From 1ee41d071c7b91158bfa60fef8f2cde27375435f Mon Sep 17 00:00:00 2001
From: elvill <elias.villiger@uzh.ch>
Date: Fri, 31 Aug 2018 16:20:18 +0200
Subject: [PATCH] Feature #6255 Inline Report Editing - now with SIP and
 save.php api

---
 extension/Documentation/Manual.rst   |  2 +-
 extension/qfq/api/save.php           |  5 +++
 extension/qfq/api/saveReport.php     | 53 ----------------------------
 extension/qfq/qfq/Constants.php      |  2 ++
 extension/qfq/qfq/QuickFormQuery.php | 30 +++++++++++-----
 5 files changed, 29 insertions(+), 63 deletions(-)
 delete mode 100644 extension/qfq/api/saveReport.php

diff --git a/extension/Documentation/Manual.rst b/extension/Documentation/Manual.rst
index bea2d71ff..60da60815 100644
--- a/extension/Documentation/Manual.rst
+++ b/extension/Documentation/Manual.rst
@@ -4834,7 +4834,7 @@ Note: :ref:`debug` information will only be shown with *showDebugInfo: yes* in c
 Inline Report editing
 ---------------------
 
-For quick changes it might be bothersome to go to the TYPO3 backend to update the page content and reload the page.
+For quick changes it can be bothersome to go to the TYPO3 backend to update the page content and reload the page.
 For this reason, QFQ offers an inline report editing feature whenever there is a TYPO3 BE user logged in. A small
 link symbol will appear on the right-hand side of each report record. Please note that the TYPO3 Frontend cache
 is also deleted upon each inline report save.
diff --git a/extension/qfq/api/save.php b/extension/qfq/api/save.php
index 71fcac137..054c54120 100644
--- a/extension/qfq/api/save.php
+++ b/extension/qfq/api/save.php
@@ -59,6 +59,11 @@ try {
 
         $data = $qfq->saveForm();
 
+        if (isset($data[REPORT_SAVE])) {
+            // Redirect to previous page
+            header("Location: {$_SERVER['HTTP_REFERER']}");
+        }
+
         $arr = $qfq->getForwardMode();
         $answer[API_REDIRECT] = $arr[API_REDIRECT];
         $answer[API_REDIRECT_URL] = $arr[API_REDIRECT_URL];
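Review bot: The redirect target on the added `header("Location: {$_SERVER['HTTP_REFERER']}");` line is copied verbatim from the client-supplied Referer header, so this endpoint redirects wherever the request says it came from, and when the header is absent it emits an empty `Location:` plus an undefined-index notice; the deleted saveReport.php had the same construction, so the commit relocates the problem rather than fixing it. Prefer a server-side return target, for example carrying the rendering page's URL in the SIP that `saveReport` already relies on, or at minimum only honouring a referer whose host matches the site's own and falling back to a fixed page otherwise. The `header()` call is also not followed by `exit`, so execution continues into `getForwardMode()` and the JSON answer is emitted alongside the redirect; if that is intended, a comment such as `// Location header only; the JSON answer below is still emitted for non-browser callers` would make it explicit. The enclosing try block starts and ends outside the hunk.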
diff --git a/extension/qfq/api/saveReport.php b/extension/qfq/api/saveReport.php
deleted file mode 100644
index a6c3d246f..000000000
--- a/extension/qfq/api/saveReport.php
+++ /dev/null
@@ -1,53 +0,0 @@
-<?php
-/**
- * Created by PhpStorm.
- * User: ep
- * Date: 12/23/15
- * Time: 6:16 PM
- */
-
-namespace qfq;
-
-use qfq;
-
-require_once(__DIR__ . '/../qfq/QuickFormQuery.php');
-require_once(__DIR__ . '/../qfq/store/Store.php');
-require_once(__DIR__ . '/../qfq/Constants.php');
-require_once(__DIR__ . '/../qfq/exceptions/UserFormException.php');
-require_once(__DIR__ . '/../qfq/exceptions/CodeException.php');
-require_once(__DIR__ . '/../qfq/exceptions/DbException.php');
-
-
-/**
- * Return JSON encoded answer
- */
-
-$answer = array();
-
-$answer[API_REDIRECT] = API_ANSWER_REDIRECT_AUTO;
-$answer[API_STATUS] = API_ANSWER_STATUS_ERROR;
-$answer[API_MESSAGE] = '';
-
-try {
-    try {
-        if (isset($_POST[REPORT_INLINE_BODYTEXT])) {
-            $qfq = new QuickFormQuery(['bodytext' => '']);
-            $data = $qfq->saveReport();
-        }
-        // Redirect to previous page
-        header("Location: {$_SERVER['HTTP_REFERER']}");
-        exit;
-    } catch (qfq\UserFormException $e) {
-        $answer[API_MESSAGE] = $e->formatMessage();
-    } catch (qfq\CodeException $e) {
-        $answer[API_MESSAGE] = $e->formatMessage();
-    } catch (qfq\DbException $e) {
-        $answer[API_MESSAGE] = $e->formatMessage();
-    }
-} catch (\Exception $e) {
-    $answer[API_MESSAGE] = "Generic Exception: " . $e->getMessage();
-}
-
-header("Content-Type: application/json");
-echo json_encode($answer);
-
diff --git a/extension/qfq/qfq/Constants.php b/extension/qfq/qfq/Constants.php
index bdee08404..14b3947df 100644
--- a/extension/qfq/qfq/Constants.php
+++ b/extension/qfq/qfq/Constants.php
@@ -45,6 +45,8 @@ const FORM_BUTTON_DELETE = 'delete';
 const FORM_BUTTON_CLOSE = 'close';
 const FORM_BUTTON_SAVE = 'save';
 
+const REPORT_SAVE = 'reportSave';
+
 const F_BS_COLUMNS = 'bsColumns';
 
 const F_BS_LABEL_COLUMNS = 'bsLabelColumns';
diff --git a/extension/qfq/qfq/QuickFormQuery.php b/extension/qfq/qfq/QuickFormQuery.php
index 4850c80be..165abb8d8 100644
--- a/extension/qfq/qfq/QuickFormQuery.php
+++ b/extension/qfq/qfq/QuickFormQuery.php
@@ -23,6 +23,7 @@ use qfq;
 
 
 require_once(__DIR__ . '/store/Store.php');
+require_once(__DIR__ . '/store/Sip.php');
 require_once(__DIR__ . '/store/FillStoreForm.php');
 require_once(__DIR__ . '/store/Session.php');
 require_once(__DIR__ . '/Constants.php');
@@ -1356,8 +1357,6 @@ class QuickFormQuery {
         $bodytext = $this->t3data[T3DATA_BODYTEXT_RAW];
         $header = $this->t3data[T3DATA_HEADER];
 
-        $hiddenInput = "<input type='hidden' name='uid' value='$uid'>";
-
         $icon = Support::renderGlyphIcon(GLYPH_ICON_TASKS);
         $showFormJs = '$("#tt-content-edit-' . $uid . '").toggleClass("hidden")';
         $toggleBtn = Support::wrapTag("<a href='#' onclick='$showFormJs' style='float:right;'>", $icon);
@@ -1379,25 +1378,32 @@ class QuickFormQuery {
             Support::doAttribute('name', REPORT_INLINE_BODYTEXT);
         $codeBox = Support::wrapTag("<textarea $codeBoxAttributes>", $ttContentCode);
 
-        $form = join(' ', [$headerBar, $codeBox, $hiddenInput]);
+        $form = join(' ', [$headerBar, $codeBox]);
+        $sipObj = new Sip;
+        $action = $sipObj->queryStringToSip(API_DIR . "/save.php?uid=$uid&" . REPORT_SAVE . "=1");
         $formAttributes = Support::doAttribute('id', "tt-content-edit-$uid") .
             Support::doAttribute('class', 'hidden') .
             Support::doAttribute('method', 'post') .
-            Support::doAttribute('action', API_DIR . '/saveReport.php');
+            Support::doAttribute('action', $action);
         $form = Support::wrapTag("<form $formAttributes>", $form);
 
         return $toggleBtn . $form;
     }
 
     /**
-     * @return string
      * @throws CodeException
      * @throws DbException
      * @throws UserFormException
      */
     public function saveReport() {
+        $uid = $this->store->getVar(T3DATA_UID, STORE_SIP . STORE_ZERO, SANITIZE_ALLOW_DIGIT);
+        if ($uid == 0) {
+            // Check if it was called with a SIP (containing a uid)
+            // If not, this might be an attack => cancel.
+            return;
+        }
+
         $bodytext = Support::htmlEntityEncodeDecode(MODE_DECODE, $_POST[REPORT_INLINE_BODYTEXT]);
-        $uid = $_POST['uid'];
         $dbT3 = $this->store->getVar(SYSTEM_T3_DB_NAME, STORE_SYSTEM . STORE_EMPTY, SANITIZE_ALLOW_ALNUMX);
         if ($dbT3 == '') {
             $dbData = $this->store->getVar(SYSTEM_DB_NAME_DATA, STORE_SYSTEM, SANITIZE_ALLOW_ALNUMX);
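Review bot: The guard added at the top of `saveReport()` returns silently when no uid arrives via the SIP, but the caller `saveForm()` (last hunk of this file) still sets `$json[REPORT_SAVE] = 1` and save.php then redirects, so a rejected request is indistinguishable from a successful save; throwing keeps the failure visible and matches the method's declared `@throws`, e.g. `throw new UserFormException('Inline report save: uid missing in SIP');` (with whatever code argument the project's exception constructor expects). The deleted saveReport.php also guarded the field with `isset($_POST[REPORT_INLINE_BODYTEXT])`, whereas the new path reads `$_POST[REPORT_INLINE_BODYTEXT]` unconditionally, so a SIP-valid request without the field reaches `htmlEntityEncodeDecode` with a notice and null; `$_POST[REPORT_INLINE_BODYTEXT] ?? ''` or an explicit check restores that. The Manual describes this feature as available only while a TYPO3 BE user is logged in; if that check lives solely in the rendering path, it is worth confirming whether the save path should re-check it rather than rely on the SIP alone. `saveReport()` continues past the end of this hunk.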
@@ -1412,7 +1418,8 @@ class QuickFormQuery {
         // Need to truncate cf_cache_pages because it is used to restore page-specific cache
         $sql = "DELETE FROM $dbT3.cf_cache_pages WHERE 1";
         $this->dbArray[$this->dbIndexData]->sql($sql);
-        return '';
+
+        $this->formSpec[F_FORWARD_MODE] = 'auto';
     }
 
     /**
@@ -1426,8 +1433,13 @@ class QuickFormQuery {
      * @throws UserReportException
      */
     public function saveForm() {
-
-        $json = $this->doForm(FORM_SAVE);
+        if ($this->store->getVar(REPORT_SAVE, STORE_SIP . STORE_ZERO) == '1') {
+            $this->saveReport();
+            $json = array();
+            $json[REPORT_SAVE] = 1;
+        } else {
+            $json = $this->doForm(FORM_SAVE);
+        }
 
         return $json;
     }
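Review bot: `$json = array(); $json[REPORT_SAVE] = 1;` in the new branch of `saveForm()` can be the single short-syntax literal `$json = [REPORT_SAVE => 1];`, matching the `[...]` form this file already uses (e.g. the `join(' ', [$headerBar, $codeBox])` call above). The `getVar(REPORT_SAVE, STORE_SIP . STORE_ZERO)` lookup omits the sanitize-class argument that the neighbouring `getVar` calls pass (`SANITIZE_ALLOW_DIGIT` for the uid); passing it here too keeps the flag check consistent with the rest of the method.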
-- 
GitLab