Security fix

The previous commit appended the auth token to every 'btn-get' settings type. The token is now included explicitly in the settings definitions, so it is never sent to external URLs.
Henry Whitaker
2020-08-21 23:42:57 +01:00
parent e7c3dcd369
commit da34c723a3
3 changed files with 7 additions and 7 deletions

2
public/js/app.js vendored

File diff suppressed because one or more lines are too long


@@ -239,7 +239,7 @@ export default class SettingWithModal extends Component {
<Row key={e.obj.id}>
<Col md={md} sm={sm}>
<p>{name}</p>
<Button onClick={() => { Axios.get(e.url + '?token=' + window.token) }} >{name}</Button>
<Button onClick={() => { Axios.get(e.url) }} >{name}</Button>
</Col>
{e.description == null &&
<Col md={md} sm={sm}>
@@ -266,7 +266,7 @@ export default class SettingWithModal extends Component {
{e.children.map((ee,ii) => {
if(ee.type == 'button-get') {
return (
<Button key={ii} variant={ee.btnType} className={'mr-2 mb-3'} onClick={() => { Axios.get(ee.url + '?token=' + window.token)
<Button key={ii} variant={ee.btnType} className={'mr-2 mb-3'} onClick={() => { Axios.get(ee.url)
.then((resp) => { toast.success('Healthcheck sent') })
.catch((resp) => { resp = resp.response; toast.error(resp.data.error) })
}} >{ee.text}</Button>
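Review bot: The first button's new handler, `Axios.get(e.url)`, has no `.then`/`.catch`, unlike the healthcheck buttons in the second hunk, so a rejected request (presumably including an auth failure when a definition omits the token) fails silently as an unhandled rejection. Consider giving it the same feedback, e.g. `Axios.get(e.url).catch((err) => { toast.error(err.response ? err.response.data.error : 'Request failed') })`. The existing catch in the second hunk has a related gap: `resp.response` is undefined when no HTTP response arrives, so `resp.data.error` would throw inside the handler. Both handlers sit in a render body that starts and ends outside these hunks.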


@@ -143,7 +143,7 @@ export default class Settings extends Component {
description: "After saving your updated notification settings, use this to check your settings are correct."
},
type: 'button-get',
url: 'api/settings/test-notification'
url: 'api/settings/test-notification?token=' + window.token
},
{
obj: e.speedtest_notifications,
@@ -218,21 +218,21 @@ export default class Settings extends Component {
children: [
{
type: 'button-get',
url: 'api/settings/test-healthchecks/start',
url: 'api/settings/test-healthchecks/start?token=' + window.token,
btnType: 'outline-success',
text: 'Start',
inline: true,
},
{
type: 'button-get',
url: 'api/settings/test-healthchecks/success',
url: 'api/settings/test-healthchecks/success?token=' + window.token,
btnType: 'success',
text: 'Success',
inline: true,
},
{
type: 'button-get',
url: 'api/settings/test-healthchecks/fail',
url: 'api/settings/test-healthchecks/fail?token=' + window.token,
btnType: 'danger',
text: 'Fail',
inline: true,
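Review bot: The token is still carried in the query string of each internal `url` (the three healthcheck entries here and the test-notification entry in the first hunk), so it will land in web-server access logs, proxy logs and browser history even though it no longer reaches external hosts. If the API can accept it, a header keeps it out of URLs: mark the internal definitions with a flag and have the component call `Axios.get(e.url, { headers: { Authorization: 'Bearer ' + window.token } })` only for flagged entries. If the query parameter has to stay, use `encodeURIComponent(window.token)` so characters such as `+`, `&` or `=` in the token cannot corrupt the query. These endpoints also trigger actions on a GET; whether that is safe depends on server-side handling not visible here.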