Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -re2231bbf9bfe3cc5543908b808bbc60fe914a258 -r5bce4b0fa8cea7d6e15c7373ef618506f6e80533
--- lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision e2231bbf9bfe3cc5543908b808bbc60fe914a258)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties (.../Owasp.CsrfGuard.properties) (revision 5bce4b0fa8cea7d6e15c7373ef618506f6e80533)
@@ -56,6 +56,14 @@
 org.owasp.csrfguard.protected.centralSetDaysToFinish=/lams/lessonConditions/setDaysToLessonFinish.do
 org.owasp.csrfguard.protected.centralDelLessonDependency=/lams/lessonConditions/removeLessonDependency.do
+#Author
+org.owasp.csrfguard.protected.centralAuthorSaveLearningDesign=/lams/authoring/saveLearningDesign.do
+org.owasp.csrfguard.protected.centralAuthorDeleteResource=/lams/workspace/deleteResource.do
+org.owasp.csrfguard.protected.centralAuthorCreateFolder=/lams/workspace/createFolder.do
+org.owasp.csrfguard.protected.centralAuthorRenameResource=/lams/workspace/renameResource.do
+org.owasp.csrfguard.protected.centralAuthorCopyResource=/lams/workspace/copyResource.do
+org.owasp.csrfguard.protected.centralAuthorMoveResource=/lams/workspace/moveResource.do
+
 org.owasp.csrfguard.protected.gradebookExportExcelCourse=/lams/gradebook/gradebookMonitoring/exportExcelCourseGradebook.do
 org.owasp.csrfguard.protected.gradebookExportExcelLesson=/lams/gradebook/gradebookMonitoring/exportExcelLessonGradebook.do
 org.owasp.csrfguard.protected.gradebookExportExcelSelectedLessons=/lams/gradebook/gradebookMonitoring/exportExcelSelectedLessons.do
Index: lams_central/src/java/org/lamsfoundation/lams/workspace/web/WorkspaceController.java
===================================================================
diff -u -r10407509921c1b1233270863d7549ce68cc38c5c -r5bce4b0fa8cea7d6e15c7373ef618506f6e80533
--- lams_central/src/java/org/lamsfoundation/lams/workspace/web/WorkspaceController.java (.../WorkspaceController.java) (revision 10407509921c1b1233270863d7549ce68cc38c5c)
+++ lams_central/src/java/org/lamsfoundation/lams/workspace/web/WorkspaceController.java (.../WorkspaceController.java) (revision 5bce4b0fa8cea7d6e15c7373ef618506f6e80533)
@@ -45,6 +45,7 @@
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 /**
@@ -104,7 +105,7 @@
 * @throws UserException
 */
 @ResponseBody
- @RequestMapping("/createFolder")
+ @RequestMapping(path = "/createFolder", method = RequestMethod.POST)
 public void createFolder(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException, UserException, WorkspaceFolderException {
 Integer parentFolderID = WebUtil.readIntParam(request, "parentFolderID", false);
@@ -127,7 +128,7 @@
 * @throws IOException
 */
 @ResponseBody
- @RequestMapping("/deleteResource")
+ @RequestMapping(path = "/deleteResource", method = RequestMethod.POST)
 public void deleteResource(HttpServletRequest request) throws ServletException, IOException {
 Long resourceID = new Long(WebUtil.readLongParam(request, WorkspaceController.RESOURCE_ID));
 String resourceType = WebUtil.readStrParam(request, WorkspaceController.RESOURCE_TYPE);
@@ -155,7 +156,7 @@
 * @throws LearningDesignException
 */
 @ResponseBody
- @RequestMapping("/copyResource")
+ @RequestMapping(path = "/copyResource", method = RequestMethod.POST)
 public void copyResource(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException, LearningDesignException, UserException, WorkspaceFolderException {
 Long resourceID = WebUtil.readLongParam(request, WorkspaceController.RESOURCE_ID, false);
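Review bot: The mappings for createFolder, deleteResource and copyResource (and moveResource and renameResource in the next two hunks) spell out `method = RequestMethod.POST` on `@RequestMapping`, which is the verbose form of the restriction; if the project's Spring version is 4.3 or newer, `@PostMapping("/createFolder")` expresses the same in one annotation and makes the new `RequestMethod` import unnecessary. The Javadoc above each handler, of which only the `@throws` tail is visible here, should also record the new contract so that callers of these `.do` URLs learn of it without reading the annotation, for example ` * Accepts POST only; a GET is answered with 405. The request must carry the CSRFGuard token, as these paths are listed in Owasp.CsrfGuard.properties.` The body of copyResource continues past the end of the hunk.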
@@ -173,7 +174,7 @@
 }
 @ResponseBody
- @RequestMapping("/moveResource")
+ @RequestMapping(path = "/moveResource", method = RequestMethod.POST)
 public void moveResource(HttpServletRequest request, HttpServletResponse response) throws IOException {
 Long resourceID = WebUtil.readLongParam(request, WorkspaceController.RESOURCE_ID, false);
 String resourceType = WebUtil.readStrParam(request, WorkspaceController.RESOURCE_TYPE, false);
@@ -193,7 +194,7 @@
 }
 @ResponseBody
- @RequestMapping("/renameResource")
+ @RequestMapping(path = "/renameResource", method = RequestMethod.POST)
 public void renameResource(HttpServletRequest request, HttpServletResponse response)
 throws IOException, ServletException, UserException, WorkspaceFolderException {
 Integer userID = getUserId();
@@ -208,4 +209,4 @@
 workspaceManagementService.renameResource(resourceID, resourceType, name, userID);
 }
-}
\ No newline at end of file
+}
Index: lams_central/web/authoring/authoring.jsp
===================================================================
diff -u -r43bf0491691407c7567febca64ac9754dd959033 -r5bce4b0fa8cea7d6e15c7373ef618506f6e80533
--- lams_central/web/authoring/authoring.jsp (.../authoring.jsp) (revision 43bf0491691407c7567febca64ac9754dd959033)
+++ lams_central/web/authoring/authoring.jsp (.../authoring.jsp) (revision 5bce4b0fa8cea7d6e15c7373ef618506f6e80533)
@@ -2,9 +2,7 @@
 <%@ page import="org.lamsfoundation.lams.util.Configuration"%>
 <%@ page import="org.lamsfoundation.lams.util.ConfigurationKeys"%>
-<%@ taglib uri="tags-lams" prefix="lams"%>
-<%@ taglib uri="tags-core" prefix="c"%>
-<%@ taglib uri="tags-fmt" prefix="fmt"%>
+<%@ include file="/common/taglibs.jsp"%>
@@ -291,7 +289,9 @@
 initContentFolderID = '${contentFolderID}',
 initLearningDesignID = '${param.learningDesignID}',
 learningLibraryGroups = ${learningLibraryGroups},
- initAccess = ${access};
+ initAccess = ${access},
+ csrfTokenName = '',
+ csrfTokenValue = '';
Index: lams_central/web/includes/javascript/authoring/authoringGeneral.js
===================================================================
diff -u -r43bf0491691407c7567febca64ac9754dd959033 -r5bce4b0fa8cea7d6e15c7373ef618506f6e80533
--- lams_central/web/includes/javascript/authoring/authoringGeneral.js (.../authoringGeneral.js) (revision 43bf0491691407c7567febca64ac9754dd959033)
+++ lams_central/web/includes/javascript/authoring/authoringGeneral.js (.../authoringGeneral.js) (revision 5bce4b0fa8cea7d6e15c7373ef618506f6e80533)
@@ -346,17 +346,19 @@
 if (!title) {
 return;
 }
-
-
+ var data = {
+ 'name' : title,
+ 'parentFolderID' : parentFolder.data.folderID
+ };
+ data[csrfTokenName] = csrfTokenValue;
+
 $.ajax({
+ type : 'POST',
 cache : false,
 async : true,
 url : LAMS_URL + "workspace/createFolder.do",
 dataType : 'text',
- data : {
- 'name' : title,
- 'parentFolderID' : parentFolder.data.folderID
- },
+ data : data,
 success : function() {
 tree.removeChildren(parentFolder);
 parentFolder.expand();
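Review bot: `csrfTokenName` and `csrfTokenValue` are declared as empty strings and nothing in this change assigns them, yet every `data[csrfTokenName] = csrfTokenValue` in authoringGeneral.js relies on them being filled in first; with the values as declared each POST would carry a parameter with an empty name and no token, and CSRFGuard would reject it. Presumably another script populates them before the first workspace request is sent — confirm that, and name the source at the declaration, e.g. `// filled in by the CSRFGuard script (token name/value) before any workspace POST`, so the next reader does not take the empty strings for the intended value. The surrounding `var` statement begins before the hunk.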
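Review bot: The same four lines — build `data`, append `data[csrfTokenName] = csrfTokenValue`, pass `data : data`, add `type : 'POST'` — are repeated by hand here for createFolder and again in the moveResource/copyResource, deleteResource, renameResource and saveLearningDesign hunks that follow, and two further POSTs in this diff do not carry the token at all, which is the failure mode this duplication invites. A small helper, `function withCsrfToken(data) { data[csrfTokenName] = csrfTokenValue; return data; }`, used as `data : withCsrfToken({ 'name' : title, 'parentFolderID' : parentFolder.data.folderID })`, keeps each call site as short as it was and gives one place to document the token. The enclosing function of this hunk begins and ends outside the shown lines.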
@@ -411,16 +413,20 @@
 }
 }
+ var data = {
+ 'targetFolderID' : folderNode.data.folderID,
+ 'resourceID' : copiedResource.isFolder ? copiedResource.resourceNode.data.folderID
+ : copiedResource.resourceNode.data.learningDesignId ,
+ 'resourceType' : copiedResource.isFolder ? 'Folder' : 'LearningDesign'
+ };
+ data[csrfTokenName] = csrfTokenValue;
+
 $.ajax({
+ type : 'POST',
 cache : false,
 url : copiedResource.isCut ? LAMS_URL + "workspace/moveResource.do" : LAMS_URL + "workspace/copyResource.do",
 dataType : 'text',
- data : {
- 'targetFolderID' : folderNode.data.folderID,
- 'resourceID' : copiedResource.isFolder ? copiedResource.resourceNode.data.folderID
- : copiedResource.resourceNode.data.learningDesignId ,
- 'resourceType' : copiedResource.isFolder ? 'Folder' : 'LearningDesign'
- },
+ data : data,
 success : function() {
 if (copiedResource.isCut) {
 tree.removeNode(copiedResource.resourceNode, true);
@@ -451,16 +457,18 @@
 if (!confirm(LABELS.DELETE_NODE_CONFIRM + (isFolder ? LABELS.FOLDER : LABELS.SEQUENCE) + '?')) {
 return;
 }
-
+ var data = {
+ 'resourceID' : isFolder? ldNode.data.folderID : ldNode.data.learningDesignId,
+ 'resourceType' : isFolder ? 'Folder' : 'LearningDesign'
+ }
+ data[csrfTokenName] = csrfTokenValue;
 $.ajax({
+ type : 'POST',
 cache : false,
 async : true,
 url : LAMS_URL + "workspace/deleteResource.do",
 dataType : 'text',
- data : {
- 'resourceID' : isFolder? ldNode.data.folderID : ldNode.data.learningDesignId,
- 'resourceType' : isFolder ? 'Folder' : 'LearningDesign'
- },
+ data : data,
 success : function() {
 var parentFolder = ldNode.parent;
 tree.removeChildren(parentFolder);
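Review bot: In the deleteResource hunk (@@ -451) the object literal assigned to `data` closes with a bare `}` and the next statement `data[csrfTokenName] = csrfTokenValue;` follows on its own line; automatic semicolon insertion rescues it, but the other four sites in this diff write `};`, and relying on ASI before a line that starts with an identifier is exactly the case linters flag. Change the closing line to `};` for consistency. The enclosing functions of both hunks begin and end outside the shown lines.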
@@ -505,17 +513,21 @@
 if (!title) {
 return;
 }
-
+
+ var data = {
+ 'name' : title,
+ 'resourceID' : isFolder? ldNode.data.folderID : ldNode.data.learningDesignId,
+ 'resourceType' : isFolder ? 'Folder' : 'LearningDesign'
+ };
+ data[csrfTokenName] = csrfTokenValue;
+
 $.ajax({
+ type : 'POST',
 cache : false,
 async : true,
 url : LAMS_URL + "workspace/renameResource.do",
 dataType : 'text',
- data : {
- 'name' : title,
- 'resourceID' : isFolder? ldNode.data.folderID : ldNode.data.learningDesignId,
- 'resourceType' : isFolder ? 'Folder' : 'LearningDesign'
- },
+ data : data,
 success : function(response) {
 if (isFolder) {
 ldNode.data.label = title;
@@ -847,6 +859,7 @@
 // tool content ID can be null if the activity had the default content, i.e. was not edited yet
 if (activity.toolContentID) {
 $.ajax({
+ type : 'POST',
 cache : false,
 async : false,
 url : LAMS_URL + "authoring/copyToolContent.do",
@@ -1727,6 +1740,7 @@
 }
 // get LD details
 $.ajax({
+ type : 'POST',
 async : true,
 cache : false,
 url : LAMS_URL + "authoring/openLearningDesign.do",
@@ -2876,16 +2890,18 @@
 ? 1 : 0;
 ld.readOnly = readOnly;
 ld.systemGate = null;
+ var data = {
+ 'ld' : JSON.stringify(ld)
+ };
+ data[csrfTokenName] = csrfTokenValue;
 $.ajax({
 type : 'POST',
 cache : false,
 async : false,
 url : LAMS_URL + "authoring/saveLearningDesign.do",
 dataType : 'json',
- data : {
- 'ld' : JSON.stringify(ld)
- },
+ data : data,
 success : function(response) {
 layout.ld.folderID = folderID;
 layout.ld.title = title;
@@ -3120,6 +3136,7 @@
 // load the thumbnail
 $.ajax({
+ type : 'POST',
 dataType : 'text',
 url : LD_THUMBNAIL_URL_BASE + learningDesignID,
 cache : false,
@@ -3295,4 +3312,4 @@
 validateName : function(name) {
 return name && GeneralLib.nameValidator.test(name);
 }
-};
\ No newline at end of file
+};
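Review bot: The copyToolContent.do request (hunk @@ -847) is switched to POST but, unlike the other state-changing calls in this diff, neither attaches `data[csrfTokenName] = csrfTokenValue` nor appears in the new protected list in Owasp.CsrfGuard.properties; if it creates a server-side copy of tool content, as its name suggests, it needs the same treatment as saveLearningDesign (token in `data`, an entry in the properties file, and a POST-only mapping on its controller), otherwise a comment stating why it is exempt. The openLearningDesign.do (@@ -1727) and thumbnail (@@ -3120) requests also gain `type : 'POST'` without a token; the `// get LD details` comment suggests they only read, in which case the omission is harmless, but a one-line comment such as `// read-only: no CSRF token required` would record that decision. The enclosing functions of these hunks begin and end outside the shown lines.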