Chat: Use security token when sending messages

3 years ago · 1ddff468bc
parent 19af444d2d
commit 1ddff468bc
3 changed files with 75 additions and 23 deletions
--- a/main/chat/chat.php
+++ b/main/chat/chat.php
@ -59,6 +59,7 @@ $view->assign('emoji_strategy', CourseChatUtils::getEmojiStrategy());
 $view->assign('emoji_smile', \Emojione\Emojione::toImage(':smile:'));
 $view->assign('restrict_to_coach', api_get_configuration_value('course_chat_restrict_to_coach'));
 $view->assign('send_message_only_on_button', api_get_configuration_value('course_chat_send_message_only_on_button') === true ? 1 : 0);
+$view->assign('course_chat_sec_token', Security::get_token('course_chat'));

 $template = $view->get_template('chat/chat.tpl');
 $content = $view->fetch($template);
--- a/main/inc/ajax/course_chat.ajax.php
+++ b/main/inc/ajax/course_chat.ajax.php
@ -3,6 +3,10 @@
 /**
 * Responses to AJAX calls for course chat.
 */
+
+use Symfony\Component\HttpFoundation\JsonResponse as HttpResponse;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
+
 require_once __DIR__.'/../global.inc.php';

 if (!api_protect_course_script(false)) {
@ -15,8 +19,17 @@ $sessionId = api_get_session_id();
 $groupId = api_get_group_id();
 $json = ['status' => false];

+$httpRequest = HttpRequest::createFromGlobals();
+$httpResponse = HttpResponse::create();
+
 $courseChatUtils = new CourseChatUtils($courseId, $userId, $sessionId, $groupId);

+$token = Security::getTokenFromSession('course_chat');
+
+if ($httpRequest->headers->get('x-token') !== $token) {
+    $_REQUEST['action'] = 'error';
+}
+
 switch ($_REQUEST['action']) {
    case 'chat_logout':
        $logInfo = [
@ -78,5 +91,8 @@ switch ($_REQUEST['action']) {
        break;
 }

-header('Content-Type: application/json');
-echo json_encode($json);
+$token = Security::get_token('course_chat');
+
+$httpResponse->headers->set('x-token', $token);
+$httpResponse->setData($json);
+$httpResponse->send();
--- a/main/template/default/chat/chat.tpl
+++ b/main/template/default/chat/chat.tpl
@ -71,16 +71,28 @@ $(function () {
        _historySize: -1,
        usersOnline: 0,
        currentFriend: 0,
+        xToken: '{{ course_chat_sec_token }}',
        call: false,
        track: function () {
            return $
-                .get(ChChat._ajaxUrl, {
-                    action: 'track',
-                    size: ChChat._historySize,
-                    users_online: ChChat.usersOnline,
-                    friend: ChChat.currentFriend
+                .ajax({
+                    url: ChChat._ajaxUrl,
+                    method: 'GET',
+                    headers: { 'x-token': ChChat.xToken },
+                    data: {
+                        action: 'track',
+                        size: ChChat._historySize,
+                        users_online: ChChat.usersOnline,
+                        friend: ChChat.currentFriend
+                    }
                })
-                .done(function (response) {
+                .done(function (response, textStatus, jqXhr) {
+                    ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
+                    if (!response.status) {
+                        return;
+                    }
+
                    try {
                        if (response.data.history) {
                            ChChat._historySize = response.data.oldFileSize;
@ -140,11 +152,18 @@ $(function () {
            $('#chat-users').html(html);
        },
        onPreviewListener: function () {
-            $.post(ChChat._ajaxUrl, {
-                action: 'preview',
-                'message': $('textarea#chat-writer').val()
+            $.ajax({
+                url: ChChat._ajaxUrl,
+                method: 'POST',
+                headers: { 'x-token': ChChat.xToken },
+                data: {
+                    action: 'preview',
+                    'message': $('textarea#chat-writer').val()
+                }
            })
-            .done(function (response) {
+            .done(function (response, textStatus, jqXhr) {
+                ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
                if (!response.status) {
                    return;
                }
@ -164,20 +183,29 @@ $(function () {
            var self = this;
            self.disabled = true;

-            $.post(ChChat._ajaxUrl, {
-                action: 'write',
-                message: textarea.val(),
-                friend: ChChat.currentFriend
+            $.ajax({
+                method: 'POST',
+                url: ChChat._ajaxUrl,
+                headers: { 'x-token': ChChat.xToken },
+                data: {
+                    action: 'write',
+                    message: textarea.val(),
+                    friend: ChChat.currentFriend
+                }
            })
-            .done(function (response) {
+            .done(function (response, textStatus, jqXhr) {
                self.disabled = false;

+                ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
+                textarea.prop('disabled', false);
+                $(".emoji-wysiwyg-editor").prop('contenteditable', 'true');
+
                if (!response.status) {
                    return;
                }
-                textarea.prop('disabled', false);
+
                textarea.val('');
-                $(".emoji-wysiwyg-editor").prop('contenteditable', 'true');
                $(".emoji-wysiwyg-editor").html('');
            });
        },
@ -186,11 +214,18 @@ $(function () {
                e.preventDefault();
                return;
            }
-            $.get(ChChat._ajaxUrl, {
-                action: 'reset',
-                friend: ChChat.currentFriend
+            $.ajax({
+                url: ChChat._ajaxUrl,
+                method: 'GET',
+                headers: { 'x-token': ChChat.xToken },
+                data: {
+                    action: 'reset',
+                        friend: ChChat.currentFriend
+                }
            })
-            .done(function (response) {
+            .done(function (response, textStatus, jqXhr) {
+                ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
                if (!response.status) {
                    return;
                }