Fix CSRF validation for sorting in property tables

Author: raviks789

library/Director/Web/Form/PropertyTableSortForm.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Icinga\Module\Director\Web\Form;
+
+use ipl\Html\Form;
+use ipl\Html\ValidHtml;
+
+class PropertyTableSortForm extends Form
+{
+    /** @var string Name of the table using the form */
+    private $name;
+
+    /** @var string Table to sort */
+    private $table;
+
+    public function __construct(string $name, ValidHtml $table)
+    {
+        $this->name = $name;
+        $this->table = $table;
+    }
+
+    protected function assemble()
+    {
+        $this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
+        $this->addElement('hidden', '__FORM_CSRF', ['value' => CsrfToken::generate()]);
+        $this->addHtml($this->table);
+    }
+}

library/Director/Web/Table/PropertymodifierTable.php

@@ -10,6 +10,10 @@
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use gipfl\IcingaWeb2\Url;
+use Icinga\Module\Director\Web\Form\CsrfToken;
+use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use Icinga\Module\Director\Web\Form\QuickForm;
+use ipl\Html\HtmlString;
 
 class PropertymodifierTable extends ZfQueryBasedTable
 {
@@ -51,7 +55,24 @@ public function render()
         if ($this->readOnly) {
             return parent::render();
         }
-        return $this->renderWithSortableForm();
+
+        if ($this->request === null) {
+            return parent::render();
+        }
+
+        if ($this->request->isPost() && $this->hasBeenSent($this->request)) {
+            if (! CsrfToken::isValid($this->request->get(QuickForm::CSRF))) {
+                die('Invalid CSRF token provided');
+            }
+
+            $this->reallyHandleSortPriorityActions();
+        }
+
+        $url = $this->request->getUrl();
+        $form = (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
+            ->setAction($url->getAbsoluteUrl());
+
+        return $form->render();
     }
 
     protected function assemble()

library/Director/Web/Table/SyncpropertyTable.php

@@ -6,6 +6,11 @@
 use gipfl\IcingaWeb2\Link;
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
+use Icinga\Module\Director\Web\Form\CsrfToken;
+use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use Icinga\Module\Director\Web\Form\QuickForm;
+use ipl\Html\Form;
+use ipl\Html\HtmlString;
 
 class SyncpropertyTable extends ZfQueryBasedTable
 {
@@ -33,7 +38,23 @@ public static function create(SyncRule $rule)
 
     public function render()
     {
-        return $this->renderWithSortableForm();
+        if ($this->request === null) {
+            return parent::render();
+        }
+
+        if ($this->request->isPost() && $this->hasBeenSent($this->request)) {
+            if (! CsrfToken::isValid($this->request->get(QuickForm::CSRF))) {
+                die('Invalid CSRF token provided');
+            }
+
+            $this->reallyHandleSortPriorityActions();
+        }
+
+        $url = $this->request->getUrl();
+        $form = (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
+            ->setAction($url->getAbsoluteUrl());
+
+        return $form->render();
     }
 
     public function renderRow($row)