From ba068af6e707fbcf118ff4e8d00639aeab82f508 Mon Sep 17 00:00:00 2001
From: Denis Chenu <denis@sondages.pro>
Date: Wed, 1 Feb 2023 15:41:29 +0000
Subject: [PATCH] Fixed issue [security] #18514 : no CSRF control when delete
 token table (#2750)

Dev: move to a post action forum, validate with getPost
---
 application/controllers/admin/Tokens.php      | 44 +++++++-------
 .../token/afterDeleteParticipantsTable.php    |  9 +--
 .../admin/token/deleteParticipantsTable.php   | 59 ++++++++++---------
 3 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/application/controllers/admin/Tokens.php b/application/controllers/admin/Tokens.php
index 97e7c1a5d75..699cba3e699 100644
--- a/application/controllers/admin/Tokens.php
+++ b/application/controllers/admin/Tokens.php
@@ -2365,34 +2365,32 @@ public function kill(int $iSurveyId)
 
         $aData['topBar']['hide'] = true;
 
-        if (!Yii::app()->request->getQuery('ok')) {
+        if (!Yii::app()->request->getPost('ok')) {
             $aData['sidemenu']['state'] = false;
             $aData['backupTableName']   = $newtableDisplay;
-
             $this->renderWrappedTemplate('token', 'deleteParticipantsTable', $aData);
-        } else /* The user has confirmed they want to delete the tokens table */
-        {
-            Yii::app()->db->createCommand()->renameTable("{{{$oldtable}}}", "{{{$newtable}}}");
-
-            $archivedTokenSettings = new ArchivedTableSettings();
-            $archivedTokenSettings->survey_id = $iSurveyId;
-            $archivedTokenSettings->user_id = $userID;
-            $archivedTokenSettings->tbl_name = $newtable;
-            $archivedTokenSettings->tbl_type = 'token';
-            $archivedTokenSettings->created = $DBDate;
-            $archivedTokenSettings->properties = $aData['thissurvey']['tokenencryptionoptions'];
-            $archivedTokenSettings->attributes = json_encode($aData['thissurvey']['attributedescriptions']);
-            $archivedTokenSettings->save();
-
-            //Remove any survey_links to the CPDB
-            SurveyLink::model()->deleteLinksBySurvey($iSurveyId);
+            return;
+        }
+        /* The user has confirmed they want to delete the tokens table */
+        Yii::app()->db->createCommand()->renameTable("{{{$oldtable}}}", "{{{$newtable}}}");
 
-            $aData['sidemenu']['state'] = false;
-            $aData['backupTableName'] = $newtableDisplay;
-            $this->renderWrappedTemplate('token', 'afterDeleteParticipantsTable', $aData);
+        $archivedTokenSettings = new ArchivedTableSettings();
+        $archivedTokenSettings->survey_id = $iSurveyId;
+        $archivedTokenSettings->user_id = $userID;
+        $archivedTokenSettings->tbl_name = $newtable;
+        $archivedTokenSettings->tbl_type = 'token';
+        $archivedTokenSettings->created = $DBDate;
+        $archivedTokenSettings->properties = $aData['thissurvey']['tokenencryptionoptions'];
+        $archivedTokenSettings->attributes = json_encode($aData['thissurvey']['attributedescriptions']);
+        $archivedTokenSettings->save();
 
-            LimeExpressionManager::SetDirtyFlag(); // so that knows that survey participants tables have changed
-        }
+        //Remove any survey_links to the CPDB
+        SurveyLink::model()->deleteLinksBySurvey($iSurveyId);
+
+        $aData['sidemenu']['state'] = false;
+        $aData['backupTableName'] = $newtableDisplay;
+        $this->renderWrappedTemplate('token', 'afterDeleteParticipantsTable', $aData);
+        LimeExpressionManager::SetDirtyFlag(); // so that knows that survey participants tables have changed
     }
 
     /**
diff --git a/application/views/admin/token/afterDeleteParticipantsTable.php b/application/views/admin/token/afterDeleteParticipantsTable.php
index a83c2c5969d..33798ecb992 100644
--- a/application/views/admin/token/afterDeleteParticipantsTable.php
+++ b/application/views/admin/token/afterDeleteParticipantsTable.php
@@ -18,13 +18,10 @@
                     <br /> <br />
                     <?php eT("You can switch back to closed-access mode at any time. Navigate to Settings --> Survey participants and click on the 'Switch to closed-access mode' button."); ?>
                     <br /><br />
-                    <input
+                    <a
                         class="btn btn-default"
-                        type="submit"
-                        value="<?php eT('Main Admin Screen'); ?>"
-                        onclick="window.open(
-                            '<?php echo $this->createUrl("surveyAdministration/view/surveyid/{$iSurveyId}"); ?>',
-                            '_top'" />
+                        href="<?php echo $this->createUrl("surveyAdministration/view/surveyid/{$iSurveyId}"); ?>"
+                    ><?php eT('Main Admin Screen'); ?></a>
             </div>
         </div>
     </div>
diff --git a/application/views/admin/token/deleteParticipantsTable.php b/application/views/admin/token/deleteParticipantsTable.php
index 510b079d479..24ad4ec737b 100644
--- a/application/views/admin/token/deleteParticipantsTable.php
+++ b/application/views/admin/token/deleteParticipantsTable.php
@@ -7,33 +7,38 @@
     <div class="row welcom survey-action">
         <div class="col-lg-12 content-right">
             <div class="jumbotron message-box">
+                <?php echo CHtml::form(
+                    array("admin/tokens/sa/kill", 'surveyid' => $surveyid),
+                    'post',
+                    array('id' => 'deletetokentable', 'name' => 'deletetokentable')
+                ); ?>
                 <h3 class="lead"><?php eT('Delete survey participants table'); ?></h3>
                 <p>
-            <?php eT('Deleting the participants table will switch the survey back to open-access mode.'); ?>
-            <br /> <br />
-            <?php eT('Access codes will no longer be required to access this survey.'); ?>
-            <br /> <br />
-            <?php eT('A backup of this table will be made if you proceed. Your site administrator will be able to access this table.'); ?>
-            <br />
-            <?php echo '('. $backupTableName .')'; ?>
-            <br /> <br />
-            <?php eT("You can switch back to closed-access mode at any time. Navigate to Settings --> Survey participants and click on the 'Switch to closed-access mode' button."); ?>
-            <br /> <br />
-        </p>
-        <input
-            class="btn btn-default"
-            type="submit"
-            value="<?php eT('Cancel'); ?>"
-            onclick="window.open(
-                '<?php echo $this->createUrl("admin/tokens/sa/index/surveyid/{$iSurveyId}"); ?>',
-                '_top')" />
-        <input 
-            class="btn btn-danger"
-            type='submit' 
-            value="<?php eT('Delete table'); ?>" 
-            onclick="window.open(
-                '<?php echo $this->createUrl("admin/tokens/sa/kill/surveyid/{$iSurveyId}/ok/Y"); ?>',
-                '_top')" />
-        
+                    <?php eT('Deleting the participants table will switch the survey back to open-access mode.'); ?>
+                    <br /> <br />
+                    <?php eT('Access codes will no longer be required to access this survey.'); ?>
+                    <br /> <br />
+                    <?php eT('A backup of this table will be made if you proceed. Your site administrator will be able to access this table.'); ?>
+                    <br />
+                    <?php echo '(' . $backupTableName . ')'; ?>
+                    <br /> <br />
+                    <?php eT("You can switch back to closed-access mode at any time. Navigate to Settings --> Survey participants and click on the 'Switch to closed-access mode' button."); ?>
+                    <br />
+                </p>
+                <button
+                    class="btn btn-danger"
+                    type='submit'
+                    name="ok"
+                    value="Y"
+                >
+                    <?php eT('Delete table'); ?>
+                </button>
+                <a
+                    class="btn btn-default"
+                    href="<?php echo $this->createUrl("admin/tokens/sa/index/surveyid/{$iSurveyId}"); ?>"
+                ><?php eT('Cancel'); ?></a>
+                </form>
+            </div>
         </div>
-</div>
\ No newline at end of file
+    </div>
+</div>