CRM-15928 Backport fix for CRM-15928 to 4.6

CRM/Admin/Form/Setting/Miscellaneous.php

@@ -51,6 +51,7 @@ class CRM_Admin_Form_Setting_Miscellaneous extends CRM_Admin_Form_Setting {
     'doNotAttachPDFReceipt' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
     'secondDegRelPermissions' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
     'checksumTimeout' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
+    'remote_profile_submissions' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
   );
 
   public $_uploadMaxSize;

CRM/Profile/Page/Router.php

@@ -97,11 +97,12 @@ public function run($args = NULL) {
     }
 
     if ($secondArg == 'edit' || $secondArg == 'create') {
+      $allowRemoteSubmit = CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');
       if ($secondArg == 'edit') {
         $controller = new CRM_Core_Controller_Simple('CRM_Profile_Form_Edit',
           ts('Create Profile'),
           CRM_Core_Action::UPDATE,
-          FALSE, FALSE, TRUE
+          FALSE, FALSE, $allowRemoteSubmit
         );
         $controller->set('edit', 1);
         $controller->process();
@@ -113,7 +114,7 @@ public function run($args = NULL) {
           ts('Create Profile'),
           array(
             'mode' => CRM_Core_Action::ADD,
-            'ignoreKey' => TRUE,
+            'ignoreKey' => $allowRemoteSubmit,
           )
         );
       }

CRM/UF/Page/Group.php

@@ -111,12 +111,6 @@ public function &actionLinks() {
           'qs' => 'action=delete&id=%%id%%',
           'title' => ts('Delete CiviCRM Profile Group'),
         ),
-        CRM_Core_Action::PROFILE => array(
-          'name' => ts('HTML Form Snippet'),
-          'url' => 'civicrm/admin/uf/group',
-          'qs' => 'action=profile&gid=%%id%%',
-          'title' => ts('HTML Form Snippet for this Profile'),
-        ),
         CRM_Core_Action::COPY => array(
           'name' => ts('Copy Profile'),
           'url' => 'civicrm/admin/uf/group',
@@ -125,6 +119,15 @@ public function &actionLinks() {
           'extra' => 'onclick = "return confirm(\'' . $copyExtra . '\');"',
         ),
       );
+      $allowRemoteSubmit = CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');
+      if ($allowRemoteSubmit) {
+        self::$_actionLinks[CRM_Core_Action::PROFILE] = array(
+          'name' => ts('HTML Form Snippet'),
+          'url' => 'civicrm/admin/uf/group',
+          'qs' => 'action=profile&gid=%%id%%',
+          'title' => ts('HTML Form Snippet for this Profile'),
+        );
+      }
     }
     return self::$_actionLinks;
   }

CRM/Upgrade/Incremental/php/FourSix.php

@@ -75,6 +75,9 @@ public function setPostUpgradeMessage(&$postUpgradeMessage, $rev) {
     if ($rev == '4.6.alpha3') {
       $postUpgradeMessage .= '<br /><br />' . ts('A new permission has been added for editing message templates. Previously, users needed the "administer CiviCRM" permission. Now, users need the new permission called "edit message templates." Please check your CMS permissions to ensure that users who should be able to edit message templates are assigned this new permission.');
     }
+    if ($rev == '4.6.21') {
+      $postUpgradeMessage .= '<br /><br />' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'");
+    }
   }
 
 

settings/Core.setting.php

@@ -32,7 +32,8 @@
  * $Id$
  *
  */
-/*
+
+/**
  * Settings metadata file
  */
 return array(
@@ -176,6 +177,21 @@
     'description' => NULL,
     'help_text' => NULL,
   ),
+  'remote_profile_submissions' => array(
+    'group_name' => 'CiviCRM Preferences',
+    'group' => 'core',
+    'name' => 'remote_profile_submissions',
+    'type' => 'Boolean',
+    'quick_form_type' => 'YesNo',
+    'default' => FALSE,
+    'html_type' => 'radio',
+    'add' => '4.6',
+    'title' => 'Accept profile submissions from external sites',
+    'is_domain' => 1,
+    'is_contact' => 0,
+    'description' => 'If enabled, CiviCRM will permit submissions from external sites to profiles. This is disabled by default to limit abuse.',
+    'help_text' => NULL,
+  ),
   'editor_id' => array(
     'group_name' => 'CiviCRM Preferences',
     'group' => 'core',

templates/CRM/Admin/Form/Setting/Miscellaneous.tpl

@@ -113,9 +113,16 @@
                 <p class="description">{ts}If enabled, contacts with the permission to edit a related contact will inherit that contact's permission to edit other related contacts.{/ts}</p>
             </td>
         </tr>
-
+        <tr class="crm-miscellaneous-form-block-remote_profile_submissions_allowed">
+          <td class="label">{$form.remote_profile_submissions.label}</td>
+          <td>{$form.remote_profile_submissions.html}<br />
+            <p class="description">{ts}If enabled, CiviCRM will allow users to submit profiles from external sites. This is disabled by default to limit abuse.{/ts}</p>
+          </td>
+        </tr>
     </table>
-<h3>{ts}reCAPTCHA Keys{/ts}</h3>
+
+    <h3>{ts}reCAPTCHA Keys{/ts}</h3>
+
     <div class="description">
         {ts 1="https://www.google.com/recaptcha"}reCAPTCHA is a free service that helps prevent automated abuse of your site. To use reCAPTCHA on public-facing CiviCRM forms: sign up at <a href="%1" "target=_blank">Google's reCaptcha site</a>; enter the provided public and private reCAPTCHA keys here; then enable reCAPTCHA under Advanced Settings in any Profile.{/ts}
     </div>
@@ -164,4 +171,4 @@
     });
   });
 </script>
-{/literal}
+{/literal}