Apply CSRF fixes from #4176 to develop (#4178)

* Apply CSRF fixes from #4176 to develop

* Don't call parent view

* Add CSRF to job scheduling

* Add CSRF token to job reset


Former-commit-id: 1841ef9
Former-commit-id: 1c6378e39e278ee820adf822c353ad73dd1bd3bd

concrete/controllers/single_page/dashboard/pages/themes.php

@@ -36,6 +36,11 @@ public function view()
 
     public function save_mobile_theme()
     {
+        if (!$this->token->validate('save_mobile_theme')) {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+            return $this->view();
+        }
+
         $pt = PageTheme::getByID($this->post('MOBILE_THEME_ID'));
         if (is_object($pt)) {
             Config::save('concrete.misc.mobile_theme_id', $pt->getThemeID());

concrete/controllers/single_page/dashboard/system/attributes/types.php

@@ -19,6 +19,11 @@ public function add_attribute_type()
 
     public function save_attribute_type_associations()
     {
+        if (!$this->token->validate('save_attribute_type_associations')) {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+            return;
+        }
+
         $manager = \ORM::entityManager();
         $list = Category::getList();
         foreach ($list as $cat) {

concrete/controllers/single_page/dashboard/system/basics/accessibility.php

@@ -22,6 +22,10 @@ public function saved()
 
     public function save()
     {
+        if (!$this->token->validate('accessibility')) {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+            return $this->view();
+        }
         Config::save('concrete.accessibility.toolbar_titles', (bool) Request::post('show_titles', false));
         Config::save('concrete.accessibility.toolbar_large_font', (bool) Request::post('increase_font_size', false));
         Config::save('concrete.accessibility.display_help_system', (bool) Request::post('display_help', false));

concrete/controllers/single_page/dashboard/system/conversations/points.php

@@ -19,14 +19,22 @@ public function success()
     }
     public function save()
     {
-        $db = Loader::db();
-        foreach (ConversationRatingType::getList() as $crt) {
-            $rtID = $crt->getConversationRatingTypeID();
-            $rtPoints = $this->post('rtPoints_' . $rtID);
-            if (is_string($rtPoints) && is_numeric($rtPoints)) {
-                $db->Execute('UPDATE ConversationRatingTypes SET cnvRatingTypeCommunityPoints = ? WHERE cnvRatingTypeID = ? LIMIT 1', array($rtPoints, $rtID));
+
+        if ($this->token->validate('conversation_points')) {
+
+            $db = Loader::db();
+            foreach (ConversationRatingType::getList() as $crt) {
+                $rtID = $crt->getConversationRatingTypeID();
+                $rtPoints = $this->post('rtPoints_' . $rtID);
+                if (is_string($rtPoints) && is_numeric($rtPoints)) {
+                    $db->Execute('UPDATE ConversationRatingTypes SET cnvRatingTypeCommunityPoints = ? WHERE cnvRatingTypeID = ? LIMIT 1',
+                        array($rtPoints, $rtID));
+                }
             }
+            $this->redirect('/dashboard/system/conversations/points', 'success');
+        } else {
+            $this->error->add(t('Invalid CSRF token. Please refresh and try again.'));
+            $this->view();
         }
-        $this->redirect('/dashboard/system/conversations/points', 'success');
     }
 }

concrete/controllers/single_page/dashboard/system/optimization/jobs.php

@@ -42,8 +42,14 @@ public function install($handle = null)
         $this->view();
     }
 
-    public function uninstall($job_id = null)
+    public function uninstall($job_id = null, $token = null)
     {
+
+        if (!$this->token->validate('uninstall_job', $token)) {
+            $this->error->add(t('Invalid CSRF Token.'));
+            return $this->view();
+        }
+
         if ($job_id) {
             $job = Job::getByID((int) $job_id);
             if ($job) {
@@ -74,8 +80,13 @@ public function job_installed()
         $this->view();
     }
 
