include csrf token and fix escaping for admin scripts

This commit is contained in:
Nabeel Shahzad
2018-03-13 01:48:47 -05:00
parent bff80c2dc7
commit 684ee545cf
9 changed files with 110 additions and 20 deletions


@@ -9,7 +9,7 @@ Route::group([
], function () {
Route::resource('airlines', 'AirlinesController');
Route::match(['get', 'put'], 'airports/fuel', 'AirportController@fuel');
Route::match(['get', 'post', 'put'], 'airports/fuel', 'AirportController@fuel');
Route::resource('airports', 'AirportController');
Route::match(['get', 'post', 'put', 'delete'], 'airports/{id}/expenses', 'AirportController@expenses');
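Review bot: Adding `'post'` to the `airports/fuel` match on L16 may be wider than the templates need, since the editable widgets now send a POST carrying `_method: 'put'`, and if I read Laravel's method spoofing correctly that request reaches the router as a PUT, which the existing `'put'` entry already covers. Keeping `'post'` means `AirportController@fuel` also has to behave sensibly for a plain POST that carries no `_method` field; if that is intended, a one-line comment such as `// POST accepted for x-editable, which spoofs PUT via _method` would save the next reader the question. The `airports/{id}/expenses` route on the next line already follows the same pattern, so the choice looks deliberate. The enclosing `Route::group` starts outside the hunk.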




@@ -1,6 +1,6 @@
{
"/js/admin/app.js": "/js/admin/app.js?id=ef1dc6565068527473d9",
"/js/frontend/app.js": "/js/frontend/app.js?id=aaeb7d6b95393bb168bd",
"/js/admin/app.js": "/js/admin/app.js?id=3ed3c345656238c8deb3",
"/js/frontend/app.js": "/js/frontend/app.js?id=e9d1f6af5d93ee637b97",
"/assets/admin/vendor/paper-dashboard.css": "/assets/admin/vendor/paper-dashboard.css?id=3bbf7dd2a80739ab63b9",
"/assets/frontend/css/now-ui-kit.css": "/assets/frontend/css/now-ui-kit.css?id=9923ce002ceafb1d740a",
"/js/admin/vendor.js": "/js/admin/vendor.js?id=1c5ddb087f24b16da40f",


@@ -24,6 +24,9 @@ const token = document.head.querySelector('meta[name="csrf-token"]');
if (token) {
window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
window.jquery.ajaxSetup({
'X-CSRF-TOKEN': token.content
})
} else {
console.error('CSRF token not found: https://laravel.com/docs/csrf#csrf-x-csrf-token');
}
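Review bot: The `ajaxSetup` call on L41-L43 passes `'X-CSRF-TOKEN'` as a top-level setting, but jQuery only sends request headers from the `headers` option, so this value is silently ignored and jQuery requests get no CSRF header from it. The global name is also `window.jquery` in lowercase; unless this bundle assigns that itself (the stock Laravel bootstrap exposes `window.$` and `window.jQuery`), the call throws before the `else` branch is ever reached. Suggested replacement for the three lines: `window.jQuery.ajaxSetup({ headers: { 'X-CSRF-TOKEN': token.content } });`. With that in place the per-call `X-CSRF-TOKEN` headers the Blade templates add in this commit become redundant for jQuery-driven requests.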


@@ -1,14 +1,24 @@
@section('scripts')
<script>
function setEditable() {
const token = $('meta[name="csrf-token"]').attr('content');
@if(isset($aircraft))
$('#expenses a.text').editable({
emptytext: '0',
url: '{{ url('/admin/aircraft/'.$aircraft->id.'/expenses') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': token,
}
},
params: function (params) {
return {
_method: 'put',
expense_id: params.pk,
name: params.name,
value: params.value
@@ -19,12 +29,19 @@ function setEditable() {
$('#expenses a.dropdown').editable({
type: 'select',
emptytext: '0',
source: {{ json_encode(list_to_editable(\App\Models\Enums\ExpenseType::select())) }},
source: {!! json_encode(list_to_editable(\App\Models\Enums\ExpenseType::select())) !!},
url: '{{ url('/admin/aircraft/'.$aircraft->id.'/expenses') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': token,
}
},
params: function (params) {
return {
_method: 'put',
expense_id: params.pk,
name: params.name,
value: params.value
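Review bot: Switching the `source:` value on L79 from `{{ }}` to `{!! !!}` is the right move for a JavaScript context (HTML-entity escaping would have corrupted the JSON object literal), but `json_encode` with default flags still emits `<`, `>`, `&` and quotes verbatim, so a value containing `<!--` or a closing tag fragment could interfere with the surrounding `<script>` block. Encoding with `json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)` (or Blade's `@json` directive, if this Laravel version provides it) keeps the output inert in any context. Today the list comes from `ExpenseType::select()`, which I take to be fixed enum labels rather than user input, so the exposure is low, but the encoding choice is what makes that hold as the list evolves. The same pattern appears on L128 in the airports template and L281 in the subfleets template; the enclosing `setEditable` function runs past the end of each hunk.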


@@ -1,14 +1,24 @@
@section('scripts')
<script>
function setEditable() {
const csrf_token = $('meta[name="csrf-token"]').attr('content');
@if(isset($airport))
$('#airport-expenses a.text').editable({
emptytext: '0',
url: '{{ url('/admin/airports/'.$airport->id.'/expenses') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': csrf_token
}
},
params: function (params) {
return {
_method: 'put',
expense_id: params.pk,
name: params.name,
value: params.value
@@ -19,12 +29,19 @@ function setEditable() {
$('#airport-expenses a.dropdown').editable({
type: 'select',
emptytext: '0',
source: {{ json_encode(list_to_editable(\App\Models\Enums\ExpenseType::select())) }},
source: {!! json_encode(list_to_editable(\App\Models\Enums\ExpenseType::select())) !!},
url: '{{ url('/admin/airports/'.$airport->id.'/expenses') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': csrf_token
}
},
params: function (params) {
return {
_method: 'put',
expense_id: params.pk,
name: params.name,
value: params.value
@@ -39,7 +56,8 @@ function phpvms_vacentral_airport_lookup(icao, callback) {
url: BASE_URL + '/api/airports/'+ icao + '/lookup',
method: 'GET',
headers: {
'x-api-key': PHPVMS_USER_API_KEY
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
}).done(function (data, status) {
callback(data.data);
@@ -56,9 +74,16 @@ $(document).ready(function() {
emptytext: '0',
url: '{{ url('/admin/airports/fuel') }}',
title: 'Enter price per unit of fuel',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
},
params: function(params) {
return {
_method: 'put',
id: params.pk,
name: params.name,
value: params.value
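Review bot: The token variable introduced on L103 is named `csrf_token`, while the aircraft and subfleet templates in the same commit call it `token`, and the later hunks in this file (L151, L164) re-query `$('meta[name="csrf-token"]').attr('content')` instead of reading a cached value; picking one name and one access pattern across the admin templates would make the eventual cleanup easier. L150 also replaces the `PHPVMS_USER_API_KEY` global with an inline `{{ Auth::user()->api_key }}`; if that global is still defined by the layout, the two copies of the key can drift, so it is worth confirming which one is meant to survive. The lookup on L146-L151 is a GET, for which the added `X-CSRF-TOKEN` header is harmless but unnecessary. Each `setEditable`/`ready` body continues outside its hunk.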


@@ -8,9 +8,16 @@ function setEditable() {
emptytext: 'inherited',
url: '{{ url('/admin/flights/'.$flight->id.'/fares') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
},
params: function (params) {
return {
_method: 'put',
fare_id: params.pk,
name: params.name,
value: params.value
@@ -28,9 +35,16 @@ $(document).ready(function () {
mode: 'inline',
emptytext: '0',
url: '/admin/flights/{{ $flight->id }}/fields',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': $('meta[name="csrf-token"]').attr('content')
}
},
params: function (params) {
return {
_method: 'put',
field_id: params.pk,
name: params.name,
value: params.value
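Review bot: The `ajaxOptions` literal added on L181-L187 and L199-L205 is the same block that now appears in every editable across the aircraft, airports and subfleets templates, each embedding `{{ Auth::user()->api_key }}` and re-reading the CSRF meta tag; a small helper in the admin bundle that returns `{type: 'post', headers: {...}}` would keep the six copies from drifting. If the `ajaxSetup` in the admin app.js is meant to attach the CSRF header globally, the per-call `X-CSRF-TOKEN` entries here can be dropped once that call is confirmed to work. The `setEditable` and `ready` bodies continue past both hunks.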


@@ -1,15 +1,25 @@
@section('scripts')
<script>
function setEditable() {
const token = $('meta[name="csrf-token"]').attr('content');
$('#aircraft_fares a').editable({
type: 'text',
mode: 'inline',
emptytext: 'inherited',
url: '{{ url('/admin/subfleets/'.$subfleet->id.'/fares') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': token,
}
},
params: function (params) {
return {
_method: 'put',
fare_id: params.pk,
name: params.name,
value: params.value
@@ -23,9 +33,16 @@ function setEditable() {
emptytext: 'inherited',
url: '{{ url('/admin/subfleets/'.$subfleet->id.'/ranks') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': token,
}
},
params: function (params) {
return {
_method: 'put',
rank_id: params.pk,
name: params.name,
value: params.value
@@ -37,9 +54,16 @@ function setEditable() {
emptytext: '0',
url: '{{ url('/admin/subfleets/'.$subfleet->id.'/expenses') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': token,
}
},
params: function (params) {
return {
_method: 'put',
expense_id: params.pk,
name: params.name,
value: params.value
@@ -50,13 +74,20 @@ function setEditable() {
$('#subfleet-expenses a.dropdown').editable({
type: 'select',
emptytext: '0',
source: {{ json_encode(list_to_editable(\App\Models\Enums\ExpenseType::select())) }},
source: {!! json_encode(list_to_editable(\App\Models\Enums\ExpenseType::select())) !!},
url: '{{ url('/admin/subfleets/'.$subfleet->id.'/expenses') }}',
title: 'Enter override value',
ajaxOptions: {'type': 'put'},
ajaxOptions: {
type: 'post',
headers: {
'x-api-key': '{{ Auth::user()->api_key }}',
'X-CSRF-TOKEN': token,
}
},
params: function (params) {
console.log(params);
return {
_method: 'put',
expense_id: params.pk,
name: params.name,
value: params.value
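Review bot: The `console.log(params);` on L293 in the last hunk's `params` callback writes the edited expense name and value to the browser console on every save; whether or not this commit introduced it, leftover debugging output in an admin page should be removed before merge, so I would drop that line. The other three hunks (L227-L233, L245-L251, L263-L269) repeat the same `ajaxOptions` block with the `token` cached on L219, which at least avoids re-querying the meta tag on each call. The enclosing `setEditable` function continues past the end of every hunk in this file.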