Submit report download link as a post request (matomo-org#14351)

* Submit report download link as a post request to hide auth token from user * Rework to pass all params except token_auth on the URL * Redo with hidden form already embedded in the DOM * PR changes * Missed one * minor tweak
Charpy · May 2, 2019 · 6268a6a · 6268a6a
1 parent efd14a5
commit 6268a6a
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 8 deletions.
diff --git a/.../ScheduledReports/angularjs/manage-scheduled-report/manage-scheduled-report.controller.js b/.../ScheduledReports/angularjs/manage-scheduled-report/manage-scheduled-report.controller.js
@@ -177,6 +177,10 @@
             resetParameters(this.report.type, this.report);
         };
 
+        this.displayReport = function (reportId) {
+            $('#downloadReportForm_' + reportId).submit();
+        };
+
         // Email now
         this.sendReportNow = function (idReport) {
             var ajaxHandler = getReportAjaxRequest(idReport, 'ScheduledReports.sendReport');

diff --git a/plugins/ScheduledReports/templates/_listReports.twig b/plugins/ScheduledReports/templates/_listReports.twig
@@ -75,24 +75,31 @@
             </td>
             <td>
                 {# download link #}
-                <a href="{{ linkTo({'module':'API', 'segment': null, 'token_auth':token_auth,
-                            'method':'ScheduledReports.generateReport', 'idReport':report.idreport,
-                            'outputType':downloadOutputType, 'language':language,
-                            'format': (report.format in ['html', 'csv']) ? report.format : false
-                       }) }}"
-                   rel="noreferrer noopener" target="_blank" name="linkDownloadReport" id="{{ report.idreport }}" class="link_but withIcon">
+                <form action="{{ linkTo({ 'module':'API', 'segment': null,
+                    'method':'ScheduledReports.generateReport', 'idReport':report.idreport,
+                    'outputType':downloadOutputType, 'language':language,
+                    'format': (report.format in ['html', 'csv']) ? report.format : false }) }}"
+                      method="POST"
+                      target="_blank"
+                      id="downloadReportForm_{{ report.idreport|e('html_attr') }}"
+                >
+                    <input type="hidden" name="token_auth" value="{{ token_auth|e('html_attr') }}">
+                </form>
+                <a href="javascript:void(0)"
+                   ng-click="manageScheduledReport.displayReport({{ report.idreport|json_encode }})"
+                   rel="noreferrer noopener" name="linkDownloadReport" id="{{ report.idreport|e('html_attr') }}" class="link_but withIcon">
                     <img src='{{ reportFormatsByReportType[report.type][report.format] }}' border="0" width="16px" height="16px"/>
                     {{ 'General_Download'|translate }}
                 </a>
             </td>
             <td style="text-align: center;padding-top:2px;">
-                <button ng-click="manageScheduledReport.editReport({{ report.idreport }})"
+                <button ng-click="manageScheduledReport.editReport({{ report.idreport|json_encode }})"
                         class="table-action" title="{{ 'General_Edit'|translate|e('html_attr') }}">
                     <span class="icon-edit"></span>
                 </button>
             </td>
             <td style="text-align: center;padding-top:2px;">
-                <button ng-click="manageScheduledReport.deleteReport({{ report.idreport }})"
+                <button ng-click="manageScheduledReport.deleteReport({{ report.idreport|json_encode }})"
                         class="table-action" title="{{ 'General_Delete'|translate|e('html_attr') }}">
                     <span class="icon-delete"></span>
                 </button>