContent .= $this->smarty->fetch('modules/contacts.assign.tpl');

themes/simple/templates/modules/contacts.assign.tpl

@@ -19,7 +19,7 @@
                     {if {array_key_exists array=$similarUser key='button'}}
                         <br />
                         <p>{$similarUser.button.description}</p>
-                        <button class="btn btn-primary" onclick="window.location.href='{$similarUser.button.url}'">
+                        <button class="btn btn-primary" onclick="redirectPost('{$similarUser.button.url}',{ adm_csrf_token: '{$similarUser.button.csrfToken}' });">
                             <i class="bi {$similarUser.button.icon}"></i>{$similarUser.button.label}</button>
                     {/if}
                 </li>
@@ -32,7 +32,7 @@
     <div class="card-body">
         <p>{$l10n->get('SYS_CONTACT_NOT_FOUND_CREATE_NEW')}</p>
 
-        <button class="btn btn-primary" onclick="window.location.href='{$createNewUserUrl}'">
+        <button class="btn btn-primary" onclick="redirectPost('{$createNewUserUrl}', { adm_csrf_token: '{$csrfToken}' });">
             <i class="bi bi-plus-circle-fill"></i>{$l10n->get('SYS_CREATE_CONTACT')}</button>
     </div>
 </div>

themes/simple/templates/sys-template-parts/card.information.button.tpl

@@ -22,7 +22,11 @@
             </ul>
             {if {array_key_exists array=$card key="buttons"} && count($card.buttons) > 0}
                 {foreach $card.buttons as $buttonItem}
-                    <a class="btn btn-primary mt-auto" href="{$buttonItem.url}">{$buttonItem.name}</a>
+                    {if isset($buttonItem.csrfToken)}
+                        <a class="btn btn-primary mt-auto" onclick="redirectPost('{$buttonItem.url}', { adm_csrf_token: '{$buttonItem.csrfToken}' });">{$buttonItem.name}</a>
+                    {else}
+                        <a class="btn btn-primary mt-auto" href="{$buttonItem.url}">{$buttonItem.name}</a>
+                    {/if}
                 {/foreach}
             {/if}
         </div>