
* [Security/CSRF] Fixed a medium risk CSRF (cross-site request forgery) vulnerability reported by High-Tech Bridge (HTB23269). We don't have any evidence of this having taken place in the wild, but we were able to reproduce the results with the proof-of-concept in the advisory. A logged in worker could be tricked into visiting a URL that could perform certain actions in their browser session. Cerb now uses the Synchronizer pattern: a session-based token included with every HTML FORM and Ajax request that is compared to the active session. This verifies that such requests are coming from an existing Cerb page rather than an external source. When a potential CSRF attack is detected, the event is now logged in the PHP log as a warning.
jstanden committed Aug 13, 2015
1 parent f911b25 commit 12de87ff9961a4f3ad2946c8f47dd0c260607144
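
The synchronizer pattern named in the commit message, as an added PHP illustration that is not Cerb's code and not part of this commit. The function names, the `X-CSRF-Token` header for Ajax and the sample requests are assumptions made for the example; only the `csrf_token` session key and the `_csrf_token` field name come from the diff.

```php
<?php
// Added illustration of the synchronizer token pattern; not Cerb's code.
// Function names and the X-CSRF-Token header are assumptions of this sketch.

/** Create the per-session token once, when the session is authenticated. */
function csrf_issue_token(array &$session): string
{
    // random_bytes() is a CSPRNG (PHP 7+); 32 bytes become 64 hex characters.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/**
 * Compare the token submitted with a request against the session copy.
 * $params is the submitted form input, $headers the request headers.
 */
function csrf_verify(array $session, array $params, array $headers = []): bool
{
    $expected = $session['csrf_token'] ?? '';
    // Forms send the hidden _csrf_token field; Ajax may send a header instead.
    $given = $params['_csrf_token'] ?? ($headers['X-CSRF-Token'] ?? '');

    // "_csrf_token[]=x" arrives as an array, and a session created without a
    // token has nothing to compare against: treat both as a failed check so
    // an empty value can never match an empty value.
    if (!is_string($expected) || !is_string($given) || $expected === '' || $given === '') {
        return false;
    }

    // hash_equals() compares in constant time.
    return hash_equals($expected, $given);
}

/** Gate a request: write a warning to the PHP log and refuse on mismatch. */
function csrf_guard(array $session, string $method, string $uri, array $params, array $headers = []): bool
{
    if (csrf_verify($session, $params, $headers)) {
        return true;
    }

    // The method and URI are request-controlled: strip control characters so
    // they cannot forge extra log lines. The token itself is never logged.
    $where = preg_replace('/[\x00-\x1F\x7F]/', '', $method . ' ' . $uri);
    trigger_error('Possible CSRF: ' . $where . ' carried no valid token', E_USER_WARNING);
    return false;
}

// --- Constructed sample requests (not taken from the page) ---
$session = [];
$token = csrf_issue_token($session);

$cases = [
    // A form rendered by the application carries the session's token.
    'same-origin form' => [['action' => 'saveRole', '_csrf_token' => $token], []],
    // A form on another origin cannot read the token, so the field is absent.
    'cross-site form' => [['action' => 'saveRole'], []],
    // A guessed value of the right shape but the wrong content.
    'wrong token' => [['action' => 'saveRole', '_csrf_token' => str_repeat('0', 64)], []],
    // Array-typed field, as produced by "_csrf_token[]=...".
    'array-typed field' => [['action' => 'saveRole', '_csrf_token' => [$token]], []],
    // An Ajax request that sends the token in a header (assumed header name).
    'ajax with header' => [['action' => 'saveJson'], ['X-CSRF-Token' => $token]],
];

foreach ($cases as $label => [$params, $headers]) {
    $ok = csrf_guard($session, 'POST', '/config/handleSectionAction', $params, $headers);
    printf("%-18s %s\n", $label, $ok ? 'accepted' : 'refused');
}
```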
Showing with 308 additions and 17 deletions.
  1. +3 −0 features/cerberusweb.core/api/uri/login.php
  2. +1 −0 features/cerberusweb.core/templates/configuration/section/acl/edit_role.tpl
  3. +1 −0 features/cerberusweb.core/templates/configuration/section/branding/index.tpl
  4. +1 −0 features/cerberusweb.core/templates/configuration/section/cache/peek.tpl
  5. +1 −0 features/cerberusweb.core/templates/configuration/section/license/index.tpl
  6. +1 −0 features/cerberusweb.core/templates/configuration/section/localization/index.tpl
  7. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_failed/peek.tpl
  8. +2 −0 features/cerberusweb.core/templates/configuration/section/mail_failed/view.tpl
  9. +3 −1 features/cerberusweb.core/templates/configuration/section/mail_filtering/index.tpl
  10. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_from/index.tpl
  11. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_from/peek.tpl
  12. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_html/peek.tpl
  13. +2 −0 features/cerberusweb.core/templates/configuration/section/mail_html/view.tpl
  14. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_import/index.tpl
  15. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_incoming/index.tpl
  16. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_relay/index.tpl
  17. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_routing/index.tpl
  18. +1 −0 features/cerberusweb.core/templates/configuration/section/mail_routing/peek.tpl
  19. +1 −8 features/cerberusweb.core/templates/configuration/section/plugin_library/download_popup.tpl
  20. +2 −0 features/cerberusweb.core/templates/configuration/section/plugin_library/view.tpl
  21. +1 −0 features/cerberusweb.core/templates/configuration/section/plugins/popup.tpl
  22. +2 −0 features/cerberusweb.core/templates/configuration/section/plugins/view.tpl
  23. +1 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/settings/index.tpl
  24. +1 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/add.tpl
  25. +1 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/bulk.tpl
  26. +1 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/export.tpl
  27. +1 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/import.tpl
  28. +1 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/peek.tpl
  29. +2 −0 features/cerberusweb.core/templates/configuration/section/portal/tabs/templates/view.tpl
  30. +1 −0 features/cerberusweb.core/templates/configuration/section/portals/add.tpl
  31. +2 −0 features/cerberusweb.core/templates/configuration/section/portals/view.tpl
  32. +1 −0 features/cerberusweb.core/templates/configuration/section/scheduler/job_edit.tpl
  33. +1 −0 features/cerberusweb.core/templates/configuration/section/search/peek.tpl
  34. +1 −0 features/cerberusweb.core/templates/configuration/section/security/index.tpl
  35. +1 −0 features/cerberusweb.core/templates/configuration/section/sessions/bulk.tpl
  36. +2 −0 features/cerberusweb.core/templates/configuration/section/sessions/view.tpl
  37. +1 −0 features/cerberusweb.core/templates/configuration/section/storage_attachments/bulk.tpl
  38. +2 −0 features/cerberusweb.core/templates/configuration/section/storage_attachments/view.tpl
  39. +1 −0 features/cerberusweb.core/templates/configuration/section/storage_content/index.tpl
  40. +1 −0 features/cerberusweb.core/templates/configuration/section/storage_content/peek.tpl
  41. +1 −0 features/cerberusweb.core/templates/configuration/section/storage_profiles/peek.tpl
  42. +2 −0 features/cerberusweb.core/templates/configuration/section/storage_profiles/view.tpl
  43. +1 −0 features/cerberusweb.core/templates/configuration/section/workers/bulk.tpl
  44. +1 −0 features/cerberusweb.core/templates/configuration/section/workers/peek.tpl
  45. +1 −0 features/cerberusweb.core/templates/contacts/addresses/bulk.tpl
  46. +1 −0 features/cerberusweb.core/templates/contacts/addresses/peek.tpl
  47. +2 −0 features/cerberusweb.core/templates/contacts/addresses/view.tpl
  48. +1 −0 features/cerberusweb.core/templates/contacts/orgs/bulk.tpl
  49. +1 −0 features/cerberusweb.core/templates/contacts/orgs/org_merge_continue_peek.tpl
  50. +1 −0 features/cerberusweb.core/templates/contacts/orgs/org_merge_peek.tpl
  51. +1 −0 features/cerberusweb.core/templates/contacts/orgs/peek.tpl
  52. +2 −0 features/cerberusweb.core/templates/contacts/orgs/view.tpl
  53. +1 −0 features/cerberusweb.core/templates/contacts/people/bulk.tpl
  54. +1 −0 features/cerberusweb.core/templates/contacts/people/peek.tpl
  55. +2 −0 features/cerberusweb.core/templates/contacts/people/view.tpl
  56. +1 −0 features/cerberusweb.core/templates/context_links/choosers/__file.tpl
  57. +1 −0 features/cerberusweb.core/templates/context_links/choosers/__generic.tpl
  58. +1 −0 features/cerberusweb.core/templates/display/modules/conversation/message.tpl
  59. +2 −0 features/cerberusweb.core/templates/display/modules/history/index.tpl
  60. +1 −0 features/cerberusweb.core/templates/display/rpc/add_note.tpl
  61. +1 −0 features/cerberusweb.core/templates/display/rpc/merge_panel.tpl
  62. +1 −0 features/cerberusweb.core/templates/display/rpc/relay_message.tpl
  63. +2 −0 features/cerberusweb.core/templates/display/rpc/reply.tpl
  64. +1 −0 features/cerberusweb.core/templates/display/rpc/requester_panel.tpl
  65. +1 −0 features/cerberusweb.core/templates/groups/peek.tpl
  66. +2 −0 features/cerberusweb.core/templates/groups/view.tpl
  67. +1 −0 features/cerberusweb.core/templates/header.tpl
  68. +2 −0 features/cerberusweb.core/templates/internal/activity_log/view.tpl
  69. +1 −0 features/cerberusweb.core/templates/internal/bucket/peek.tpl
  70. +2 −0 features/cerberusweb.core/templates/internal/bucket/view.tpl
  71. +1 −0 features/cerberusweb.core/templates/internal/calendar/peek.tpl
  72. +3 −1 features/cerberusweb.core/templates/internal/calendar/tab_availability.tpl
  73. +2 −0 features/cerberusweb.core/templates/internal/calendar/view.tpl
  74. +1 −0 features/cerberusweb.core/templates/internal/calendar_event/peek.tpl
  75. +2 −0 features/cerberusweb.core/templates/internal/calendar_event/view.tpl
  76. +1 −0 features/cerberusweb.core/templates/internal/calendar_recurring_profile/peek.tpl
  77. +2 −0 features/cerberusweb.core/templates/internal/calendar_recurring_profile/view.tpl
  78. +1 −0 features/cerberusweb.core/templates/internal/comments/peek.tpl
  79. +2 −0 features/cerberusweb.core/templates/internal/comments/view.tpl
  80. +1 −0 features/cerberusweb.core/templates/internal/custom_fieldsets/peek.tpl
  81. +2 −0 features/cerberusweb.core/templates/internal/custom_fieldsets/view.tpl
  82. +1 −0 features/cerberusweb.core/templates/internal/decisions/editors/_move.tpl
  83. +1 −0 features/cerberusweb.core/templates/internal/decisions/editors/_reorder.tpl
  84. +3 −0 features/cerberusweb.core/templates/internal/decisions/editors/action.tpl
  85. +3 −0 features/cerberusweb.core/templates/internal/decisions/editors/outcome.tpl
  86. +1 −0 features/cerberusweb.core/templates/internal/decisions/editors/simulate.tpl
  87. +1 −0 features/cerberusweb.core/templates/internal/decisions/editors/switch.tpl
  88. +2 −0 features/cerberusweb.core/templates/internal/decisions/editors/trigger.tpl
  89. +1 −0 features/cerberusweb.core/templates/internal/file_bundle/peek.tpl
  90. +2 −0 features/cerberusweb.core/templates/internal/file_bundle/view.tpl
  91. +1 −0 features/cerberusweb.core/templates/internal/import/popup_mapping.tpl
  92. +1 −0 features/cerberusweb.core/templates/internal/import/popup_upload.tpl
  93. +1 −0 features/cerberusweb.core/templates/internal/macros/display/scheduler_popup.tpl
  94. +1 −0 features/cerberusweb.core/templates/internal/macros/reply/run_popup.tpl
  95. +1 −0 features/cerberusweb.core/templates/internal/mail_transport/peek.tpl
  96. +2 −0 features/cerberusweb.core/templates/internal/mail_transport/view.tpl
  97. +1 −0 features/cerberusweb.core/templates/internal/mailbox/peek.tpl
  98. +2 −0 features/cerberusweb.core/templates/internal/mailbox/view.tpl
  99. +1 −0 features/cerberusweb.core/templates/internal/messages/peek.tpl
  100. +1 −0 features/cerberusweb.core/templates/internal/recommendations/context_recommend_peek.tpl
  101. +1 −0 features/cerberusweb.core/templates/internal/responsibilities/peek_by_group_editable.tpl
  102. +1 −0 features/cerberusweb.core/templates/internal/skills/peek.tpl
  103. +2 −0 features/cerberusweb.core/templates/internal/skills/view.tpl
  104. +1 −0 features/cerberusweb.core/templates/internal/skillsets/chooser_popup.tpl
  105. +1 −0 features/cerberusweb.core/templates/internal/skillsets/peek.tpl
  106. +1 −0 features/cerberusweb.core/templates/internal/skillsets/tab_editable.tpl
  107. +2 −0 features/cerberusweb.core/templates/internal/skillsets/view.tpl
  108. +1 −0 features/cerberusweb.core/templates/internal/snippets/bulk.tpl
  109. +1 −0 features/cerberusweb.core/templates/internal/snippets/paste_placeholders.tpl
  110. +1 −0 features/cerberusweb.core/templates/internal/snippets/peek.tpl
  111. +2 −0 features/cerberusweb.core/templates/internal/snippets/views/default.tpl
  112. +1 −0 features/cerberusweb.core/templates/internal/tour/banner.tpl
  113. +1 −0 features/cerberusweb.core/templates/internal/va/peek.tpl
  114. +2 −0 features/cerberusweb.core/templates/internal/va/scheduled_behavior/view.tpl
  115. +2 −0 features/cerberusweb.core/templates/internal/va/view.tpl
  116. +1 −0 features/cerberusweb.core/templates/internal/views/copy.tpl
  117. +1 −0 features/cerberusweb.core/templates/internal/views/search_and_view.tpl
  118. +1 −0 features/cerberusweb.core/templates/internal/views/view_export.tpl
  119. +1 −0 features/cerberusweb.core/templates/internal/watchers/context_follow_peek.tpl
  120. +2 −0 features/cerberusweb.core/templates/internal/workspaces/tabs/calendar/tab.tpl
  121. +1 −0 features/cerberusweb.core/templates/internal/workspaces/tabs/worklists/tab.tpl
  122. +2 −0 features/cerberusweb.core/templates/internal/workspaces/widgets/add.tpl
  123. +2 −0 features/cerberusweb.core/templates/internal/workspaces/widgets/calendar/calendar.tpl
  124. +1 −0 features/cerberusweb.core/templates/internal/workspaces/widgets/export.tpl
  125. +1 −0 features/cerberusweb.core/templates/internal/workspaces/widgets/export_data.tpl
  126. +1 −0 features/cerberusweb.core/templates/internal/workspaces/widgets/peek.tpl
  127. +1 −0 features/cerberusweb.core/templates/mail/queue/bulk.tpl
  128. +1 −0 features/cerberusweb.core/templates/mail/queue/peek.tpl
  129. +2 −0 features/cerberusweb.core/templates/mail/queue/view.tpl
  130. +1 −0 features/cerberusweb.core/templates/mail/section/compose/peek.tpl
  131. +2 −0 features/cerberusweb.core/templates/messages/view.tpl
  132. +2 −0 features/cerberusweb.core/templates/pages/add_tabs.tpl
  133. +2 −0 features/cerberusweb.core/templates/pages/edit_workspace_page.tpl
  134. +1 −0 features/cerberusweb.core/templates/pages/edit_workspace_tab.tpl
  135. +1 −0 features/cerberusweb.core/templates/pages/page.tpl
  136. +2 −0 features/cerberusweb.core/templates/pages/view.tpl
  137. +1 −0 features/cerberusweb.core/templates/pages/wizard_popup.tpl
  138. +2 −0 features/cerberusweb.core/templates/preferences/modules/general.tpl
  139. +1 −0 features/cerberusweb.core/templates/preferences/modules/security.tpl
  140. +1 −0 features/cerberusweb.core/templates/preferences/tabs/notifications/bulk.tpl
  141. +2 −0 features/cerberusweb.core/templates/preferences/tabs/notifications/view.tpl
  142. +1 −0 features/cerberusweb.core/templates/preferences/tabs/watcher/index.tpl
  143. +1 −0 features/cerberusweb.core/templates/search/quick_search.tpl
  144. +1 −0 features/cerberusweb.core/templates/tasks/rpc/bulk.tpl
  145. +1 −0 features/cerberusweb.core/templates/tasks/rpc/peek.tpl
  146. +2 −0 features/cerberusweb.core/templates/tasks/view.tpl
  147. +1 −0 features/cerberusweb.core/templates/tickets/ajax/merge_confirm.tpl
  148. +1 −0 features/cerberusweb.core/templates/tickets/peek.tpl
  149. +1 −0 features/cerberusweb.core/templates/tickets/rpc/bulk.tpl
  150. +1 −0 features/cerberusweb.core/templates/tickets/rpc/ticket_view_assist.tpl
  151. +1 −0 features/cerberusweb.core/templates/tickets/rpc/ticket_view_assist_headers.tpl
  152. +2 −0 features/cerberusweb.core/templates/tickets/view.tpl
  153. +2 −0 features/cerberusweb.core/templates/workers/view.tpl
  154. +1 −0 features/cerberusweb.crm/templates/crm/opps/bulk.tpl
  155. +1 −0 features/cerberusweb.crm/templates/crm/opps/peek.tpl
  156. +2 −0 features/cerberusweb.crm/templates/crm/opps/view.tpl
  157. +1 −0 features/cerberusweb.feedback/templates/feedback/ajax/peek.tpl
  158. +1 −0 features/cerberusweb.feedback/templates/feedback/bulk.tpl
  159. +1 −0 features/cerberusweb.feedback/templates/feedback/view.tpl
  160. +1 −0 features/cerberusweb.kb/templates/kb/ajax/category_edit_panel.tpl
  161. +1 −0 features/cerberusweb.kb/templates/kb/bulk.tpl
  162. +1 −0 features/cerberusweb.kb/templates/kb/peek_edit.tpl
  163. +1 −0 features/cerberusweb.kb/templates/kb/peek_readonly.tpl
  164. +1 −0 features/cerberusweb.kb/templates/kb/tabs/articles/index.tpl
  165. +2 −0 features/cerberusweb.kb/templates/kb/view.tpl
  166. +1 −0 features/cerberusweb.reports/templates/reports/custom_fields/usage/index.tpl
  167. +1 −0 features/cerberusweb.reports/templates/reports/group/group_replies/index.tpl
  168. +1 −0 features/cerberusweb.reports/templates/reports/snippets/snippet_popularity/index.tpl
  169. +1 −0 features/cerberusweb.reports/templates/reports/ticket/closed_tickets/index.tpl
  170. +1 −0 features/cerberusweb.reports/templates/reports/ticket/new_tickets/index.tpl
  171. +1 −0 features/cerberusweb.reports/templates/reports/ticket/top_contacts_tickets/index.tpl
  172. +1 −0 features/cerberusweb.reports/templates/reports/va/va_usage/index.tpl
  173. +1 −0 features/cerberusweb.reports/templates/reports/worker/average_response_time/index.tpl
  174. +1 −0 features/cerberusweb.reports/templates/reports/worker/worker_history/index.tpl
  175. +1 −0 features/cerberusweb.restapi/templates/peek.tpl
  176. +2 −0 features/cerberusweb.restapi/templates/view.tpl
  177. +3 −0 features/cerberusweb.simulator/templates/setup/section.tpl
  178. +1 −0 features/cerberusweb.timetracking/templates/config/activities/edit_activity.tpl
  179. +1 −0 features/cerberusweb.timetracking/templates/config/activities/index.tpl
  180. +1 −0 features/cerberusweb.timetracking/templates/reports/time_spent_activity/index.tpl
  181. +1 −0 features/cerberusweb.timetracking/templates/reports/time_spent_org/index.tpl
  182. +1 −0 features/cerberusweb.timetracking/templates/reports/time_spent_worker/index.tpl
  183. +1 −0 features/cerberusweb.translators/templates/config/ajax/add_language_panel.tpl
  184. +1 −0 features/cerberusweb.translators/templates/config/ajax/find_strings_panel.tpl
  185. +1 −0 features/cerberusweb.translators/templates/config/ajax/import_strings_panel.tpl
  186. +1 −0 features/cerberusweb.translators/templates/config/section/view.tpl
  187. +3 −0 install/extras/sdk/devblocks-dao.php
  188. +1 −0 install/extras/sdk/examples/example.object/templates/example_object/bulk.tpl
  189. +1 −0 install/extras/sdk/examples/example.object/templates/example_object/peek.tpl
  190. +2 −0 install/extras/sdk/examples/example.object/templates/example_object/view.tpl
  191. +1 −0 install/extras/sdk/examples/example.report/templates/reports/example.tpl
  192. +27 −1 libs/devblocks/api/Engine.php
  193. +5 −1 libs/devblocks/api/Extension.php
  194. +5 −0 libs/devblocks/api/services/template.php
  195. +3 −0 libs/devblocks/framework.defaults.php
  196. +15 −5 libs/devblocks/resources/js/devblocks.js
@@ -304,6 +304,9 @@ private function _processAuthenticated($worker) { /* @var $worker Model_Worker *
$session->setVisit($visit);
// Generate a CSRF token for the session
$_SESSION['csrf_token'] = CerberusApplication::generatePassword(256);
if(isset($_SESSION['login_post_url'])) {
$redirect_path = explode('/', $_SESSION['login_post_url']);
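Review bot: `CerberusApplication::generatePassword(256)` is the only source of this token's unpredictability, and the hunk does not show what that helper draws from. If it is built on `rand()` or `mt_rand()`, generate the token from a CSPRNG such as `openssl_random_pseudo_bytes()` instead. This is also the only assignment of `$_SESSION['csrf_token']` visible on this page, so confirm that any session which does not pass through `_processAuthenticated()` is handled, and that the server-side check refuses an empty token rather than comparing empty to empty.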
@@ -4,6 +4,7 @@
<input type="hidden" name="action" value="saveRole">
<input type="hidden" name="id" value="{if !empty($role->id)}{$role->id}{else}0{/if}">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

{if $saved}
<div class="ui-widget">
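Review bot: the hidden `_csrf_token` input added here is pasted by hand into each form template in this commit, so a form added later can silently omit it. Consider emitting the field from one shared partial or Smarty helper, and apply `|escape` to `{$session.csrf_token}` so the attribute stays well-formed if the token alphabet ever changes.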
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="branding">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>Settings</legend>
@@ -3,6 +3,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="cache">
<input type="hidden" name="action" value="saveCachePeek">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

{foreach from=$engines item=engine key=engine_id}
<fieldset class="peek" style="margin-bottom:0;">
@@ -28,6 +28,7 @@
<input type="hidden" name="section" value="license">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>Update License</legend>
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="localization">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>Date &amp; Time</legend>
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="savePeekPopup">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>storage/mail/fail/{$filename}:</b>
<div>
@@ -28,6 +28,8 @@
<input type="hidden" name="section" value="mail_failed">
<input type="hidden" name="action" value="">
<input type="hidden" name="explore_from" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -11,11 +11,13 @@
{/foreach}

{if !$has_atleast_one}
<form action="{devblocks_url}{/devblocks_url}">
<form action="{devblocks_url}{/devblocks_url}" method="POST">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="mail_filtering">
<input type="hidden" name="action" value="createDefaultVa">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<div class="help-box" style="padding:5px;border:0;">
<h1 style="margin-bottom:5px;text-align:left;">Create a global Virtual Attendant</h1>

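Review bot: confirm that the `createDefaultVa` handler now refuses GET, because the `<form>` in this hunk had no `method` before the change and the old query-string form of the request may still be accepted. Adding `method="POST"` is the right move, since it keeps `_csrf_token` out of URLs, browser history and Referer headers; the other forms touched by this commit are worth checking for the same missing attribute.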
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="mail_from">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<div style="margin-bottom:10px;">
<button type="button" onclick="genericAjaxPopup('peek','c=config&a=handleSectionAction&section=mail_from&action=peek&id=0',null,false,'550');"><span class="glyphicons glyphicons-circle-plus" style="color:rgb(0,180,0);"></span> {'common.add'|devblocks_translate|capitalize}</button>
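Review bot: the `genericAjaxPopup('peek','c=config&a=handleSectionAction&section=mail_from&action=peek&id=0',...)` call in the trailing context line builds its request string inline and carries no `_csrf_token`. Confirm that the `devblocks.js` change in this commit appends the token to requests made this way, or that read-only `peek` actions are deliberately exempt from the check.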
@@ -4,6 +4,7 @@
<input type="hidden" name="section" value="mail_from">
<input type="hidden" name="action" value="savePeek">
<input type="hidden" name="id" value="{$address->address_id}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset class="peek">
<legend>Send worker replies as:</legend>
@@ -6,6 +6,7 @@
<input type="hidden" name="view_id" value="{$view_id}">
{if !empty($model) && !empty($model->id)}<input type="hidden" name="id" value="{$model->id}">{/if}
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<div id="mailTemplateTabs">
<ul>
@@ -33,6 +33,8 @@
<input type="hidden" name="section" value="html_template">
<input type="hidden" name="action" value="">
<input type="hidden" name="explore_from" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="5" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="mail_import">
<input type="hidden" name="action" value="parseMessageJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Paste a message source:</b>
<div>
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="mail_incoming">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>{'common.settings'|devblocks_translate|capitalize}</legend>
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="mail_relay">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<p>
The email relay enables workers to respond to messages from external mail applications (e.g. Gmail, mobile phones, Outlook, etc) instead of always requiring them to use Cerb in the web browser.
@@ -12,6 +12,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="mail_routing">
<input type="hidden" name="action" value="saveRouting">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Which group should receive any unrouted new mail?</b><br>
<select name="default_group_id">
@@ -4,6 +4,7 @@
<input type="hidden" name="section" value="mail_routing">
<input type="hidden" name="action" value="saveMailRoutingRuleAdd">
<input type="hidden" name="id" value="{$rule->id}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Rule Name:</b> (e.g. ProductX Support)<br>
<input type="text" name="name" value="{$rule->name}" size="45" style="width:95%;"><br>
@@ -1,12 +1,5 @@
<form action="{devblocks_url}{/devblocks_url}" method="POST" id="frmCerb6PluginDownload">
{*
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="plugin_library">
<input type="hidden" name="action" value="saveDownloadPopup">
<input type="hidden" name="plugin_id" value="{$plugin->id}">
<input type="hidden" name="view_id" value="{$view_id}">
*}
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>{$plugin->name}</b><br>
<br>
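Review bot: with the `{* ... *}` block deleted, this form's only hidden field is `_csrf_token`, and nothing in the markup names the `c`, `a`, `section` or `action` it submits to. If those parameters are supplied by script, a short template comment saying so would help the next reader. The dead-code removal is also unrelated to the CSRF fix and would be easier to review as its own commit.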
@@ -26,6 +26,8 @@
<input type="hidden" name="context_id" value="">
<input type="hidden" name="id" value="{$view->id}">
<input type="hidden" name="explore_from" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -6,6 +6,7 @@
<input type="hidden" name="plugin_id" value="{$plugin->id}">
<input type="hidden" name="view_id" value="{$view_id}">
{if $is_uninstallable}<input type="hidden" name="uninstall" value="0">{/if}
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<div>
<b>{'common.status'|devblocks_translate|capitalize}:</b>
@@ -26,6 +26,8 @@
<input type="hidden" name="context_id" value="">
<input type="hidden" name="id" value="{$view->id}">
<input type="hidden" name="explore_from" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="saveTabSettings">
<input type="hidden" name="portal" value="{$instance->code}">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Portal Name:</b> ("Support Portal", "Contact Form", "ProductX FAQ")<br>
<input type="text" name="portal_name" value="{if !empty($instance->name)}{$instance->name}{else}{$instance->manifest->name}{/if}" size="65"><br>
@@ -7,6 +7,7 @@
<input type="hidden" name="action" value="saveAddTemplatePeek">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="portal" value="{$portal}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Template:</b><br>
<select name="template">
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="doTemplatesBulkUpdate">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="ids" value="{$ids}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="saveExportTemplatesPeek">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="portal" value="{$portal}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Filename:</b> (.xml)<br>
<input type="text" name="filename" size="45" value="cerb_portal_templates_{$smarty.const.APP_BUILD}.xml"><br>
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="saveImportTemplatesPeek">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="portal" value="{$portal}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Import File:</b> (.xml)<br>
<input type="file" name="import_file" size="45"><br>
@@ -6,6 +6,7 @@
<input type="hidden" name="id" value="{$template->id}">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>{$template->path}:</b><br>
<textarea name="content" wrap="off" style="height:300px;width:98%;">{$template->content}</textarea><br>
@@ -20,6 +20,8 @@
<input type="hidden" name="view_id" value="{$view->id}">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -4,6 +4,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="portals">
<input type="hidden" name="action" value="saveAddPortalPeek">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>Portal Name:</b> ("Support Portal", "Contact Form", "ProductX FAQ")<br>
<input type="text" name="name" value="" style="width:98%;" autofocus="true"><br>
@@ -21,6 +21,8 @@
<input type="hidden" name="view_id" value="{$view->id}">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -14,6 +14,7 @@
<input type="hidden" name="section" value="scheduler">
<input type="hidden" name="action" value="saveJobJson">
<input type="hidden" name="id" value="{$job->manifest->id}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<label><input type="checkbox" name="enabled" value="1" {if $enabled}checked{/if}> <b>Enabled</b></label>

@@ -4,6 +4,7 @@
<input type="hidden" name="section" value="search">
<input type="hidden" name="action" value="saveSearchSchemaPeek">
<input type="hidden" name="schema_extension_id" value="{$schema->id}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

{foreach from=$search_engines item=engine key=engine_id}
<fieldset class="peek">
@@ -5,6 +5,7 @@
<input type="hidden" name="a" value="handleSectionAction">
<input type="hidden" name="section" value="security">
<input type="hidden" name="action" value="saveJson">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>Remote Administration</legend>
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="doSessionsBulkUpdate">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="ids" value="{$ids}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>
@@ -21,6 +21,8 @@
<input type="hidden" name="view_id" value="{$view->id}">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="3" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="doAttachmentsBulkUpdate">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="ids" value="{$ids}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>
@@ -21,6 +21,8 @@
<input type="hidden" name="view_id" value="{$view->id}">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -3,6 +3,7 @@
<form action="{devblocks_url}{/devblocks_url}" method="POST" style="margin-bottom:5px;">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset>
<legend>Database</legend>
@@ -4,6 +4,7 @@
<input type="hidden" name="section" value="storage_content">
<input type="hidden" name="action" value="saveStorageSchemaPeek">
<input type="hidden" name="ext_id" value="{$schema->manifest->id}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

{$schema->renderConfig()}

@@ -14,6 +14,7 @@
<input type="hidden" name="id" value="{$profile->id}">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<b>{'common.name'|devblocks_translate|capitalize}:</b><br>
<input type="text" name="name" value="{$profile->name}" style="width:98%;" autofocus="true"><br>
@@ -19,6 +19,8 @@
<input type="hidden" name="view_id" value="{$view->id}">
<input type="hidden" name="c" value="config">
<input type="hidden" name="a" value="">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<table cellpadding="1" cellspacing="0" border="0" width="100%" class="worklistBody">

{* Column Headers *}
@@ -5,6 +5,7 @@
<input type="hidden" name="action" value="doWorkersBulkUpdate">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="ids" value="{$ids}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset class="peek">
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>
@@ -6,6 +6,7 @@
<input type="hidden" name="id" value="{$worker->id}">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="do_delete" value="0">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset class="peek">
<legend>{'common.properties'|devblocks_translate|capitalize}</legend>
@@ -3,6 +3,7 @@
<input type="hidden" name="a" value="doAddressBatchUpdate">
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="ids" value="{$ids}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset class="peek">
<legend>{'common.bulk_update.with'|devblocks_translate|capitalize}</legend>
@@ -7,6 +7,7 @@
<input type="hidden" name="link_context_id" value="{$link_context_id}">
{/if}
<input type="hidden" name="view_id" value="{$view_id}">
<input type="hidden" name="_csrf_token" value="{$session.csrf_token}">

<fieldset class="peek">
<legend>{'common.properties'|devblocks_translate}</legend>
