Security: Refactor cookie warning to avoid CSRF - refs BT#21289

2 years ago · ca2e7a58ac
parent f2df5d3c9c
commit ca2e7a58ac
6 changed files with 50 additions and 50 deletions
--- a/index.php
+++ b/index.php
@ -126,15 +126,13 @@ $announcements_block = '';
 $useCookieValidation = api_get_setting('cookie_warning');

 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
        if (Template::isToolBarDisplayedForUser()) {
            $controller->tpl->assign('toolBarDisplayed', true);
        } else {
            $controller->tpl->assign('toolBarDisplayed', false);
        }
-        $controller->tpl->assign('displayCookieUsageWarning', true);
+        $controller->tpl->enableCookieUsageWarning();
    }
 }
 // When loading a chamilo page do not include the hot courses and news
--- a/main/admin/index.php
+++ b/main/admin/index.php
@ -1018,15 +1018,13 @@ $tpl = new Template();
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
        if (Template::isToolBarDisplayedForUser()) {
            $tpl->assign('toolBarDisplayed', true);
        } else {
            $tpl->assign('toolBarDisplayed', false);
        }
-        $tpl->assign('displayCookieUsageWarning', true);
+        $tpl->enableCookieUsageWarning();
    }
 }

--- a/main/inc/lib/template.lib.php
+++ b/main/inc/lib/template.lib.php
@ -1317,6 +1317,42 @@ class Template
        return $html;
    }

+    public function enableCookieUsageWarning()
+    {
+        $form = new FormValidator(
+            'cookiewarning',
+            'post',
+            '',
+            '',
+            [
+                //'onsubmit' => "$(this).toggle('show')",
+            ],
+            FormValidator::LAYOUT_BOX_NO_LABEL
+        );
+        $form->addHidden('acceptCookies', '1');
+        $form->addHtml(
+            '<div class="cookieUsageValidation">
+                '.get_lang('YouAcceptCookies').'
+                <button class="btn btn-link" onclick="$(this).next().toggle(\'slow\'); $(this).toggle(\'slow\')" type="button">
+                    ('.get_lang('More').')
+                </button>
+                <div style="display:none; margin:20px 0;">
+                    '.get_lang('HelpCookieUsageValidation').'
+                </div>
+                <button class="btn btn-link" onclick="$(this).parents(\'form\').submit()" type="button">
+                    ('.get_lang('Accept').')
+                </button>
+            </div>'
+        );
+
+        if ($form->validate()) {
+            api_set_site_use_cookie_warning_cookie();
+        } else {
+            $form->protect();
+            $this->assign('frmDisplayCookieUsageWarning', $form->returnForm());
+        }
+    }
+
    /**
     * Returns the tutors names for the current course in session
     * Function to use in Twig templates.
--- a/main/template/default/layout/page.tpl
+++ b/main/template/default/layout/page.tpl
@ -14,24 +14,10 @@
    <main id="main" dir="{{ text_direction }}" class="{{ section_name }} {{ login_class }}">
    <noscript>{{ "NoJavascript"|get_lang }}</noscript>

-            {% if displayCookieUsageWarning == true %}
+            {% if frmDisplayCookieUsageWarning %}
                <!-- START DISPLAY COOKIES VALIDATION -->
                <div class="toolbar-cookie alert-warning">
-                    <form onSubmit="$(this).toggle('slow')" action="" method="post">
-                        <input value=1 type="hidden" name="acceptCookies"/>
-                        <div class="cookieUsageValidation">
-                            {{ 'YouAcceptCookies' | get_lang }}
-                            <span style="margin-left:20px;" onclick="$(this).next().toggle('slow'); $(this).toggle('slow')">
-                                ({{"More" | get_lang }})
-                            </span>
-                            <div style="display:none; margin:20px 0;">
-                                {{ "HelpCookieUsageValidation" | get_lang}}
-                            </div>
-                            <span style="margin-left:20px;" onclick="$(this).parent().parent().submit()">
-                                ({{"Accept" | get_lang }})
-                            </span>
-                        </div>
-                    </form>
+                    {{ frmDisplayCookieUsageWarning }}
                </div>
                <!-- END DISPLAY COOKIES VALIDATION -->
            {% endif %}
--- a/main/template/default/layout/show_header.tpl
+++ b/main/template/default/layout/show_header.tpl
@ -14,24 +14,10 @@
 <!-- START MAIN -->
 <main id="main" dir="{{ text_direction }}" class="{{ section_name }} {{ login_class }}">
    <noscript>{{ "NoJavascript"|get_lang }}</noscript>
-    {% if displayCookieUsageWarning == true %}
+    {% if frmDisplayCookieUsageWarning %}
        <!-- START DISPLAY COOKIES VALIDATION -->
        <div class="toolbar-cookie alert-warning">
-            <form onSubmit="$(this).toggle('slow')" action="" method="post">
-                <input value=1 type="hidden" name="acceptCookies"/>
-                <div class="cookieUsageValidation">
-                    {{ 'YouAcceptCookies' | get_lang }}
-                    <span style="margin-left:20px;" onclick="$(this).next().toggle('slow'); $(this).toggle('slow')">
-                                ({{"More" | get_lang }})
-                            </span>
-                    <div style="display:none; margin:20px 0;">
-                        {{ "HelpCookieUsageValidation" | get_lang}}
-                    </div>
-                    <span style="margin-left:20px;" onclick="$(this).parent().parent().submit()">
-                                ({{"Accept" | get_lang }})
-                            </span>
-                </div>
-            </form>
+            {{ frmDisplayCookieUsageWarning }}
        </div>
        <!-- END DISPLAY COOKIES VALIDATION -->
    {% endif %}
--- a/user_portal.php
+++ b/user_portal.php
@ -295,17 +295,13 @@ $controller->tpl->assign('content', $courseAndSessions['html']);
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
-        api_set_site_use_cookie_warning_cookie();
-    } else {
-        if (!api_site_use_cookie_warning_cookie_exist()) {
-            if (Template::isToolBarDisplayedForUser()) {
-                $controller->tpl->assign('toolBarDisplayed', true);
-            } else {
-                $controller->tpl->assign('toolBarDisplayed', false);
-            }
-            $controller->tpl->assign('displayCookieUsageWarning', true);
+    if (!api_site_use_cookie_warning_cookie_exist()) {
+        if (Template::isToolBarDisplayedForUser()) {
+            $controller->tpl->assign('toolBarDisplayed', true);
+        } else {
+            $controller->tpl->assign('toolBarDisplayed', false);
        }
+        $controller->tpl->enableCookieUsageWarning();
    }
 }