Fixed issue #16792: Delete permission on Survey : no CRSF control (#2029

) Co-authored-by: encuestabizdevgit <devgit@encuesta.biz>
LimeSurvey · Sep 20, 2021 · 9451ad6 · 9451ad6
1 parent 451f362
commit 9451ad6
Show file tree

Hide file tree

Showing 31 changed files with 2,124 additions and 1,318 deletions.
diff --git a/application/controllers/SurveysGroupsPermissionController.php b/application/controllers/SurveysGroupsPermissionController.php
@@ -48,6 +48,12 @@ public function accessRules()
         ];
     }
 
+    public function filters()
+    {
+        return array(
+            'postOnly + DeleteUser'
+        );
+    }
 
     /**
      * Shown permissions list, allow to add user and group,

diff --git a/application/controllers/admin/PermissiontemplatesController.php b/application/controllers/admin/PermissiontemplatesController.php
@@ -356,6 +356,8 @@ public function batchDelete()
      */
     public function delete()
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasGlobalPermission('superadmin', 'read')) {
             Yii::app()->session['flashmessage'] = gT('You have no access to the role management!');
             $this->getController()->redirect(array('/admin'));

diff --git a/application/controllers/admin/PluginManagerController.php b/application/controllers/admin/PluginManagerController.php
@@ -166,6 +166,7 @@ public function scanFiles()
 
     public function deleteFiles($plugin)
     {
+        $this->requirePostRequest();
         $this->checkUpdatePermission();
 
         // Pre supposes the plugin is in the uploads folder. Other plugins are not deletable by button.

diff --git a/application/controllers/admin/SurveysGroupsController.php b/application/controllers/admin/SurveysGroupsController.php
@@ -351,6 +351,8 @@ public function surveySettings(int $id)
      */
     public function delete($id)
     {
+        $this->requirePostRequest();
+
         $oGroupToDelete = $this->loadModel($id);
         if (!$oGroupToDelete->hasPermission('group', 'delete')) {
             throw new CHttpException(403, gT("You do not have permission to access this page."));

diff --git a/application/controllers/admin/dataentry.php b/application/controllers/admin/dataentry.php
@@ -1302,6 +1302,8 @@ public function editdata($subaction, $id, $surveyid)
      */
     public function delete()
     {
+        $this->requirePostRequest();
+
         $surveyid = '';
         if (isset($_REQUEST['surveyid']) && !empty($_REQUEST['surveyid'])) {
             $surveyid = $_REQUEST['surveyid'];

diff --git a/application/controllers/admin/labels.php b/application/controllers/admin/labels.php
@@ -402,6 +402,8 @@ public function saveNewLabelSet()
      */
     public function delete()
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasGlobalPermission('labelsets', 'delete')) {
             throw new CHttpException(403, gT("You are not authorized to delete label sets.", 'unescaped'));
         }

diff --git a/application/controllers/admin/participantsaction.php b/application/controllers/admin/participantsaction.php
@@ -2368,6 +2368,8 @@ public function rejectShareParticipant()
      */
     public function deleteSingleParticipantShare($participantId, $shareUid)
     {
+        $this->requirePostRequest();
+
         $participantShare = ParticipantShare::model()->findByPk(array(
             'participant_id' => $participantId,
             'share_uid' => $shareUid

diff --git a/application/controllers/admin/quotas.php b/application/controllers/admin/quotas.php
@@ -303,6 +303,8 @@ public function delans($iSurveyId)
 
     public function delquota($iSurveyId)
     {
+        $this->requirePostRequest();
+
         $iSurveyId = sanitize_int($iSurveyId);
         $this->_checkPermissions($iSurveyId, 'delete');
 

diff --git a/application/controllers/admin/responses.php b/application/controllers/admin/responses.php
@@ -703,6 +703,8 @@ public function actionDelete($surveyid)
      */
     public function actionDeleteSingle($surveyid, $responseId)
     {
+        $this->requirePostRequest();
+
         if (!Permission::model()->hasSurveyPermission($surveyid, 'responses', 'delete')) {
             throw new CHttpException(403, gT("You do not have permission to access this page."));
         }

