| author | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2024-08-29 14:38:15 +0000 |
|---|---|---|
| committer | Jan-Hendrik Willms <tleilax+studip@gmail.com> | 2024-08-29 14:38:15 +0000 |
| commit | c5bdbd16af8a4b1f2dec09a47c31cd5d2d240264 (patch) | |
| tree | 15179224d934fb19c48a7470dd209df7a7e601c6 /app/controllers/materialien/files.php | |
| parent | bb5c21dcd0cf9ebb25c3dbbaf7094f55cda08466 (diff) | |
use csrf protection correctly, fixes #4545
Closes #4545
Merge request studip/studip!3341
Diffstat (limited to 'app/controllers/materialien/files.php')
| -rw-r--r-- | app/controllers/materialien/files.php | 31 |
1 files changed, 2 insertions, 29 deletions
diff --git a/app/controllers/materialien/files.php b/app/controllers/materialien/files.php
index fc8b2aa..25fd5b2 100644
--- a/app/controllers/materialien/files.php
+++ b/app/controllers/materialien/files.php
@@ -449,7 +449,7 @@ class Materialien_FilesController extends MVVController
     public function delete_range_action($mvvfile_id, $range_id)
     {
-        CSRFProtection::verifyRequest();
+        CSRFProtection::verifyUnsafeRequest();
         if ($mvvfile_range = MvvFileRange::find([$mvvfile_id, $range_id])) {
             $vacant = $mvvfile_range->position;
@@ -474,36 +474,9 @@ class Materialien_FilesController extends MVVController
         }
     }
-    public function delete_fileref_action($mvvfile_id, $fileref_id)
-    {
-        CSRFProtection::verifyRequest();
-        if ($mvv_file = MvvFile::find($mvvfile_id)) {
-            $vacant = $mvv_file->position;
-            $range_id = $mvv_file->range_id;
-            if ($mvv_file->delete()) {
-                foreach (MvvFile::findBySQL('range_id = ? ORDER BY position ASC',[$range_id]) as $other_file) {
-                    if ($other_file->position > $vacant) {
-                        $tmp = $other_file->position;
-                        $other_file->position = $vacant;
-                        $other_file->store();
-                        $vacant = $tmp;
-                    }
-                }
-                PageLayout::postSuccess(_('Das Dokument wurde gelöscht.'));
-            }
-        }
-        $this->range_id = $range_id;
-        if (Request::isXhr()) {
-            $this->response->add_header('X-Dialog-Execute', 'STUDIP.MVV.Document.reload_documenttable("' . $range_id . '")');
-            $this->response->add_header('X-Dialog-Close', 1);
-            $this->render_nothing();
-        }
-    }
     public function delete_all_dokument_action($mvvfile_id)
     {
-        CSRFProtection::verifyRequest();
+        CSRFProtection::verifyUnsafeRequest();
         MvvFile::deleteBySQL('mvvfile_id =?', [$mvvfile_id]);
         MvvFileRange::deleteBySQL('mvvfile_id =?', [$mvvfile_id]);
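Review bot: Both `delete_range_action` and `delete_all_dokument_action` are state-changing (they delete MvvFile/MvvFileRange rows), yet after the switch to `CSRFProtection::verifyUnsafeRequest()` neither hunk restricts the HTTP method; if `verifyUnsafeRequest()` skips the token check for GET/HEAD as its name suggests, a delete issued via a plain GET link would now run with no CSRF verification at all. Each action should reject safe methods before doing any work, e.g. `if (!Request::isPost()) { /* respond 405 / abort */ }` placed ahead of the `verifyUnsafeRequest()` call, unless routing already guarantees these actions are only reachable via POST — worth confirming, since the first hunk gives no evidence either way. A one-line comment above the call, `// State-changing action: must only be reachable via POST so the CSRF token is actually verified`, would make the expectation explicit for the next maintainer. The body of `delete_range_action` continues past the end of the first hunk, and `delete_all_dokument_action` runs past the end of the second.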
