Social: Secure requests to delete posts and comments

pull/4808/head
Angel Fernando Quiroz Campos 2 years ago
parent a968231237
commit 3650e4463d
  1. 9
      main/inc/ajax/social.ajax.php
  2. 86
      main/inc/lib/social.lib.php

@ -245,6 +245,10 @@ switch ($action) {
exit; exit;
} }
if (!Security::check_token('get', null, 'social')) {
exit;
}
$userId = api_get_user_id(); $userId = api_get_user_id();
$messageInfo = MessageManager::get_message_by_id($messageId); $messageInfo = MessageManager::get_message_by_id($messageId);
if (!empty($messageInfo)) { if (!empty($messageInfo)) {
@ -252,7 +256,10 @@ switch ($action) {
empty($messageInfo['group_id']); empty($messageInfo['group_id']);
if ($canDelete || api_is_platform_admin()) { if ($canDelete || api_is_platform_admin()) {
SocialManager::deleteMessage($messageId); SocialManager::deleteMessage($messageId);
echo Display::return_message(get_lang('MessageDeleted')); echo json_encode([
'message' => Display::return_message(get_lang('MessageDeleted')),
'secToken' => Security::get_token('social')
]);
break; break;
} }
} }
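Review bot: A request rejected by the new `Security::check_token('get', null, 'social')` guard exits with an empty body, and so does the permission check further down, so the `$.getJSON` caller in social.lib.php cannot distinguish a CSRF rejection or an expired token from a denied or missing message and never receives a replacement token. Answering with an explicit status, `http_response_code(403); exit;`, would at least let the client surface the failure instead of doing nothing on an empty `result`. Because the token is validated from the GET side, `social_sec_token` travels in the query string of a state-changing delete, where it is recorded in server and proxy access logs; validating it from the POST body (the `'post'` request type) and sending the request with `$.post` would keep it out of URLs. The enclosing `case` of the `switch` starts and ends outside the hunk.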

@ -1963,14 +1963,16 @@ class SocialManager extends UserManager
$isOwnWall = $currentUserId == $userIdLoop || $currentUserId == $receiverId; $isOwnWall = $currentUserId == $userIdLoop || $currentUserId == $receiverId;
if ($isOwnWall) { if ($isOwnWall) {
$comment .= Display::url( $comment .= Display::button(
Display::returnFontAwesomeIcon('trash', '', true), '',
'javascript:void(0)', Display::returnFontAwesomeIcon('trash', '', true),
[ [
'id' => 'message_'.$message['id'], 'id' => 'message_'.$message['id'],
'title' => get_lang('SocialMessageDelete'), 'title' => get_lang('SocialMessageDelete'),
'onclick' => 'deleteComment('.$message['id'].')', 'type' => 'button',
'class' => 'btn btn-default', 'class' => 'btn btn-default btn-delete-social-comment',
'data-id' => $message['id'],
'data-sectoken' => Security::get_existing_token('social'),
] ]
); );
} }
@ -3017,30 +3019,6 @@ class SocialManager extends UserManager
} }
$htmlHeadXtra[] = '<script> $htmlHeadXtra[] = '<script>
function deleteMessage(id)
{
$.ajax({
url: "'.$socialAjaxUrl.'?a=delete_message" + "&id=" + id,
success: function (result) {
if (result) {
$("#message_" + id).parent().parent().parent().parent().html(result);
}
}
});
}
function deleteComment(id)
{
$.ajax({
url: "'.$socialAjaxUrl.'?a=delete_message" + "&id=" + id,
success: function (result) {
if (result) {
$("#message_" + id).parent().parent().parent().html(result);
}
}
});
}
function submitComment(messageId) function submitComment(messageId)
{ {
var data = $("#form_comment_"+messageId).serializeArray(); var data = $("#form_comment_"+messageId).serializeArray();
@ -3069,33 +3047,39 @@ class SocialManager extends UserManager
$(function() { $(function() {
timeAgo(); timeAgo();
/*$(".delete_message").on("click", function() { $("body").on("click", ".btn-delete-social-message", function () {
var id = $(this).attr("id"); var id = $(this).data("id");
id = id.split("_")[1]; var secToken = $(this).data("sectoken");
$.ajax({
url: "'.$socialAjaxUrl.'?a=delete_message" + "&id=" + id, $.getJSON(
success: function (result) { "'.$socialAjaxUrl.'",
{ a: "delete_message", id: id, social_sec_token: secToken },
function (result) {
if (result) { if (result) {
$("#message_" + id).parent().parent().parent().parent().html(result); $("#message_" + id).parent().parent().parent().parent().html(result.message);
$(".btn-delete-social-message").data("sectoken", result.secToken);
} }
} }
}); );
}); });
$("body").on("click", ".btn-delete-social-comment", function () {
var id = $(this).data("id");
var secToken = $(this).data("sectoken");
$(".delete_comment").on("click", function() { $.getJSON(
var id = $(this).attr("id"); "'.$socialAjaxUrl.'",
id = id.split("_")[1]; { a: "delete_message", id: id, social_sec_token: secToken },
$.ajax({ function (result) {
url: "'.$socialAjaxUrl.'?a=delete_message" + "&id=" + id,
success: function (result) {
if (result) { if (result) {
$("#message_" + id).parent().parent().parent().html(result); $("#message_" + id).parent().parent().parent().html(result.message);
$(".btn-delete-social-comment").data("sectoken", result.secToken);
} }
} }
}); );
}); });
*/
}); });
function timeAgo() { function timeAgo() {
@ -3467,14 +3451,16 @@ class SocialManager extends UserManager
); );
if ($canEdit) { if ($canEdit) {
$htmlDelete = Display::url( $htmlDelete = Display::button(
'',
Display::returnFontAwesomeIcon('trash', '', true), Display::returnFontAwesomeIcon('trash', '', true),
'javascript:void(0)',
[ [
'id' => 'message_'.$message['id'], 'id' => 'message_'.$message['id'],
'title' => get_lang('SocialMessageDelete'), 'title' => get_lang('SocialMessageDelete'),
'onclick' => 'deleteMessage('.$message['id'].')', 'type' => 'button',
'class' => 'btn btn-default', 'class' => 'btn btn-default btn-delete-social-message',
'data-id' => $message['id'],
'data-sectoken' => Security::get_existing_token('social'),
] ]
); );
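Review bot: In the two `$.getJSON` success callbacks the refreshed `result.secToken` is written only to buttons of the handler's own class (`.btn-delete-social-message` in the first, `.btn-delete-social-comment` in the second), so if `Security::get_token('social')` on the server replaces the stored token, the buttons of the other class keep a stale value and their next click is silently rejected by the ajax endpoint, which exits with no body. Both callbacks should refresh both selectors: `$(".btn-delete-social-message, .btn-delete-social-comment").data("sectoken", result.secToken);`. The same applies to the per-button `'data-sectoken' => Security::get_existing_token('social')` attributes at the two `Display::button` calls: every button on the page shares one token, so any single refresh must reach all of them. The function that builds `$htmlHeadXtra` starts and ends outside the hunk.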
