From 737c4361461f92c7c74eb3004a17dff6cf8b8d4d Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Thu, 25 Aug 2016 07:21:10 +1000
Subject: [PATCH 1/2] CRM-15928 Backport fix for CRM-15928 to 4.6
---
 CRM/Admin/Form/Setting/Miscellaneous.php | 1 +
 CRM/Profile/Page/Router.php | 5 +++--
 CRM/UF/Page/Group.php | 15 +++++++++------
 CRM/Upgrade/Incremental/php/FourSix.php | 3 +++
 settings/Core.setting.php | 18 +++++++++++++++++-
 .../CRM/Admin/Form/Setting/Miscellaneous.tpl | 13 ++++++++++---
 6 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/CRM/Admin/Form/Setting/Miscellaneous.php b/CRM/Admin/Form/Setting/Miscellaneous.php
index 277c278fb90f..4b960ea964b7 100644
--- a/CRM/Admin/Form/Setting/Miscellaneous.php
+++ b/CRM/Admin/Form/Setting/Miscellaneous.php
@@ -51,6 +51,7 @@ class CRM_Admin_Form_Setting_Miscellaneous extends CRM_Admin_Form_Setting {
 'doNotAttachPDFReceipt' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
 'secondDegRelPermissions' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
 'checksumTimeout' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
+ 'remote_profile_submissions' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
 );
 public $_uploadMaxSize;
diff --git a/CRM/Profile/Page/Router.php b/CRM/Profile/Page/Router.php
index 511aee992bc5..88e802919098 100644
--- a/CRM/Profile/Page/Router.php
+++ b/CRM/Profile/Page/Router.php
@@ -97,11 +97,12 @@ public function run($args = NULL) {
 }
 if ($secondArg == 'edit' || $secondArg == 'create') {
+ $allowRemoteSubmit = CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');
 if ($secondArg == 'edit') {
 $controller = new CRM_Core_Controller_Simple('CRM_Profile_Form_Edit',
 ts('Create Profile'),
 CRM_Core_Action::UPDATE,
- FALSE, FALSE, TRUE
+ FALSE, FALSE, $allowRemoteSubmit
 );
 $controller->set('edit', 1);
 $controller->process();
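Review bot: The value returned by `CRM_Core_BAO_Setting::getItem()` on the first added line is handed straight through as the controller's ignoreKey argument, a position that previously only ever received the literal TRUE; whatever type the stored setting comes back as (it may be NULL when nothing has been saved yet, or a string from a form save) now reaches that parameter, so the secure default should not depend on how the callee tests the flag. Cast at the read site: `$allowRemoteSubmit = (bool) CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');`. The name ignoreKey is the only hint of what is being switched off, so the line deserves a why-comment such as `// Presumably skips the form key check; that is what lets an external site post to this form, so it stays off unless the admin opts in (CRM-15928).` The same lookup feeds 'ignoreKey' in the next Router.php hunk and the link gate in CRM/UF/Page/Group.php, so one small helper returning the cast bool would keep the three call sites in step. run() continues outside this hunk.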
@@ -113,7 +114,7 @@ public function run($args = NULL) {
 ts('Create Profile'),
 array(
 'mode' => CRM_Core_Action::ADD,
- 'ignoreKey' => TRUE,
+ 'ignoreKey' => $allowRemoteSubmit,
 )
 );
 }
diff --git a/CRM/UF/Page/Group.php b/CRM/UF/Page/Group.php
index d08c024fc06a..95970c5f2d6e 100644
--- a/CRM/UF/Page/Group.php
+++ b/CRM/UF/Page/Group.php
@@ -111,12 +111,6 @@ public function &actionLinks() {
 'qs' => 'action=delete&id=%%id%%',
 'title' => ts('Delete CiviCRM Profile Group'),
 ),
- CRM_Core_Action::PROFILE => array(
- 'name' => ts('HTML Form Snippet'),
- 'url' => 'civicrm/admin/uf/group',
- 'qs' => 'action=profile&gid=%%id%%',
- 'title' => ts('HTML Form Snippet for this Profile'),
- ),
 CRM_Core_Action::COPY => array(
 'name' => ts('Copy Profile'),
 'url' => 'civicrm/admin/uf/group',
@@ -125,6 +119,15 @@ public function &actionLinks() {
 'extra' => 'onclick = "return confirm(\'' . $copyExtra . '\');"',
 ),
 );
+ $allowRemoteSubmit = CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');
+ if ($allowRemoteSubmit) {
+ self::$_actionLinks[CRM_Core_Action::PROFILE] = array(
+ 'name' => ts('HTML Form Snippet'),
+ 'url' => 'civicrm/admin/uf/group',
+ 'qs' => 'action=profile&gid=%%id%%',
+ 'title' => ts('HTML Form Snippet for this Profile'),
+ );
+ }
 }
 return self::$_actionLinks;
 }
diff --git a/CRM/Upgrade/Incremental/php/FourSix.php b/CRM/Upgrade/Incremental/php/FourSix.php
index 89787b890759..0564ec34c4f2 100644
--- a/CRM/Upgrade/Incremental/php/FourSix.php
+++ b/CRM/Upgrade/Incremental/php/FourSix.php
@@ -75,6 +75,9 @@ public function setPostUpgradeMessage(&$postUpgradeMessage, $rev) {
 if ($rev == '4.6.alpha3') {
 $postUpgradeMessage .= '
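Review bot: The new `if ($allowRemoteSubmit)` block in the second Group.php hunk only decides whether the 'HTML Form Snippet' link is listed; it does not gate the `action=profile` handler the link points to, so that page is presumably still reachable by URL when the setting is off (the handler is outside this hunk, so I cannot confirm). Hiding the link is fine if the aim is to stop advertising a form that Router.php will now reject, but the code should say so rather than look like an access control: `// Only offer the snippet when remote submissions are accepted; Router.php enforces the same setting on the posted form.` Note also that the link is now appended after COPY instead of sitting before it as the removed block did, which changes the order actions are rendered in; if that order matters, build the entry into the array before the static is assigned. actionLinks() starts outside this hunk.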

' . ts('A new permission has been added for editing message templates. Previously, users needed the "administer CiviCRM" permission. Now, users need the new permission called "edit message templates." Please check your CMS permissions to ensure that users who should be able to edit message templates are assigned this new permission.'); } + if ($rev == '4.6.21') { + $postUpgradeMessage .= '

' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'");
+ }
 }
diff --git a/settings/Core.setting.php b/settings/Core.setting.php
index 797818ad3ffc..6d3f79ca5c94 100644
--- a/settings/Core.setting.php
+++ b/settings/Core.setting.php
@@ -32,7 +32,8 @@
 * $Id$
 *
 */
-/*
+
+/**
 * Settings metadata file
 */
 return array(
@@ -176,6 +177,21 @@
 'description' => NULL,
 'help_text' => NULL,
 ),
+ 'remote_profile_submissions' => array(
+ 'group_name' => 'CiviCRM Preferences',
+ 'group' => 'core',
+ 'name' => 'remote_profile_submissions',
+ 'type' => 'Boolean',
+ 'quick_form_type' => 'YesNo',
+ 'default' => FALSE,
+ 'html_type' => 'radio',
+ 'add' => '4.6',
+ 'title' => 'Accept profile submissions from external sites',
+ 'is_domain' => 1,
+ 'is_contact' => 0,
+ 'description' => 'If enabled, CiviCRM will permit submissions from external sites to profiles. This is disabled by default to limit abuse.',
+ 'help_text' => NULL,
+ ),
 'editor_id' => array(
 'group_name' => 'CiviCRM Preferences',
 'group' => 'core',
diff --git a/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl b/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl
index f59963479bfd..c85f1d85bc80 100644
--- a/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl
+++ b/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl
@@ -113,9 +113,16 @@
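Review bot: The 'description' added for `remote_profile_submissions` in the second Core.setting.php hunk tells the admin the setting is off "to limit abuse" but not what protection they are giving up by turning it on, which is the one thing they need to weigh; as far as Router.php shows, the flag is passed as ignoreKey on the profile create/edit controllers, so the text should name that trade-off. The metadata already reserves `'help_text' => NULL` for exactly this, so keep the description short and put the detail there, e.g. `'help_text' => 'Profile forms embedded on other sites post without the form key CiviCRM normally requires. Enabling this accepts such submissions for create and edit; leave it off unless you rely on remotely embedded profiles.'`. The `'add' => '4.6'` is also coarser than the upgrade message in FourSix.php, which keys on '4.6.21'; using the same point release here would keep the two in agreement.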

{ts}If enabled, contacts with the permission to edit a related contact will inherit that contact's permission to edit other related contacts.{/ts}

- + + {$form.remote_profile_submissions_allowed.label} + {$form.remote_profile_submissions_allowed.html}
+

{ts}If enabled, CiviCRM will allow users to submit profiles from external sites. This is disabled by default to limit abuse.{/ts}

+ + -

{ts}reCAPTCHA Keys{/ts}

+ +

{ts}reCAPTCHA Keys{/ts}

+
{ts 1="https://www.google.com/recaptcha"}reCAPTCHA is a free service that helps prevent automated abuse of your site. To use reCAPTCHA on public-facing CiviCRM forms: sign up at Google's reCaptcha site; enter the provided public and private reCAPTCHA keys here; then enable reCAPTCHA under Advanced Settings in any Profile.{/ts}
@@ -164,4 +171,4 @@
 });
 });
-{/literal}
\ No newline at end of file
+{/literal}
From 0e295350b38341b59aa715d21255b280bd5f1e8f Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Thu, 25 Aug 2016 16:51:40 +1000
Subject: [PATCH 2/2] Fix template variable
---
 templates/CRM/Admin/Form/Setting/Miscellaneous.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl b/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl
index c85f1d85bc80..fcab5efc12cd 100644
--- a/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl
+++ b/templates/CRM/Admin/Form/Setting/Miscellaneous.tpl
@@ -114,8 +114,8 @@
- {$form.remote_profile_submissions_allowed.label}
- {$form.remote_profile_submissions_allowed.html}
+ {$form.remote_profile_submissions.label} + {$form.remote_profile_submissions.html}

{ts}If enabled, CiviCRM will allow users to submit profiles from external sites. This is disabled by default to limit abuse.{/ts}