Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#21792] - [4.0] Ajax use sessiontoken

? Pending

User tests: Successful: Unsuccessful:

avatar brianteeman
brianteeman
21 Aug 2018

Make sure that we always use a sessiontoken

avatar brianteeman brianteeman - open - 21 Aug 2018
avatar brianteeman brianteeman - change - 21 Aug 2018
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 21 Aug 2018
Category Administration com_content com_fields com_languages com_users
avatar wilsonge wilsonge - close - 21 Aug 2018
avatar wilsonge wilsonge - merge - 21 Aug 2018
avatar wilsonge wilsonge - change - 21 Aug 2018
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2018-08-21 12:04:22
Closed_By wilsonge
Labels Added: ?
avatar wilsonge
wilsonge - comment - 21 Aug 2018

Nice one - thanks!

avatar ggppdk
ggppdk - comment - 21 Aug 2018

Nice to have form token check for AJAX reordering too

But can i ask
if the token is really needed to be added in the URLs ?

it seems to me that the token is already there

The reordering JS will post the full form and the token is already included
in the form of all of the 5 modified template files by this PR

<?php echo HTMLHelper::_('form.token'); ?>

if we want to have the token check to be activated
then we would only need to add missing check at the corresponding controller task, right ?

https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/MVC/Controller/AdminController.php#L396

or am i missing something here ?

avatar mbabker
mbabker - comment - 21 Aug 2018

The token is in the HTML form element. Idea the AJAX submission isn’t
submitting the full form then there will be no token. Likewise, I guess
it’s possible the JS handing that action grabs the token from the form.

Long and short, just looking at this PR you have an incomplete answer and
there are other places you should check as well.

On Tue, Aug 21, 2018 at 5:29 PM Georgios Papadakis notifications@github.com
wrote:

Nice to have form token check for AJAX reordering too

But can i ask
if the token is really needed to be added in the URLs ?

it seems to me that the token is already there

The reordering JS will post the full form and the token is already included
in the form of all of the 5 modified template files by this PR

if we want to have the token check to be activated
then we would only need to add missing check at the corresponding
controller task, right ?

https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/MVC/Controller/AdminController.php#L398

or am i missing something here ?


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#21792 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAWfoaBKKK_eXsoERjUeqd5a6KjzKbUfks5uTImwgaJpZM4WFjpg
.

--

  • Michael Please pardon any errors, this message was sent from my iPhone.
avatar ggppdk
ggppdk - comment - 21 Aug 2018

Long and short, just looking at this PR you have an incomplete answer and there are other places you should check as well.

yes, will test tomorrow

the bonus is,
that if the token is already in the ajax save order request as i suspect,
and we only need to update the controller task

then this change to the controller task,
will not require 3rd party extensions to change anything for J4
(99% of their forms already included the token)

Add a Comment

Login with GitHub to post a comment