Closed (fixed)
Project:
Webform
Version:
6.x-3.6
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
26 Jan 2011 at 01:30 UTC
Updated:
3 Mar 2011 at 04:51 UTC
Jump to comment: Most recent file
Comments
Comment #1
markhalliwellGotta love long work days and misspelled titles lol
Comment #2
quicksketchThanks for the patch. I think this could use a little more work in the way that e-mails are sent. The biggest problem I see is that the
node/[nid]/submission/[sid]/resendpath is vulnerable to CSRF attacks. If a URL performs an action directly, it needs to be protected by a unique token or hash of some kind. I definitely like the splitting out of the e-mail functionality into its own function, that's been on my clean-up list for a long time.Rather than having the
node/[nid]/submission/[sid]/resendURL send e-mails directly, I think it may be a good idea to change this URL into a form. Then the CSRF problem is fixed by Form API, and it gives you the flexibility necessary to handle sending multiple e-mails. I imagine that users may want to resend the e-mail to only one address rather than sending it to both the end user and the administrators (say if you have set up multiple e-mails under the Webform e-mail configuration). Perhaps a list of checkboxes that shows which e-mails it will be sent to?Comment #3
markhalliwellI don't see how it's vulnerable to a CSRF attack when that menu item access is checked to see if the user has permissions, which in this case it's simply the same as the report view. Could you explain?
That being said, I do like the idea of being able to select which emails you can resend it to instead of just going to town on all of them. So perhaps a simple checklist form would be more appropriate.
Comment #4
quicksketchA cross-site request forgery is done by having a user that *is already authenticated* hit that URL unintentionally. Say for example I were to put on this page an image like this:
<img src="http://yoursite.com/node/10/submission/20/resend" />and you were logged into yoursite.com. I would make it so that you would unintentionally resend the e-mail just by viewing this page, since your browser would send your session information to that URL.Comment #5
markhalliwellAhhh, Ok. Well here's a new patch :) This is actually a better implementation anyway. One thing that I did forget to put in was some doxygen above the new functions.
Comment #6
markhalliwellComment #7
quicksketchHeh, easy there cowboy. ;)
Comment #8
markhalliwellSorry
Comment #9
quicksketchI'm reviewing this patch now, so far so good. There are a few things that I'd like to correct while we're "under the hood" on this particular topic. I'm planning on moving the e-mail submission code from webform.module to webform.submissions.inc, since this file is already loaded at the time submissions are being sent. That should save us around 100 lines of code that doesn't need to be parsed on every single Drupal request.
FYI, the only real "gotcha" I've found so far is that you used $form['#post'] instead of $form_state['values'], which is a huge no-no, since raw POST requests can be spoofed making it so that the user could utilized your server to send e-mails other than the ones specified in the form.
I'll continue looking over this and I expect I'll put up a revised patch (and a likely commit) after I get it polished. Thanks!
Comment #10
quicksketchAlright I've committed this patch which makes the following rather large-scale changes:
- E-mail submission code is moved to webform.submissions.inc from webform.module.
- All submission links other than view, edit, and delete have been remove from the submission listing. Instead things like print, download PDF, and this new "Resend e-mails" actions are now only accessible when viewing or editing a submission. This reduces the confusion on the overall listing of submissions, which was looking pretty silly when you had all these links at the same time.
- I added a new hook: hook_webform_submission_actions(), so any module can add additional actions to be performed on submissions. Hopefully we'll be able to move our print module integration out into print module utilizing this new hook, since I'm sort of regretting having such 3rd party code directly in the module.
Thanks Mark Carver for your work on this issue. I think this will be a valuable feature and it certainly wouldn't have happened without your effort.
Comment #11
markhalliwellAwesome :) Just glad I could help!