From 1ddff468bc7f6fb5e068c2aabd2a147d252f92b9 Mon Sep 17 00:00:00 2001
From: Angel Fernando Quiroz Campos
Date: Thu, 20 Apr 2023 17:47:47 -0500
Subject: [PATCH] Chat: Use security token when sending messages

---
 main/chat/chat.php | 1 +
 main/inc/ajax/course_chat.ajax.php | 20 +++++++-
 main/template/default/chat/chat.tpl | 77 +++++++++++++++++++++--------
 3 files changed, 75 insertions(+), 23 deletions(-)

diff --git a/main/chat/chat.php b/main/chat/chat.php
index 527227aff3..e5e03fc644 100755
--- a/main/chat/chat.php
+++ b/main/chat/chat.php
@@ -59,6 +59,7 @@ $view->assign('emoji_strategy', CourseChatUtils::getEmojiStrategy());
 $view->assign('emoji_smile', \Emojione\Emojione::toImage(':smile:'));
 $view->assign('restrict_to_coach', api_get_configuration_value('course_chat_restrict_to_coach'));
 $view->assign('send_message_only_on_button', api_get_configuration_value('course_chat_send_message_only_on_button') === true ? 1 : 0);
+$view->assign('course_chat_sec_token', Security::get_token('course_chat'));
 
 $template = $view->get_template('chat/chat.tpl');
 $content = $view->fetch($template);
diff --git a/main/inc/ajax/course_chat.ajax.php b/main/inc/ajax/course_chat.ajax.php
index 561053c152..ca13c557c8 100644
--- a/main/inc/ajax/course_chat.ajax.php
+++ b/main/inc/ajax/course_chat.ajax.php
@@ -3,6 +3,10 @@
 /**
  * Responses to AJAX calls for course chat.
  */
+
+use Symfony\Component\HttpFoundation\JsonResponse as HttpResponse;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
+
 require_once __DIR__.'/../global.inc.php';
 
 if (!api_protect_course_script(false)) {
@@ -15,8 +19,17 @@ $sessionId = api_get_session_id();
 $groupId = api_get_group_id();
 $json = ['status' => false];
 
+$httpRequest = HttpRequest::createFromGlobals();
+$httpResponse = HttpResponse::create();
+
 $courseChatUtils = new CourseChatUtils($courseId, $userId, $sessionId, $groupId);
 
+$token = Security::getTokenFromSession('course_chat');
+
+if ($httpRequest->headers->get('x-token') !== $token) {
+    $_REQUEST['action'] = 'error';
+}
+
 switch ($_REQUEST['action']) {
     case 'chat_logout':
         $logInfo = [
@@ -78,5 +91,8 @@ switch ($_REQUEST['action']) {
         break;
 }
 
-header('Content-Type: application/json');
-echo json_encode($json);
+$token = Security::get_token('course_chat');
+
+$httpResponse->headers->set('x-token', $token);
+$httpResponse->setData($json);
+$httpResponse->send();
diff --git a/main/template/default/chat/chat.tpl b/main/template/default/chat/chat.tpl
index f923687dc4..530c975afa 100644
--- a/main/template/default/chat/chat.tpl
+++ b/main/template/default/chat/chat.tpl
@@ -71,16 +71,28 @@ $(function () {
         _historySize: -1,
         usersOnline: 0,
         currentFriend: 0,
+        xToken: '{{ course_chat_sec_token }}',
         call: false,
         track: function () {
             return $
-                .get(ChChat._ajaxUrl, {
-                    action: 'track',
-                    size: ChChat._historySize,
-                    users_online: ChChat.usersOnline,
-                    friend: ChChat.currentFriend
+                .ajax({
+                    url: ChChat._ajaxUrl,
+                    method: 'GET',
+                    headers: { 'x-token': ChChat.xToken },
+                    data: {
+                        action: 'track',
+                        size: ChChat._historySize,
+                        users_online: ChChat.usersOnline,
+                        friend: ChChat.currentFriend
+                    }
                 })
-                .done(function (response) {
+                .done(function (response, textStatus, jqXhr) {
+                    ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
+                    if (!response.status) {
+                        return;
+                    }
+
                     try {
                         if (response.data.history) {
                             ChChat._historySize = response.data.oldFileSize;
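Review bot: The new header check in course_chat.ajax.php compares `$httpRequest->headers->get('x-token') !== $token` with a plain inequality, so if `Security::getTokenFromSession('course_chat')` can return null before any token has been issued, a request that simply omits the header compares null to null and passes; a secret comparison should also be constant-time. Suggest `if (empty($token) || !hash_equals($token, (string) $httpRequest->headers->get('x-token', ''))) {`. `HttpResponse::create()` is the static factory Symfony deprecated in 5.1 and removed in 6.0, so depending on the version bundled with the project `new HttpResponse()` is the safer spelling. The `switch` that the rewritten `action` feeds into continues outside the hunk, so I cannot see whether an `error` case or a `default` branch exists to turn the rejected request into the `['status' => false]` payload.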
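Review bot: Rotating the token on every response (`$token = Security::get_token('course_chat');` right before `send()`) rejects any request that was already in flight with the previous value, and the client only learns the new value from a response it has not yet received; with the `track` poll running alongside `write`/`preview`, or the same chat open in two tabs, that is likely to surface as intermittently dropped messages. I cannot see `get_token`, so this assumes it generates a fresh value rather than returning the current one; if so, keeping one token per session (issued at page render, rotated on login/logout) or accepting the previous token for one round would remove the race without weakening the check. The body of the `switch` that precedes this hunk is outside my view.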
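Review bot: `xToken: '{{ course_chat_sec_token }}',` drops the token into a JavaScript string literal relying on whatever autoescaping the template engine applies, which, if any, is HTML-oriented rather than JS-aware; a value containing a quote or backslash would break the script, so escape for the JS context, `xToken: '{{ course_chat_sec_token|e('js') }}',` (harmless if the token is always hex, and it costs nothing). In the `track` `.done` handler, `ChChat.xToken = jqXhr.getResponseHeader('x-token');` overwrites the token with null whenever the header is absent (a proxy stripping unknown headers, a non-JSON error page), after which every later request fails until the page is reloaded; `ChChat.xToken = jqXhr.getResponseHeader('x-token') || ChChat.xToken;` keeps the last good value. The same assignment appears in the preview, write and reset handlers in the following hunks, and the `track` function continues past the end of this hunk.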
@@ -140,11 +152,18 @@ $(function () {
                 $('#chat-users').html(html);
             },
             onPreviewListener: function () {
-                $.post(ChChat._ajaxUrl, {
-                    action: 'preview',
-                    'message': $('textarea#chat-writer').val()
+                $.ajax({
+                    url: ChChat._ajaxUrl,
+                    method: 'POST',
+                    headers: { 'x-token': ChChat.xToken },
+                    data: {
+                        action: 'preview',
+                        'message': $('textarea#chat-writer').val()
+                    }
                 })
-                .done(function (response) {
+                .done(function (response, textStatus, jqXhr) {
+                    ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
                     if (!response.status) {
                         return;
                     }
@@ -164,20 +183,29 @@ $(function () {
                 var self = this;
                 self.disabled = true;
 
 
-                $.post(ChChat._ajaxUrl, {
-                    action: 'write',
-                    message: textarea.val(),
-                    friend: ChChat.currentFriend
+                $.ajax({
+                    method: 'POST',
+                    url: ChChat._ajaxUrl,
+                    headers: { 'x-token': ChChat.xToken },
+                    data: {
+                        action: 'write',
+                        message: textarea.val(),
+                        friend: ChChat.currentFriend
+                    }
                 })
-                .done(function (response) {
+                .done(function (response, textStatus, jqXhr) {
                     self.disabled = false;
+                    ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
+                    textarea.prop('disabled', false);
+                    $(".emoji-wysiwyg-editor").prop('contenteditable', 'true');
+
                     if (!response.status) {
                         return;
                     }
-                    textarea.prop('disabled', false);
+
                     textarea.val('');
-                    $(".emoji-wysiwyg-editor").prop('contenteditable', 'true');
                     $(".emoji-wysiwyg-editor").html('');
                 });
             },
@@ -186,11 +214,18 @@ $(function () {
                     e.preventDefault();
                     return;
                 }
-                $.get(ChChat._ajaxUrl, {
-                    action: 'reset',
-                    friend: ChChat.currentFriend
+                $.ajax({
+                    url: ChChat._ajaxUrl,
+                    method: 'GET',
+                    headers: { 'x-token': ChChat.xToken },
+                    data: {
+                        action: 'reset',
+                        friend: ChChat.currentFriend
+                    }
                 })
-                .done(function (response) {
+                .done(function (response, textStatus, jqXhr) {
+                    ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
                     if (!response.status) {
                         return;
                     }