mirivlad
/
bp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CSRF token validation for consecutive AJAX requests 

- Add CSRF token to all AJAX requests
- Fix addSubtask, toggleSubtask, deleteSubtask to include CSRF
This commit is contained in:
Vladimir Tomashevskiy 2026-02-08 15:20:36 +00:00
parent 5bf25d9505
commit 85a920b49a
1 changed files with 35 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
app/Modules/Tasks/Views/tasks/show.twig
View File

@ -227,6 +227,27 @@
{% block scripts %} {% block scripts %}
{{ parent() }} {{ parent() }}
<script> <script>
function updateCsrfToken() {
// Обновляем CSRF токен в форме подзадач
fetch('/')
.then(response => response.text())
.then(html => {
const parser = new DOMParser();
const doc = parser.parseFromString(html, 'text/html');
const newToken = doc.querySelector('input[name="<?= csrf_token() ?>"]');
const newHash = doc.querySelector('input[name="<?= csrf_hash() ?>"]');
if (newToken && newHash) {
document.querySelectorAll('.subtask-form input[name="<?= csrf_token() ?>"]').forEach(input => {
input.value = newToken.value;
});
document.querySelectorAll('.subtask-form input[name="<?= csrf_hash() ?>"]').forEach(input => {
input.value = newHash.value;
});
}
});
}
function addSubtask(event, taskId) { function addSubtask(event, taskId) {
event.preventDefault(); event.preventDefault();
const form = event.target; const form = event.target;
@ -290,11 +311,17 @@ function updateSubtasksCount() {
} }
function toggleSubtask(taskId, subtaskId) { function toggleSubtask(taskId, subtaskId) {
// Получаем актуальный CSRF токен из формы
const csrfToken = document.querySelector('input[name="<?= csrf_token() ?>"]').value;
const csrfHash = document.querySelector('input[name="<?= csrf_hash() ?>"]').value;
fetch(`/tasks/${taskId}/subtasks/${subtaskId}/toggle`, { fetch(`/tasks/${taskId}/subtasks/${subtaskId}/toggle`, {
method: 'POST', method: 'POST',
headers: { headers: {
'X-Requested-With': 'XMLHttpRequest', 'X-Requested-With': 'XMLHttpRequest',
} 'Content-Type': 'application/x-www-form-urlencoded',
},
body: `<?= csrf_token() ?>=${csrfToken}&<?= csrf_hash() ?>=${csrfHash}`
}) })
.then(response => response.json()) .then(response => response.json())
.then(data => { .then(data => {
@ -315,11 +342,17 @@ function toggleSubtask(taskId, subtaskId) {
function deleteSubtask(taskId, subtaskId) { function deleteSubtask(taskId, subtaskId) {
if (!confirm('Удалить подзадачу?')) return; if (!confirm('Удалить подзадачу?')) return;
// Получаем актуальный CSRF токен из формы
const csrfToken = document.querySelector('input[name="<?= csrf_token() ?>"]').value;
const csrfHash = document.querySelector('input[name="<?= csrf_hash() ?>"]').value;
fetch(`/tasks/${taskId}/subtasks/${subtaskId}/delete`, { fetch(`/tasks/${taskId}/subtasks/${subtaskId}/delete`, {
method: 'POST', method: 'POST',
headers: { headers: {
'X-Requested-With': 'XMLHttpRequest', 'X-Requested-With': 'XMLHttpRequest',
} 'Content-Type': 'application/x-www-form-urlencoded',
},
body: `<?= csrf_token() ?>=${csrfToken}&<?= csrf_hash() ?>=${csrfHash}`
}) })
.then(response => response.json()) .then(response => response.json())
.then(data => { .then(data => {