Closed jefft closed 4 months ago
The problems were introduced in https://github.com/tbar0970/jethro-pmm/commit/811a3142a65af2a5d2405534535dd8869017e594 when the csrf token was moved from `$_SESSION['person_form_token']` to `$_SESSION['person_form_token'][$this->id]`. When adding a Person, the `Person#printForm()` method is called, but when adding a Family (plus person), `Family#printForm()` is called, not `Person#printForm()`, and so the csrf token is never initialized.

I don't see why `person_form_token` would ever be different for different person IDs. When creating a new person, `$this->id` is always null anyway.

For that matter, why is this csrf code in `Person#printForm()`, and not in `db_object#printForm()`?
Thanks for diagnosing.
> I don't see why `person_form_token` would ever be different for different person IDs. When creating a new person, `$this->id` is always null anyway.

You might edit different persons in different tabs at the same time. This token was only meant to apply for editing existing persons.

> For that matter, why is this csrf code in `Person#printForm()`, and not in `db_object#printForm()`?

Person record has mobile number, which now has security implications. I knew that different forms worked differently and didn't want to test/troubleshoot across the whole system. But I should have tested this one!
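One way to structure the token handling the two replies above discuss, as an added illustration that is not jethro-pmm's own code: the token logic lives in the shared base class so every `printForm()` path, including the Family form that embeds a Person form, emits and later checks the token; it is keyed per class and record id so two persons open in two tabs keep independent tokens, and an unsaved record whose id is still null gets its own `'new'` slot instead of the empty-string key PHP produces from a null index. All class, method and field names here are assumptions.

```php
<?php
// Added illustration, not jethro-pmm code. Class, method and field names
// are assumed. Token handling sits in the base class, keyed by class and
// record id; a new record (id null) uses the slot 'new' rather than the
// '' key that PHP derives from a null array index.
abstract class db_object_example
{
    public $id = null;

    // Session slot for this record: 'new' for an unsaved object.
    private function tokenSlot()
    {
        return ($this->id === null) ? 'new' : (string)(int)$this->id;
    }

    // Create the token on first use; reuse it while the form is open.
    protected function getFormToken()
    {
        $class = get_class($this);
        $slot  = $this->tokenSlot();
        if (empty($_SESSION['form_token'][$class][$slot])) {
            $_SESSION['form_token'][$class][$slot] = bin2hex(random_bytes(32));
        }
        return $_SESSION['form_token'][$class][$slot];
    }

    // Every subclass's printForm() calls this, so a Family form that embeds
    // a Person form also emits the Person token the save path will check.
    // The field name is namespaced by class so two tokens in one form
    // do not overwrite each other in $_POST.
    public function printFormTokenField()
    {
        $class = get_class($this);
        echo '<input type="hidden" name="form_token[' . $class . ']" value="'
            . htmlspecialchars($this->getFormToken(), ENT_QUOTES, 'UTF-8')
            . '">';
    }

    // Constant-time comparison against the stored token; single use.
    public function checkFormToken(array $post)
    {
        $class     = get_class($this);
        $slot      = $this->tokenSlot();
        $expected  = $_SESSION['form_token'][$class][$slot] ?? null;
        $submitted = $post['form_token'][$class] ?? null;
        if ($expected === null || !is_string($submitted)) {
            return false;   // never initialised, or nothing submitted
        }
        $ok = hash_equals($expected, $submitted);
        if ($ok) {
            unset($_SESSION['form_token'][$class][$slot]);
        }
        return $ok;
    }

    abstract public function printForm();
}

class Person_example extends db_object_example
{
    public function printForm()
    {
        $this->printFormTokenField();
        echo '<input name="mobile_tel">';
    }
}

class Family_example extends db_object_example
{
    public function printForm()
    {
        $this->printFormTokenField();        // the family's own token
        $person = new Person_example();      // id null, so the 'new' slot
        $person->printForm();                // person token initialised here too
    }
}

// Handling the submitted family+person form (assumed save path):
// session_start();
// $family = new Family_example();
// $person = new Person_example();
// if (!$family->checkFormToken($_POST) || !$person->checkFormToken($_POST)) {
//     http_response_code(403);
//     exit('Invalid form token');
// }
```

Because the token is created inside the base-class helper rather than in one subclass, the missing-initialisation path described in this issue cannot recur for a form that forgets to call a sibling class's `printForm()`. The single-use `unset` means a form re-rendered after a validation error gets a fresh token, which is the intended behaviour; if a deployment needs the same token to survive several submissions from one tab, drop the `unset`.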
Using 2.35-RC3, if I go `Families -> Add`, the family+person is added but an error is logged:

More seriously, if I:

1) add a Person to an existing Family
2) add a new Family, as above

then I get "An error occurred. Please contact your system administrator for help." and a stacktrace: