The delete fails on jrCore_validate_location_url(), so I’ve temporarily copied that function to ujModule_validate_location_url() whilst figuring out why. If I comment out the validate_location_url check everything works fine, but it looks like I need a check for CSRF purposes?
It fails because $_COOKIE['jr_location_url']{1} doesn’t exist. $_COOKIE looks like this:
(2014-02-13T13:09:09+00:00 0.07493000)-(mem: 9699328)-(pid: 31410)-(uri: /mymodule/section_delete/id=14)
Array
(
    [sessb00dfd089f00] => d1i2n3fop8tuvg675r821qv5g7
    [autob00dfd089f00] => 1-d2128387086991cc3398b8310c732a9d
)
Is jr_location_url missing because I am not on a profile?
How do I get jr_location_url into the cookie? Or should I be looking at another way around?
Thanks!
The delete function and the jrCore_validate_location_url function are pasted below, but they are standard.
//------------------------------
// section_delete
//------------------------------
function view_ujModule_section_delete($_post, $_user, $_conf)
{
    // Must be logged in
    jrUser_session_require_login();
    // Temporary copy of jrCore_validate_location_url() (see below)
    ujModule_validate_location_url();
    jrUser_check_quota_access('ujModule');
    // Make sure we get a good id
    if (!isset($_post['id']) || !jrCore_checktype($_post['id'], 'number_nz')) {
        jrCore_notice_page('error', 'Invalid ID');
        jrCore_form_result('referrer');
    }
    $_rt = jrCore_db_get_item('ujModule', $_post['id']);
    // Make sure the calling user has permission to delete this item
    if (!jrUser_can_edit_item($_rt)) {
        jrUser_not_authorized();
    }
    jrCore_db_delete_item('ujModule', $_post['id']);
    jrProfile_reset_cache();
    jrCore_form_result('delete_referrer');
}

/**
 * Validate a window.location redirect URL has been set for CSRF purposes
 * @return bool
 */
function ujModule_validate_location_url()
{
    // Debug dump of the cookie and server arrays (output shown above)
    fdebug($_COOKIE, $_SERVER);
    if (isset($_COOKIE['jr_location_url']{1})) {
        // Make sure we've come from the correct URL.
        // Compare against false: strpos() returns 0 when the URI sits at
        // offset 0, which a bare !strpos() would wrongly treat as "not found"
        if (strpos($_COOKIE['jr_location_url'], $_SERVER['REQUEST_URI']) === false) {
            // Check QUERY_STRING - normally this is not needed, but on some
            // redirects the params can get double encoded - QUERY_STRING will have it right
            // [QUERY_STRING] => _uri=networklicense/host_remove/aHR0cDovL3d3dy5wcm94aW1hY29yZS5jb20%253D
            if (isset($_SERVER['QUERY_STRING']) && strpos($_SERVER['QUERY_STRING'], '_uri=') === 0) {
                // Limit to 2 parts so a '=' inside the _uri value is kept
                list(, $uri) = explode('=', $_SERVER['QUERY_STRING'], 2);
                if (strpos($_COOKIE['jr_location_url'], $uri) !== false) {
                    return true;
                }
            }
            jrCore_notice_page('error', 'invalid location redirect token received - please try again');
            return false;
        }
        return true;
    }
    // No jr_location_url cookie at all - this is the branch hit in my case
    jrCore_notice_page('error', 'invalid location redirect token received - please try again (2)');
    return false;
}
--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)
updated by @ultrajam: 03/19/14 02:33:05AM
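To make the three outcomes of that location-URL check visible offline, here is the same logic as a pure function over explicit cookie/server arrays (an added example, not Jamroom's own code; the hostname, cookie values and URIs are constructed sample data, and PHP 7.1+ is assumed for the array destructuring).

```php
<?php
// Added example, not Jamroom code: the jr_location_url check as a pure function
// over explicit $cookie / $server arrays so each path can be exercised offline.
function example_validate_location_url(array $cookie, array $server): array
{
    // Path "(2)" from the post: the cookie was never set for this request.
    // [1] is the modern spelling of the {1} string-offset check.
    if (!isset($cookie['jr_location_url'][1])) {
        return [false, 'cookie jr_location_url missing'];
    }
    $loc = $cookie['jr_location_url'];
    // Compare with !== false: strpos() returns 0 when the URI sits at
    // offset 0, which a bare !strpos() would wrongly treat as "not found".
    if (strpos($loc, $server['REQUEST_URI']) !== false) {
        return [true, 'REQUEST_URI found in location cookie'];
    }
    // Fallback for double-encoded redirects: QUERY_STRING carries _uri=<path>.
    // Take everything after "_uri=" so a '=' inside the path is not lost.
    $qs = $server['QUERY_STRING'] ?? '';
    if (strpos($qs, '_uri=') === 0) {
        $uri = substr($qs, strlen('_uri='));
        if ($uri !== '' && strpos($loc, $uri) !== false) {
            return [true, '_uri from QUERY_STRING found in location cookie'];
        }
    }
    return [false, 'location cookie does not contain the requested URI'];
}

// Constructed sample requests (hostname and values are made up)
$cases = [
    "no cookie (the post's case)" => [
        [],
        ['REQUEST_URI' => '/mymodule/section_delete/id=14', 'QUERY_STRING' => '']],
    'cookie set from window.location' => [
        ['jr_location_url' => 'http://example.test/mymodule/section_delete/id=14'],
        ['REQUEST_URI' => '/mymodule/section_delete/id=14', 'QUERY_STRING' => '']],
    'double-encoded redirect' => [
        ['jr_location_url' => 'http://example.test/mymodule/section_delete/id=14'],
        ['REQUEST_URI' => '/mymodule/section_delete/id%3D14',
         'QUERY_STRING' => '_uri=mymodule/section_delete/id=14']],
];
foreach ($cases as $name => [$cookie, $server]) {
    [$ok, $why] = example_validate_location_url($cookie, $server);
    printf("%-32s %s (%s)\n", $name, $ok ? 'PASS' : 'FAIL', $why);
}
```

The first case reproduces the "(2)" error from the post: with no jr_location_url cookie the check can only fail, regardless of what REQUEST_URI holds.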