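/**
 * Step II of task creation: persists the task assembled in step I and stores
 * every remaining POST field as a TaskData key/value row.
 *
 * Step I hands its form back through the serialised 'formone' request
 * parameter, so that payload is client-controlled.
 *
 * @param Web $w request context (passed by reference by the framework)
 * @return void redirects via $w->msg() / $w->error()
 */
function createtask_POST(Web &$w)
{
    $w->Task->navigation($w, "Create Task");

    // unserialise input from step I and store in array: arr_req.
    // 'formone' comes from the client, so no classes may be instantiated from
    // it (PHP object injection); step I only serialises a plain array, which
    // is unaffected. A JSON/HMAC-signed payload or server-side session storage
    // would remove the need for unserialize() here altogether.
    $formone = $w->request('formone');
    $arr_req = is_string($formone) ? unserialize($formone, ['allowed_classes' => false]) : false;
    if (!is_array($arr_req)) {
        // tampered or corrupted step-I payload: do not create a half-filled task
        $w->error("The Task could not be created. Please inform the IT Group", "/task/index/");
        return;
    }

    // set relevant dt variables with: Today.
    $now = date('c');
    $arr_req['dt_assigned'] = $now;
    $arr_req['dt_first_assigned'] = $now;

    // insert Task into database
    $task = new Task($w);
    $task->fill($arr_req);
    $task->insert();

    if (!$task->id) {
        // if task insert was unsuccessful, say as much
        $w->msg("The Task could not be created. Please inform the IT Group", "/task/index/");
        return;
    }

    // store additional fields as task data. Skip the step-I blob, the flow id,
    // the task_id (it is the foreign key, not a data row) and the CSRF token.
    $skip = array("formone", "FLOW_SID", "task_id", CSRF::getTokenID());
    foreach ($_POST as $name => $value) {
        // strict comparison: a numeric field name arrives as an int key, and
        // 0 == "formone" is true on PHP < 8
        if (in_array((string) $name, $skip, true)) {
            continue;
        }
        $tdata = new TaskData($w);
        // NOTE(review): edit_POST writes this column as data_key; confirm which
        // name the TaskData table actually uses.
        $tdata->fill(array("task_id" => $task->id, "key" => $name, "value" => $value));
        $tdata->insert();
    }

    // return to task dashboard
    // NOTE(review): the title is user-supplied; if msg() renders it as HTML it
    // needs escaping there.
    $w->msg("Task " . $task->title . " added", "/task/viewtask/" . $task->id);
}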
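/**
 * Persists a widget's custom configuration from the submitted form.
 *
 * The whole POST body (minus the CSRF token) is stored verbatim as JSON in
 * Widget::$custom_config; no per-key validation happens here.
 *
 * @param Web $w request context
 * @return void redirects via $w->msg() / $w->error()
 */
function configwidget_POST(Web $w)
{
    $p = $w->pathMatch("origin", "id");
    $widget = $w->Widget->getWidgetById($p["id"]);
    if (empty($widget->id)) {
        $w->error("Widget not found", "/{$p['origin']}");
        return; // in case error() does not terminate the request
    }

    // the token is request plumbing, not widget configuration
    $vars = $_POST;
    unset($vars[CSRF::getTokenID()]);

    $json = json_encode($vars);
    if ($json === false) {
        // e.g. invalid UTF-8 in a field: refuse rather than store false
        $w->error("Widget configuration could not be encoded", "/{$p['origin']}");
        return;
    }

    $widget->custom_config = $json;
    $widget->update();
    $w->msg("Widget updated", "/{$p['origin']}");
}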
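/**
 * Saves a channel processor's settings from the submitted form.
 *
 * The whole POST body (minus the CSRF token) is stored verbatim as JSON in
 * the processor's settings column.
 *
 * @param Web $w request context
 * @return void redirects via $w->msg() / $w->error()
 */
function editsettings_POST(Web $w)
{
    $w->setLayout(null);
    $p = $w->pathMatch("id");
    if (empty($p["id"])) {
        $w->error("Missing parameter in request", "/channels/listprocessors");
        return; // in case error() does not terminate the request
    }
    $id = $p["id"];

    // Remove CSRF token from request. unset() is a no-op when the key is
    // absent, so no !empty() guard is needed (the guard also kept a token
    // with a falsy value, e.g. "0", in the saved settings).
    $post = $_POST;
    unset($post[CSRF::getTokenID()]);

    $processor = $w->Channel->getProcessor($id);
    if (empty($processor->id)) {
        $w->error("Invalid processor ID", "/channels/listprocessors");
        return;
    }

    $json = json_encode($post);
    if ($json === false) {
        // e.g. invalid UTF-8 in a field: refuse rather than store false
        $w->error("Processor settings could not be encoded", "/channels/listprocessors");
        return;
    }

    $processor->settings = $json;
    $processor->update();
    $w->msg("Processor settings saved", "/channels/listprocessors");
}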
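/**
 * Starts (or, on resubmission from the pop-up, stamps) a time log entry for a
 * task and renders the small pop-up window that keeps it open.
 *
 * GET /task/starttimelog/<id> creates a new TaskTime row for task <id>.
 * A POST from the pop-up itself (started=yes) sets dt_end on the existing
 * entry named by logid and re-renders the window.
 *
 * @param Web $w request context
 * @return void writes the page via $w->out()
 */
function starttimelog_ALL(Web &$w)
{
    $p = $w->pathMatch("id");

    if (!empty($_POST['started']) && $_POST["started"] === "yes") {
        // NOTE(review): logid comes straight from the client; nothing here checks
        // that the entry belongs to the current user/task — confirm
        // getTimeLogEntry() or checkAccess() covers that.
        $log = $w->Task->getTimeLogEntry($_POST['logid']);

        // update time log entry
        $log->dt_end = date("Y-m-d G:i");
        $log->update();

        // set page variables
        // assumes dt_start is exposed as a unix timestamp after load (dt_end
        // above is a formatted string) — TODO confirm against the TaskTime model
        $start = date("Y-m-d G:i", $log->dt_start);
        $end = $log->dt_end;
        $taskid = $_POST['taskid'];
        $tasktitle = $_POST['tasktitle'];
        $logid = $_POST['logid'];
    } else {
        // get the task
        $task = $w->Task->getTask($p['id']);

        // set time log values
        $arr = array();
        $arr["task_id"] = $task->id;
        $arr["creator_id"] = $_SESSION["user_id"];
        $arr["dt_created"] = date("d/m/Y");
        $arr["user_id"] = $_SESSION["user_id"];

        // format start and end times for database
        $start = $arr["dt_start"] = date("Y-m-d G:i");
        $end = $arr["dt_end"] = date("Y-m-d G:i");

        // add time log entry
        $log = new TaskTime($w);
        $log->fill($arr);
        $log->insert();

        // set page variables
        $taskid = $task->id;
        $tasktitle = $task->title;
        $logid = $log->id;
    }

    // Everything below is interpolated into HTML/JS. The title and comments are
    // user-supplied (task title, or values this form posted back to itself), so
    // escape for the context they land in. In the resumed branch $task is not
    // set, so the <title> uses $tasktitle rather than $task->title.
    $safeTitle = htmlspecialchars((string) $tasktitle, ENT_QUOTES, 'UTF-8');
    $safeTaskId = htmlspecialchars((string) $taskid, ENT_QUOTES, 'UTF-8');
    $safeLogId = htmlspecialchars((string) $logid, ENT_QUOTES, 'UTF-8');
    $comments = !empty($_POST['comments']) ? (string) $_POST['comments'] : '';
    $safeComments = htmlspecialchars($comments, ENT_QUOTES, 'UTF-8');
    // path segment inside a JS string literal: percent-encoding leaves only [A-Za-z0-9-_.~%]
    $jsTaskId = rawurlencode((string) $taskid);

    // create page
    $html = "<html><head><title>Task Time Log - " . $safeTitle . "</title>" .
        "<style type=\"text/css\">" .
        "body { background-color: #8ad228; }" .
        "td { background-color: #ffffff; color: #000000; font-family: verdana, arial; font-weight: bold; font-size: .8em; }" .
        "td.startend { background-color: #d2efab; color: #000000; font-family: verdana, arial; font-weight: bold; font-size: .9em; }" .
        "td.timelog { background-color: #75ba4d; color: #000000; font-family: verdana, arial; font-weight: bold; font-size: .9em; }" .
        "td.tasktitle { background-color: #9fea72; color: #000000; font-family: verdana, arial; font-weight: bold; font-size: .8em; }" .
        "a { text-decoration: none; } " .
        "a:hover { color: #ffffff; } " .
        "</style>" .
        "<script language=\"javascript\">" .
        "var thedate = new Date();" .
        "thedate.setDate(thedate.getDate()+1);" .
        "document.cookie = \"thiswin=true;expires=\" + thedate.toGMTString() + \";path=/\";" .
        "function doUnLoading() {" .
        "\tvar thedate = new Date();" .
        "\tthedate.setDate(thedate.getDate()-1);" .
        "\tdocument.cookie = \"thiswin=true;expires=\" + thedate.toGMTString() + \";path=/\";" .
        "\tdocument.theForm.action = \"/task/endtimelog\";" .
        "\tdocument.theForm.submit();" .
        "}" .
        "function beforeUnLoading() {" .
        "\tdocument.theForm.restart.value = \"yes\";" .
        "\tdoUnLoading();" .
        "}" .
        "function goTask() {" .
        "\twindow.opener.location.href = \"/task/edit/" . $jsTaskId . "\";" .
        "}" .
        "</script></head><body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 onbeforeunload=\"javascript: doUnLoading();\">" .
        "<form name=theForm action=\"/task/starttimelog\" method=POST>" .
        "<input type=\"hidden\" name=\"" . CSRF::getTokenID() . "\" value=\"" . CSRF::getTokenValue() . "\" />" .
        "<table cellpadding=2 cellspacing=2 border=0 width=100%>" .
        "<tr align=center><td colspan=2 class=timelog>Task Time Log</td></tr>" .
        "<tr align=center><td colspan=2 class=tasktitle><a title=\"View Task\" href=\"javascript: goTask();\">" . $safeTitle . "</a></td></tr>" .
        "<tr align=center><td width=50% class=startend>Start</td><td width=50% class=startend>Stop</td></tr>" .
        "<tr align=center><td>" . date("g:i a", strtotime($start)) . "</td><td>" . date("g:i a", strtotime($end)) . "</td></tr>" .
        "<tr align=center><td colspan=2 class=timelog> </td></tr>" .
        "<tr><td colspan=2 class=startend>Comments</td></tr>" .
        "<tr><td colspan=2 align=center><textarea name=comments rows=4 cols=40>" . $safeComments . "</textarea></td></tr>" .
        "<tr align=center>" .
        "<td class=timelog align=right><button id=end onClick=\"javascript: beforeUnLoading();\">Save Comments</button></td>" .
        "<td class=timelog align=left><button id=end onClick=\"javascript: doUnLoading();\">Stop Time Now</button></td>" .
        "</tr>" .
        "</table>" .
        "<input type=hidden name=started value=\"yes\">" .
        "<input type=hidden name=restart value=\"no\">" .
        "<input type=hidden name=taskid value=\"" . $safeTaskId . "\">" .
        "<input type=hidden name=tasktitle value=\"" . $safeTitle . "\">" .
        "<input type=hidden name=logid value=\"" . $safeLogId . "\">" .
        "</form>" .
        "<script language=javascript>" .
        "document.theForm.comments.focus();" .
        "var r = setTimeout('theForm.submit()',1000*60*5);" .
        "</script>" .
        "</body></html>";

    // output page
    $w->setLayout(null);
    $w->out($html);
}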
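/**
 * Start processing of the current request.
 *
 * 1. look at the request parameter if the action parameter was set
 * 2. if not set, look at the pathinfo and use first
 *
 * Resolves module / submodule / action from the path (optionally prefixed by
 * a frontend module selected through Config 'domain.route' and the Host
 * header), validates the CSRF token, checks access, loads the action file and
 * runs <action>_<METHOD>() or <action>_ALL(), then renders template/layout.
 *
 * @return void never returns normally; ends the request with exit
 */
function start()
{
    $this->initDB();

    // start the session
    session_name(SESSION_NAME);
    session_start();

    // Initialise the logger (needs to log "info" to include the request data, see LogService __call function)
    $this->Log->info("info");

    // Generate CSRF tokens and store them in the $_SESSION
    CSRF::getTokenID();
    CSRF::getTokenValue();

    $_SESSION['last_request'] = time();

    // find out which module to use
    $action_found = false;

    $this->_paths = $this->_getCommandPath();

    // based on request domain we can route everything to a frontend module
    // look into the domain routing and prepend the module.
    // HTTP_HOST is client-controlled, but it is only used as a lookup key into
    // the configured routes: an unknown host simply gets no frontend module.
    $routing = Config::get('domain.route');
    $domainmodule = isset($routing[$_SERVER['HTTP_HOST']]) ? $routing[$_SERVER['HTTP_HOST']] : null;
    if (!empty($domainmodule)) {
        $this->_loginpath = "auth";
        $this->_isFrontend = true;

        // now we have to decide whether the path points to
        // a) a single top level action
        // b) an action on a submodule
        // but we need to make sure not to mistake a path parameter for a submodule or an action!
        $domainsubmodules = $this->getSubmodules($domainmodule);
        $action_or_module = !empty($this->_paths[0]) ? $this->_paths[0] : null;
        if (!empty($domainsubmodules) && !empty($action_or_module) && in_array($action_or_module, $domainsubmodules, true)) {
            // just add the module to the first path entry, eg. frontend-page/1
            $this->_paths[0] = $domainmodule . "-" . $this->_paths[0];
        } else {
            // add the module as an entry to the front of paths, eg. frontend/index
            array_unshift($this->_paths, $domainmodule);
        }
    }

    // continue as usual
    // first find the module file
    if ($this->_paths && count($this->_paths) > 0) {
        $this->_module = array_shift($this->_paths);
    }

    // then find the action
    if ($this->_paths && count($this->_paths) > 0) {
        $this->_action = array_shift($this->_paths);
    }

    if (!$this->_module) {
        $this->_module = $this->_defaultHandler;
    }

    // see if the module is a sub module
    // eg. /sales-report/showreport/1..
    $hsplit = explode("-", $this->_module);
    $this->_module = array_shift($hsplit);
    $this->_submodule = array_shift($hsplit);

    // Check to see if the module is active (protect against main disabling)
    if (null !== Config::get("{$this->_module}.active") && !Config::get("{$this->_module}.active") && $this->_module !== "main") {
        $this->error("The {$this->_module} module is not active, you can change it's active state in it's config file.", "/");
    }

    if (!$this->_action) {
        $this->_action = $this->_defaultAction;
    }

    // try to load the action file: <moduledir>/actions/[<submodule>/]<action>.php,
    // falling back to <moduledir>/<module>[.<submodule>].actions.php
    $reqpath = $this->getModuleDir($this->_module) . 'actions/' . ($this->_submodule ? $this->_submodule . '/' : '') . $this->_action . '.php';
    if (!file_exists($reqpath)) {
        $reqpath = $this->getModuleDir($this->_module) . $this->_module . ($this->_submodule ? '.' . $this->_submodule : '') . ".actions.php";
    }

    // try to find action for the request type
    // using <action>_<type>()
    // or just <action>_ALL()
    $this->_requestMethod = $_SERVER['REQUEST_METHOD'];
    $actionmethods = array(
        $this->_action . '_' . $this->_requestMethod,
        $this->_action . '_ALL',
    );

    // Check/validate CSRF token
    $this->validateCSRF();

    // Taking out the CSRF regeneration until more testing can be done
    // if ($this->_requestMethod == 'post') {
    //     CSRF::regenerate();
    // }

    //
    // if a module file for this url exists, then start processing
    //
    if (file_exists($reqpath)) {
        $this->ctx('webroot', $this->_webroot);
        $this->ctx('module', $this->_module);
        // was $this->_module, which mirrored the module name into 'submodule'
        $this->ctx('submodule', $this->_submodule);
        $this->ctx('action', $this->_action);

        // CHECK ACCESS!!
        $this->checkAccess(); // will redirect if access denied!

        // load the module file
        require_once $reqpath;
    } else {
        $this->Log->error("System: No Action found for: " . $reqpath);
        $this->notFoundPage();
    }

    foreach ($actionmethods as $action_method) {
        if (function_exists($action_method)) {
            $action_found = true;
            $this->_actionMethod = $action_method;
            break;
        }
    }

    if ($action_found) {
        $this->ctx("loggedIn", $this->Auth->loggedIn());
        $this->ctx("error", $this->session('error'));
        $this->sessionUnset('error');
        $this->ctx("msg", $this->session('msg'));
        $this->sessionUnset('msg');
        $this->ctx("w", $this);

        try {
            // call hooks, generic to specific
            $this->_callWebHooks("before");

            // Execute the action
            $method = $this->_actionMethod;
            $this->_action_executed = true;
            $method($this);

            // call hooks, generic to specific
            $this->_callWebHooks("after");
        } catch (PermissionDeniedException $ex) {
            $this->error($ex->getMessage());
        }

        // send headers first
        if ($this->_headers) {
            foreach ($this->_headers as $key => $val) {
                header($key . ': ' . $val);
            }
        }

        // evaluate template only when buffer is empty.
        // Equivalent to the former sizeof($this->_buffer) == 0 (true only for
        // null or an empty array) without the warning/TypeError count() raises
        // on a string buffer in PHP 7.2+/8.
        if ($this->_buffer === null || $this->_buffer === array()) {
            $body = $this->fetchTemplate();
        } else {
            $body = $this->_buffer;
        }

        // but always check for layout
        // if ajax call don't do the layout
        if ($this->_layout && !$this->isAjax()) {
            $this->_buffer = null;
            $this->ctx($this->_layoutContentMarker, $body);
            $this->templateOut($this->_layout);
        } else {
            $this->_buffer = $body;
        }
        echo $this->_buffer;
    } else {
        $this->notFoundPage();
    }
    exit;
}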
<?php
/*
 * Login form. The hidden field carries the per-session CSRF token so that
 * /auth/login can verify the POST originated from this page (see the
 * validateCSRF() call in start()).
 * NOTE(review): as rendered in this listing there is a space between `?>`
 * and the closing quote of the name/value attributes; `?>` swallows a
 * following newline but not a space, and PHP would then register the
 * field as "<token>_" in $_POST — confirm this is only an artefact of
 * the collapsed listing and not present in the real template.
 */
?>
<form method="POST" action="/auth/login"> <input type="hidden" name="<?php echo CSRF::getTokenID(); ?> " value="<?php echo CSRF::getTokenValue(); ?> " /> <label for="login">Login</label> <input id="login" name="login" type="text" placeholder="Your login" /> <label for="password">Password</label> <input id="password" name="password" type="password" placeholder="Your password" /> <button type="submit" class="button large-5 small-12">Login</button> <button type="button" onclick="window.location.href='/auth/forgotpassword';" class="button alert large-5 small-12 right">Forgot Password</button> </form>
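/**
 * Creates or updates a task from the ajax edit form and syncs its extra
 * key/value fields (TaskData rows).
 *
 * POST layout: 'edit' holds the Task columns, 'extra' holds arbitrary
 * key => value pairs (plus the CSRF token, which is dropped).
 *
 * @param Web $w request context
 * @return void writes the task id to the response via $w->out()
 */
function edit_POST($w)
{
    $p = $w->pathMatch("id");
    // NOTE(review): no check that the current user may edit task <id> is
    // visible here — confirm checkAccess()/getTask() enforce it.
    $task = !empty($p["id"]) ? $w->Task->getTask($p["id"]) : new Task($w);

    // NOTE(review): fill() takes every posted 'edit' field; if Task has columns
    // a user must not set, whitelist here — confirm against Task::fill().
    $edit = isset($_POST['edit']) && is_array($_POST['edit']) ? $_POST['edit'] : array();
    $task->fill($edit);
    $task->assignee_id = isset($edit['assignee_id']) ? intval($edit['assignee_id']) : 0;
    if (empty($task->dt_due)) {
        $task->dt_due = $w->Task->getNextMonth();
    }
    $task->insertOrUpdate();

    // Tell the template what the task id is (this post action is being called via ajax)
    $w->setLayout(null);
    $w->out($task->id);

    // Extra key/value fields. The CSRF token is posted with the form but is not
    // task data; drop it up front. (Previously it was only dropped while
    // iterating existing rows, so a task with no existing data had the token
    // stored as a TaskData row.)
    $extra = isset($_POST["extra"]) && is_array($_POST["extra"]) ? $_POST["extra"] : array();
    unset($extra[\CSRF::getTokenID()]);

    // Update rows that already exist for this task, removing each handled key
    // from $extra. Key lookup replaces the former loose == comparison, which
    // matched any non-numeric key against a numeric field name on PHP < 8.
    $existing_task_data = $w->Task->getTaskData($task->id);
    if (!empty($existing_task_data)) {
        foreach ($existing_task_data as $e_task_data) {
            $key = $e_task_data->data_key;
            if (array_key_exists($key, $extra)) {
                $e_task_data->value = $extra[$key];
                $e_task_data->update();
                unset($extra[$key]);
            }
            // rows absent from this submission are left untouched (the original
            // carried a commented-out delete() here, so that stays deliberate)
        }
    }

    // Insert data that didn't exist above as new task_data objects
    foreach ($extra as $key => $data) {
        $tdata = new TaskData($w);
        $tdata->task_id = $task->id;
        $tdata->data_key = $key;
        $tdata->value = $data;
        $tdata->insert();
    }
}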
/**
 * Renders the opening <form ...> tag for this form.
 *
 * Only non-empty attributes are written, in a fixed order. Values are
 * interpolated as-is into single-quoted attributes, so callers must not feed
 * them user-controlled strings. When the form method is POST and a CSRF class
 * is available, a hidden token field is appended directly after the tag.
 *
 * @return string the opening tag (plus the CSRF field when applicable)
 */
public function open()
{
    // attribute name => property holding its value, in output order
    $attributeSources = array(
        'accept-charset' => 'accept_charset',
        'action'         => 'action',
        'autocomplete'   => 'autocomplete',
        'enctype'        => 'enctype',
        'method'         => 'method',
        'name'           => 'name',
        'novalidate'     => 'novalidate',
        'target'         => 'target',
        'id'             => 'id',
        'class'          => '_class',
    );

    $tag = "<form ";
    foreach ($attributeSources as $attr => $property) {
        if (!empty($this->{$property})) {
            $tag .= "{$attr}='{$this->{$property}}' ";
        }
    }
    $tag .= " >";

    // Automatically print CSRF token, but only for POST forms
    if (!class_exists("CSRF") || empty($this->method) || $this->method != "POST") {
        return $tag;
    }

    $tokenId = \CSRF::getTokenID();
    $tokenValue = \CSRF::getTokenValue();
    $tag .= "<input type='hidden' name='{$tokenId}' value='{$tokenValue}' />";

    return $tag;
}
comment_section.append(replyForm); $("#textarea_comment").focus(); $('#comment_reply_form').submit(function() { $.ajax({ url : '/admin/ajaxSaveComment/' + comment_id, type : 'POST', data : { 'redirect': '<?php echo $redirect; ?> ', 'comment': $('#textarea_comment').val(), '<?php echo \CSRF::getTokenID(); ?> ': '<?php echo \CSRF::getTokenValue(); ?> ' }, complete: function(comment_response) { toggleModalLoading(); window.location.reload(); // cancelReply(replyForm); // replyForm.remove(); // delete replyForm; // // comment_section.append(comment_response.responseText);