From 1f73e7fcbc2c06505178200567ac905ae8570326 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Wed, 27 May 2015 23:06:48 +0200
Subject: [PATCH] Added CSRF protection to frontend (reported by Henri Salo)
---
src/application/config/config.php | 6 +++---
src/application/views/appointments/book.php | 1 +
src/assets/js/frontend_book.js | 2 ++
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/application/config/config.php b/src/application/config/config.php
index 04b07f34..4455a50e 100644
--- a/src/application/config/config.php
+++ b/src/application/config/config.php
@@ -330,9 +330,9 @@ $config['global_xss_filtering'] = TRUE;
 | 'csrf_cookie_name' = The cookie name
 | 'csrf_expire' = The number in seconds the token should expire.
 */
-$config['csrf_protection'] = FALSE;
-$config['csrf_token_name'] = 'csrf_test_name';
-$config['csrf_cookie_name'] = 'csrf_cookie_name';
+$config['csrf_protection'] = TRUE;
+$config['csrf_token_name'] = 'csrfToken';
+$config['csrf_cookie_name'] = 'csrfCookie';
 $config['csrf_expire'] = 7200;
 /*
diff --git a/src/application/views/appointments/book.php b/src/application/views/appointments/book.php
index bfca7d3c..2ae7beb5 100644
--- a/src/application/views/appointments/book.php
+++ b/src/application/views/appointments/book.php
@@ -78,6 +78,7 @@
 appointmentData : ,
 providerData : ,
 customerData : ,
+ csrfToken : security->get_csrf_hash()); ?>
 };
 var EALang = lang->language); ?>;
diff --git a/src/assets/js/frontend_book.js b/src/assets/js/frontend_book.js
index edd17d63..d8d6c0a5 100644
--- a/src/assets/js/frontend_book.js
+++ b/src/assets/js/frontend_book.js
@@ -247,6 +247,7 @@ var FrontendBook = {
 var formData = jQuery.parseJSON($('input[name="post_data"]').val());
 var postData = {
+ 'csrfToken': GlobalVariables.csrfToken,
 'id_users_provider': formData['appointment']['id_users_provider'],
 'id_services': formData['appointment']['id_services'],
 'start_datetime': formData['appointment']['start_datetime'],
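Review bot: Setting `$config['csrf_protection'] = TRUE;` is an application-wide switch, but the diffstat shows only the two booking requests in frontend_book.js being taught to send the token, so every other POST the application accepts (backend AJAX calls, any form outside book.php) will now be rejected unless it also carries the `csrfToken` field; the commit should either update those callers too or state why they are out of scope. Renaming the cookie to `csrfCookie` is harmless here only because protection was previously off, so no tokens issued under the old name exist. A one-line comment above the block would save the next reader a surprise, e.g. `// CSRF is enforced globally: every POST, frontend and backend AJAX alike, must include the csrfToken field.`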
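Review bot: On the added `csrfToken` line the PHP tags have been stripped by the rendering, so it cannot be confirmed here whether the hash is passed through `json_encode` before being echoed into the inline script; the surviving `)); ?>` suggests a wrapping call, but if the hash were echoed raw it would land in the `GlobalVariables` literal as an unquoted token and break the whole object. The form to confirm against the real file is `csrfToken : <?php echo json_encode($this->security->get_csrf_hash()); ?>`, which yields a correctly quoted JS string whatever characters the hash contains. The enclosing `<script>` block and the `GlobalVariables` object both start before this hunk.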
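Review bot: `GlobalVariables.csrfToken` is captured once when the page renders and posted unchanged by this request and by the one in the second hunk (`@@ -309,6 +310,7 @@`), so if the server rotates the CSRF hash after verifying a POST (CodeIgniter's security class can be configured that way) the second AJAX call from the same page will carry a stale token and be rejected with no user-visible reason. Either have each AJAX response return the current hash and write it back with `GlobalVariables.csrfToken = response.csrfToken;`, or read the token from the `csrfCookie` cookie immediately before each request rather than from the page-load snapshot. There is also no check that the value is defined; if frontend_book.js is ever loaded by a view that does not set `csrfToken`, jQuery serialises the missing field as empty and the request fails only server-side. Both enclosing handlers start and end outside their hunks.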
@@ -309,6 +310,7 @@ var FrontendBook = {
 ? GlobalVariables.appointmentData['id'] : undefined;
 var postData = {
+ 'csrfToken': GlobalVariables.csrfToken,
 'service_id': $('#select-service').val(),
 'provider_id': $('#select-provider').val(),
 'selected_date': selDate,