Fixed issue #16792: Delete permission on Survey : no CRSF control (#1967

)

- Added 'send post' feature to ConfirmationModal: if element has 'data-post-url' attribute, window.LS.sendPost() is used.
- Places where ConfirmationModal was used with 'data-href' were updated to use 'data-post-url':
	surveypermission.php
	SurveysGroups.php
	SurveyTimingDynamic.php
	viewquotas_quota_actions.php
	manage_key.php
- ParticipantShare.php was using $.ajax() with 'GET' method. It was changed to use 'POST'.
- The respective controller actions where updated to require a POST request.

Co-authored-by: encuestabizdevgit <devgit@encuesta.biz>

application/controllers/admin/SurveysGroupsController.php

@@ -116,6 +116,8 @@ public function update($id)
      */
     public function delete($id)
     {
+        $this->requirePostRequest();
+
         $oGroupToDelete = $this->loadModel($id);
         $sGroupTitle    = $oGroupToDelete->title;
 

application/controllers/admin/dataentry.php

@@ -1270,6 +1270,8 @@ public function editdata($subaction, $id, $surveyid)
      */
     public function delete()
     {
+        $this->requirePostRequest();
+
         $surveyid = '';
         if (isset($_REQUEST['surveyid']) && !empty($_REQUEST['surveyid'])) {
             $surveyid = $_REQUEST['surveyid'];

application/controllers/admin/participantsaction.php

@@ -2215,6 +2215,8 @@ public function rejectShareParticipant()
      */
     public function deleteSingleParticipantShare($participantId, $shareUid)
     {
+        $this->requirePostRequest();
+
         $participantShare = ParticipantShare::model()->findByPk(array(
             'participant_id' => $participantId,
             'share_uid' => $shareUid

application/controllers/admin/quotas.php

@@ -301,6 +301,8 @@ public function delans($iSurveyId)
 
     public function delquota($iSurveyId)
     {
+        $this->requirePostRequest();
+
         $iSurveyId = sanitize_int($iSurveyId);
         $this->_checkPermissions($iSurveyId, 'delete');
 

application/controllers/admin/surveypermission.php

@@ -129,7 +129,9 @@ public function index($iSurveyID)
                         'user' => $PermissionRow['users_name']
                     ));
                     $deleteConfirmMessage = gT("Are you sure you want to delete this entry?");
-                    $surveysecurity .= "<a data-target='#confirmation-modal' data-toggle='modal' data-message='{$deleteConfirmMessage}' data-href='{$deleteUrl}' type='submit' class='btn-xs btn btn-default'>
+                    // The "Delete" button is using confirmationModal and it's data-post-url attribute because we need the request method to be POST (so CSRF validation is applied)
+                    // and we are not able to use neither 'confirmGridAction' nor 'runAjaxRequest' (this is not a grid view).
+                    $surveysecurity .= "<a data-target='#confirmation-modal' data-toggle='modal' data-message='{$deleteConfirmMessage}' data-post-url='{$deleteUrl}' type='submit' class='btn-xs btn btn-default'>
                         <span class='fa fa-trash text-warning' data-toggle='tooltip' title='".gT("Delete")."'></span>
                         </a>";
                 }
@@ -541,6 +543,7 @@ function set($surveyid)
      */
     function delete($surveyid)
     {
+        $this->requirePostRequest();
 
         $aData['surveyid'] = $surveyid = sanitize_int($surveyid);
         $oSurvey = Survey::model()->findByPk($surveyid);

application/controllers/admin/update.php

@@ -168,6 +168,8 @@ public function manage_submitkey()
 
     public function delete_key()
     {
+        $this->requirePostRequest();
+
         if (Permission::model()->hasGlobalPermission('superadmin')) {
             SettingGlobal::model()->deleteByPk('update_key');
             App()->setFlashMessage('Your update key has been removed');

application/core/Survey_Common_Action.php

@@ -1271,4 +1271,14 @@ protected function fetchExtraMenus(array $aData)
         return $extraMenus;
     }
 