diff --git a/application/controllers/admin/surveypermission.php b/application/controllers/admin/surveypermission.php
@@ -130,7 +130,7 @@ public function index($iSurveyID)
                         'uid' => $PermissionRow['uid']
                     ));
                     $deleteConfirmMessage = gT("Are you sure you want to delete this entry?");
-                    $surveysecurity .= "<span data-toggle='tooltip' title='" . gT("Delete") . "'><a data-target='#confirmation-modal' data-toggle='modal' data-message='{$deleteConfirmMessage}' data-href='{$deleteUrl}' type='submit' class='btn-sm btn btn-default'>
+                    $surveysecurity .= "<span data-toggle='tooltip' title='" . gT("Delete") . "'><a data-target='#confirmation-modal' data-toggle='modal' data-message='{$deleteConfirmMessage}' data-post-url='{$deleteUrl}' type='submit' class='btn-sm btn btn-default'>
                         <span class='fa fa-trash text-danger'></span>
                         </a></span>";
                 }
@@ -499,6 +499,7 @@ function set($surveyid)
      */
     function delete($surveyid)
     {
+        $this->requirePostRequest();
 
         $aData['surveyid'] = $surveyid = sanitize_int($surveyid);
         $oSurvey = Survey::model()->findByPk($surveyid);

diff --git a/application/controllers/admin/tokens.php b/application/controllers/admin/tokens.php
@@ -259,6 +259,8 @@ public function deleteMultiple()
      */
     public function deleteToken()
     {
+        $this->requirePostRequest();
+
         $aTokenId = Yii::app()->getRequest()->getParam('sItem');
         $iSid = (int) Yii::app()->getRequest()->getParam('sid');
         if (!Permission::model()->hasSurveyPermission($iSid, 'tokens', 'delete')) {

diff --git a/application/controllers/admin/update.php b/application/controllers/admin/update.php
@@ -174,6 +174,8 @@ public function manage_submitkey()
 
     public function delete_key()
     {
+        $this->requirePostRequest();
+
         if (Permission::model()->hasGlobalPermission('superadmin')) {
             SettingGlobal::model()->deleteByPk('update_key');
             App()->setFlashMessage('Your update key has been removed');

diff --git a/application/core/Survey_Common_Action.php b/application/core/Survey_Common_Action.php
@@ -1218,4 +1218,19 @@ protected function renderJSON($aData, $success = true)
         ], true, false);
         return;
     }
+
+    /**
+     * Validates that the request method is POST.
+     *
+     * This is intended to be used on subactions. When possible (eg. when refactoring
+     * a Survey_Common_Action into an actual controller), use 'postOnly' filter instead.
+     *
+     * @throws CHttpException with 405 status if the request method is not POST.
+     */
+    protected function requirePostRequest()
+    {
+        if(!Yii::app()->getRequest()->isPostRequest) {
+            throw new CHttpException(405, gT("Invalid action"));
+        }
+    }
 }
diff --git a/application/models/LabelSet.php b/application/models/LabelSet.php
@@ -148,7 +148,7 @@ public function getbuttons()
             $button .= '<span data-toggle="tooltip" data-placement="top" title="' . gT('Delete label set') . '"><a 
             class="btn btn-default btn-sm"  
             data-toggle="modal"
-            data-href ="' . $url . '"
+            data-post-url ="' . $url . '"
             data-message="' . $message . '"
             data-target="#confirmation-modal" 
             title="' . gT("Delete") . '" 

