Security: Refactor cookie warning to avoid CSRF - refs BT#21289

2 years ago · ca2e7a58ac
parent f2df5d3c9c
commit ca2e7a58ac
6 changed files with 50 additions and 50 deletions
--- a/index.php
+++ b/index.php
@ -126,15 +126,13 @@ $announcements_block = '';
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
        api_set_site_use_cookie_warning_cookie();
    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
        if (Template::isToolBarDisplayedForUser()) {
            $controller->tpl->assign('toolBarDisplayed', true);
        } else {
            $controller->tpl->assign('toolBarDisplayed', false);
        }
-        $controller->tpl->assign('displayCookieUsageWarning', true);
+        $controller->tpl->enableCookieUsageWarning();
    }
 }
 // When loading a chamilo page do not include the hot courses and news
--- a/main/admin/index.php
+++ b/main/admin/index.php
@ -1018,15 +1018,13 @@ $tpl = new Template();
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
        api_set_site_use_cookie_warning_cookie();
    } elseif (!api_site_use_cookie_warning_cookie_exist()) {
        if (Template::isToolBarDisplayedForUser()) {
            $tpl->assign('toolBarDisplayed', true);
        } else {
            $tpl->assign('toolBarDisplayed', false);
        }
-        $tpl->assign('displayCookieUsageWarning', true);
+        $tpl->enableCookieUsageWarning();
    }
 }
--- a/main/inc/lib/template.lib.php
+++ b/main/inc/lib/template.lib.php
@ -1317,6 +1317,42 @@ class Template
        return $html;
    }
    public function enableCookieUsageWarning()
    {
        $form = new FormValidator(
            'cookiewarning',
            'post',
            '',
            '',
            [
                //'onsubmit' => "$(this).toggle('show')",
            ],
            FormValidator::LAYOUT_BOX_NO_LABEL
        );
        $form->addHidden('acceptCookies', '1');
        $form->addHtml(
            '<div class="cookieUsageValidation">
                '.get_lang('YouAcceptCookies').'
                <button class="btn btn-link" onclick="$(this).next().toggle(\'slow\'); $(this).toggle(\'slow\')" type="button">
                    ('.get_lang('More').')
                </button>
                <div style="display:none; margin:20px 0;">
                    '.get_lang('HelpCookieUsageValidation').'
                </div>
                <button class="btn btn-link" onclick="$(this).parents(\'form\').submit()" type="button">
                    ('.get_lang('Accept').')
                </button>
            </div>'
        );
        if ($form->validate()) {
            api_set_site_use_cookie_warning_cookie();
        } else {
            $form->protect();
            $this->assign('frmDisplayCookieUsageWarning', $form->returnForm());
        }
    }
    /**
     * Returns the tutors names for the current course in session
     * Function to use in Twig templates.
--- a/main/template/default/layout/page.tpl
+++ b/main/template/default/layout/page.tpl
@ -14,24 +14,10 @@
    <main id="main" dir="{{ text_direction }}" class="{{ section_name }} {{ login_class }}">
    <noscript>{{ "NoJavascript"|get_lang }}</noscript>
-            {% if displayCookieUsageWarning == true %}
+            {% if frmDisplayCookieUsageWarning %}
                <!-- START DISPLAY COOKIES VALIDATION -->
                <div class="toolbar-cookie alert-warning">
-                    <form onSubmit="$(this).toggle('slow')" action="" method="post">
+                    {{ frmDisplayCookieUsageWarning }}
                        <input value=1 type="hidden" name="acceptCookies"/>
                        <div class="cookieUsageValidation">
                            {{ 'YouAcceptCookies' | get_lang }}
                            <span style="margin-left:20px;" onclick="$(this).next().toggle('slow'); $(this).toggle('slow')">
                                ({{"More" | get_lang }})
                            </span>
                            <div style="display:none; margin:20px 0;">
                                {{ "HelpCookieUsageValidation" | get_lang}}
                            </div>
                            <span style="margin-left:20px;" onclick="$(this).parent().parent().submit()">
                                ({{"Accept" | get_lang }})
                            </span>
                        </div>
                    </form>
                </div>
                <!-- END DISPLAY COOKIES VALIDATION -->
            {% endif %}
--- a/main/template/default/layout/show_header.tpl
+++ b/main/template/default/layout/show_header.tpl
@ -14,24 +14,10 @@
 <!-- START MAIN -->
 <main id="main" dir="{{ text_direction }}" class="{{ section_name }} {{ login_class }}">
    <noscript>{{ "NoJavascript"|get_lang }}</noscript>
-    {% if displayCookieUsageWarning == true %}
+    {% if frmDisplayCookieUsageWarning %}
        <!-- START DISPLAY COOKIES VALIDATION -->
        <div class="toolbar-cookie alert-warning">
-            <form onSubmit="$(this).toggle('slow')" action="" method="post">
+            {{ frmDisplayCookieUsageWarning }}
                <input value=1 type="hidden" name="acceptCookies"/>
                <div class="cookieUsageValidation">
                    {{ 'YouAcceptCookies' | get_lang }}
                    <span style="margin-left:20px;" onclick="$(this).next().toggle('slow'); $(this).toggle('slow')">
                                ({{"More" | get_lang }})
                            </span>
                    <div style="display:none; margin:20px 0;">
                        {{ "HelpCookieUsageValidation" | get_lang}}
                    </div>
                    <span style="margin-left:20px;" onclick="$(this).parent().parent().submit()">
                                ({{"Accept" | get_lang }})
                            </span>
                </div>
            </form>
        </div>
        <!-- END DISPLAY COOKIES VALIDATION -->
    {% endif %}
--- a/user_portal.php
+++ b/user_portal.php
@ -295,17 +295,13 @@ $controller->tpl->assign('content', $courseAndSessions['html']);
 // Display the Site Use Cookie Warning Validation
 $useCookieValidation = api_get_setting('cookie_warning');
 if ($useCookieValidation === 'true') {
-    if (isset($_POST['acceptCookies'])) {
+    if (!api_site_use_cookie_warning_cookie_exist()) {
-        api_set_site_use_cookie_warning_cookie();
+        if (Template::isToolBarDisplayedForUser()) {
-    } else {
+            $controller->tpl->assign('toolBarDisplayed', true);
-        if (!api_site_use_cookie_warning_cookie_exist()) {
+        } else {
-            if (Template::isToolBarDisplayedForUser()) {
+            $controller->tpl->assign('toolBarDisplayed', false);
                $controller->tpl->assign('toolBarDisplayed', true);
            } else {
                $controller->tpl->assign('toolBarDisplayed', false);
            }
            $controller->tpl->assign('displayCookieUsageWarning', true);
        }
        $controller->tpl->enableCookieUsageWarning();
    }
 }