
Fixed issue #13562: CSRF in box deletion

lacrioque committed Apr 5, 2018
1 parent 2e35aa1 commit d36a92d45ed6f3d608d9816c41c7453f219b7f51
Showing with 12 additions and 4 deletions.
  1. +2 −1 application/controllers/admin/homepagesettings.php
  2. +10 −3 application/models/Boxes.php
@@ -122,8 +122,9 @@ public function update($id)
* If deletion is successful, the browser will be redirected to the 'admin' page.
* @param integer $id the ID of the model to be deleted
*/
public function delete($id)
public function delete($id=null)
{
$id = App()->request->getPost('id',$id);
if (!Permission::model()->hasGlobalPermission('settings', 'update')) {
Yii::app()->session['flashmessage'] = gT('Access denied!');
$this->getController()->redirect($this->createUrl("/admin/homepagesettings"));
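Review bot: The new `$id = App()->request->getPost('id',$id);` still falls back to the route parameter, so a plain GET to the old `/sa/delete/id/<id>` URL reaches the same deletion code with no POST body; Yii's CSRF token check only applies to POST requests, so unless this action is restricted to POST elsewhere the fix mainly changes how the UI submits. Consider guarding at the top of the method, `if (!App()->request->isPostRequest) { throw new CHttpException(405, gT('Method not allowed')); }`, or dropping the `$id` fallback so the id is only accepted from the POST body. The body of delete() continues past the end of the hunk, so the actual deletion and any later method check are not visible here.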
@@ -135,9 +135,16 @@ public function getbuttons()
$url .= '/'.$this->id;
$button = '<a class="btn btn-default" href="'.$url.'" role="button"><span class="fa fa-pencil" ></span></a>';
$url = Yii::app()->createUrl("/admin/homepagesettings/sa/delete/id/");
$url .= '/'.$this->id;
$button .= '<a class="btn btn-default" href="'.$url.'" role="button" data-confirm="'.gT('Are you sure you want to delete this box ?').'"><span class="text-danger fa fa-trash" ></span></a>';
$url = Yii::app()->createUrl("/admin/homepagesettings/sa/delete");
//$url .= '/'.$this->id;
$button .= '<a class="btn btn-default selector--ConfirmModal"'
.' data-button-no="'.gT('No, cancel').'"'
.' data-button-yes="'.gT('Yes, delete').'"'
.' href="'.$url.'"'
.' title="'.gT("Delete Box").'"'
.' role="button" data-post=\''.json_encode(['id' => $this->id]).'\''
.' data-text="'.gT('Are you sure you want to delete this box ?').'"'
.'><span class="text-danger fa fa-trash" ></span></a>';
return $button;
}
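Review bot: The `data-post` attribute at `.' role="button" data-post=\''.json_encode(['id' => $this->id]).'\''` embeds JSON in a single-quoted HTML attribute without HTML-escaping it; json_encode does not escape `'` or `<` by default, so if `id` were ever a non-integer value the attribute would break out of its quotes. Wrap it, e.g. `' data-post=\''.htmlspecialchars(json_encode(['id' => $this->id]), ENT_QUOTES, 'UTF-8').'\''`, or pass `JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG` to json_encode. The commented-out line `//$url .= '/'.$this->id;` should be deleted rather than left as dead code, and `gT("Delete Box")` uses double quotes where the neighbouring gT() calls use single quotes. Whether the `selector--ConfirmModal` submit attaches the CSRF token is decided by JavaScript not shown in this commit, so the protection depends on that handler. getbuttons() starts before the hunk.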
