Fixed issue #19142: [security] CSRF in Save Box Settings (#3516)

Co-authored-by: Lapiu Dev <devgit@lapiu.biz>
LimeSurvey · Oct 9, 2023 · ffb66e3 · ffb66e3
1 parent a738d14
commit ffb66e3
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/application/controllers/HomepageSettingsController.php b/application/controllers/HomepageSettingsController.php
@@ -33,7 +33,7 @@ public function accessRules()
     public function filters()
     {
         return [
-            'postOnly + resetAllBoxes', // Only allow resetAllBoxes via POST request
+            'postOnly + resetAllBoxes, updateBoxesSettings', // Only allow resetAllBoxes via POST request
         ];
     }
 

diff --git a/assets/scripts/admin/homepagesettings.js b/assets/scripts/admin/homepagesettings.js
@@ -116,7 +116,8 @@ $(document).on('ready  pjax:scriptcomplete', function(){
         $errorMessage = $('#boxeserrormessage').data('ajaxerrormessage');
         $.ajax({
             url : $url+'/boxesbyrow/'+$iBoxesByRow+'/boxesoffset/'+$iBoxesOffset,
-            type : 'GET',
+            method: "POST",
+            data: "",
             dataType : 'html',
             // html contains the buttons
             success : function(html, statut){