PHRAS-3857 Check CSRF token on Prod and Admin forms (#4361)

* csrf token form

* add csrf token

* add csrf

* add csrf

* add csrf

* test

* test

* test

* add form token in report

* csrf token upload

* lazaret csrf form

* upload test

* lazaret test

* add csrf token

* fix test

* fix set cover publication

---------

Co-authored-by: jygaulier <gaulier@alchemy.fr>
This commit is contained in:
Aina Sitraka
2023-10-03 17:28:33 +03:00
committed by GitHub
parent 78a36aec21
commit b6a5f90fd3
71 changed files with 567 additions and 100 deletions


@@ -21,6 +21,7 @@ use Alchemy\Phrasea\SearchEngine\SearchEngineOptions;
use Alchemy\Phrasea\Utilities\StringHelper;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use unicode;
class QueryController extends Controller
@@ -121,6 +122,10 @@ class QueryController extends Controller
*/
public function query(Request $request)
{
if (!$this->isCrsfValid($request, 'searchForm')) {
return $this->app->json(['message' => 'invalid search token'], 403);
}
$query = (string) $request->request->get('qry');
// since the query comes from a submited form, normalize crlf,cr,lf ...