Fix token for ajax call
This commit is contained in:
parent
3754c2c3c9
commit
61bd572a9c
@ -172,7 +172,8 @@ jQuery(document).ready(function() {
|
||||
var compphpstring;
|
||||
getphpurl = $.ajax({
|
||||
type: "GET",
|
||||
url: \''.DOL_URL_ROOT.'/index.php\',
|
||||
data: { token: \''.currentToken().'\' },
|
||||
url: \''.DOL_URL_ROOT.'/public/notice.php\',
|
||||
cache: false,
|
||||
/* async: false, */
|
||||
/* crossDomain: true,*/
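Review bot: The real session token is now sent on a GET to `public/notice.php`, and jQuery serializes `data` into the query string, so the CSRF token ends up in web-server access logs and in the `Referer` of anything that page loads. The static-asset probes in the sibling hunks use `token: 'notrequired'`, and nothing visible here shows notice.php enforcing a token, so the same marker would do: `data: { token: \'notrequired\' },`. If a real token is genuinely needed for that page, say why in a comment on that line. The `$.ajax` call continues past the end of the hunk.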
|
||||
@ -211,10 +212,11 @@ jQuery(document).ready(function() {
|
||||
var compcssstring;
|
||||
getcssurl = $.ajax({
|
||||
type: "GET",
|
||||
data: { token: \'notrequired\' },
|
||||
url: \''.DOL_URL_ROOT.'/includes/jquery/css/base/jquery-ui.css\',
|
||||
cache: false,
|
||||
/* async: false, */
|
||||
/*crossDomain: true, */
|
||||
/* crossDomain: true, */
|
||||
success: function () {
|
||||
cachecssstring=getcssurl.getResponseHeader(\'Cache-Control\');
|
||||
/* alert(\'css:\'+getcssurl.getAllResponseHeaders()); */
|
||||
@ -250,10 +252,11 @@ jQuery(document).ready(function() {
|
||||
var compcssphpstring;
|
||||
getcssphpurl = $.ajax({
|
||||
type: "GET",
|
||||
data: { token: \''.currentToken().'\' },
|
||||
url: \''.DOL_URL_ROOT.'/theme/eldy/style.css.php\',
|
||||
cache: false,
|
||||
/* async: false, */
|
||||
/*crossDomain: true,*/
|
||||
/* crossDomain: true,*/
|
||||
success: function () {
|
||||
cachecssphpstring=getcssphpurl.getResponseHeader(\'Cache-Control\');
|
||||
/* alert(\'cssphp:\'+getcssphpurl.getAllResponseHeaders()); */
|
||||
@ -289,10 +292,11 @@ jQuery(document).ready(function() {
|
||||
var compimgstring;
|
||||
getimgurl = $.ajax({
|
||||
type: "GET",
|
||||
data: { token: \'notrequired\' },
|
||||
url: \''.DOL_URL_ROOT.'/theme/eldy/img/help.png\',
|
||||
cache: false,
|
||||
/* async: false, */
|
||||
/*crossDomain: true,*/
|
||||
/* crossDomain: true,*/
|
||||
success: function () {
|
||||
cacheimgstring=getimgurl.getResponseHeader(\'Cache-Control\');
|
||||
/* alert(\'img:\'+getimgurl.getAllResponseHeaders()); */
|
||||
@ -328,6 +332,7 @@ jQuery(document).ready(function() {
|
||||
var compjsstring;
|
||||
getjsurl = $.ajax({
|
||||
type: "GET",
|
||||
data: { token: \'notrequired\' },
|
||||
url: \''.DOL_URL_ROOT.'/core/js/lib_rare.js\',
|
||||
cache: false,
|
||||
/* async: false, */
|
||||
@ -367,6 +372,7 @@ jQuery(document).ready(function() {
|
||||
var compjsphpstring;
|
||||
getjsphpurl = $.ajax({
|
||||
type: "GET",
|
||||
data: { token: \''.currentToken().'\' },
|
||||
url: \''.DOL_URL_ROOT.'/core/js/lib_head.js.php\',
|
||||
cache: false,
|
||||
/* async: false, */
|
||||
|
||||
@ -613,8 +613,10 @@ jQuery(document).ready(function () {
|
||||
var fk_block = $(this).attr("data-blockid");
|
||||
|
||||
$.ajax({
|
||||
url:"../ajax/block-info.php?id="+fk_block
|
||||
,dataType:"html"
|
||||
method: "GET",
|
||||
data: { token: \''.currentToken().'\' },
|
||||
url: "'.DOL_URL_ROOT.'/blockedlog/ajax/block-info.php?id="+fk_block,
|
||||
dataType: "html"
|
||||
}).done(function(data) {
|
||||
jQuery("#dialogforpopup").html(data);
|
||||
});
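Review bot: `fk_block` is still string-concatenated into the URL on the `url:` line even though the request now has a `data` object, so the id is the one parameter that bypasses jQuery's encoding; move it next to the token: `data: { token: \''.currentToken().'\', id: fk_block },` with `url: "'.DOL_URL_ROOT.'/blockedlog/ajax/block-info.php",`. The value comes from a `data-blockid` attribute, so it is presumably server-rendered, but encoding it costs nothing. The click handler that wraps this call starts outside the hunk.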
|
||||
@ -630,10 +632,11 @@ if (!empty($conf->global->BLOCKEDLOG_USE_REMOTE_AUTHORITY) && !empty($conf->glob
|
||||
<script type="text/javascript">
|
||||
|
||||
$.ajax({
|
||||
url : "<?php echo dol_buildpath('/blockedlog/ajax/check_signature.php', 1) ?>"
|
||||
,dataType:"html"
|
||||
method: "GET",
|
||||
data: { token: '<?php echo currentToken() ?>' },
|
||||
url: '<?php echo DOL_URL_ROOT.'/blockedlog/ajax/check_signature.php' ?>',
|
||||
dataType: 'html'
|
||||
}).done(function(data) {
|
||||
|
||||
if(data == 'hashisok') {
|
||||
$('#blockchainstatus').html('<?php echo $langs->trans('AuthorityReconizeFingerprintConformity').' '.img_picto($langs->trans('SignatureOK'), 'on') ?>');
|
||||
}
|
||||
|
||||
@ -375,13 +375,13 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = p.fk_pays";
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = p.fk_soc";
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_stcommcontact as st ON st.id = p.fk_stcommcontact";
|
||||
if (!empty($search_categ)) {
|
||||
if (!empty($search_categ) && $search_categ != '-1') {
|
||||
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_contact as cc ON p.rowid = cc.fk_socpeople"; // We need this table joined to the select in order to filter by categ
|
||||
}
|
||||
if (!empty($search_categ_thirdparty)) {
|
||||
if (!empty($search_categ_thirdparty) && $search_categ_thirdparty != '-1') {
|
||||
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_societe as cs ON s.rowid = cs.fk_soc"; // We need this table joined to the select in order to filter by categ
|
||||
}
|
||||
if (!empty($search_categ_supplier)) {
|
||||
if (!empty($search_categ_supplier) && $search_categ_supplier != '-1') {
|
||||
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_fournisseur as cs2 ON s.rowid = cs2.fk_soc"; // We need this table joined to the select in order to filter by categ
|
||||
}
|
||||
if (!$user->rights->societe->client->voir && !$socid) {
|
||||
|
||||
@ -48,9 +48,7 @@ $hash_algo = GETPOST('hash_algo', 'alpha');
|
||||
|
||||
|
||||
// Security check
|
||||
if (!empty($user->socid)) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
// None.
|
||||
|
||||
$now = dol_now();
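Review bot: The `if (!empty($user->socid))` guard was the only access control visible under `// Security check`, and it has been replaced by `// None.` with no explanation, while the footer in this same commit now calls this page with `token: 'notrequired'`. If the page is meant to be reachable by the anonymous first-ping callback, state that and the resulting contract in the comment, e.g. `// None: reached by the first-ping callback, possibly unauthenticated; this page must not read or write per-user data.`; if the guard was dropped by accident it should come back. Whether this file declares NOLOGIN or NOCSRFCHECK is not visible from the hunk.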
|
||||
|
||||
|
||||
@ -8628,14 +8628,11 @@ class Form
|
||||
|
||||
if ($("select[name='.$target.']").val() == '.$obj->id.') {
|
||||
// get price of kilometer to fill the unit price
|
||||
var data = '.json_encode($params).';
|
||||
data.fk_c_exp_tax_cat = $(this).val();
|
||||
|
||||
$.ajax({
|
||||
method: "POST",
|
||||
dataType: "json",
|
||||
data: data,
|
||||
url: "'.(DOL_URL_ROOT.'/expensereport/ajax/ajaxik.php').'",
|
||||
data: { fk_c_exp_tax_cat: $(this).val(), token: \''.currentToken().'\' },
|
||||
url: "'.(DOL_URL_ROOT.'/expensereport/ajax/ajaxik.php?'.$params).'",
|
||||
}).done(function( data, textStatus, jqXHR ) {
|
||||
console.log(data);
|
||||
if (typeof data.up != "undefined") {
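Review bot: The new `url:` line concatenates `$params` straight into the query string, but the removed `json_encode($params)` suggests it is an array; an array in PHP string context becomes the literal `Array` (plus a warning), which would break every request from this widget. If it is an array, build the query explicitly: `url: "'.(DOL_URL_ROOT.'/expensereport/ajax/ajaxik.php?'.http_build_query($params)).'",`, or keep its entries in `data` alongside the token so they are posted with it. The method's signature and the declared type of `$params` are outside the hunk, so this is inferred from the old code.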
|
||||
|
||||
@ -153,7 +153,7 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP
|
||||
// Update status of all notifications we sent on browser (listofreminderids)
|
||||
console.log("Flag notification as done for listofreminderids="+listofreminderids);
|
||||
$.ajax("<?php print DOL_URL_ROOT.'/core/ajax/check_notifications.php?action=stopreminder&listofreminderids='; ?>"+listofreminderids, {
|
||||
type: "post", // Usually post or get
|
||||
type: "POST", // Usually post or get
|
||||
async: true,
|
||||
data: { time_js_next_test: time_js_next_test, token: 'notrequired' }
|
||||
});
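Review bot: This request is a POST carrying `token: 'notrequired'`, and under the new rule in main.inc.php a POST whose token is missing or equals `notrequired` is refused, so this call only works if `check_notifications.php` opts out with NOCSRFCHECK, which is not visible here. Since this file already emits PHP (`<?php print DOL_URL_ROOT ... ?>`), the straightforward fix is `data: { time_js_next_test: time_js_next_test, token: '<?php echo currentToken(); ?>' }`. If the marker is intentional, a comment on that line saying the endpoint is CSRF-exempt would spare the next reader the same question.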
|
||||
|
||||
@ -63,8 +63,11 @@ $(function () {
|
||||
"<?php echo $langs->trans('Ok'); ?>": function() {
|
||||
$( "#confirm-delete" ).dialog( "close" );
|
||||
if (data.url) {
|
||||
$.ajax(data)
|
||||
.success(function (data) {
|
||||
$.ajax({
|
||||
method: "POST",
|
||||
data: { token: '<?php echo currentToken(); ?>' },
|
||||
url: data.url
|
||||
}).success(function (data) {
|
||||
if (data) {
|
||||
that._adjustMaxNumberOfFiles(1);
|
||||
$(this).fadeOut(function () {
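Review bot: The rewritten chain still ends in `.success(...)`, which jQuery deprecated in 1.8 and removed in 3.0, so on a current jQuery the handler is never attached; use `}).done(function (data) {` on the line after `url: data.url`. Note also that the old form `$.ajax(data)` honoured every field of the server-supplied descriptor, whereas the new literal keeps only `data.url` and hard-codes POST — fine if `url` is the only field that matters, but worth a one-line comment such as `// only data.url is used; the delete endpoint is always POSTed with a token`. The dialog callback enclosing this starts outside the hunk.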
|
||||
|
||||
@ -196,9 +196,10 @@ $(document).ready(function() {
|
||||
var capital=price2numjs($(idcap).val());
|
||||
console.log("Change montly amount echeance="+echeance+" idcap="+idcap+" capital="+capital);
|
||||
$.ajax({
|
||||
method: "GET",
|
||||
dataType: 'json',
|
||||
url: 'calcmens.php',
|
||||
data: { echeance: echeance, mens: mens, capital:capital, rate:<?php echo $object->rate / 100; ?> , nbterm : <?php echo $object->nbterm; ?>},
|
||||
data: { echeance: echeance, mens: mens, capital:capital, rate:<?php echo $object->rate / 100; ?>, nbterm: <?php echo $object->nbterm; ?>, token: '<?php echo currentToken(); ?>' },
|
||||
success: function(data) {
|
||||
$.each(data, function(index, element) {
|
||||
var idcap_res='#hi_capital'+index;
|
||||
|
||||
@ -469,13 +469,15 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
|
||||
$sensitiveget = true;
|
||||
}
|
||||
|
||||
// Check all cases that need a mandatory token (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
|
||||
// Check a token is provided for all cases that need a mandatory token
|
||||
// (all POST actions + all login, actions and mass actions on pages with CSRFCHECK_WITH_TOKEN set + all sensitive GET actions)
|
||||
if (
|
||||
$_SERVER['REQUEST_METHOD'] == 'POST' ||
|
||||
$sensitiveget ||
|
||||
((GETPOSTISSET('actionlogin') || GETPOSTISSET('action') || GETPOSTISSET('massaction')) && defined('CSRFCHECK_WITH_TOKEN'))
|
||||
) {
|
||||
if (!GETPOST('token', 'alpha')) { // If token is not provided or empty
|
||||
// If token is not provided or empty, error (we are in case it is mandatory)
|
||||
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
|
||||
if (GETPOST('uploadform', 'int')) {
|
||||
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large.");
|
||||
$langs->loadLangs(array("errors", "install"));
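Review bot: The sentinel `'notrequired'` is compared as a bare literal here and again further down in this file, and it is emitted by a dozen callers in this commit, yet nothing states what it means or that it is deliberately treated as a missing token. Add a comment above the `if`: `// 'notrequired' is a client-side marker for calls that expect no CSRF protection; it never satisfies a mandatory check.` and consider a single named constant so the spelling cannot drift between callers and this check. The body of this branch continues past the end of the hunk.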
|
||||
@ -497,7 +499,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
|
||||
|
||||
$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
|
||||
// TODO Get the sessiontokenforthisurl into the array of session token
|
||||
if (GETPOSTISSET('token') && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
|
||||
if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
|
||||
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
|
||||
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
|
||||
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
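Review bot: `GETPOST('token') != 'notrequired'` reads the parameter without the `'alpha'` filter used by the other two reads on the same line and in the check above; make it `GETPOST('token', 'alpha') !== 'notrequired'`. The effect of the new clause is that a non-mandatory request carrying `token=notrequired` skips the session-token comparison exactly as if no token had been sent, which is acceptable only because the mandatory branch earlier already rejects the sentinel — say so in a comment, e.g. `// a 'notrequired' marker is treated like an absent token; mandatory cases were already refused above`. Comparing the real token with `!=` is adequate for CSRF, but `hash_equals()` would make the intent explicit.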
|
||||
@ -3205,16 +3207,17 @@ if (!function_exists("llxFooter")) {
|
||||
country_code: '<?php echo $mysoc->country_code ? dol_escape_js($mysoc->country_code) : 'unknown'; ?>',
|
||||
php_version: '<?php echo dol_escape_js(phpversion()); ?>',
|
||||
os_version: '<?php echo dol_escape_js(version_os('smr')); ?>',
|
||||
distrib: '<?php echo $distrib ? dol_escape_js($distrib) : 'unknown'; ?>'
|
||||
distrib: '<?php echo $distrib ? dol_escape_js($distrib) : 'unknown'; ?>',
|
||||
token: 'notrequired'
|
||||
},
|
||||
success: function (data, status, xhr) { // success callback function (data contains body of response)
|
||||
console.log("Ping ok");
|
||||
console.log("Ping ok");
|
||||
$.ajax({
|
||||
method: 'GET',
|
||||
url: '<?php echo DOL_URL_ROOT.'/core/ajax/pingresult.php'; ?>',
|
||||
timeout: 500, // timeout milliseconds
|
||||
cache: false,
|
||||
data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingok' }, // for update
|
||||
data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingok', token: 'notrequired' }, // for update
|
||||
});
|
||||
},
|
||||
error: function (data,status,xhr) { // error callback function
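Review bot: The `firstpingok` call is a GET that carries `action=firstpingok` together with `token: 'notrequired'`; under the new main.inc.php rule a GET with `action` set is token-mandatory whenever the target defines CSRFCHECK_WITH_TOKEN, and the sentinel is rejected there, so this only works if `pingresult.php` is CSRF-exempt (NOCSRFCHECK), which is not visible here. Either send `token: '<?php echo currentToken(); ?>'` as the other GET callers in this commit do, or add a comment on the `data:` line documenting the exemption. The outer `$.ajax` that this `success` callback belongs to starts outside the hunk.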
|
||||
@ -3224,7 +3227,7 @@ if (!function_exists("llxFooter")) {
|
||||
url: '<?php echo DOL_URL_ROOT.'/core/ajax/pingresult.php'; ?>',
|
||||
timeout: 500, // timeout milliseconds
|
||||
cache: false,
|
||||
data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingko' },
|
||||
data: { hash_algo: 'md5', hash_unique_id: '<?php echo dol_escape_js($hash_unique_id); ?>', action: 'firstpingko', token: 'notrequired' },
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
@ -18,7 +18,7 @@
|
||||
/**
|
||||
* \file htdocs/public/notice.php
|
||||
* \brief Dolibarr page to show a notice.
|
||||
* Default notice is a message to say network connection is off.
|
||||
* Default notice is a message to say network connection is off or show another message.
|
||||
* You can also call this page with URL:
|
||||
* /public/notice.php?lang=xx_XX&transkey=translation_key (key must be inside file main.lang, error.lang or other.lang)
|
||||
* /public/notice.php?transphrase=url_encoded_sentence_to_show
|
||||
|
||||
@ -154,10 +154,10 @@ function updateplace(idplace, left, top) {
|
||||
console.log("updateplace idplace="+idplace+" left="+left+" top="+top);
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: "floors.php",
|
||||
data: { action: "update", left: left, top: top, place: idplace }
|
||||
}).done(function( msg ) {
|
||||
window.location.href='floors.php?mode=edit&floor=<?php echo $floor; ?>';
|
||||
url: "<?php echo DOL_URL_ROOT.'/takepos/floors.php'; ?>",
|
||||
data: { action: "update", left: left, top: top, place: idplace, token: '<?php echo currentToken(); ?>' }
|
||||
}).done(function( msg ) {
|
||||
window.location.href='floors.php?mode=edit&floor=<?php echo urlencode($floor); ?>';
|
||||
});
|
||||
}
|
||||
|
||||
@ -166,12 +166,12 @@ function updatename(rowid) {
|
||||
console.log("updatename rowid="+rowid+" after="+after);
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: "floors.php",
|
||||
data: { action: "updatename", place: rowid, newname: after }
|
||||
}).done(function( msg ) {
|
||||
window.location.href='floors.php?mode=edit&floor=<?php echo $floor; ?>';
|
||||
});
|
||||
}
|
||||
url: "<?php echo DOL_URL_ROOT.'/takepos/floors.php'; ?>",
|
||||
data: { action: "updatename", place: rowid, newname: after, token: '<?php echo currentToken(); ?>' }
|
||||
}).done(function( msg ) {
|
||||
window.location.href='floors.php?mode=edit&floor=<?php echo urlencode($floor); ?>';
|
||||
});
|
||||
}
|
||||
|
||||
function LoadPlace(place){
|
||||
parent.location.href='index.php?place='+place;
|
||||
|
||||
@ -705,6 +705,7 @@ function OpenDrawer(){
|
||||
console.log("OpenDrawer call ajax url http://<?php print $conf->global->TAKEPOS_PRINT_SERVER; ?>:8111/print");
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
data: { token: 'notrequired' },
|
||||
<?php
|
||||
if (filter_var($conf->global->TAKEPOS_PRINT_SERVER, FILTER_VALIDATE_URL) == true) {
|
||||
echo "url: '".$conf->global->TAKEPOS_PRINT_SERVER."/printer/drawer.php',";
|
||||
@ -717,10 +718,11 @@ function OpenDrawer(){
|
||||
}
|
||||
|
||||
function DolibarrOpenDrawer() {
|
||||
console.log("DolibarrOpenDrawer call ajax url /takepos/ajax/ajax.php?action=opendrawer&term=<?php print $_SESSION["takeposterminal"] ?>");
|
||||
console.log("DolibarrOpenDrawer call ajax url /takepos/ajax/ajax.php?action=opendrawer&term=<?php print urlencode($_SESSION["takeposterminal"]); ?>");
|
||||
$.ajax({
|
||||
type: "GET",
|
||||
url: "<?php print dol_buildpath('/takepos/ajax/ajax.php', 1).'?action=opendrawer&term='.$_SESSION["takeposterminal"]; ?>",
|
||||
data: { token: '<?php echo currentToken(); ?>' },
|
||||
url: "<?php print DOL_URL_ROOT.'/takepos/ajax/ajax.php?action=opendrawer&term='.urlencode($_SESSION["takeposterminal"]); ?>",
|
||||
});
|
||||
}
|
||||
|
||||
@ -777,6 +779,7 @@ function WeighingScale(){
|
||||
console.log("Weighing Scale");
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
data: { token: 'notrequired' },
|
||||
url: '<?php print $conf->global->TAKEPOS_PRINT_SERVER; ?>/scale/index.php',
|
||||
})
|
||||
.done(function( editnumber ) {
|
||||
|
||||
@ -1000,7 +1000,7 @@ function TakeposPrinting(id){
|
||||
|
||||
function TakeposConnector(id){
|
||||
console.log("TakeposConnector" + id);
|
||||
$.get("ajax/ajax.php?action=printinvoiceticket&term=<?php echo $_SESSION["takeposterminal"]; ?>&id="+id, function(data, status){
|
||||
$.get("<?php echo DOL_URL_ROOT; ?>/takepos/ajax/ajax.php?action=printinvoiceticket&term=<?php echo urlencode($_SESSION["takeposterminal"]); ?>&id="+id+"&token=<?php echo currentToken(); ?>", function(data, status) {
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: '<?php print $conf->global->TAKEPOS_PRINT_SERVER; ?>/printer/index.php',
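Review bot: `id` is pasted into the `$.get` URL by string concatenation, so it is the only parameter sent unencoded while `term` and the token are handled; use the `$.get(url, data, callback)` form so jQuery encodes every parameter: `$.get("<?php echo DOL_URL_ROOT; ?>/takepos/ajax/ajax.php", { action: 'printinvoiceticket', term: '<?php echo dol_escape_js($_SESSION["takeposterminal"]); ?>', id: id, token: '<?php echo currentToken(); ?>' }, function(data, status) {`. In that form the terminal value is a JS string literal, so `dol_escape_js` is the right escape rather than `urlencode`. The `$.ajax` to the print server below continues past the hunk.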
|
||||
@ -1013,7 +1013,8 @@ function DolibarrTakeposPrinting(id) {
|
||||
console.log("DolibarrTakeposPrinting Printing invoice ticket " + id)
|
||||
$.ajax({
|
||||
type: "GET",
|
||||
url: "<?php print DOL_URL_ROOT.'/takepos/ajax/ajax.php?action=printinvoiceticket&term='.$_SESSION["takeposterminal"].'&id='; ?>" + id,
|
||||
data: { token: '<?php echo currentToken(); ?>' },
|
||||
url: "<?php print DOL_URL_ROOT.'/takepos/ajax/ajax.php?action=printinvoiceticket&term='.urlencode($_SESSION["takeposterminal"]).'&id='; ?>" + id,
|
||||
});
|
||||
}
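Review bot: `id` is still concatenated onto the `url:` string even though the call now has a `data` object, so it is the one parameter that bypasses jQuery's encoding; move it next to the token: `data: { token: '<?php echo currentToken(); ?>', id: id },` and drop the trailing `'&id='; ?>" + id` from the `url:` line. `id` presumably comes from a server-rendered click handler, but the change is free and keeps the two printing functions consistent.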
|
||||
|
||||
|
||||
@ -236,7 +236,10 @@ if ($conf->global->TAKEPOS_NUMPAD == 0) {
|
||||
window.open('sumupmerchant://pay/1.0?affiliate-key=<?php echo $conf->global->TAKEPOS_SUMUP_AFFILIATE ?>&app-id=<?php echo $conf->global->TAKEPOS_SUMUP_APPID ?>&total=' + amountpayed + '¤cy=EUR&title=' + invoiceid + '&callback=<?php echo DOL_MAIN_URL_ROOT ?>/takepos/smpcb.php');
|
||||
|
||||
var loop = window.setInterval(function () {
|
||||
$.ajax('<?php echo DOL_URL_ROOT ?>/takepos/smpcb.php?status').done(function (data) {
|
||||
$.ajax({
|
||||
method: 'POST',
|
||||
data: { token: '<?php echo currentToken(); ?>' },
|
||||
url: '<?php echo DOL_URL_ROOT ?>/takepos/smpcb.php?status' }).done(function (data) {
|
||||
console.log(data);
|
||||
if (data === "SUCCESS") {
|
||||
parent.$("#poslines").load("invoice.php?place=<?php echo $place; ?>&action=valid&pay=CB&amount=" + amountpayed + "&invoiceid=" + invoiceid, function () {
|
||||
|
||||
@ -97,7 +97,8 @@ top_htmlhead($head, $title, $disablejs, $disablehead, $arrayofjs, $arrayofcss);
|
||||
function SendMail() {
|
||||
$.ajax({
|
||||
type: "GET",
|
||||
url: "<?php print dol_buildpath('/takepos/send.php', 1).'?action=send&facid='.$facid.'&email='; ?>" + $("#email"). val(),
|
||||
data: { token: '<?php echo currentToken(); ?>' },
|
||||
url: "<?php print DOL_URL_ROOT.'/takepos/send.php?action=send&facid='.$facid.'&email='; ?>" + $("#email"). val(),
|
||||
});
|
||||
parent.$.colorbox.close();
|
||||
}
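Review bot: The e-mail address is appended to the `url:` string with `+ $("#email").val()`, so a `+` or `&` in the address corrupts the query; since the call now has a `data` object, put it there: `data: { token: '<?php echo currentToken(); ?>', email: $("#email").val() },` and end the URL at `...send.php?action=send&facid='.$facid; ?>"`. Sending an e-mail is a side-effecting action, so `type: "POST"` would be more appropriate than GET if send.php accepts it. Neither the response nor a failure is handled before `parent.$.colorbox.close()`, so a refused token would close the dialog silently; a `.fail()` that surfaces the error would help.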
|
||||
|
||||