diff --git a/application/models/Permissiontemplates.php b/application/models/Permissiontemplates.php
@@ -206,7 +206,7 @@ class='btn btn-sm btn-default'
                 data-toggle='modal' 
                 data-title='" . gt('Delete user role') . "'
                 data-target='#confirmation-modal'
-                data-href ='" . $deleteUrl . "' 
+                data-post-url ='" . $deleteUrl . "' 
                 data-btntext='" . gt('Delete') . "' 
                 data-message='" . gT('Do you want to delete this role?') . "'>
                     <i class='fa fa-trash text-danger'></i>

diff --git a/application/models/SurveyDynamic.php b/application/models/SurveyDynamic.php
@@ -353,8 +353,8 @@ public function getGridButtons()
                 'data-target' => '#confirmation-modal',
                 'data-btnclass' => 'btn-danger',
                 'data-btntext' => gt('Delete'),
-                'data-href' => 'App()->createUrl("admin/responses/sa/actionDeleteSingle",array("surveyid"=>' . self::$sid . ',"responseId"=>$data->id));',
-                'evaluateOptions' => array('data-href'),
+                'data-post-url' => 'App()->createUrl("admin/responses/sa/actionDeleteSingle",array("surveyid"=>' . self::$sid . ',"responseId"=>$data->id));',
+                'evaluateOptions' => array('data-post-url'),
                 'title' => gT("Delete this response"),
                 'data-message' => gT('Do you want to delete this response?')
                 . '<br/>'

diff --git a/application/models/SurveyTimingDynamic.php b/application/models/SurveyTimingDynamic.php
@@ -198,7 +198,7 @@ public function getButtons()
         // Delete
         if (Permission::model()->hasSurveyPermission(self::$sid, 'responses', 'delete')) {
             $deleteUrl = App()->createUrl("admin/dataentry/sa/delete/subaction/edit/surveyid/" . self::$sid . "/id/" . $this->id);
-            $buttons .= '<a class="btn btn-sm btn-default" data-target="#confirmation-modal" data-href="' . $deleteUrl . '" role="button" data-toggle="modal" data-tooltip="true" title="' . gT('Delete this response') . '"><span class="fa fa-trash text-danger" ></span></a>';
+            $buttons .= '<a class="btn btn-sm btn-default" data-target="#confirmation-modal" data-post-url="' . $deleteUrl . '" role="button" data-toggle="modal" data-tooltip="true" title="' . gT('Delete this response') . '"><span class="fa fa-trash text-danger" ></span></a>';
         }
         $buttons .= '</div>';
         return $buttons;

diff --git a/application/models/SurveysGroups.php b/application/models/SurveysGroups.php
@@ -125,7 +125,7 @@ public function getColumns()
                     'type' => 'raw',
                     'value' => '$data->buttons',
                     'headerHtmlOptions' => array('class' => 'hidden-xs'),
-                    'htmlOptions' => array('class' => 'hidden-xs'),
+                    'htmlOptions' => array('class' => 'hidden-xs button-column'),   // Cells that include buttons need the 'button-column' class to avoid triggering the 'selectionChanged' event
                 ),
                 array(
                     'header' => gT('Survey group ID'),
@@ -315,7 +315,7 @@ public function getButtons()
         }
         /* Can not delete group #1 + with survey (or move it to hasPermission function ?) */
         if ($this->gsid != 1 && !$this->hasSurveys && $this->hasPermission('group', 'delete')) {
-            $button .= '<span data-toggle="tooltip" title="' . gT('Delete survey group') . '"><a class="btn btn-sm btn-default" href="#" data-href="' . $sDeleteUrl . '" data-target="#confirmation-modal" role="button" data-toggle="modal" data-message="' . gT('Do you want to continue?') . '"><i class="fa fa-trash text-danger " aria-hidden="true"></i></a></span>';
+            $button .= '<span data-toggle="tooltip" title="' . gT('Delete survey group') . '"><a class="btn btn-sm btn-default" href="#" data-post-url="' . $sDeleteUrl . '" data-target="#confirmation-modal" role="button" data-toggle="modal" data-message="' . gT('Do you want to continue?') . '"><i class="fa fa-trash text-danger " aria-hidden="true"></i></a></span>';
         }
         $button .= "</div>";
         return $button;