-    public function reset()
+    public function reset($token = '')
     {
+        if (!$this->token->validate('reset_jobs', $token)) {
+            $this->error->add(t('Invalid CSRF Token.'));
+            return $this->view();
+        }
+
         $jobs = Job::getList();
         foreach ($jobs as $j) {
             $j->reset();
@@ -217,6 +228,11 @@ public function add_set()
 
     public function update_job_schedule()
     {
+        if (!$this->token->validate('update_job_schedule')) {
+            $this->error->add(t('Invalid CSRF Token.'));
+            return $this->view();
+        }
+
         $jID = $this->request->request->get('jID');
         $J = Job::getByID($jID);
         $J->setSchedule($this->post('isScheduled'), $this->post('unit'), max(0, (int) $this->post('value')));
@@ -231,6 +247,11 @@ public function job_scheduled()
 
     public function update_set_schedule()
     {
+        if (!$this->token->validate('update_set_schedule')) {
+            $this->error->add(t('Invalid CSRF Token.'));
+            return $this->view();
+        }
+
         $jsID = $this->post('jsID');
         $S = JobSet::getByID($jsID);
         $S->setSchedule($this->post('isScheduled'), $this->post('unit'), $this->post('value'));

concrete/controllers/single_page/dashboard/system/seo/bulk.php

@@ -88,9 +88,15 @@ public function view()
 
     public function saveRecord()
     {
+        $cID = $this->post('cID');
+
+        if (!$this->token->validate('save_seo_record_' . $cID)) {
+            $error = t('Invalid CSRF token. Please refresh and try again.');
+            return JsonResponse::create(array('message' => $error));
+        }
+
         $text = $this->app->make('helper/text');
         $success = t('success');
-        $cID = $this->post('cID');
         $c = Page::getByID($cID);
         if (!$c || $c->isError()) {
             throw new \RuntimeException(t('Unable to find the specified page'));

concrete/single_pages/dashboard/pages/themes/view.php

@@ -75,6 +75,9 @@
         }
     ?></table>
     <form method="post" action="<?=$view->action('save_mobile_theme')?>" class="form-inline">
+        <?php
+        $valt->output('save_mobile_theme');
+        ?>
         <h3><?=t('Mobile Theme')?></h3>
         <p><?=t('To use a separate theme for mobile browsers, specify it below.')?></p>
         <div class="control-group">

concrete/single_pages/dashboard/system/attributes/types.php

@@ -8,9 +8,11 @@
 $txt = Loader::helper('text');
 $form = Loader::helper('form');
 $interface = Loader::helper('concrete/ui');
+$valt = Core::make('token');
 
 echo Loader::helper('concrete/dashboard')->getDashboardPaneHeaderWrapper(t('Attribute Type Associations'), false, 'span10 offset1');?>
 <form method="post" class="" id="attribute_type_associations_form" action="<?=$view->action('save_attribute_type_associations')?>">
+	<?php $valt->output('save_attribute_type_associations'); ?>
 	<table border="0" cellspacing="1" cellpadding="0" border="0" class="table">
 		<tr>
 			<th><?=t('Name')?></th>

concrete/single_pages/dashboard/system/basics/accessibility.php

@@ -1,4 +1,7 @@
 <form action="<?= View::action('save') ?>" method="post">
+    <?php
+    Core::make('token')->output('accessibility');
+    ?>
     <div class="checkbox">
         <label>
             <input name="show_titles" value="1" type="checkbox" <?= $show_titles ? 'checked' : '' ?> />

concrete/single_pages/dashboard/system/conversations/points.php

@@ -1,10 +1,12 @@
 <?php defined('C5_EXECUTE') or die("Access Denied.");
 $form = Loader::helper('form');
+$token = Core::make('token');
 ?>
 <h4><?=t('Installed Rating Types')?></h4>
 <?php if (count($ratingTypes) > 0) {
     ?>
     <form action="<?=$view->action('save')?>" method="post">
+        <?php $token->output('conversation_points') ?>
         <table class="table">
             <thead>
             <tr>