diff --git a/js/modules/Forms/Condition/Engine.js b/js/modules/Forms/Condition/Engine.js
index d08ae224926..051a99235ed 100644
--- a/js/modules/Forms/Condition/Engine.js
+++ b/js/modules/Forms/Condition/Engine.js
@@ -107,13 +107,6 @@ export class GlpiFormConditionEngine
form_data.append(`answers[${entry[0]}]`, entry[1]);
}
- // Included direct access token if needed.
- // Not great to have to do this normally, TOOD: find a better way.
- const url_params = new URLSearchParams(window.location.search);
- if (url_params.has('token')) {
- form_data.append('token', url_params.get('token'));
- }
-
// Send request
const url = `${CFG_GLPI.root_doc}/Form/Condition/Engine`;
const response = await fetch(url, {
diff --git a/phpunit/functional/Glpi/Form/AccessControl/ControlType/AllowListTest.php b/phpunit/functional/Glpi/Form/AccessControl/ControlType/AllowListTest.php
index fcbb99e8eb9..1035f127b94 100644
--- a/phpunit/functional/Glpi/Form/AccessControl/ControlType/AllowListTest.php
+++ b/phpunit/functional/Glpi/Form/AccessControl/ControlType/AllowListTest.php
@@ -40,6 +40,7 @@
use Glpi\Form\AccessControl\AccessVote;
use Glpi\Form\AccessControl\ControlType\AllowList;
use Glpi\Form\AccessControl\FormAccessParameters;
+use Glpi\Form\Form;
use Glpi\Tests\FormBuilder;
use Glpi\Tests\FormTesterTrait;
use Glpi\Form\AccessControl\ControlType\AllowListConfig;
@@ -199,7 +200,7 @@ public function testCanAnswer(
$allow_list = new AllowList();
$this->assertEquals(
$expected,
- $allow_list->canAnswer($config, $parameters)
+ $allow_list->canAnswer(new Form(), $config, $parameters)
);
}
diff --git a/phpunit/functional/Glpi/Form/AccessControl/ControlType/DirectAccessTest.php b/phpunit/functional/Glpi/Form/AccessControl/ControlType/DirectAccessTest.php
index 7ba08fee843..95bae837afb 100644
--- a/phpunit/functional/Glpi/Form/AccessControl/ControlType/DirectAccessTest.php
+++ b/phpunit/functional/Glpi/Form/AccessControl/ControlType/DirectAccessTest.php
@@ -39,6 +39,7 @@
use Glpi\Form\AccessControl\AccessVote;
use Glpi\Form\AccessControl\ControlType\DirectAccess;
use Glpi\Form\AccessControl\FormAccessParameters;
+use Glpi\Form\Form;
use Glpi\Tests\FormBuilder;
use Glpi\Tests\FormTesterTrait;
use Glpi\Form\AccessControl\ControlType\DirectAccessConfig;
@@ -251,7 +252,7 @@ public function testCanAnswer(
$direct_access = new DirectAccess();
$this->assertEquals(
$expected,
- $direct_access->canAnswer($config, $parameters)
+ $direct_access->canAnswer(new Form(), $config, $parameters)
);
}
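Review bot: `testCanAnswer` now passes `new Form()`, which has no id, so every data-provider case shares the same `$_SESSION['helpdesk_form_access_control']` slot that `DirectAccess::validateToken` writes to in this commit. Unless the session is reset between cases, a case that supplied a valid token leaves it in the session and a later case that omits the token would read it back and be allowed instead of abstaining. Resetting the slot at the start of the test, `unset($_SESSION['helpdesk_form_access_control']);`, or giving each case a form with a distinct id keeps the cases independent. The rest of testCanAnswer is outside the hunk.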
diff --git a/src/Glpi/Controller/Form/RendererController.php b/src/Glpi/Controller/Form/RendererController.php
index 2c370097298..71dc119614d 100644
--- a/src/Glpi/Controller/Form/RendererController.php
+++ b/src/Glpi/Controller/Form/RendererController.php
@@ -103,10 +103,6 @@ public function __invoke(Request $request): Response
'my_tickets_url_param' => http_build_query($my_tickets_criteria),
'visibility_engine_output' => $visibility_engine_output,
'params' => $request->query->all(),
-
- // Direct access token must be included in the form data as it will
- // be checked in the submit answers controller.
- 'token' => $request->query->getString('token'),
]);
}
diff --git a/src/Glpi/Controller/Form/Utils/CanCheckAccessPolicies.php b/src/Glpi/Controller/Form/Utils/CanCheckAccessPolicies.php
index c3fbb1ec85e..a40e6adb5ee 100644
--- a/src/Glpi/Controller/Form/Utils/CanCheckAccessPolicies.php
+++ b/src/Glpi/Controller/Form/Utils/CanCheckAccessPolicies.php
@@ -51,12 +51,7 @@ protected function checkFormAccessPolicies(Form $form, Request $request): void
// Form administrators can bypass restrictions while previewing forms.
$parameters = new FormAccessParameters(bypass_restriction: true);
} else {
- // URL parameters might be sent in GET or POST requests due to some
- // technical limitations.
- $url_parameters = $request->isMethod('POST')
- ? $request->request->all()
- : $request->query->all()
- ;
+ $url_parameters = $request->query->all();
// Load current user session info and URL parameters.
$parameters = new FormAccessParameters(
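Review bot: After this change a POST request never contributes a token to `FormAccessParameters`, so form submissions are authorized purely from the session entry that `DirectAccess::validateToken` writes during the GET render; presumably a session that expires or is renewed between render and submit refuses the submission even though the user still holds a valid link. That is a defensible trade-off but it is invisible at this line, so I would document it: `// Only GET parameters are read here: for direct-access links the token is carried by the session after the first render (see DirectAccess::validateToken).` checkFormAccessPolicies starts before and continues after this hunk.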
diff --git a/src/Glpi/Form/AccessControl/ControlType/AllowList.php b/src/Glpi/Form/AccessControl/ControlType/AllowList.php
index 0b48f93e4df..ab2ad3c99ec 100644
--- a/src/Glpi/Form/AccessControl/ControlType/AllowList.php
+++ b/src/Glpi/Form/AccessControl/ControlType/AllowList.php
@@ -110,6 +110,7 @@ public function createConfigFromUserInput(array $input): AllowListConfig
#[Override]
public function canAnswer(
+ Form $form,
JsonFieldInterface $config,
FormAccessParameters $parameters
): AccessVote {
diff --git a/src/Glpi/Form/AccessControl/ControlType/ControlTypeInterface.php b/src/Glpi/Form/AccessControl/ControlType/ControlTypeInterface.php
index 30fdffc5fe2..4a439cae81b 100644
--- a/src/Glpi/Form/AccessControl/ControlType/ControlTypeInterface.php
+++ b/src/Glpi/Form/AccessControl/ControlType/ControlTypeInterface.php
@@ -101,13 +101,9 @@ public function createConfigFromUserInput(array $input): JsonFieldInterface;
/**
* Check if the current user can answer the given form.
- *
- * @param JsonFieldInterface $config
- * @param FormAccessParameters $parameters
- *
- * @return AccessVote
*/
public function canAnswer(
+ Form $form,
JsonFieldInterface $config,
FormAccessParameters $parameters
): AccessVote;
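Review bot: The docblock says nothing about the new `$form` argument, and in this same commit `DirectAccess::canAnswer` keys session state on `$form->getId()`, so implementers and callers need to know that a persisted form is expected. I would add `@param Form $form The form being answered; implementations may key per-form state on its id.` to the docblock above the signature.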
diff --git a/src/Glpi/Form/AccessControl/ControlType/DirectAccess.php b/src/Glpi/Form/AccessControl/ControlType/DirectAccess.php
index 7a04f2bde8f..e97765dae7d 100644
--- a/src/Glpi/Form/AccessControl/ControlType/DirectAccess.php
+++ b/src/Glpi/Form/AccessControl/ControlType/DirectAccess.php
@@ -130,6 +130,7 @@ public function createConfigFromUserInput(array $input): DirectAccessConfig
#[Override]
public function canAnswer(
+ Form $form,
JsonFieldInterface $config,
FormAccessParameters $parameters
): AccessVote {
@@ -141,7 +142,7 @@ public function canAnswer(
return AccessVote::Abstain;
}
- if (!$this->validateToken($config, $parameters)) {
+ if (!$this->validateToken($form, $config, $parameters)) {
return AccessVote::Abstain;
};
@@ -160,12 +161,26 @@ private function validateSession(
}
private function validateToken(
+ Form $form,
DirectAccessConfig $config,
FormAccessParameters $parameters,
): bool {
+ // Note: it is easy to validate the token when an user is accesing the
+ // form for the first time through the /Form/Render/{id} page as the
+ // link will contain the token as a GET parameter.
+ // However, for any subsequent AJAX requests, the token is not present
+ // in the URL. Therefore, we must rely on the session to store the token
+ // and validate it on each request.
$token = $parameters->getUrlParameters()['token'] ?? null;
if ($token === null) {
- return false;
+ $session_token = $_SESSION['helpdesk_form_access_control'][$form->getId()] ?? null;
+ if ($session_token === null) {
+ return false;
+ } else {
+ $token = $session_token;
+ }
+ } else {
+ $_SESSION['helpdesk_form_access_control'][$form->getId()] = $token;
}
return hash_equals($config->getToken(), $token);
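Review bot: The URL token is written to `$_SESSION['helpdesk_form_access_control'][$form->getId()]` before `hash_equals` has run, so a request carrying a wrong or stale token replaces a previously validated session entry and the invalid value is persisted for the rest of the session. Storing the token only after it validates fixes that, lets the lookup collapse into a single `??` chain, and removes the `else` after `return`. `hash_equals` throws a TypeError on PHP 8 when its second argument is not a string, and both the URL value (`?token[]=x`) and the session slot can hold non-strings, so an `is_string` guard belongs on the same line. The explanatory comment also has typos ("an user is accesing"); validateToken's closing brace is outside the hunk.
```php
// … unchanged: signature and explanatory comment …
    $token = $parameters->getUrlParameters()['token']
        ?? $_SESSION['helpdesk_form_access_control'][$form->getId()]
        ?? null;
    if (!is_string($token) || !hash_equals($config->getToken(), $token)) {
        return false;
    }
    // Persist only a validated token so later requests that carry no URL
    // parameter can be authorized from the session.
    $_SESSION['helpdesk_form_access_control'][$form->getId()] = $token;
    return true;
```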
diff --git a/src/Glpi/Form/AccessControl/FormAccessControlManager.php b/src/Glpi/Form/AccessControl/FormAccessControlManager.php
index 7e1bc91c304..aa964b08827 100644
--- a/src/Glpi/Form/AccessControl/FormAccessControlManager.php
+++ b/src/Glpi/Form/AccessControl/FormAccessControlManager.php
@@ -132,6 +132,7 @@ public function canAnswerForm(
}
return $this->validateAccessControlsPolicies(
+ $form,
$access_controls_policies,
$parameters
);
@@ -203,6 +204,7 @@ private function addWarningIfFormHasNoActivePolicies(
}
private function validateAccessControlsPolicies(
+ Form $form,
array $policies,
FormAccessParameters $parameters
): bool {
@@ -212,6 +214,7 @@ private function validateAccessControlsPolicies(
/** @var FormAccessControl[] $policies */
foreach ($policies as $policiy) {
$votes[] = $policiy->getStrategy()->canAnswer(
+ $form,
$policiy->getConfig(),
$parameters
);
diff --git a/templates/pages/form_renderer.html.twig b/templates/pages/form_renderer.html.twig
index e437dfb1bd7..0d760dbb530 100644
--- a/templates/pages/form_renderer.html.twig
+++ b/templates/pages/form_renderer.html.twig
@@ -265,11 +265,6 @@
-
- {# Include direct access token if supplied #}
- {% if token %}
-
- {% endif %}