Handle ajax call to resend an invitation correctly (#21013)

* Handle ajax call to resend an invitatio correctly * built vue files * disallow sending password parameters as get * update other password usages
matomo-org · Jul 27, 2023 · b66db30 · b66db30
1 parent 0473f3b
commit b66db30
Show file tree

Hide file tree

Showing 7 changed files with 103 additions and 85 deletions.
diff --git a/plugins/CoreHome/vue/dist/CoreHome.umd.js b/plugins/CoreHome/vue/dist/CoreHome.umd.js
diff --git a/plugins/CoreHome/vue/dist/CoreHome.umd.min.js b/plugins/CoreHome/vue/dist/CoreHome.umd.min.js
diff --git a/plugins/CoreHome/vue/src/AjaxHelper/AjaxHelper.ts b/plugins/CoreHome/vue/src/AjaxHelper/AjaxHelper.ts
@@ -202,6 +202,12 @@ export default class AjaxHelper<T = any> { // eslint-disable-line
     if (Array.isArray(params)) {
       helper.setBulkRequests(...(params as QueryParameters[]));
     } else {
+      Object.keys(params).forEach((key) => {
+        if (/password/i.test(key)) {
+          throw new Error(`Password parameters are not allowed to be sent as GET parameter. Please send ${key} as POST parameter instead.`);
+        }
+      });
+
       helper.addParams({
         module: 'API',
         format: options.format || 'json',

diff --git a/plugins/UsersManager/vue/dist/UsersManager.umd.js b/plugins/UsersManager/vue/dist/UsersManager.umd.js
diff --git a/plugins/UsersManager/vue/dist/UsersManager.umd.min.js b/plugins/UsersManager/vue/dist/UsersManager.umd.min.js
diff --git a/plugins/UsersManager/vue/src/UserEditForm/UserEditForm.vue b/plugins/UsersManager/vue/src/UserEditForm/UserEditForm.vue
@@ -478,6 +478,7 @@ export default defineComponent({
       this.isResetting2FA = true;
       return AjaxHelper.post({
         method: 'TwoFactorAuth.resetTwoFactorAuth',
+      }, {
         userLogin: this.theUser.login,
         passwordConfirmation: password,
       }).catch((e) => {

diff --git a/plugins/UsersManager/vue/src/UsersManager/UsersManager.vue b/plugins/UsersManager/vue/src/UsersManager/UsersManager.vue
@@ -386,9 +386,10 @@ export default defineComponent({
       }
       this.loading = true;
       try {
-        const res = await AjaxHelper.fetch<{ value: string }>(
+        const res = await AjaxHelper.post<{ value: string }>(
           {
             method: 'UsersManager.generateInviteLink',
+          }, {
             userLogin: this.userBeingEdited!.login,
             passwordConfirmation: password,
           },
@@ -431,10 +432,12 @@ ${translate('UsersManager_CopyDeniedHints', [`<br><span class="invite-link">${va
     },
     onResendInvite(password: string) {
       if (password === '') return;
-      AjaxHelper.fetch<AjaxHelper>(
+      AjaxHelper.post<AjaxHelper>(
         {
           method: 'UsersManager.resendInvite',
           userLogin: this.userBeingEdited!.login,
+        },
+        {
           passwordConfirmation: password,
         },
       ).then(() => {