Chat: Use security token when sending messages

Author: AngelFQC

main/chat/chat.php

@@ -59,6 +59,7 @@
 $view->assign('emoji_smile', \Emojione\Emojione::toImage(':smile:'));
 $view->assign('restrict_to_coach', api_get_configuration_value('course_chat_restrict_to_coach'));
 $view->assign('send_message_only_on_button', api_get_configuration_value('course_chat_send_message_only_on_button') === true ? 1 : 0);
+$view->assign('course_chat_sec_token', Security::get_token('course_chat'));
 
 $template = $view->get_template('chat/chat.tpl');
 $content = $view->fetch($template);

main/inc/ajax/course_chat.ajax.php

@@ -3,6 +3,10 @@
 /**
  * Responses to AJAX calls for course chat.
  */
+
+use Symfony\Component\HttpFoundation\JsonResponse as HttpResponse;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
+
 require_once __DIR__.'/../global.inc.php';
 
 if (!api_protect_course_script(false)) {
@@ -15,8 +19,17 @@
 $groupId = api_get_group_id();
 $json = ['status' => false];
 
+$httpRequest = HttpRequest::createFromGlobals();
+$httpResponse = HttpResponse::create();
+
 $courseChatUtils = new CourseChatUtils($courseId, $userId, $sessionId, $groupId);
 
+$token = Security::getTokenFromSession('course_chat');
+
+if ($httpRequest->headers->get('x-token') !== $token) {
+    $_REQUEST['action'] = 'error';
+}
+
 switch ($_REQUEST['action']) {
     case 'chat_logout':
         $logInfo = [
@@ -78,5 +91,8 @@
         break;
 }
 
-header('Content-Type: application/json');
-echo json_encode($json);
+$token = Security::get_token('course_chat');
+
+$httpResponse->headers->set('x-token', $token);
+$httpResponse->setData($json);
+$httpResponse->send();

main/template/default/chat/chat.tpl

@@ -71,16 +71,28 @@ $(function () {
         _historySize: -1,
         usersOnline: 0,
         currentFriend: 0,
+        xToken: '{{ course_chat_sec_token }}',
         call: false,
         track: function () {
             return $
-                .get(ChChat._ajaxUrl, {
-                    action: 'track',
-                    size: ChChat._historySize,
-                    users_online: ChChat.usersOnline,
-                    friend: ChChat.currentFriend
+                .ajax({
+                    url: ChChat._ajaxUrl,
+                    method: 'GET',
+                    headers: { 'x-token': ChChat.xToken },
+                    data: {
+                        action: 'track',
+                        size: ChChat._historySize,
+                        users_online: ChChat.usersOnline,
+                        friend: ChChat.currentFriend
+                    }
                 })
-                .done(function (response) {
+                .done(function (response, textStatus, jqXhr) {
+                    ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
+                    if (!response.status) {
+                        return;
+                    }
+
                     try {
                         if (response.data.history) {
                             ChChat._historySize = response.data.oldFileSize;
@@ -140,11 +152,18 @@ $(function () {
             $('#chat-users').html(html);
         },
         onPreviewListener: function () {
-            $.post(ChChat._ajaxUrl, {
-                action: 'preview',
-                'message': $('textarea#chat-writer').val()
+            $.ajax({
+                url: ChChat._ajaxUrl,
+                method: 'POST',
+                headers: { 'x-token': ChChat.xToken },
+                data: {
+                    action: 'preview',
+                    'message': $('textarea#chat-writer').val()
+                }
             })
-            .done(function (response) {
+            .done(function (response, textStatus, jqXhr) {
+                ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
                 if (!response.status) {
                     return;
                 }
@@ -164,20 +183,29 @@ $(function () {
             var self = this;
             self.disabled = true;
 
-            $.post(ChChat._ajaxUrl, {
-                action: 'write',
-                message: textarea.val(),
-                friend: ChChat.currentFriend
+            $.ajax({
+                method: 'POST',
+                url: ChChat._ajaxUrl,
+                headers: { 'x-token': ChChat.xToken },
+                data: {
+                    action: 'write',
+                    message: textarea.val(),
+                    friend: ChChat.currentFriend
+                }
             })
-            .done(function (response) {
+            .done(function (response, textStatus, jqXhr) {
                 self.disabled = false;
 
+                ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
+                textarea.prop('disabled', false);
+                $(".emoji-wysiwyg-editor").prop('contenteditable', 'true');
+
                 if (!response.status) {
                     return;
                 }
-                textarea.prop('disabled', false);
+
                 textarea.val('');
-                $(".emoji-wysiwyg-editor").prop('contenteditable', 'true');
                 $(".emoji-wysiwyg-editor").html('');
             });
         },
@@ -186,11 +214,18 @@ $(function () {
                 e.preventDefault();
                 return;
             }
-            $.get(ChChat._ajaxUrl, {
-                action: 'reset',
-                friend: ChChat.currentFriend
+            $.ajax({
+                url: ChChat._ajaxUrl,
+                method: 'GET',
+                headers: { 'x-token': ChChat.xToken },
+                data: {
+                    action: 'reset',
+                        friend: ChChat.currentFriend
+                }
             })
-            .done(function (response) {
+            .done(function (response, textStatus, jqXhr) {
+                ChChat.xToken = jqXhr.getResponseHeader('x-token');
+
                 if (!response.status) {
                     return;
                 }