LPS-127977 Add p_auth token check to Terms of Use page
jesseyeh-liferay authored and brianchandotcom committed Feb 18, 2021
1 parent bc070d0 commit 1295dcd
Showing 3 changed files with 6 additions and 0 deletions.
Expand Up @@ -14,6 +14,7 @@

package com.liferay.portal.action;

import com.liferay.portal.kernel.security.auth.AuthTokenUtil;
import com.liferay.portal.kernel.service.UserServiceUtil;
import com.liferay.portal.kernel.util.PortalUtil;
import com.liferay.portal.struts.Action;
Expand All @@ -35,6 +36,9 @@ public ActionForward execute(
HttpServletResponse httpServletResponse)
throws Exception {

AuthTokenUtil.checkCSRFToken(
httpServletRequest, UpdateTermsOfUseAction.class.getName());

UserServiceUtil.updateAgreedToTermsOfUse(
PortalUtil.getUserId(httpServletRequest), true);
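Review bot: No test accompanies the new check: the commit touches only the action, the properties sample and the JSP, so nothing here shows that a submission lacking a valid `p_auth` is refused before `UserServiceUtil.updateAgreedToTermsOfUse(...)` runs. Placing `AuthTokenUtil.checkCSRFToken(...)` first in `execute` is the right order, and a one-line comment such as `// Verify p_auth before recording agreement; keep this ahead of any state change` would stop a later edit from moving it. A failed check presumably leaves `execute` through its `throws Exception` clause, so how the rejection is shown to the user is decided outside this hunk. The body of `execute` starts and continues beyond the visible lines.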

1 change: 1 addition & 0 deletions portal-impl/src/portal.properties
Expand Up @@ -3955,6 +3955,7 @@
#auth.token.ignore.origins=\
# com.liferay.portal.action.JSONServiceAction:com.liferay.portlet.expando.service.ExpandoValueServiceUtil#getJSONData,\
# com.liferay.portal.action.LoginAction,\
# com.liferay.portal.action.UpdateTermsOfUseAction,\
# com.liferay.portal.jsonwebservice.JSONWebServiceServiceAction:/classname/,\
# com.liferay.portal.jsonwebservice.JSONWebServiceServiceAction:/user/get-user-by-email-address,\
# com.liferay.portlet.asset.action.GetCategoriesAction,\
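Review bot: The sample entry added here, `com.liferay.portal.action.UpdateTermsOfUseAction`, is the same origin string the action now passes to `checkCSRFToken`, so an operator who uncomments this `auth.token.ignore.origins` list wholesale would presumably switch the new terms-of-use check off again. The list is commented out in this hunk, so the shipped default is not shown to change. The property's description is outside the hunk; if it does not already say so, a line such as `# Each origin listed here skips the p_auth check; enable entries individually.` above the sample would make that trade-off visible.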
1 change: 1 addition & 0 deletions portal-web/docroot/html/portal/terms_of_use.jsp
Expand Up @@ -46,6 +46,7 @@ TermsOfUseContentProvider termsOfUseContentProvider = TermsOfUseContentProviderU
<aui:form action='<%= themeDisplay.getPathMain() + "/portal/update_terms_of_use" %>' name="fm">
<aui:input name="doAsUserId" type="hidden" value="<%= themeDisplay.getDoAsUserId() %>" />
<aui:input name="<%= WebKeys.REFERER %>" type="hidden" value="<%= referer %>" />
<aui:input name="p_auth" type="hidden" value="<%= AuthTokenUtil.getToken(request) %>" />

<div class="sheet-text">
<c:choose>
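Review bot: The added `p_auth` input calls `AuthTokenUtil.getToken(request)`, but the section adds no page import, so `com.liferay.portal.kernel.security.auth.AuthTokenUtil` has to be in scope already through this JSP's directives or a shared include, which are outside the hunk; worth confirming, since a missing import only shows up when the page is compiled. Any overriding or custom terms-of-use page that posts to `/portal/update_terms_of_use` will also need this field once the action enforces the token, otherwise users of that page cannot record their agreement. A JSP comment beside the input, for example `<%-- p_auth is verified by UpdateTermsOfUseAction --%>`, would tie the field to the server-side check.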
