
Commit b670368

Add CSRF check and remove project_id form value for addUser/addGroup actions
1 parent f9260b7 commit b670368


3 files changed

+5
-3
lines changed


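--- a/app/Controller/ProjectPermissionController.php
+++ b/app/Controller/ProjectPermissionController.php
@@ -66,6 +66,8 @@ public function index(array $values = array(), array $errors = array())
 */
 public function addUser()
 {
+$this->checkCSRFForm();
+
 $project = $this->getProject();
 $values = $this->request->getValues();
 
@@ -75,7 +77,7 @@ public function addUser()
 
 if (empty($values['user_id'])) {
 $this->flash->failure(t('User not found.'));
-} elseif ($this->projectUserRoleModel->addUser($values['project_id'], $values['user_id'], $values['role'])) {
+} elseif ($this->projectUserRoleModel->addUser($project['id'], $values['user_id'], $values['role'])) {
 $this->flash->success(t('Project updated successfully.'));
 } else {
 $this->flash->failure(t('Unable to update this project.'));
@@ -144,6 +146,8 @@ public function changeUserRole()
 */
 public function addGroup()
 {
+$this->checkCSRFForm();
+
 $project = $this->getProject();
 $values = $this->request->getValues();
 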
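Review bot: The addGroup hunk adds only the CSRF check, yet the hidden `project_id` field is dropped from groups.php in this same commit; if the remainder of addGroup (outside this hunk) still passes `$values['project_id']` to the model, that argument will now be empty, so it should use `$project['id']` exactly as addUser now does on new line 80. In addUser, `$values['role']` is still taken straight from the request with no check that the key exists or that the value is one of the roles the project accepts; unless projectUserRoleModel->addUser validates it, anyone who can reach this form could submit an arbitrary role string, and a missing key raises an undefined-index notice, so a guard such as `if (empty($values['user_id']) || empty($values['role'])) { ... }` or an allow-list check before the model call would close that. Both the addUser and addGroup bodies continue outside their hunks, so this is inferred from the visible lines only.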
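--- a/app/Template/project_permission/groups.php
+++ b/app/Template/project_permission/groups.php
@@ -37,7 +37,6 @@
 <div class="panel">
 <form method="post" action="<?= $this->url->href('ProjectPermissionController', 'addGroup', array('project_id' => $project['id'])) ?>" autocomplete="off" class="form-inline">
 <?= $this->form->csrf() ?>
-<?= $this->form->hidden('project_id', array('project_id' => $project['id'])) ?>
 <?= $this->form->hidden('group_id', $values) ?>
 <?= $this->form->hidden('external_id', $values) ?>
 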
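--- a/app/Template/project_permission/users.php
+++ b/app/Template/project_permission/users.php
@@ -35,7 +35,6 @@
 <div class="panel">
 <form method="post" action="<?= $this->url->href('ProjectPermissionController', 'addUser', array('project_id' => $project['id'])) ?>" autocomplete="off" class="form-inline">
 <?= $this->form->csrf() ?>
-<?= $this->form->hidden('project_id', array('project_id' => $project['id'])) ?>
 <?= $this->form->hidden('user_id', $values) ?>
 <?= $this->form->hidden('username', $values) ?>
 <?= $this->form->hidden('external_id', $values) ?>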
