fix: add CSRF token to category restrictions save endpoint

The POST endpoint lacked CSRF protection. Added token generation in
the admin GroupController template vars, a data attribute on the
template, passing the token through the TypeScript API call, and
server-side verification via Token::verifyToken in the API controller.

Author: thorsten

phpmyfaq/admin/assets/src/api/group.test.ts

@@ -215,7 +215,7 @@ describe('saveGroupCategoryRestrictions', () => {
     const mockResponse = { ok: true, status: 200 } as Response;
     vi.spyOn(fetchWrapperModule, 'fetchWrapper').mockResolvedValue(mockResponse);
 
-    const result = await saveGroupCategoryRestrictions('5', '1', [10, 20]);
+    const result = await saveGroupCategoryRestrictions('5', '1', [10, 20], 'test-csrf-token');
 
     expect(result).toEqual(mockResponse);
     expect(fetchWrapperModule.fetchWrapper).toHaveBeenCalledWith('./api/group/category-restrictions', {
@@ -224,7 +224,7 @@ describe('saveGroupCategoryRestrictions', () => {
       headers: {
         'Content-Type': 'application/json',
       },
-      body: JSON.stringify({ groupId: 5, rightId: 1, categoryIds: [10, 20] }),
+      body: JSON.stringify({ groupId: 5, rightId: 1, categoryIds: [10, 20], csrfToken: 'test-csrf-token' }),
       redirect: 'follow',
       referrerPolicy: 'no-referrer',
     });

phpmyfaq/admin/assets/src/api/group.ts

@@ -91,15 +91,16 @@ export const fetchGroupCategoryRestrictions = async (groupId: string): Promise<C
 export const saveGroupCategoryRestrictions = async (
   groupId: string,
   rightId: string,
-  categoryIds: number[]
+  categoryIds: number[],
+  csrfToken: string
 ): Promise<Response> => {
   return await fetchWrapper('./api/group/category-restrictions', {
     method: 'POST',
     cache: 'no-cache',
     headers: {
       'Content-Type': 'application/json',
     },
-    body: JSON.stringify({ groupId: parseInt(groupId), rightId: parseInt(rightId), categoryIds }),
+    body: JSON.stringify({ groupId: parseInt(groupId), rightId: parseInt(rightId), categoryIds, csrfToken }),
     redirect: 'follow',
     referrerPolicy: 'no-referrer',
   });

phpmyfaq/admin/assets/src/group/groups.ts

@@ -399,6 +399,7 @@ export const handleCategoryRestrictionsSave = async (): Promise<void> => {
     return;
   }
 
+  const csrfToken = container.dataset.csrfToken || '';
   const selects = container.querySelectorAll<HTMLSelectElement>('select[data-right-id]');
 
   for (const select of selects) {
@@ -411,6 +412,6 @@ export const handleCategoryRestrictionsSave = async (): Promise<void> => {
       .filter((option: HTMLOptionElement): boolean => option.selected)
       .map((option: HTMLOptionElement): number => parseInt(option.value));
 
-    await saveGroupCategoryRestrictions(groupId, rightId, selectedCategoryIds);
+    await saveGroupCategoryRestrictions(groupId, rightId, selectedCategoryIds, csrfToken);
   }
 };

phpmyfaq/assets/templates/admin/user/group.twig

@@ -211,7 +211,8 @@
         </h5>
         <div class="card-body" id="categoryRestrictionsBody"
              data-msg-empty="{{ 'ad_group_no_permissions' | translate }}"
-             data-msg-help="{{ 'ad_group_category_restrictions_select' | translate }}">
+             data-msg-help="{{ 'ad_group_category_restrictions_select' | translate }}"
+             data-csrf-token="{{ csrfTokenCategoryRestrictions }}">
           <p class="text-muted">{{ 'ad_group_category_restrictions_help' | translate }}</p>
         </div>
         <div class="card-footer">

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/GroupController.php

@@ -22,6 +22,7 @@
 use phpMyFAQ\Administration\Category;
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Permission\MediumPermission;
+use phpMyFAQ\Session\Token;
 use phpMyFAQ\User\CurrentUser;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -173,6 +174,10 @@ public function saveCategoryRestrictions(Request $request): JsonResponse
             return $this->json(['error' => 'Invalid JSON payload.'], Response::HTTP_BAD_REQUEST);
         }
 
+        if (!Token::getInstance($this->session)->verifyToken('save-category-restrictions', $data['csrfToken'] ?? '')) {
+            return $this->json(['error' => 'Invalid CSRF token.'], Response::HTTP_FORBIDDEN);
+        }
+
         $groupId = (int) ($data['groupId'] ?? 0);
         $rightId = (int) ($data['rightId'] ?? 0);
 

phpmyfaq/src/phpMyFAQ/Controller/Administration/GroupController.php

@@ -340,6 +340,9 @@ private function getBaseTemplateVars(): array
     {
         return [
             'rightData' => $this->user->perm->getAllRightsData(),
+            'csrfTokenCategoryRestrictions' => Token::getInstance($this->session)->getTokenString(
+                'save-category-restrictions',
+            ),
         ];
     }
 }