Hello! Hopefully you are fine!
1: I want to add a hidden field which should appear in all the form objects
of iTop. I know that iTop has a class "Form". But, where should I start from?
2: Secondly, I want to check whether the field is present and has specific
value before the relevant object grabs the Form. Any help regarding this
would be much appreciated.
Regards
Mushrraf Baig Ashraf
Hello,
Can you explain a bit more of your needs? This will help a lot to propose solutions!
As I understand it, you want to generate a value server side (based on what?) and read it client side (to do what?)
Hi "Pierre Goiffon"!
I am sorry. I didn't know that my email was converted into the post here and I didn't even receive confirmation. Today, I saw it passing.
Actually, I want to implement anti-CSRF token. I would generate a value on the server-side and would place it in a hidden field. And, when the User hits submit, my code will grab it and will verify the value. If they don't match, it would halt the system.
So, one solution is to add a field for every class and then check it. But, it is very cumbersome.
So, the better solution is to add a field, on the fly, to the "Form" class regardless of the specific object being called. And then check it on the server side.
Also, what is the method to check the field on the server side? I mean what should I do with my custom extension.
Regards
Mushrraf Baig Ashraf
This is already done by iTop in all form generated.
Check privUITransaction class and children and their uses.
Thank you for the reply!
I have got the class in "application\transaction.class.inc.php".
It says:
** * This class records the pending "transactions" corresponding to forms that have not been
* submitted yet, in order to prevent double submissions. When created a transaction remains valid
* until the user's session expires. This class is actually a wrapper to the underlying implementation
* which choice is configured via the parameter 'transaction_storage'**
But, where can I get the clues for its use?
O.K.
I was playing with it and noticed that it is working on all the forms perfectly, except the "New Request" form on the Portal.
I just change the Transaction ID. But, still, it continues. Is there any clue regarding this?
I didn't understand?? What do you mean, change the transaction ID? What continues??
I mean that the Transaction ID works properly on the backend. So, if I change the value of "Transaction ID" from the browser "Inspection", iTop stops and shows the error message:
"Error: the object has already been created!"
This is correct and supposed to be like this.
But, when I do so on the "Request Creation Form" of the "Standard Portal", it still continues to create the Request. However, it is supposed to show the same error message. (Please view the attached image)
I just tried to debug it and found that it in fact goes through the function which checks the Transaction ID, but it doesn't stop the transaction (Transaction = Form Creation), which it should do. It may be because it is running through AJAX.
So, is there an explanation for this behavior?
Regards
Mushrraf Baig Ashraf
Hello,
Sorry for this late reply...
Many thanks for all the information provided! This indeed should be fixed, but we estimate that the impact is limited as, by default and for the vast majority of our clients, the user portal only allows access to a very limited set of data. So we aren't planning this fix before the next 2.7.4 iTop version (Combodo internal ref : N°3430).
Also, for next time, please follow the iTop security policy for any security concern.
Best regards,
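The single-use transaction token pattern discussed in this thread (a server-generated value placed in a hidden field, checked and consumed on submit, with a handler that aborts on failure whether the submit arrives as a normal POST or via AJAX), as an added example that is not iTop's privUITransaction code nor anything posted by the participants; the class and function names and the injected session store are assumptions.

```php
<?php
// Added example, not iTop's own code: a per-form, single-use transaction token
// of the kind the thread discusses. The session store is injected so it runs
// outside a real PHP session (pass $_SESSION in a web app). Names are assumed.
final class FormTransaction
{
    private array $store; // session array: token => issue time
    public function __construct(array &$sessionStore)
    {
        $this->store = &$sessionStore;
    }
    // On form render: mint an unguessable token and remember it server side.
    public function issue(): string
    {
        $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        $this->store[$token] = time();
        return $token;
    }
    // Hidden input to embed in every form, escaped for the attribute context.
    public function hiddenField(string $token): string
    {
        return '<input type="hidden" name="transaction_id" value="'
            . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    }
    // On submit: each token is accepted once, so replays and forged tokens fail.
    public function consume(mixed $submitted): bool
    {
        if (!is_string($submitted) || !isset($this->store[$submitted])) {
            return false;
        }
        unset($this->store[$submitted]); // burn it before doing any work
        return true;
    }
}
// The handler must abort on failure whatever the transport (the thread's AJAX case).
function handleSubmit(FormTransaction $tx, array $post): array
{
    if (!$tx->consume($post['transaction_id'] ?? null)) {
        return ['status' => 403, 'body' => 'Error: the object has already been created!'];
    }
    // ... create the object here, only after the token was accepted ...
    return ['status' => 201, 'body' => 'created'];
}
$session = [];
$tx = new FormTransaction($session);
$token = $tx->issue();
echo $tx->hiddenField($token), "\n";
echo handleSubmit($tx, ['transaction_id' => $token])['body'], "\n"; // first use
echo handleSubmit($tx, ['transaction_id' => $token])['body'], "\n"; // replay
echo handleSubmit($tx, ['transaction_id' => 'forged'])['body'], "\n"; // forged
```

The token is removed from the store before any object is created, so a double submit or a tampered value is rejected by the same branch regardless of which front end sent the request.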