Fixed issue #14290: Some form can not be submitted if csrfTokenName i…

…s updated Dev: adding csrfTokenName for input name in LS.data Dev: adding csrfTokenData as object to allow usage of $.extend in LS.data Dev: replace 'YII_CSRF_TOKEN' by LS.data.csrfTokenName when found Dev: usage of $.extend for uploader (public) Dev: but have a syntax error in gulp …
LimeSurvey · Nov 27, 2018 · f99b354 · f99b354
1 parent 008711d
commit f99b354
Show file tree

Hide file tree

Showing 12 changed files with 21 additions and 21 deletions.
diff --git a/application/controllers/UploaderController.php b/application/controllers/UploaderController.php
@@ -265,7 +265,7 @@ function run($actionID)
             var surveyid = "'.$surveyid.'";
             var fieldname = "'.$sFieldName.'";
             var questgrppreview  = '.$sPreview.';
-            csrfToken = '.ls_json_encode(Yii::app()->request->csrfToken).';
+            var csrfData = '.ls_json_encode(array(Yii::app()->request->csrfTokenName => Yii::app()->request->csrfToken)).';
             showpopups="'.$oTemplate->showpopups.'";
         ';
         $sLangScriptVar = "

diff --git a/application/extensions/LimeScript/LimeScript.php b/application/extensions/LimeScript/LimeScript.php
@@ -14,7 +14,9 @@ public function run()
             $data['showScriptName']             = Yii::app()->urlManager->showScriptName;
             $data['urlFormat']                  = Yii::app()->urlManager->urlFormat;
             $data['adminImageUrl']              = Yii::app()->getConfig('adminimageurl');
+            $data['csrfTokenName']              = Yii::app()->request->csrfTokenName;
             $data['csrfToken']                  = Yii::app()->request->csrfToken;
+            $data['csrfTokenData']              = array(Yii::app()->request->csrfTokenName=>Yii::app()->request->csrfToken);
             $data['language']                   = Yii::app()->language;
             $data['replacementFields']['path']  = App()->createUrl("admin/limereplacementfields/sa/index/");
             $json = json_encode($data, JSON_FORCE_OBJECT);
@@ -25,7 +27,7 @@ public function run()
                             confirm_ok: '".gT('OK')."'
                         }
                     };\n"
-                    . "$.ajaxSetup({data: {YII_CSRF_TOKEN: LS.data.csrfToken}});";
+                    . "$.ajaxSetup({data: {".Yii::app()->request->csrfTokenName.": LS.data.csrfToken}});";
             App()->getClientScript()->registerScript('LimeScript', $script, CClientScript::POS_HEAD);
         }
     }

diff --git a/application/extensions/admin/grid/MassiveActionsWidget/assets/listActions.js b/application/extensions/admin/grid/MassiveActionsWidget/assets/listActions.js
@@ -52,7 +52,7 @@ var onClickListAction =  function () {
             'value': $oCheckedItems.join("|"),
             'type': 'hidden'
         })).append(jQuery('<input>', {
-            'name': 'YII_CSRF_TOKEN',
+            'name': LS.data.csrfTokenName,
             'value': LS.data.csrfToken,
             'type': 'hidden'
         })).appendTo('body');

diff --git a/assets/packages/adminbasics/build/adminbasics.js b/assets/packages/adminbasics/build/adminbasics.js
@@ -21103,7 +21103,7 @@ const globalWindowMethods = {
             $("<input type='hidden'>").attr("name", key).attr("value", value).appendTo($form);
         });
 
-        $("<input type='hidden'>").attr("name", 'YII_CSRF_TOKEN').attr("value", LS.data.csrfToken).appendTo($form);
+        $("<input type='hidden'>").attr("name", LS.data.csrfTokenName).attr("value", LS.data.csrfToken).appendTo($form);
         $form.appendTo("body");
         $form.submit();
     },
@@ -27531,7 +27531,7 @@ const ConfirmDeleteModal = function (options) {
                 formObject.append('<input name="' + key + '" value="' + value + '" type="' + type + '" ' + (htmlClass ? 'class="' + htmlClass + '"' : '') + ' />');
             }
 
-            formObject.append('<input name="YII_CSRF_TOKEN" value="' + LS.data.csrfToken + '" type="hidden" />');
+            formObject.append('<input name="' + LS.data.csrfTokenName + '" value="' + LS.data.csrfToken + '" type="hidden" />');
             modalObject.find('.modal-body').append(formObject)
             modalObject.find('.modal-body').append('<p>' + confirmText + '</p>');
 

diff --git a/assets/packages/adminbasics/build/adminbasics.min.js b/assets/packages/adminbasics/build/adminbasics.min.js
diff --git a/assets/packages/adminbasics/src/components/confirmdeletemodal.js b/assets/packages/adminbasics/src/components/confirmdeletemodal.js
@@ -77,7 +77,7 @@ const ConfirmDeleteModal = function (options) {
                 formObject.append('<input name="' + key + '" value="' + value + '" type="' + type + '" ' + (htmlClass ? 'class="' + htmlClass + '"' : '') + ' />');
             }
 
-            formObject.append('<input name="YII_CSRF_TOKEN" value="' + LS.data.csrfToken + '" type="hidden" />');
+            formObject.append('<input name="' + LS.data.csrfTokenName + '" value="' + LS.data.csrfToken + '" type="hidden" />');
             modalObject.find('.modal-body').append(formObject)
             modalObject.find('.modal-body').append('<p>' + confirmText + '</p>');
 

diff --git a/assets/packages/adminbasics/src/components/gridAction.js b/assets/packages/adminbasics/src/components/gridAction.js
@@ -15,7 +15,7 @@ const gridButton = {
         $.bsconfirm(text,utf8,function onClickOK() {
             $('#'+gridid).yiiGridView('update', {
                 type : 'POST',
-                url : actionUrl, // No need to add csrfToken, already in ajaxSetup
+                url : actionUrl,
                 success: function(data) {
                     jQuery('#'+gridid).yiiGridView('update');
                     $('#identity__bsconfirmModal').modal('hide');

diff --git a/assets/packages/adminbasics/src/parts/globalMethods.js b/assets/packages/adminbasics/src/parts/globalMethods.js
@@ -100,7 +100,7 @@ const globalWindowMethods = {
             $("<input type='hidden'>").attr("name", key).attr("value", value).appendTo($form);
         });
 
-        $("<input type='hidden'>").attr("name", 'YII_CSRF_TOKEN').attr("value", LS.data.csrfToken).appendTo($form);
+        $("<input type='hidden'>").attr("name", LS.data.csrfTokenName).attr("value", LS.data.csrfToken).appendTo($form);
         $form.appendTo("body");
         $form.submit();
     },

diff --git a/assets/scripts/admin/assessments.js b/assets/scripts/admin/assessments.js
@@ -39,7 +39,7 @@ var bindAction = function(){
         $('input[name=action]').val('assessmentupdate');
         $.ajax({
             url: loadEditUrl,
-            data: {id: $(this).closest('tr').data('assessment-id'), YII_CSRF_TOKEN : LS.data.csrfToken},
+            data: {id: $(this).closest('tr').data('assessment-id')},// crsf is already in ajaxsetup
             method: 'GET',
             success: function(responseData){
                 $("#in_survey_common").css({cursor: ""});

diff --git a/assets/scripts/admin/participantpanel.js b/assets/scripts/admin/participantpanel.js
@@ -68,8 +68,7 @@ LS.CPDB = (function() {
     onClickExport = function(all) {
         var postdata = {
             selectedParticipant: [],
-            YII_CSRF_TOKEN : LS.data.csrfToken
-        }; 
+        }; /* csrf is already in ajaxSetup */
 
         if (!all) {
             $('.selector_participantCheckbox:checked').each(function(i,item){
@@ -147,7 +146,7 @@ LS.CPDB = (function() {
                 //data can be string of parameters or array/object
                 data = typeof data == 'string' ? data : jQuery.param(data);
                 //split params into form inputs
-                var inputs = '<input type="hidden" name="YII_CSRF_TOKEN" value="'+LS.data.csrfToken+'">';
+                var inputs = '<input type="hidden" name="'+LS.data.csrfTokenName+'" value="'+LS.data.csrfToken+'">';
                 jQuery.each(data.split('&'), function(){
                     var pair = this.split('=');
                     inputs+='<input type="hidden" name="'+ pair[0] +'" value="'+ pair[1] +'">';

diff --git a/assets/scripts/admin/users.js b/assets/scripts/admin/users.js
@@ -29,7 +29,7 @@ function runAction(el){
         form.append('<input type="hidden" name="uid" value="'+uid+'" />');
         form.append('<input type="hidden" name="action" value="'+action+'" />');
         form.append('<input type="hidden" name="user" value="'+user+'" />');
-        form.append('<input type="hidden" name="YII_CSRF_TOKEN" value="'+LS.data.csrfToken+'" />');
+        form.append('<input type="hidden" name="'+LS.data.csrfTokenName+'" value="'+LS.data.csrfToken+'" />');
         form.appendTo('body');
         form.submit();
 }
@@ -51,4 +51,4 @@ function UsertypeChange(ui,evt)
     else {ldap_user='';}
     $("#new_email").prop('disabled',ldap_user);
     $("#new_full_name").prop('disabled',ldap_user);
-}
+}
diff --git a/assets/scripts/uploader.js b/assets/scripts/uploader.js
@@ -81,14 +81,14 @@ function doFileUpload(){
     new AjaxUpload(button, {
         action: uploadurl + '/sid/'+surveyid+'/preview/'+questgrppreview+'/fieldname/'+fieldname+'/',
         name: 'uploadfile',
-        data: {
+        data: $.extend({
             valid_extensions : $('#'+fieldname+'_allowed_filetypes').val(),
             max_filesize : $('#'+fieldname+'_maxfilesize').val(),
             preview : $('#preview').val(),
             surveyid : surveyid,
             fieldname : fieldname,
-            YII_CSRF_TOKEN : csrfToken
-        },
+            },csrfData
+        ),
         onSubmit : function(file, ext){
 
             var maxfiles = parseInt($('#'+fieldname+'_maxfiles').val());
@@ -303,13 +303,12 @@ function deletefile(fieldname, count) {
     {
         method: "POST",
         url: uploadurl,
-        data: {
+        data: $.extend({
             'delete': 1,
             'fieldname': fieldname,
             'filename' : filename,
             'name' : name,
-            YII_CSRF_TOKEN : csrfToken
-            }
+            },csrfData)
     })
     .done(function( msg )
     {