'doNotAttachPDFReceipt' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
'secondDegRelPermissions' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
'checksumTimeout' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
+ 'remote_profile_submissions' => CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME,
);
public $_uploadMaxSize;
}
if ($secondArg == 'edit' || $secondArg == 'create') {
+ $allowRemoteSubmit = CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');
if ($secondArg == 'edit') {
$controller = new CRM_Core_Controller_Simple('CRM_Profile_Form_Edit',
ts('Create Profile'),
CRM_Core_Action::UPDATE,
- FALSE, FALSE, TRUE
+ FALSE, FALSE, $allowRemoteSubmit
);
$controller->set('edit', 1);
$controller->process();
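Review bot: Passing `$allowRemoteSubmit` as the ignore-key argument (`FALSE, FALSE, $allowRemoteSubmit` here, and `'ignoreKey' => $allowRemoteSubmit` in the create branch of the next hunk) means that enabling the setting switches off form-key validation for every profile create/edit request on the site, same-site ones included, not only for profiles that are actually embedded elsewhere. That trade-off is not stated in the code, so I would add a comment above the `getItem()` call, such as `// ignoreKey disables the form-key (CSRF) check; only do so when the admin has opted in to remote profile submissions`. If `getItem()` can return NULL on a site where the setting was never saved, that is falsy and fails closed, but an explicit `(bool)` cast would make the value handed to the controller unambiguous. The enclosing method starts and ends outside the hunk.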
ts('Create Profile'),
array(
'mode' => CRM_Core_Action::ADD,
- 'ignoreKey' => TRUE,
+ 'ignoreKey' => $allowRemoteSubmit,
)
);
}
'qs' => 'action=delete&id=%%id%%',
'title' => ts('Delete CiviCRM Profile Group'),
),
- CRM_Core_Action::PROFILE => array(
- 'name' => ts('HTML Form Snippet'),
- 'url' => 'civicrm/admin/uf/group',
- 'qs' => 'action=profile&gid=%%id%%',
- 'title' => ts('HTML Form Snippet for this Profile'),
- ),
CRM_Core_Action::COPY => array(
'name' => ts('Copy Profile'),
'url' => 'civicrm/admin/uf/group',
'extra' => 'onclick = "return confirm(\'' . $copyExtra . '\');"',
),
);
+ $allowRemoteSubmit = CRM_Core_BAO_Setting::getItem(CRM_Core_BAO_Setting::SYSTEM_PREFERENCES_NAME, 'remote_profile_submissions');
+ if ($allowRemoteSubmit) {
+ self::$_actionLinks[CRM_Core_Action::PROFILE] = array(
+ 'name' => ts('HTML Form Snippet'),
+ 'url' => 'civicrm/admin/uf/group',
+ 'qs' => 'action=profile&gid=%%id%%',
+ 'title' => ts('HTML Form Snippet for this Profile'),
+ );
+ }
}
return self::$_actionLinks;
}
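Review bot: Gating the `CRM_Core_Action::PROFILE` entry on the setting only hides the "HTML Form Snippet" link; nothing in this hunk shows the `action=profile` handler behind `civicrm/admin/uf/group` checking `remote_profile_submissions` itself. If that handler is unchanged, a bookmarked or hand-typed URL still produces a snippet whose submissions are then rejected, so the handler should check the setting as well, or explain why the snippet is unavailable. The entry is also now appended after the array literal, so it moves behind `CRM_Core_Action::COPY` in the link order, which may or may not be intended. A short comment such as `// The HTML snippet is only offered when remote profile submissions are enabled` above the `if` would record the reason. The method begins above the hunk.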
if ($rev == '4.6.alpha3') {
$postUpgradeMessage .= '<br /><br />' . ts('A new permission has been added for editing message templates. Previously, users needed the "administer CiviCRM" permission. Now, users need the new permission called "edit message templates." Please check your CMS permissions to ensure that users who should be able to edit message templates are assigned this new permission.');
}
+ if ($rev == '4.6.21') {
+ $postUpgradeMessage .= '<br /><br />' . ts("WARNING: For increased security, profile submissions embedded in remote sites are no longer allowed to create or edit data by default. If you need to allow users to submit profiles from external sites, you can restore this at Administer > System Settings > Misc (Undelete, PDFs, Limits, Logging, Captcha, etc.) > 'Accept profile submissions from external sites'");
+ }
}
* $Id$
*
*/
-/*
+
+/**
* Settings metadata file
*/
return array(
'description' => NULL,
'help_text' => NULL,
),
+ 'remote_profile_submissions' => array(
+ 'group_name' => 'CiviCRM Preferences',
+ 'group' => 'core',
+ 'name' => 'remote_profile_submissions',
+ 'type' => 'Boolean',
+ 'quick_form_type' => 'YesNo',
+ 'default' => FALSE,
+ 'html_type' => 'radio',
+ 'add' => '4.6',
+ 'title' => 'Accept profile submissions from external sites',
+ 'is_domain' => 1,
+ 'is_contact' => 0,
+ 'description' => 'If enabled, CiviCRM will permit submissions from external sites to profiles. This is disabled by default to limit abuse.',
+ 'help_text' => NULL,
+ ),
'editor_id' => array(
'group_name' => 'CiviCRM Preferences',
'group' => 'core',
<p class="description">{ts}If enabled, contacts with the permission to edit a related contact will inherit that contact's permission to edit other related contacts.{/ts}</p>
</td>
</tr>
-
+ <tr class="crm-miscellaneous-form-block-remote_profile_submissions_allowed">
+ <td class="label">{$form.remote_profile_submissions_allowed.label}</td>
+ <td>{$form.remote_profile_submissions_allowed.html}<br />
+ <p class="description">{ts}If enabled, CiviCRM will allow users to submit profiles from external sites. This is disabled by default to limit abuse.{/ts}</p>
+ </td>
+ </tr>
</table>
-<h3>{ts}reCAPTCHA Keys{/ts}</h3>
+
+ <h3>{ts}reCAPTCHA Keys{/ts}</h3>
+
<div class="description">
{ts 1="https://www.google.com/recaptcha"}reCAPTCHA is a free service that helps prevent automated abuse of your site. To use reCAPTCHA on public-facing CiviCRM forms: sign up at <a href="%1" "target=_blank">Google's reCaptcha site</a>; enter the provided public and private reCAPTCHA keys here; then enable reCAPTCHA under Advanced Settings in any Profile.{/ts}
</div>
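Review bot: The new row reads `{$form.remote_profile_submissions_allowed.label}` and `{$form.remote_profile_submissions_allowed.html}`, but elsewhere in this commit the setting is registered as `remote_profile_submissions`, both in the settings-form array and in the metadata entry's `'name'`. Unless the form adds an element under the `_allowed` name in code not shown here, both cells render empty and an administrator cannot turn the setting on from this screen, despite the upgrade message pointing them to it. The row should use the registered key, `{$form.remote_profile_submissions.label}` and `{$form.remote_profile_submissions.html}`; the CSS class name can stay as it is.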
});
});
</script>
-{/literal}
\ No newline at end of file
+{/literal}