+    /**
+     * Throws a 405 HTTP exception if the request method is not POST
+     */
+    protected function requirePostRequest()
+    {
+        if(!Yii::app()->getRequest()->isPostRequest) {
+            throw new CHttpException(405, gT("Invalid action"));
+        }
+    }
+
 }

application/models/SurveyTimingDynamic.php

@@ -198,7 +198,7 @@ public function getButtons()
         // Delete
         if (Permission::model()->hasSurveyPermission(self::$sid, 'responses', 'delete')) {
             $deleteUrl = App()->createUrl("admin/dataentry/sa/delete/subaction/edit/surveyid/".self::$sid."/id/".$this->id);
-            $buttons .= '&nbsp;<a class="btn btn-xs btn-default" data-target="#confirmation-modal" data-href="'.$deleteUrl.'" role="button" data-toggle="modal" data-tooltip="true" title="'.gT('Delete this response').'"><span class="text-danger fa fa-trash" ></span></a>';
+            $buttons .= '&nbsp;<a class="btn btn-xs btn-default" data-target="#confirmation-modal" data-post-url="'.$deleteUrl.'" role="button" data-toggle="modal" data-tooltip="true" title="'.gT('Delete this response').'"><span class="text-danger fa fa-trash" ></span></a>';
         }
 
         return $buttons;

application/models/SurveysGroups.php

@@ -260,7 +260,7 @@ public function getButtons()
             $button .= '<a class="btn btn-default" href="'.$sEditUrl.'" role="button" data-toggle="tooltip" title="'.gT('Edit survey group').'"><i class="fa fa-edit" ></i><span class="sr-only">'.gT('Edit survey group').'</span></a>';
         }
         if (!$this->hasSurveys) {
-            $button .= '<a class="btn btn-default" href="#" data-href="'.$sDeleteUrl.'" data-target="#confirmation-modal" role="button" data-toggle="modal" data-message="'.gT('Do you want to continue?').'" data-tooltip="true" title="'.gT('Delete survey group').'"><i class="fa fa-trash text-danger "></i><span class="sr-only">'.gT('Delete survey group').'</span></a>';
+            $button .= '<a class="btn btn-default" href="#" data-post-url="'.$sDeleteUrl.'" data-target="#confirmation-modal" role="button" data-toggle="modal" data-message="'.gT('Do you want to continue?').'" data-tooltip="true" title="'.gT('Delete survey group').'"><i class="fa fa-trash text-danger "></i><span class="sr-only">'.gT('Delete survey group').'</span></a>';
         }
 
         return $button;

application/views/admin/quotas/viewquotas_quota_actions.php

@@ -14,7 +14,7 @@
     </a>
 <?php } ?>
 <?php if (Permission::model()->hasSurveyPermission($oSurvey->getPrimaryKey(), 'quotas','delete')) { ?>
-    <a data-href="<?php echo $deleteUrl; ?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
+    <a data-post-url="<?php echo $deleteUrl; ?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
         <span class='fa fa-trash text-danger'></span>
     </a>
 <?php } ?>

application/views/admin/update/manage/manage_key.php

@@ -44,7 +44,7 @@
                             <?php echo $updateKeyInfos->remaining_updates; ?>
                         </td>
                         <td>
-                            <a data-href="<?php echo App()->createUrl('/admin/update/sa/delete_key');?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
+                            <a data-post-url="<?php echo App()->createUrl('/admin/update/sa/delete_key');?>" class="btn btn-default" data-toggle="modal" data-target="#confirmation-modal" data-tooltip="true" title="<?php eT("Delete");?>" >
                                 <span class="text-danger fa fa-trash"></span>
                             </a>
                         </td>

assets/packages/adminbasics/build/adminbasics.css

@@ -3926,74 +3926,6 @@ textarea.form-control.input-text {
   overflow: visible !important;
 }
 
