fix: [users] Avoid POSTing forms not linked to the login page resulting in unwanted actions

- As reported by Michael Kerscher
2020-09-15 11:55:50 +02:00 · 2020-09-15 11:55:50 +02:00 · 164963100a
parent 5d3dee3ba2
commit 164963100a
1 changed files with 4 additions and 1 deletions
--- a/app/View/Users/login.ctp
+++ b/app/View/Users/login.ctp
@ -81,7 +81,10 @@ function submitLoginForm() {
        $form[0].reportValidity()
    } else {
        fetchFormDataAjax(url, function(html) {
-            var formHTML = $(html).find('form')
+            var formHTML = $(html).find('form#UserLoginForm')
+            if (!formHTML.length) {
+                window.location = baseurl + '/users/login'
+            }
            $('body').append($('<div id="temp" style="display: none"/>').append(formHTML))
            var $tmpForm = $('#temp form')
            $tmpForm.find('#UserEmail').val(email)