Use POST to make the ajax set/del constant
This commit is contained in:
parent
46eb78cd41
commit
b1985950a6
@ -395,7 +395,14 @@ foreach ($configfileparameters as $key => $value)
|
||||
|
||||
$valuetoshow = ${$newkey};
|
||||
if (empty($valuetoshow)) {
|
||||
print img_warning($langs->trans('SwitchThisForABetterSecurity'));
|
||||
print img_warning($langs->trans('SwitchThisForABetterSecurity', 1));
|
||||
}
|
||||
} elseif ($newkey == 'dolibarr_nocsrfcheck') {
|
||||
print ${$newkey};
|
||||
|
||||
$valuetoshow = ${$newkey};
|
||||
if (!empty($valuetoshow)) {
|
||||
print img_warning($langs->trans('SwitchThisForABetterSecurity', 0));
|
||||
}
|
||||
} else {
|
||||
print ${$newkey};
|
||||
|
||||
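Review bot: The new `dolibarr_nocsrfcheck` branch echoes the configuration value straight into the page with `print ${$newkey};`, while the translated warning text next to it goes through $langs; conf.php is written by the administrator so the exposure is small, but the usual Dolibarr convention for values emitted into HTML is dol_escape_htmltag(), and applying it here costs nothing. Reading the variable-variable once also makes the branch shorter: `$valuetoshow = ${$newkey};` then `print dol_escape_htmltag($valuetoshow);` followed by the existing `if (!empty($valuetoshow))` warning. The same applies to the `print ${$newkey};` in the `else` branch below it. The enclosing `foreach ($configfileparameters as $key => $value)` starts outside the hunk.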
@ -235,6 +235,20 @@ if ($result)
|
||||
print $form->formconfirm($_SERVER["PHP_SELF"].'?noparam=noparam', $langs->trans('PurgeAuditEvents'), $langs->trans('ConfirmPurgeAuditEvents'), 'confirm_purge', $formquestion, 'no', 1);
|
||||
}
|
||||
|
||||
// Check some parameters
|
||||
// TODO Add a tab with this and other information
|
||||
/*
|
||||
global $dolibarr_main_prod, $dolibarr_nocsrfcheck;
|
||||
if (empty($dolibarr_main_prod)) {
|
||||
print $langs->trans("Warning").' dolibarr_main_prod = '.$dolibarr_main_prod;
|
||||
print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 1)).'<br>';
|
||||
}
|
||||
if (!empty($dolibarr_nocsrfcheck)) {
|
||||
print $langs->trans("Warning").' dolibarr_nocsrfcheck = '.$dolibarr_nocsrfcheck;
|
||||
print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 0)).'<br>';
|
||||
}
|
||||
*/
|
||||
|
||||
print '<div class="div-table-responsive">';
|
||||
print '<table class="liste centpercent">';
|
||||
|
||||
|
||||
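Review bot: Everything this hunk adds is a commented-out block under a `// TODO Add a tab with this and other information`, which leaves roughly a dozen lines of dead code in events.php that will drift from the live version of the same check shown in the first hunk of this commit. Either keep only the one-line TODO (and point it at the existing page that already renders these warnings), or wire the check in for real. If the block is kept for later, note that `print $langs->trans("Warning").' dolibarr_main_prod = '.$dolibarr_main_prod;` and its `$dolibarr_nocsrfcheck` twin emit the raw config value and should be wrapped in dol_escape_htmltag() before they are ever uncommented. The `if ($result)` block enclosing this hunk starts outside it.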
@ -101,7 +101,7 @@ $eventfound = array();
|
||||
//dol_syslog('time='.$time.' $_SESSION[auto_ck_events_not_before]='.$_SESSION['auto_check_events_not_before']);
|
||||
|
||||
// TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when several tabs are opened.
|
||||
// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate (save is not done yet).
|
||||
// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate.
|
||||
if ($time >= $_SESSION['auto_check_events_not_before'] || GETPOST('forcechecknow', 'int'))
|
||||
{
|
||||
$time_update = (int) $conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY; // Always defined
|
||||
|
||||
@ -46,7 +46,7 @@ top_httphead();
|
||||
|
||||
//print '<!-- Ajax page called with url '.dol_escape_htmltag($_SERVER["PHP_SELF"]).'?'.dol_escape_htmltag($_SERVER["QUERY_STRING"]).' -->'."\n";
|
||||
|
||||
// Registering the location of boxes
|
||||
// Registering the new value of constant
|
||||
if (!empty($action) && !empty($name))
|
||||
{
|
||||
$entity = GETPOST('entity', 'int');
|
||||
@ -62,4 +62,6 @@ if (!empty($action) && !empty($name))
|
||||
dolibarr_del_const($db, $name, $entity);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
http_response_code(403);
|
||||
}
|
||||
|
||||
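Review bot: Nothing in this handler rejects a GET request: as far as I can tell GETPOST() reads from $_GET as well as $_POST, so switching the JavaScript to $.post changes nothing server-side, and the new 403 is only reached when `action` or `name` is empty. If the intent is that constants can only be set or deleted by POST, check the method explicitly, e.g. `if (!empty($action) && !empty($name) && $_SERVER['REQUEST_METHOD'] === 'POST')`, and note that the token check in main.inc.php (per the other hunk in this commit) only runs when MAIN_SECURITY_CSRF_WITH_TOKEN is enabled or CSRFCHECK_WITH_TOKEN is defined, so `define('CSRFCHECK_WITH_TOKEN', 1);` at the top of this script would make the token mandatory for this endpoint regardless of configuration. A missing `action`/`name` is a malformed request rather than a forbidden one, so 400 is arguably the better status than 403 there. The `if (!empty($action) && !empty($name))` block that the `else` belongs to opens in the previous hunk.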
@ -529,7 +529,7 @@ function hideMessage(fieldId,message) {
|
||||
* @param string token Token
|
||||
*/
|
||||
function setConstant(url, code, input, entity, strict, forcereload, userid, token) {
|
||||
$.get( url, {
|
||||
$.post( url, {
|
||||
action: "set",
|
||||
name: code,
|
||||
entity: entity,
|
||||
@ -585,7 +585,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
|
||||
if (forcereload) {
|
||||
location.reload();
|
||||
}
|
||||
});
|
||||
}).fail(function(error) { location.reload(); }); /* When it fails, we always force reload to have setEventErrorMEssage in session visible */
|
||||
}
|
||||
|
||||
/*
|
||||
@ -602,7 +602,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke
|
||||
* @param string token Token
|
||||
*/
|
||||
function delConstant(url, code, input, entity, strict, forcereload, userid, token) {
|
||||
$.get( url, {
|
||||
$.post( url, {
|
||||
action: "del",
|
||||
name: code,
|
||||
entity: entity,
|
||||
@ -654,7 +654,7 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke
|
||||
if (forcereload) {
|
||||
location.reload();
|
||||
}
|
||||
});
|
||||
}).fail(function(error) { location.reload(); }); /* When it fails, we always force reload to have setEventErrorMEssage in session visible */
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
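Review bot: Now that both calls are POSTs carrying the CSRF token, the docblocks of setConstant and delConstant still describe the last argument as just `Token`; say what it is and that it is required, e.g. `* @param string token CSRF token sent in the POST body; the server refuses the call without a valid one when token checking is enabled`. The two functions differ only in `action: "set"` versus `action: "del"` and share the same `.fail(function(error) { location.reload(); })` tail, so a single private helper taking the action string would remove the duplication, though that is cosmetic. The bodies of both functions extend beyond the hunks shown here.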
@ -518,7 +518,7 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof
|
||||
var userid = \''.$user->id.'\';
|
||||
var yesButton = \''.dol_escape_js($langs->transnoentities("Yes")).'\';
|
||||
var noButton = \''.dol_escape_js($langs->transnoentities("No")).'\';
|
||||
var token = \''.newToken().'\';
|
||||
var token = \''.currentToken().'\';
|
||||
|
||||
// Set constant
|
||||
$("#set_" + code).click(function() {
|
||||
|
||||
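Review bot: The token is spliced into inline JavaScript as `var token = \''.currentToken().'\';` without dol_escape_js(), whereas the `Yes`/`No` strings two lines above are escaped; the token is presumably a random hex or alphanumeric value so this is safe today, but it is the only unescaped interpolation in the block and the fix is one line: `var token = \''.dol_escape_js(currentToken()).'\';`. A short comment on why currentToken() replaces newToken() would also help the next reader — presumably so the embedded value matches the one main.inc.php will verify for the POST instead of minting a fresh token per rendered toggle, but that reasoning is not visible in the hunk. The function ajax_constantonoff() continues outside the hunk.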
@ -2056,4 +2056,4 @@ TemplateAdded=Template added
|
||||
TemplateUpdated=Template updated
|
||||
TemplateDeleted=Template deleted
|
||||
MailToSendEventPush=Template for event reminder emails
|
||||
SwitchThisForABetterSecurity=Switching this value to 1 is recommended for more security
|
||||
SwitchThisForABetterSecurity=Switching this value to %s is recommended for more security
|
||||
|
||||
@ -348,10 +348,9 @@ if (!defined('NOTOKENRENEWAL'))
|
||||
$_SESSION['newtoken'] = $token;
|
||||
}
|
||||
|
||||
//var_dump(GETPOST('token').' '.$_SESSION['token'].' - '.newToken().' '.$_SERVER['SCRIPT_FILENAME']);
|
||||
//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']);
|
||||
//$dolibarr_nocsrfcheck=1;
|
||||
// Check token
|
||||
//var_dump((! defined('NOCSRFCHECK')).' '.empty($dolibarr_nocsrfcheck).' '.(! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)).' '.$_SERVER['REQUEST_METHOD'].' '.(! GETPOSTISSET('token')));
|
||||
if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))
|
||||
|| defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set
|
||||
{
|
||||
@ -939,8 +938,7 @@ if (!defined('NOLOGIN'))
|
||||
$user->getrights();
|
||||
}
|
||||
|
||||
|
||||
dol_syslog("--- Access to ".$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09'));
|
||||
dol_syslog("--- Access to ".$_SERVER["REQUEST_METHOD"].' '.$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09'));
|
||||
//Another call for easy debugg
|
||||
//dol_syslog("Access to ".$_SERVER["PHP_SELF"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));
|
||||
|
||||
|
||||
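Review bot: The rewritten dol_syslog() line now concatenates two request-controlled values, `$_SERVER["REQUEST_METHOD"]` and `$_SERVER["PHP_SELF"]`, directly into the log message; PHP_SELF includes any PATH_INFO the client appended, so unless dol_syslog() strips control characters (not visible here) a crafted path can inject fake log lines. The two GETPOST() values on the same line are already filtered by the 'aZ09' sanitizer, and the commented-out line earlier in this commit shows the file already wraps PHP_SELF in dol_escape_htmltag() elsewhere, so the same treatment here keeps the line uniformly safe: `dol_syslog("--- Access to ".dol_escape_htmltag($_SERVER["REQUEST_METHOD"]).' '.dol_escape_htmltag($_SERVER["PHP_SELF"]).' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09'));`. At minimum CR/LF should be stripped before the value reaches the log.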