Fixes 67 by amending edit phrases JS and adding Repository function for generating CSRF tokens.
drn05r authored and EPrints Services committed Jun 1, 2020
1 parent d7ba01b commit 6968a5690ccd01f6ffe819a5a626ebe3b04c9ed1
Showing 4 changed files with 49 additions and 10 deletions.
@@ -75,7 +75,7 @@ function ep_phraseedit_addphrase( event, base_id )
return false;
}

function ep_phraseedit_save(base_id, phrase)
function ep_phraseedit_save(base_id, phrase, csrf_token='')
{
new Ajax.Request(
eprints_http_cgiroot+"/users/home",
@@ -115,7 +115,8 @@ function ep_phraseedit_save(base_id, phrase)
parameters: {
screen: "Admin::Phrases",
phraseid: base_id,
phrase: phrase
phrase: phrase,
csrf_token: csrf_token
}
}
);
@@ -139,7 +140,7 @@ function ep_phraseedit_enableform(form)
}
}

function ep_phraseedit_edit(div, phrases)
function ep_phraseedit_edit(div, phrases, csrf_token='')
{
var container = div.parentNode;
container.removeChild( div );
@@ -158,6 +159,15 @@ function ep_phraseedit_edit(div, phrases)
form.appendChild( textarea );

var input;
/* CSRF tokem */
if ( csrf_token !== '' )
{
input = document.createElement( 'input' );
input.setAttribute( 'type', 'hidden' );
input.value = csrf_token;
form.appendChild( input );
}

/* save */
input = document.createElement( 'input' );
input.setAttribute( 'type', 'button' );
@@ -166,7 +176,7 @@ function ep_phraseedit_edit(div, phrases)
var form = event.element().parentNode;
ep_phraseedit_disableform(form);
var textarea = form.firstChild;
ep_phraseedit_save(form._base_id, textarea.value);
ep_phraseedit_save(form._base_id, textarea.value, csrf_token);
});
form.appendChild( input );
/* reset */
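Review bot: The hidden input built in the `if ( csrf_token !== '' )` block of ep_phraseedit_edit never receives a `name` attribute, so it would not be serialized with the form; since ep_phraseedit_save already sends the token explicitly as the `csrf_token` Ajax parameter, the block is dead code and can either be dropped or given `input.setAttribute( 'name', 'csrf_token' );` if a real form submission is intended. The comment above it should read `/* CSRF token */`. The default-parameter syntax `csrf_token=''` on ep_phraseedit_save and ep_phraseedit_edit is ES2015; if this Prototype-era code still targets older browsers, the safer equivalent is `csrf_token = csrf_token || '';` as the first statement of each function. ep_phraseedit_edit continues past the end of the hunk.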
@@ -503,7 +503,15 @@ sub render_row
}

# phrase editing widget
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => "ep_phraseedit_edit(this, ep_phraseedit_phrases);" );
if ( defined $session->config( "csrf_token_salt" ) && defined $session->current_user )
{
my $csrf_token = $session->get_csrf_token();
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => "ep_phraseedit_edit(this, ep_phraseedit_phrases, '$csrf_token');" );
}
else
{
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => "ep_phraseedit_edit(this, ep_phraseedit_phrases);" );
}
if( $xml ne $phrase->{xml} )
{
$div->setAttribute( class => "ep_phraseedit_widget ep_phraseedit_ref" );
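Review bot: The token is interpolated unescaped into a JavaScript string inside an HTML `onclick` attribute (`'$csrf_token'`), which is only safe because get_csrf_token currently emits digits, a colon and hex; that invariant should be stated with a comment such as `# token is [0-9]+:[0-9a-f]+, safe to embed in the onclick attribute unescaped` so a later change to the token format does not silently create an attribute-injection path. The two make_element calls differ only in the onclick string, so building the string first and calling make_element once is clearer. The `defined config("csrf_token_salt") && defined current_user` guard is repeated here and in Screen's form; if get_csrf_token returned nothing when either is missing, callers could test the result instead. render_row continues outside the hunk.
```perl
# phrase editing widget
my $onclick = "ep_phraseedit_edit(this, ep_phraseedit_phrases";
if ( defined $session->config( "csrf_token_salt" ) && defined $session->current_user )
{
	# token is [0-9]+:[0-9a-f]+, safe to embed in the onclick attribute unescaped
	$onclick .= ", '" . $session->get_csrf_token() . "'";
}
$onclick .= ");";
$div = $session->make_element( "div", id => "ep_phraseedit_$phraseid", class => "ep_phraseedit_widget", onclick => $onclick );
# … unchanged: ep_phraseedit_ref class handling …
```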
@@ -5777,7 +5777,31 @@ sub flavour_has
}


######################################################################
=pod
=begin InternalDoc
=item $Boolean = $repository->get_csrf_token("")
return a string containg the CSRF token.
=end InternalDoc
=cut
######################################################################


sub get_csrf_token
{
my ($self) = @_;

use Digest::MD5;
my $ctx = Digest::MD5->new;
my $timestamp = time();
$ctx->add( $timestamp, $self->current_user->get_id, $self->config( "csrf_token_salt" ) );
return $timestamp . ":" . $ctx->hexdigest;
}


1;
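Review bot: get_csrf_token derives the token with an unkeyed MD5 over timestamp, user id and salt concatenated by `$ctx->add` with no separator, which makes distinct inputs collide trivially (e.g. timestamp `1591`/id `12` vs `15911`/id `2`) and relies on a secret-suffix hash rather than a MAC; a keyed construction such as core Digest::SHA's `hmac_sha256_hex` with the salt as key and a delimited message is the standard choice, and whichever verification code checks these tokens (not in this diff) must be updated to the same derivation. The method also calls `$self->current_user->get_id` without checking that current_user is defined, so it dies with a method-on-undef error when called outside the guarded call sites. The POD is wrong on three counts: the return is a string not a `$Boolean`, the method takes no argument, and "containg" should be "containing"; `=item $token = $repository->get_csrf_token()` followed by "Return a string of the form timestamp:digest bound to the current user, or nothing if no user is logged in or no csrf_token_salt is configured." would describe it. The `use Digest::MD5;` inside the body is a compile-time pragma anyway and belongs with the other imports at the top of the file (replaced by `use Digest::SHA qw(hmac_sha256_hex);` under the change below).
```perl
sub get_csrf_token
{
	my ($self) = @_;

	my $user = $self->current_user;
	my $salt = $self->config( "csrf_token_salt" );
	# No user or no configured salt: there is nothing to bind the token to.
	return unless defined $user && defined $salt;

	my $timestamp = time();
	# Keyed digest: the salt is the key; fields are joined with an
	# unambiguous separator so distinct inputs cannot collide.
	my $digest = Digest::SHA::hmac_sha256_hex( join( ":", $timestamp, $user->get_id ), $salt );
	return $timestamp . ":" . $digest;
}
```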
@@ -145,15 +145,12 @@ sub form
# Add a CSRF token to the form if a salt has been set and there is a logged in user.
if ( defined $self->{repository}->config( "csrf_token_salt" ) && defined $self->{repository}->current_user )
{
use Digest::MD5;
my $ctx = Digest::MD5->new;
my $timestamp = time();
$ctx->add( $timestamp, $self->{repository}->current_user->get_id, $self->{repository}->config( "csrf_token_salt" ) );
my $csrf_token = $self->{repository}->get_csrf_token();
my $csrf_token_input = $self->{repository}->xml->create_element( "input",
id => "csrf_token",
name => "csrf_token",
type => "hidden",
value => $timestamp . ":" . $ctx->hexdigest,
value => $csrf_token,
);
$form->appendChild( $csrf_token_input );
}
