PHRAS-3857 Check CSRF token on Prod and Admin forms (#4361)

* csrf token form

* add csrf token

* add csrf

* add csrf

* add csrf

* test

* test

* test

* add form token in report

* csrf token upload

* lazaret csrf form

* upload test

* lazaret test

* add csrf token

* fix test

* fix set cover publication

---------

Co-authored-by: jygaulier <gaulier@alchemy.fr>
Aina Sitraka
2023-10-03 17:28:33 +03:00
committed by GitHub
parent 78a36aec21
commit b6a5f90fd3
71 changed files with 567 additions and 100 deletions

@@ -37,6 +37,10 @@ class ProdOrderController extends BaseOrderController
*/
public function createOrder(Request $request)
{
if (!$this->isCrsfValid($request, 'prodExportOrder')) {
return $this->app->json(['message' => 'invalid export order form'], 403);
}
$records = RecordsRequest::fromRequest($this->app, $request, true, [\ACL::CANCMD]);
try {
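
Review bot: the helper called at the top of createOrder() is spelled isCrsfValid, with the letters of "CSRF" transposed; since this commit touches 71 files, renaming it to isCsrfValid now avoids carrying the typo into every controller that calls it. The token id 'prodExportOrder' is a bare string literal that has to match whatever the form template emits, so a shared constant would keep the two from drifting apart silently. The 403 body 'invalid export order form' does not tell the client that the token was missing or expired, which makes a stale-tab failure hard to distinguish from a malformed request; consider a message or error code that names the token so the front end can prompt a reload. Placing the check before RecordsRequest::fromRequest() is right, since the request is rejected before any record lookup or ACL work.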