From a94777231b4bca4ef1a2f0088a287cb8f7d04c4e Mon Sep 17 00:00:00 2001
From: iglocska
Date: Tue, 23 May 2023 10:46:54 +0200
Subject: [PATCH] fix: [templates controller] remove CSRF protection from the rearranging

- worst case an attacker messes with the order of a template's fields via CSRF, don't think anyone will ever care
- removes the annoying blackholing for the drag and drop
---
 app/Controller/TemplatesController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Controller/TemplatesController.php b/app/Controller/TemplatesController.php
index 2ea4e9108..05dbd8879 100644
--- a/app/Controller/TemplatesController.php
+++ b/app/Controller/TemplatesController.php
@@ -18,7 +18,7 @@ class TemplatesController extends AppController
 public function beforeFilter()
 { // TODO REMOVE
 parent::beforeFilter();
- $this->Security->unlockedActions = array('uploadFile', 'deleteTemporaryFile');
+ $this->Security->unlockedActions = array('uploadFile', 'deleteTemporaryFile', 'saveElementSorting');
 }
 
 public function index()
@@ -188,7 +188,7 @@ class TemplatesController extends AppController
 $this->request->onlyAllow('ajax');
 $orderedElements = $this->request->data;
 foreach ($orderedElements as $key => $e) {
- $orderedElements[$key] = ltrim($e, 'id_');
+ $orderedElements[$key] = (int)ltrim($e, 'id_');
 }
 $extractedIds = array();
 foreach ($orderedElements as $element) {
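Review bot: Listing `saveElementSorting` in `unlockedActions` in `beforeFilter()` turns off every SecurityComponent check for that action, form-tampering validation as well as the CSRF token, so a forged or malformed request is now stopped only by whatever the action checks itself. The `onlyAllow('ajax')` call visible in the second hunk appears to be the sole request-level gate left, and it depends on a client-supplied header; the body of `saveElementSorting` lies mostly outside the diff, so please confirm it verifies that the caller may edit the template owning the submitted element ids. Since the trade-off is deliberate, record it next to the list so a later action added there gets the same scrutiny: `// saveElementSorting: CSRF/form-tampering checks disabled on purpose (drag-and-drop reordering only); the action must enforce per-template edit permission itself`.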
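Review bot: The `(int)` cast in the `saveElementSorting` loop coerces instead of validating: `ltrim($e, 'id_')` strips any leading run of the characters `i`, `d` and `_` rather than the literal prefix, anything non-numeric silently becomes `0`, and an array-valued entry still reaches `ltrim()` and fails with a warning or a TypeError depending on the PHP version. With the action now in `unlockedActions`, the shape of `$this->request->data` is entirely caller-controlled, so it would be safer to reject entries that do not match `id_<digits>` before they reach the `$extractedIds` loop. The fence below does that with an anchored pattern and a `BadRequestException`. The rest of the function lies outside the hunk, so how id `0` or duplicate ids are handled further down is not visible here.

```php
foreach ($orderedElements as $key => $e) {
    // Accept only the exact "id_<digits>" form this loop expects; reject anything else.
    if (!is_string($e) || !preg_match('/\Aid_(\d+)\z/', $e, $matches)) {
        throw new BadRequestException('Invalid element id.');
    }
    $orderedElements[$key] = (int)$matches[1];
}
```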