-#cpdbatt {
-  min-height: 100px;
-}
-
-#selectable .ui-selecting {
-  background: #8CCE00;
-}
-
-#selectable .ui-selected {
-  background: #C1DD7F;
-  color: #000000;
-}
-
-#selectable {
-  list-style-type: none;
-  margin: 2px;
-  padding: 0;
-  width: 90%;
-}
-
-#selectable li {
-  padding: 1em;
-  font-size: 1em;
-  height: 9px;
-  text-align: center;
-  margin: 4px;
-}
-
-.ui-icon.exporticon {
-  background-image: url("images/export.gif");
-}
-
-#feedback {
-  font-size: 1.4em;
-}
-
-#selectableadd .ui-selecting {
-  background: #0066CC;
-}
-
-#selectableadd .ui-selected {
-  background: #0066CC;
-  color: white;
-}
-
-#selectableadd {
-  list-style-type: none;
-  margin: 0;
-  padding: 0;
-  width: 90%;
-  text-align: center;
-}
-
-#selectableadd li {
-  margin: 3px;
-  padding: 0.4em;
-  font-size: 1 em;
-  height: 18px;
-  text-align: center;
-}
-
-.popupgroup {
-  border: 1px solid #DAE5F4;
-  padding: 10px;
-  border-radius: 3px;
-  margin: 8px;
-}
-
 .jcarousel-wrapper {
   margin: 20px auto;
   position: relative;
@@ -4218,6 +4150,74 @@ div.mappable-attribute-wrapper.paired.ui-state-disabled {
   min-height: 100px;
 }
 
+#selectable .ui-selecting {
+  background: #8CCE00;
+}
+
+#selectable .ui-selected {
+  background: #C1DD7F;
+  color: #000000;
+}
+
+#selectable {
+  list-style-type: none;
+  margin: 2px;
+  padding: 0;
+  width: 90%;
+}
+
+#selectable li {
+  padding: 1em;
+  font-size: 1em;
+  height: 9px;
+  text-align: center;
+  margin: 4px;
+}
+
+.ui-icon.exporticon {
+  background-image: url("images/export.gif");
+}
+
+#feedback {
+  font-size: 1.4em;
+}
+
+#selectableadd .ui-selecting {
+  background: #0066CC;
+}
+
+#selectableadd .ui-selected {
+  background: #0066CC;
+  color: white;
+}
+
+#selectableadd {
+  list-style-type: none;
+  margin: 0;
+  padding: 0;
+  width: 90%;
+  text-align: center;
+}
+
+#selectableadd li {
+  margin: 3px;
+  padding: 0.4em;
+  font-size: 1 em;
+  height: 18px;
+  text-align: center;
+}
+
+.popupgroup {
+  border: 1px solid #DAE5F4;
+  padding: 10px;
+  border-radius: 3px;
+  margin: 8px;
+}
+
+#cpdbatt {
+  min-height: 100px;
+}
+
 .grid-view .table td.button-column, .grid-view .table th.button-column {
   white-space: nowrap;
   text-align: initial;

assets/packages/adminbasics/build/adminbasics.js

@@ -28223,7 +28223,8 @@
       keepopen: null,
       postDatas: null,
       gridid: null,
-      "ajax-url": null
+      "ajax-url": null,
+      postUrl: null
     }; //////METHODS
     //Parse available options from specific item.data settings, if not available load relatedTarget settings
 
@@ -28275,6 +28276,12 @@
           }
         });
       });
+    },
+        _sendPost = function _sendPost() {
+      adminCoreLSConsole.log('Binding post handler on confirmation dialog');
+      $(_this).find('.btn-ok').on('click', function (ev) {
+        window.LS.sendPost(options.postUrl, options.postDatas);
+      });
     },
         _setTarget = function _setTarget() {
       //Set up normal href
@@ -28295,6 +28302,13 @@
       if (!!options['ajax-url']) {
         _ajaxHandler();
 
+        return;
+      } //Set up a handler to send a POST request
+
+
+      if (!!options.postUrl) {
+        _sendPost();
+
         return;
       }