Change assetManager search to work like assetManager manage. Fixes bug #11272

Force all actions to be routed through asset methods with Csrf and
permission checks.

docs/changelog/7.x.x.txt

@@ -13,6 +13,7 @@
  - fixed #11177: Code editor steals focus on load
  - fixed #10888: Final touches on map point bugs
  - fixed #11274: Add attachment broken in template
+ - fixed #11272: Security issue with asset manager search
 
 7.8.5
  - added the EMS submission subsystem

lib/WebGUI/Asset.pm

@@ -1402,6 +1402,21 @@ sub getRoot {
 }
 
 
+#-------------------------------------------------------------------
+
+=head2 getSearchUrl ( )
+
+Returns the URL for the search screen of the asset manager.
+
+=cut
+
+sub getSearchUrl {
+	my $self = shift;
+	return $self->getUrl( 'op=assetManager;method=search' );
+}
+
+
+
 #-------------------------------------------------------------------
 
 =head2 getSeparator
@@ -2891,8 +2906,7 @@ sub www_editSave {
 
 =head2 www_manageAssets ( )
 
-Redirect to the asset manager content handler (for backwards 
+Redirect to the asset manager content handler (for backwards compatibility)
-compatibility)
 
 =cut
 
@@ -2904,6 +2918,21 @@ sub www_manageAssets {
 
 #-------------------------------------------------------------------
 
+=head2 www_searchAssets ( )
+
+Redirect to the asset manager content handler (for backwards 
+compatibility)
+
+=cut
+
+sub www_searchAssets {
+    my $self = shift;
+    $self->session->http->setRedirect( $self->getSearchUrl );
+    return "redirect";
+}
+
+#-------------------------------------------------------------------
+
 =head2 www_view ( )
 
 Returns the view() method of the asset object if the requestor canView.

lib/WebGUI/Content/AssetManager.pm

@@ -19,17 +19,20 @@ Gets a select box to choose a class name.
 
 sub getClassSelectBox {
     my $session     = shift;
+    my $i18n        = WebGUI::International->new($session, 'Asset');
     
     tie my %classes, "Tie::IxHash", (
-        ""  => "Any Class", 
+        ""  => $i18n->get("Any Class"), 
         $session->db->buildHash("select distinct(className) from asset"),
     );
     delete $classes{"WebGUI::Asset"}; # don't want to search for the root asset
 
+    my $className = $session->scratch->get('assetManagerSearchClassName') || $session->form->process("class","className");
+    $session->scratch->set('assetManagerSearchClassName', $className);
     return WebGUI::Form::selectBox( $session, {
-        name            => "class", 
+        name            => "class",
-        value           => $session->form->process("class","className"), 
+        value           => $className,
-        defaultValue    => "", 
+        defaultValue    => "",
         options         => \%classes,
     });
 }
@@ -142,8 +145,10 @@ sub getSearchPaginator {
         $queryString    .= ';class=' . $class;
     }
 
-    my $p           = $s->getPaginatorResultSet( $session->url->page( $queryString ) );
+    my $pageNumber  = $session->scratch->get('assetManagerSearchPageNumber') || $session->form->get('pn');
+    my $p           = $s->getPaginatorResultSet( $session->url->page( $queryString ), undef, $pageNumber );
 
+    $session->scratch->set('assetManagerSearchPageNumber', $pageNumber);
     return $p;
 }
 
@@ -533,64 +538,36 @@ sub www_search {
     $session->style->setScript( $session->url->extras( 'yui/build/yahoo-dom-event/yahoo-dom-event.js' ) );
     $session->style->setScript( $session->url->extras( 'yui-webgui/build/assetManager/assetManager.js' ) );
     $session->style->setScript( $session->url->extras( 'yui-webgui/build/form/form.js' ) );
+    my $keywords = $session->scratch->get('assetManagerSearchKeywords') || $session->form->get('keywords');
 
     ### Show the form
     $output     .= q{<form method="post" enctype="multipart/form-data" action="} . $currentAsset->getUrl . q{"><p>}
                 . q{<input type="hidden" name="op" value="assetManager" />}
                 . q{<input type="hidden" name="method" value="search" />}
-                . q{<input type="text" size="45" name="keywords" value="} . $session->form->get('keywords') . q{" />}
+                . q{<input type="text" size="45" name="keywords" value="} . $keywords . q{" />}
                 . getClassSelectBox( $session )
                 . q{<input type="submit" name="action" value="}.$i18n->get( "search" ).q{" />}
                 . q{</p></form>}
                 ;
 