diff --git a/application/models/TokenDynamic.php b/application/models/TokenDynamic.php
@@ -921,8 +921,8 @@ public function getGridButtons()
                 'data-toggle' => "modal",
                 'data-target' => '#confirmation-modal',
                 'data-message' => gt('Do you really want to delete this participant') . '?',
-                'data-href' => 'App()->createUrl("/admin/tokens/sa/deleteToken",array("sid"=>' . self::$sid . ',"sItem"=>$data->tid));',
-                'evaluateOptions' => array('data-href'),
+                'data-post-url' => 'App()->createUrl("/admin/tokens/sa/deleteToken",array("sid"=>' . self::$sid . ',"sItem"=>$data->tid));',
+                'evaluateOptions' => array('data-post-url'),
                 'data-btntext' => gt('Delete'),
                 'title' => gT('Delete survey participant'),
             ),

diff --git a/application/views/SurveysGroupsPermission/subviews/currentUsersList.php b/application/views/SurveysGroupsPermission/subviews/currentUsersList.php
@@ -35,7 +35,7 @@
                                 <a class="btn btn-default btn-sm" role="button"
                                    data-target='#confirmation-modal' data-toggle='modal'
                                    data-message='<?= gT("Are you sure you want to remove all permissions for this user?") ?>'
-                                   data-href='<?= $deleteUrl ?>'
+                                   data-post-url='<?= $deleteUrl ?>'
                                 ><span class="fa fa-trash text-danger" aria-hidden="true" title="<?= gT("Delete") ?>"><span>
                             <span class="sr-only"><?= gT("Delete") ?></span>
                                 </a>

diff --git a/application/views/admin/pluginmanager/scanFilesResult.php b/application/views/admin/pluginmanager/scanFilesResult.php
@@ -35,7 +35,7 @@
                 <?php endif; ?>
 
                 <?php if (isset($scannedPlugin['deleteUrl'])) : ?>
-                    <a href='#' class='btn btn-default' data-target='#confirmation-modal' data-toggle='modal' data-href='<?= $scannedPlugin['deleteUrl'] ?>' data-message='<?php eT('Are you sure you want to delete this plugin from the file system?'); ?>' type='submit'>
+                    <a href='#' class='btn btn-default' data-target='#confirmation-modal' data-toggle='modal' data-post-url='<?= $scannedPlugin['deleteUrl'] ?>' data-message='<?php eT('Are you sure you want to delete this plugin from the file system?'); ?>' type='submit'>
                         <i class='fa fa-trash text-danger'></i>&nbsp;
                         <span data-toggle='tooltip' title='<?php eT('Delete this plugin from the file system'); ?>'>Delete files</span>
                     </a>

diff --git a/application/views/admin/quotas/viewquotas_quota_actions.php b/application/views/admin/quotas/viewquotas_quota_actions.php
@@ -15,7 +15,7 @@
 <?php } ?>
 <?php if (Permission::model()->hasSurveyPermission($oSurvey->getPrimaryKey(), 'quotas','delete')) { ?>
     <a
-            data-href="<?php echo $deleteUrl; ?>"
+            data-post-url="<?php echo $deleteUrl; ?>"
             class="btn btn-default"
             data-toggle="modal"
             data-target="#confirmation-modal"

diff --git a/application/views/admin/update/manage/manage_key.php b/application/views/admin/update/manage/manage_key.php
@@ -44,7 +44,7 @@
                             <?php echo $updateKeyInfos->remaining_updates; ?>
                         </td>
                         <td>
-                            <a data-href="<?php echo App()->createUrl('/admin/update/sa/delete_key');?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
+                            <a data-post-url="<?php echo App()->createUrl('/admin/update/sa/delete_key');?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
                                 <span class="fa fa-trash text-danger"></span>
                             </a>
                         </td>