Merge pull request #2091 from Shnoulle/master_fixTokenAnonymous

Fixed issue #14302: Easy way to get token in a anonymous survey (noxss)

application/controllers/survey/index.php

@@ -37,7 +37,13 @@ public function action()
         $surveyid    = $param['sid'];
         $thisstep    = $param['thisstep'];
         $move        = getMove();
+
+        /* Get client token by POST or GET value */
         $clienttoken = trim($param['token']);
+        /* If not set : get by SESSION to avoid multiple submit of same token in different navigator */
+        if(empty($clienttoken) && !empty($_SESSION['survey_' . $surveyid]['token'] ))  {
+            $clienttoken = $_SESSION['survey_' . $surveyid]['token'];
+        }
 
         $oSurvey = Survey::model()->findByPk($surveyid);
 

application/helpers/SurveyRuntimeHelper.php

@@ -540,8 +540,9 @@ public function run($surveyid, $args)
             $this->aSurveyInfo['hiddenInputs']         .= \CHtml::hiddenField('start_time', time(), array('id' => 'start_time'));
             $_SESSION[$this->LEMsessid]['LEMpostKey'] =  isset($_POST['LEMpostKeyPreset']) ? $_POST['LEMpostKeyPreset'] : mt_rand();
             $this->aSurveyInfo['hiddenInputs']         .= \CHtml::hiddenField('LEMpostKey', $_SESSION[$this->LEMsessid]['LEMpostKey'], array('id' => 'LEMpostKey'));
-            if (!empty($_SESSION[$this->LEMsessid]['token'])) {
-                $this->aSurveyInfo['hiddenInputs']     .= \CHtml::hiddenField('token', $_SESSION[$this->LEMsessid]['token'], array('id' => 'token'));
+            /* Reset session with multiple tabs (show Token mismatch issue) , but only for not anonymous survey */
+            if (!empty($_SESSION[$this->LEMsessid]['token']) and $this->aSurveyInfo['anonymized'] != 'Y') {
+                $this->aSurveyInfo['hiddenInputs']     .= \CHtml::hiddenField('token', $_SESSION[$this->LEMsessid]['token'], array('id'=>'token'));
             }
         }
 

application/helpers/frontend_helper.php

@@ -1897,9 +1897,8 @@ function display_first_page($thissurvey, $aSurveyInfo)
     $thissurvey['EM']['ScriptsAndHiddenInputs'] .= \CHtml::hiddenField('lastgroupname', '_WELCOME_SCREEN_', array('id' => 'lastgroupname')); //This is to ensure consistency with mandatory checks, and new group test
     $thissurvey['EM']['ScriptsAndHiddenInputs'] .= \CHtml::hiddenField('LEMpostKey', $_SESSION['survey_' . $surveyid]['LEMpostKey'], array('id' => 'LEMpostKey'));
     $thissurvey['EM']['ScriptsAndHiddenInputs'] .= \CHtml::hiddenField('thisstep', 0, array('id' => 'thisstep'));
-
-    if (!empty($_SESSION['survey_' . $surveyid]['token'])) {
-        $thissurvey['EM']['ScriptsAndHiddenInputs'] .= \CHtml::hiddenField('token', $_SESSION['survey_' . $surveyid]['token'], array('id' => 'token'));
+    if (!empty($_SESSION['survey_'.$surveyid]['token']) && $thissurvey['anonymized'] != "Y") {
+        $thissurvey['EM']['ScriptsAndHiddenInputs'] .= \CHtml::hiddenField('token', $_SESSION['survey_'.$surveyid]['token'], array('id'=>'token'));
     }
 
     if (!empty($loadsecurity)) {