-    ### Actions
-    if ( my $action = lc $session->form->get( 'action' ) ) {
-        my @assetIds = $session->form->get( 'assetId' );
-
-        if ( $action eq "delete" ) { ##aka trash
-            for my $assetId ( @assetIds ) {
-                my $asset       = WebGUI::Asset->newByDynamicClass( $session, $assetId );
-                next unless $asset;
-                $asset->trash;
-            }
-        }
-        elsif ( $action eq "cut" ) {
-            for my $assetId ( @assetIds ) {
-                my $asset       = WebGUI::Asset->newByDynamicClass( $session, $assetId );
-                next unless $asset;
-                $asset->cut;
-            }
-        }
-        elsif ( $action eq "copy" ) {
-            for my $assetId ( @assetIds ) {
-                # Copy == Duplicate + Cut
-		my $asset       = WebGUI::Asset->newByDynamicClass( $session, $assetId);
-                my $newAsset    = $asset->duplicate( { skipAutoCommitWorkflows => 1 } );
-                $newAsset->update( { title => $newAsset->getTitle . ' (copy)' } );
-                $newAsset->cut;
-            }
-        }
-    }
-
     ### Run the search
-    if ( $session->form->get( 'keywords' ) || $session->form->get( 'class' ) ) {
+    if ( $keywords || $session->form->get( 'class' ) ) {
-        my $keywords        = $session->form->get( 'keywords' );
+        my @classes          = $session->form->get( 'class' );
-        my @classes         = $session->form->get( 'class' );
+        my $keywordsScrubbed = $keywords;
 
         # Detect a helper word key
         my @assetIds        = ($keywords =~ /assetid:\s*([^\s]+)/gi);
 
         # purge helper word keys
         if (@assetIds) {
-            $keywords =~ s/\bassetid:\s*[^\s]+//gi;
+            $keywordsScrubbed =~ s/\bassetid:\s*[^\s]+//gi;
         }
-        $keywords =~ s/^\s+//g;
+        $keywordsScrubbed =~ s/^\s+//g;
-        $keywords =~ s/\s+$//g;
+        $keywordsScrubbed =~ s/\s+$//g;
 
         my $p       = getSearchPaginator( $session, {
             assetIds            => \@assetIds,
-            keywords            => $keywords,
+            keywords            => $keywordsScrubbed,
             classes             => \@classes,
             orderByColumn       => $session->form->get( 'orderByColumn' ),
             orderByDirection    => $session->form->get( 'orderByDirection' ),
@@ -601,9 +578,10 @@ sub www_search {
         }
         else {
             ### Display the search results 
-            $output         .= q{<form method="post" enctype="multipart/form-data">}
+            $output         .= q{<form method="post" enctype="multipart/form-data" action="}.$currentAsset->getUrl.q{">}
-                            . q{<input type="hidden" name="op" value="assetManager" />}
+                            . q{<input type="hidden" name="func"    value="searchAssets" />}
-                            . q{<input type="hidden" name="method" value="search" />}
+                            . q{<input type="hidden" name="proceed" value="searchAssets" />}
+                            . WebGUI::Form::CsrfToken->new($session)->toHtml
                             . q{<input type="hidden" name="pn" value="} . $session->form->get('pn') . q{" />}
                             . q{<input type="hidden" name="keywords" value="} . $keywords . q{" />}
                             ;
@@ -707,9 +685,9 @@ sub www_search {
             $output     .= q{</tbody>}
                         . q{</table>}
                         . q{<p class="actions">} . $i18n->get( 'with selected' )
-                        . q{<input type="submit" name="action" value="}.$i18n->get( 'delete' ) . q{" />}
+                        . q{<input type="submit" name="action" value="}.$i18n->get( 'delete' ) . q[" onclick="if(confirm('].$i18n->get('43').q[')){this.form.func.value='deleteList'; this.form.submit();}{ return false; }" />]
-                        . q{<input type="submit" name="action" value="}.$i18n->get( "cut" )    . q{" />}
+                        . q{<input type="submit" name="action" value="}.$i18n->get( "cut" )    . q{" onclick="this.form.func.value='cutList'; this.form.submit();" />}
-                        . q{<input type="submit" name="action" value="}.$i18n->get( "Copy" )    .q{" />}
+                        . q{<input type="submit" name="action" value="}.$i18n->get( "Copy" )    .q{" onclick="this.form.func.value='copyList'; this.form.submit();" />}
                         . q{</p>}
                         . q{</form>}
                         ;
@@ -730,6 +708,7 @@ sub www_search {
 
     $output         .= '</div>';
 
+    $session->scratch->set('assetManagerSearchKeywords',  $keywords);
     return $ac->render( $output );
 }
 

lib/WebGUI/i18n/English/Asset.pm

@@ -1392,6 +1392,12 @@ Couldn't open %-s because %-s <br />
         context     => q{},
     },
 
+    'Any Class' => {
+        message     => q{Any Class},
+        lastUpdated => 0,
+        context     => q{Class, as in name of class, or type of asset},
+    },
+
 };
 
 1;