Fixed issue #19139: [security] CSRF in Reset Survey menus (#3531)

LimeSurvey · Nov 3, 2023 · 9d2faa4 · 9d2faa4
1 parent cdcf12b
commit 9d2faa4
Showing 1 changed file with 33 additions and 31 deletions.
diff --git a/application/controllers/admin/SurveymenuController.php b/application/controllers/admin/SurveymenuController.php
@@ -21,6 +21,7 @@ public function __construct($controller, $id)
 
     /**
      * @return string[] action filters
+     * @todo: Review if this code is actually running.
      */
     public function filters()
     {
@@ -284,52 +285,27 @@ public function delete()
      */
     public function restore()
     {
+        $this->requirePostRequest();
+
         if (!(Permission::model()->hasGlobalPermission('settings', 'delete') && Permission::model()->hasGlobalPermission('settings', 'update'))) {
             Yii::app()->user->setFlash('error', gT("Access denied"));
             $this->getController()->redirect(Yii::app()->createUrl('/admin'));
         }
 
         $model = Surveymenu::model();
-        if (Yii::app()->request->isPostRequest) {
-            //Check for permission!
-            if (!Permission::model()->hasGlobalPermission('superadmin', 'read')) {
-                $debug = App()->getConfig('debug');
-                $returnData = array(
-                    'data' => [
-                        'success' => 0,
-                        'redirect' => false,
-                        'settings' => array(
-                            'extrasettings' => false,
-                            'parseHTML' => false,
-                        ),
-                        'message' => gT("You don't have the right to restore the settings to default")
-                    ]
-                );
-
-                if ($debug > 0) {
-                    $returnData['data']['debug'] = [$model, $_POST];
-                    $returnData['data']['debugErrors'] = $model->getErrors();
-                }
 
-                return Yii::app()->getController()->renderPartial(
-                    '/admin/super/_renderJson',
-                    $returnData,
-                    false,
-                    false
-                );
-            }
-            //get model to do the work
-            $success = $model->restoreDefaults();
+        //Check for permission!
+        if (!Permission::model()->hasGlobalPermission('superadmin', 'read')) {
             $debug = App()->getConfig('debug');
             $returnData = array(
                 'data' => [
-                    'success' => $success,
+                    'success' => 0,
                     'redirect' => false,
                     'settings' => array(
                         'extrasettings' => false,
                         'parseHTML' => false,
                     ),
-                    'message' =>  ($success ? gT("Default survey menus restored.") : gT("Something went wrong!"))
+                    'message' => gT("You don't have the right to restore the settings to default")
                 ]
             );
 
@@ -345,6 +321,32 @@ public function restore()
                 false
             );
         }
+        //get model to do the work
+        $success = $model->restoreDefaults();
+        $debug = App()->getConfig('debug');
+        $returnData = array(
+            'data' => [
+                'success' => $success,
+                'redirect' => false,
+                'settings' => array(
+                    'extrasettings' => false,
+                    'parseHTML' => false,
+                ),
+                'message' =>  ($success ? gT("Default survey menus restored.") : gT("Something went wrong!"))
+            ]
+        );
+
+        if ($debug > 0) {
+            $returnData['data']['debug'] = [$model, $_POST];
+            $returnData['data']['debugErrors'] = $model->getErrors();
+        }
+
+        return Yii::app()->getController()->renderPartial(
+            '/admin/super/_renderJson',
+            $returnData,
+            false,
+            false
+        );
     }
 
     /**