Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r1ef1213820fe7ff7c6f4a9238b3f489a25012c63 -r328b2d5068eb7b9c271f43e55b3f19a05733312b
--- lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 1ef1213820fe7ff7c6f4a9238b3f489a25012c63)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b)
@@ -65,6 +65,14 @@ org.owasp.csrfguard.protected.monitoringUnsuspendLesson=/lams/monitoring/monitoring/unsuspendLesson.do org.owasp.csrfguard.protected.monitoringRemoveLesson=/lams/monitoring/monitoring/removeLesson.do org.owasp.csrfguard.protected.monitoringRenameLesson=/lams/monitoring/monitoring/renameLesson.do +org.owasp.csrfguard.protected.monitoringGradebookOnComplete=/lams/monitoring/monitoring/gradebookOnComplete.do +org.owasp.csrfguard.protected.monitoringPresenceAvailable=/lams/monitoring/monitoring/presenceAvailable.do +org.owasp.csrfguard.protected.monitoringPresenceImAvailable=/lams/monitoring/monitoring/presenceImAvailable.do +org.owasp.csrfguard.protected.monitoringEmailProgressDate=/lams/monitoring/emailProgress/updateEmailProgressDate.do +org.owasp.csrfguard.protected.monitoringSendEmail=/lams/emailUser/send.do +org.owasp.csrfguard.protected.monitoringUpdateLessonClass=/lams/monitoring/monitoring/updateLessonClass.do +org.owasp.csrfguard.protected.monitoringEmailNotificationsEmailUsers=/lams/monitoring/emailNotifications/emailUsers.do +org.owasp.csrfguard.protected.monitoringEmailNotificationsDel=/lams/monitoring/emailNotifications/deleteNotification.do org.owasp.csrfguard.protected.assessmentAuthoringSave=/lams/tool/laasse10/authoring/updateContent.do org.owasp.csrfguard.protected.assessmentAuthoringDefineLater=/lams/tool/laasse10/authoring/definelater.do Index: lams_central/src/java/org/lamsfoundation/lams/web/EmailUserController.java =================================================================== diff -u -r29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_central/src/java/org/lamsfoundation/lams/web/EmailUserController.java (.../EmailUserController.java) (revision 29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5) +++ lams_central/src/java/org/lamsfoundation/lams/web/EmailUserController.java (.../EmailUserController.java) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) 
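Review bot: `sendLessonProgressEmail` in EmailProgressController is switched to POST-only by this commit (the `@@ -245,7 +246,7 @@` hunk), but no `org.owasp.csrfguard.protected.*` entry for it is added here, unlike the other seven endpoints the commit restricts; unless it is already listed elsewhere in this file, that endpoint stays outside CSRFGuard's protection while its siblings are covered. Add a line next to `monitoringEmailProgressDate`, e.g. (constructed key following the existing pattern) `org.owasp.csrfguard.protected.monitoringSendLessonProgressEmail=/lams/monitoring/emailProgress/sendLessonProgressEmail.do`, and confirm the page that posts to it sends the token, since monitorLesson.js only appends `data[csrfTokenName] = csrfTokenValue` to the five other calls. The key `monitoringSendEmail` is also misnamed for its target `/lams/emailUser/send.do`, which lives in lams_central rather than the monitoring module; a neutral name such as `emailUserSend` would read better.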
@@ -47,6 +47,7 @@ import org.springframework.util.MultiValueMap; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; /** @@ -91,7 +92,7 @@ } @ResponseBody - @RequestMapping("/send") + @RequestMapping(path = "/send", method = RequestMethod.POST) public void send(@ModelAttribute EmailForm emailForm, HttpServletRequest request, HttpServletResponse response) throws Exception { UserDTO currentUser = (UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER); @@ -163,4 +164,4 @@ return result; } -} \ No newline at end of file +} Index: lams_central/web/emailuser.jsp =================================================================== diff -u -rae9912edeb82523d71d1e18df67ec5ee7e6301a8 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_central/web/emailuser.jsp (.../emailuser.jsp) (revision ae9912edeb82523d71d1e18df67ec5ee7e6301a8) +++ lams_central/web/emailuser.jsp (.../emailuser.jsp) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -5,6 +5,7 @@ <%@ taglib uri="tags-lams" prefix="lams"%> <%@ taglib uri="tags-fmt" prefix="fmt"%> <%@ taglib uri="tags-core" prefix="c"%> +<%@ taglib uri="csrfguard" prefix="csrf" %> <fmt:message key="title.admin.window" />
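Review bot: `send` is now POST-only and listed as a CSRFGuard-protected page, but nothing legible in this commit shows the form in emailuser.jsp carrying the token — the JSP hunk only adds the `csrf` taglib and its remaining body is garbled here — so confirm the form posting to `/lams/emailUser/send.do` emits the token (for example `<csrf:tokenname/>`/`<csrf:tokenvalue/>` as a hidden field), otherwise every submission will be rejected once the properties change lands. Any caller that still reaches `/send` with GET will now receive 405, so existing links into this page should be checked. If the project's Spring version is 4.3 or later, `@PostMapping("/send")` is the terser equivalent of `@RequestMapping(path = "/send", method = RequestMethod.POST)`, here and in the other controllers of this commit. The body of `send` continues outside the hunk.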
+ @@ -146,4 +148,4 @@ - \ No newline at end of file + Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsController.java =================================================================== diff -u -rd471fb4d4ad60b6568b9f3cb4ec9cd82c6fbe495 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsController.java (.../EmailNotificationsController.java) (revision d471fb4d4ad60b6568b9f3cb4ec9cd82c6fbe495) +++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsController.java (.../EmailNotificationsController.java) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -87,6 +87,7 @@ import org.springframework.util.Assert; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseStatus; import com.fasterxml.jackson.databind.node.ArrayNode; @@ -363,7 +364,7 @@ * * @throws JSONException */ - @RequestMapping("/deleteNotification") + @RequestMapping(path = "/deleteNotification", method = RequestMethod.POST) @ResponseBody public String deleteNotification(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException, SchedulerException { 
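Review bot: In EmailNotificationsController the new `import org.springframework.web.bind.annotation.RequestMethod;` is placed after `ResponseBody`, breaking the alphabetical order the surrounding imports follow (`RequestMapping`, `ResponseBody`, `ResponseStatus`); the EmailUserController and EmailProgressController hunks in this same commit put it between `RequestMapping` and `ResponseBody`. Move it up one line for consistency. While touching `deleteNotification`, the javadoc directly above the changed annotation still declares `@throws JSONException`, which does not appear in the method's `throws` clause; dropping that tag would keep the doc honest.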
@@ -471,7 +472,7 @@ /** * Method called via Ajax. It either emails selected users or schedules these emails to be sent on specified date. */ - @RequestMapping("/emailUsers") + @RequestMapping(path = "/emailUsers", method = RequestMethod.POST) @ResponseBody public String emailUsers(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailProgressController.java =================================================================== diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailProgressController.java (.../EmailProgressController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50) +++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailProgressController.java (.../EmailProgressController.java) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -57,6 +57,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; import com.fasterxml.jackson.databind.node.ArrayNode; @@ -170,7 +171,7 @@ /** * Add or remove a date for the email progress */ - @RequestMapping("/updateEmailProgressDate") + @RequestMapping(path = "/updateEmailProgressDate", method = RequestMethod.POST) @ResponseBody public String updateEmailProgressDate(HttpServletRequest request, HttpServletResponse response) throws IOException { Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); 
@@ -245,7 +246,7 @@ return dateJSON.toString(); } - @RequestMapping("/sendLessonProgressEmail") + @RequestMapping(path = "/sendLessonProgressEmail", method = RequestMethod.POST) @ResponseBody public String sendLessonProgressEmail(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { @@ -287,4 +288,4 @@ HttpSession ss = SessionManager.getSession(); return (UserDTO) ss.getAttribute(AttributeNames.USER); } -} \ No newline at end of file +} Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringController.java =================================================================== diff -u -rae4e7fd3d6b21cb7f41a733565442950cdd9d232 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringController.java (.../MonitoringController.java) (revision ae4e7fd3d6b21cb7f41a733565442950cdd9d232) +++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringController.java (.../MonitoringController.java) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -803,7 +803,7 @@ /** * Adds/removes learners and monitors to/from lesson class. */ - @RequestMapping("/updateLessonClass") + @RequestMapping(path = "/updateLessonClass", method = RequestMethod.POST) public void updateLessonClass(HttpServletRequest request, HttpServletResponse response) throws IOException { long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); if (!securityService.isLessonMonitor(lessonId, getUserId(), "update lesson class", false)) { @@ -1535,7 +1535,7 @@ * Set whether or not the presence available button is available in learner. Expects parameters lessonID and * presenceAvailable. */ - @RequestMapping("/presenceAvailable") + @RequestMapping(path = "/presenceAvailable", method = RequestMethod.POST) public String presenceAvailable(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { 
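Review bot: The MonitoringController hunks (`updateLessonClass` here, and `presenceAvailable`, `presenceImAvailable`, `gradebookOnComplete` below) start referencing `RequestMethod.POST`, yet this file gets no import hunk for `org.springframework.web.bind.annotation.RequestMethod`, whereas the three other controllers in the commit each add one. Presumably the import already exists higher in the file; if it does not, the class will not compile, so it is worth a quick check before merging. The bodies of these methods continue outside their hunks.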
@@ -1559,7 +1559,7 @@ * Set whether or not the presence available button is available in learner. Expects parameters lessonID and * presenceImAvailable. */ - @RequestMapping("/presenceImAvailable") + @RequestMapping(path = "/presenceImAvailable", method = RequestMethod.POST) public String presenceImAvailable(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { Long lessonID = new Long(WebUtil.readLongParam(request, "lessonID")); @@ -1578,7 +1578,7 @@ * Set whether or not the activity scores / gradebook values are shown to the learner at the end of the lesson. * Expects parameters lessonID and presenceAvailable. */ - @RequestMapping("/gradebookOnComplete") + @RequestMapping(path = "/gradebookOnComplete", method = RequestMethod.POST) public String gradebookOnComplete(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { @@ -1702,4 +1702,4 @@ } return updatedLatestLearners; } -} \ No newline at end of file +} Index: lams_monitoring/web/emailnotifications/courseNotifications.jsp =================================================================== diff -u -rd78b17ae7328f22f9e9425434ec68c06511013ad -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/web/emailnotifications/courseNotifications.jsp (.../courseNotifications.jsp) (revision d78b17ae7328f22f9e9425434ec68c06511013ad) +++ lams_monitoring/web/emailnotifications/courseNotifications.jsp (.../courseNotifications.jsp) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) 
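Review bot: The javadoc immediately above the changed annotation on `gradebookOnComplete` still reads "Expects parameters lessonID and presenceAvailable", while the new monitorLesson.js code posts `gradebookOnComplete` for this endpoint; since the annotation line is being edited anyway, correct the sentence to `Expects parameters lessonID and gradebookOnComplete.` (the parameter actually read by the method body lies outside the hunk, so verify the name there). The same mismatch pattern should be checked on `presenceImAvailable`, whose doc is partially visible here.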
@@ -145,7 +145,7 @@ scheduleDate = (scheduleDate == null) ? "" : scheduleDate.getTime(); $.ajax({ async: false, - url: '', + url: '?', data: "emailBody=" + emailBody + params, dataType: 'json', type: 'post', Index: lams_monitoring/web/emailnotifications/lessonNotifications.jsp =================================================================== diff -u -rd78b17ae7328f22f9e9425434ec68c06511013ad -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/web/emailnotifications/lessonNotifications.jsp (.../lessonNotifications.jsp) (revision d78b17ae7328f22f9e9425434ec68c06511013ad) +++ lams_monitoring/web/emailnotifications/lessonNotifications.jsp (.../lessonNotifications.jsp) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -122,7 +122,7 @@ $.ajax({ async: false, - url: '', + url: '?', data: "emailBody=" + emailBody + params, dataType: 'json', type: 'post', Index: lams_monitoring/web/emailnotifications/scheduledEmailList.jsp =================================================================== diff -u -rd78b17ae7328f22f9e9425434ec68c06511013ad -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/web/emailnotifications/scheduledEmailList.jsp (.../scheduledEmailList.jsp) (revision d78b17ae7328f22f9e9425434ec68c06511013ad) +++ lams_monitoring/web/emailnotifications/scheduledEmailList.jsp (.../scheduledEmailList.jsp) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -36,7 +36,7 @@ if (confirm(msg+'\n\n'+deleteConfirmationMessage2)) { $.ajax({ async : false, - url : 'deleteNotification.do', + url : 'deleteNotification.do?', data : '${deleteUrlParams}&triggerName=' + triggerName, type : "POST", success : function(json) { @@ -82,7 +82,7 @@ ${tDate}
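Review bot: The only change in courseNotifications.jsp, lessonNotifications.jsp and scheduledEmailList.jsp is a lone trailing `?` appended to the `$.ajax` `url` (the surrounding JSP/EL that builds the rest of the URL is not legible in this extraction), and nothing explains why it is needed — a reader will assume it is a typo and "fix" it. Presumably it is there so CSRFGuard's injected script can attach the token to the request; add a short comment above each call, e.g. `// trailing '?' is required so the CSRFGuard script can append the token`, and if the real reason differs, state that instead. Note also that the `data` strings these calls build are concatenated from page values rather than passed as an object, so the token must arrive through the script hook rather than the `data` payload used in monitorLesson.js.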
- Index: lams_monitoring/web/includes/javascript/monitorLesson.js =================================================================== diff -u -rae4e7fd3d6b21cb7f41a733565442950cdd9d232 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/web/includes/javascript/monitorLesson.js (.../monitorLesson.js) (revision ae4e7fd3d6b21cb7f41a733565442950cdd9d232) +++ lams_monitoring/web/includes/javascript/monitorLesson.js (.../monitorLesson.js) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -46,13 +46,16 @@ // sets presence availability. buttons may be temporarily disable by the tour. $('#presenceButton').click(function(){ var checked = $(this).toggleClass('btn-success').hasClass('btn-success'); + var data = { + 'presenceAvailable' : checked, + 'lessonID' : lessonId + }; + data[csrfTokenName] = csrfTokenValue; $.ajax({ url : LAMS_URL + 'monitoring/monitoring/presenceAvailable.do', + type : 'POST', cache : false, - data : { - 'presenceAvailable' : checked, - 'lessonID' : lessonId - }, + data : data, success : function() { updatePresenceAvailableCount(); if (checked) { @@ -70,13 +73,16 @@ // sets instant messaging availability $('#imButton').click(function(){ var checked = $(this).toggleClass('btn-success').hasClass('btn-success'); + var data = { + 'presenceImAvailable' : checked, + 'lessonID' : lessonId + }; + data[csrfTokenName] = csrfTokenValue; $.ajax({ url : LAMS_URL + 'monitoring/monitoring/presenceImAvailable.do', + type : 'POST', cache : false, - data : { - 'presenceImAvailable' : checked, - 'lessonID' : lessonId - }, + data : data, success : function() { if (checked) { $('#openImButton').show(); 
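Review bot: The same five-line pattern — build a `data` object, then `data[csrfTokenName] = csrfTokenValue;` — is now repeated in the `presenceButton` and `imButton` handlers here and again in the `gradebookOnCompleteButton` handler, `editEmailProgressDate` and `editClassMember` in the following hunks; a tiny helper such as `function withCsrfToken(data) { data[csrfTokenName] = csrfTokenValue; return data; }` would let each call read `data : withCsrfToken({ 'presenceAvailable' : checked, 'lessonID' : lessonId })` and keeps the token handling in one place. In `editClassMember` the new `var data={` also lacks the spacing every sibling uses. Separately, `cache : false` is retained next to the newly added `type : 'POST'`, but jQuery only honours `cache: false` for GET/HEAD requests (it works by appending a `_=` timestamp parameter), so that option is now dead configuration and can be dropped from these POST calls.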
@@ -198,13 +204,16 @@ // sets gradebook on complete functionality $('#gradebookOnCompleteButton').click(function(){ var checked = $(this).toggleClass('btn-success').hasClass('btn-success'); + var data = { + 'gradebookOnComplete' : checked, + 'lessonID' : lessonId + }; + data[csrfTokenName] = csrfTokenValue; $.ajax({ url : LAMS_URL + 'monitoring/monitoring/gradebookOnComplete.do', + type : 'POST', cache : false, - data : { - 'gradebookOnComplete' : checked, - 'lessonID' : lessonId - }, + data : data, success : function() { if (checked) { alert(LABELS.LESSON_ACTIVITY_SCORES_ENABLE_ALERT); @@ -667,16 +676,17 @@ function editEmailProgressDate(dateCheckbox){ var dateid = dateCheckbox.parent().attr('dateid'), add = dateCheckbox.is(':checked'); - + var data = { + 'lessonID' : lessonId, + 'id' : dateid, + 'add' : add + }; + data[csrfTokenName] = csrfTokenValue; $.ajax({ url : LAMS_URL + 'monitoring/emailProgress/updateEmailProgressDate.do', type : 'POST', cache : false, - data : { - 'lessonID' : lessonId, - 'id' : dateid, - 'add' : add - }, + data : data, success : function( dateObj ) { dateCheckbox.parent().attr('dateid', dateObj.id); dateCheckbox.parent().attr('datems', dateObj.ms); 
@@ -1863,20 +1873,19 @@ * Adds/removes a Learner/Monitor to/from the class. */ function editClassMember(userCheckbox){ - var userID = userCheckbox.parent().attr('userId'), - role = userCheckbox.closest('table').is('#classMonitorTable') ? 'MONITOR' : 'LEARNER', - add = userCheckbox.is(':checked'); - + var data={ + 'lessonID' : lessonId, + 'userID' : userCheckbox.parent().attr('userId'), + 'role' : userCheckbox.closest('table').is('#classMonitorTable') ? 'MONITOR' : 'LEARNER', + 'add' : userCheckbox.is(':checked') + }; + data[csrfTokenName] = csrfTokenValue; + $.ajax({ url : LAMS_URL + 'monitoring/monitoring/updateLessonClass.do', type : 'POST', cache : false, - data : { - 'lessonID' : lessonId, - 'userID' : userID, - 'role' : role, - 'add' : add - } + data : data }); } Index: lams_monitoring/web/monitor.jsp =================================================================== diff -u -rae4e7fd3d6b21cb7f41a733565442950cdd9d232 -r328b2d5068eb7b9c271f43e55b3f19a05733312b --- lams_monitoring/web/monitor.jsp (.../monitor.jsp) (revision ae4e7fd3d6b21cb7f41a733565442950cdd9d232) +++ lams_monitoring/web/monitor.jsp (.../monitor.jsp) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b) @@ -43,6 +43,9 @@ sequenceTabShowInfo = ${sequenceTabShowInfo eq true}, tourInProgress = false, LAMS_URL = '', + csrfToken = ' : ', + csrfTokenName = '', + csrfTokenValue = '', decoderDiv = $('
'), LABELS = {