
fix(core): validate portal layout CSRF with session checkToken#169

Merged
TDannhauer merged 2 commits into FRAMEWORK_6_0 from fix/portal-layout-csrf-token on Jun 19, 2026

Conversation


@TDannhauer TDannhauer commented Jun 19, 2026


Summary

  • Use Horde_Session::checkToken() for portal block layout save actions
  • Align CSRF validation with the token generated by getToken() in the edit form
  • Inject Horde_Session into the layout manager instead of reading globals or calling the Token service directly

Motivation

Classic portal block layout saves could fail silently because the layout manager validated CSRF tokens through a different code path than the portal edit form uses to generate them.

Changes

  • lib/Horde/Core/Block/Layout/Manager.php: accept an optional Horde_Session and call checkToken() on save / save-resume; drop the direct Horde\Token\Token injector path that rejected valid submissions
  • lib/Horde/Core/Block/Collection.php: pass a session into the layout manager, resolving it from the injector when callers do not supply one

Test plan

  • Open /horde/services/portal/edit.php, add or move a block, click Save
  • Confirm the block appears on /horde/services/portal/
  • Confirm invalid or missing tokens still show an error notification

Use Horde_Session::checkToken() for portal block layout saves so the
token matches the value generated by getToken() in the edit form.
Drop the Token injector path that rejected valid submissions.
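The following is an added illustration of the pattern the Changes section describes, not code from this PR or from Horde: the layout manager receives a Horde_Session through its constructor (falling back to the injector rather than to $GLOBALS['session']) and validates the save action with checkToken(), the counterpart of the getToken() call in the edit form. It assumes a Horde_Core environment; Horde_Injector::getInstance(), Horde_Notification_Handler::push() and checkToken() throwing Horde_Exception on mismatch are assumptions, and the class name is hypothetical.

```php
<?php
// Added example, not the project's own Manager.php. Assumes Horde_Core
// is loaded and that $GLOBALS['injector'] binds 'Horde_Session'.

class Example_Portal_Layout_Manager
{
    /** @var Horde_Session */
    private $session;

    /**
     * Callers may pass a session; otherwise it is resolved from the
     * injector once, here, instead of reading $GLOBALS['session'] in
     * every method (assumption: Horde_Injector::getInstance() exists).
     */
    public function __construct(?Horde_Session $session = null)
    {
        $this->session = $session
            ?: $GLOBALS['injector']->getInstance('Horde_Session');
    }

    /**
     * Returns true when the layout may be persisted. The token is
     * checked by the same Horde_Session object that minted it with
     * getToken() in the edit form, so valid submissions are accepted
     * and there is no second, divergent validation path.
     */
    public function handleSave(array $vars): bool
    {
        try {
            // Assumption: checkToken() throws Horde_Exception on a
            // missing or mismatched token.
            $this->session->checkToken($vars['token'] ?? '');
        } catch (Horde_Exception $e) {
            // Invalid or missing token: surface an error notification
            // (assumed push() signature) and do not persist anything.
            $GLOBALS['notification']->push($e, 'horde.error');
            return false;
        }
        // ... persist the block layout here ...
        return true;
    }
}

// Edit-form side (constructed usage): the hidden field carries the
// token produced by the same session, and the manager checks it.
$session = $GLOBALS['injector']->getInstance('Horde_Session');
$hidden  = '<input type="hidden" name="token" value="'
    . htmlspecialchars($session->getToken()) . '">';
$manager = new Example_Portal_Layout_Manager($session);
$manager->handleSave(['token' => $session->getToken()]); // true
```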

Copilot AI left a comment


Pull request overview

This PR fixes CSRF validation for classic portal block layout save actions by switching the validation path to the session’s CSRF token checker, matching the token generated by the portal edit form.

Changes:

  • Replace injector-based Horde\Token\Token::isValid() validation with $GLOBALS['session']->checkToken() for the save / save-resume actions.
  • Remove no-longer-needed Token/TokenException/HordeSession imports from the layout manager.


Pass Horde_Session into the block layout manager instead of reading
$GLOBALS['session']. Collection resolves the session from the
injector when callers do not supply one.

Keeps checkToken() on the same code path as getToken() in the portal
edit form while avoiding new global access in Manager.
@TDannhauer TDannhauer merged commit 7a2ca4d into FRAMEWORK_6_0 Jun 19, 2026
0 of 4 checks passed