diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php index b4a6e5ed346..931a97f8aba 100644 --- a/src/CoreBundle/Controller/AccountController.php +++ b/src/CoreBundle/Controller/AccountController.php @@ -92,9 +92,14 @@ public function edit( return new RedirectResponse($url); } + // Legacy Chamilo CSRF token (sec_token) used by old endpoints (extra fields/tags, etc). + // This prevents "CSRF error" warnings from legacy flows while the Symfony form still saves correctly. + $legacyToken = Security::get_token(); + return $this->render('@ChamiloCore/Account/edit.html.twig', [ 'form' => $form->createView(), 'user' => $user, + 'legacy_token' => $legacyToken, ]); } diff --git a/src/CoreBundle/Form/ProfileType.php b/src/CoreBundle/Form/ProfileType.php index 3cd513218b9..61ca04304b7 100644 --- a/src/CoreBundle/Form/ProfileType.php +++ b/src/CoreBundle/Form/ProfileType.php @@ -76,6 +76,9 @@ public function buildForm(FormBuilderInterface $builder, array $options): void $editableHigh = $expand(\is_array($changeableOptions) ? $changeableOptions : []); $languages = array_flip($this->languageRepository->getAllAvailableToArray(true, true)); + $ignoredKeys = [ + 'theme', + ]; // Core fields map (keys must align with settings keys) $fieldsMap = [ @@ -117,6 +120,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void ], ], ], + // Timezone will be added below if visible (fine JSON or fallback) 'timezone' => [ 'field' => 'timezone', @@ -140,7 +144,10 @@ public function buildForm(FormBuilderInterface $builder, array $options): void // Visibility (core): // Strict when $hasFine: only keys present in $fieldsVisibility are visible. // Otherwise, fallback to visible_options. - $isCoreVisible = function (string $key) use ($fieldsVisibility, $visibleHigh, $hasFine): bool { + $isCoreVisible = function (string $key) use ($fieldsVisibility, $visibleHigh, $hasFine, $ignoredKeys): bool { + if (\in_array($key, $ignoredKeys, true)) { + return false; + } if ($hasFine) { return \array_key_exists($key, $fieldsVisibility); } @@ -150,7 +157,10 @@ public function buildForm(FormBuilderInterface $builder, array $options): void // Editability (core): // If key is in fine JSON, its boolean decides; otherwise fallback to changeable_options. - $isCoreEditable = function (string $key) use ($fieldsVisibility, $editableHigh): bool { + $isCoreEditable = function (string $key) use ($fieldsVisibility, $editableHigh, $ignoredKeys): bool { + if (\in_array($key, $ignoredKeys, true)) { + return false; + } if (\array_key_exists($key, $fieldsVisibility)) { return (bool) $fieldsVisibility[$key]; } @@ -221,6 +231,9 @@ public function buildForm(FormBuilderInterface $builder, array $options): void if ($hasFine) { // Strict: only extras listed in fine JSON foreach ($fieldsVisibility as $key => $bool) { + if (\in_array($key, $ignoredKeys, true)) { + continue; + } if (!\in_array($key, $coreKeys, true)) { $extraAllowlist[] = $key; // visible $extraEditableMap[$key] = (bool) $bool; // editable diff --git a/src/CoreBundle/Resources/views/Account/edit.html.twig b/src/CoreBundle/Resources/views/Account/edit.html.twig index ccd553497bc..c13b04a4fb3 100644 --- a/src/CoreBundle/Resources/views/Account/edit.html.twig +++ b/src/CoreBundle/Resources/views/Account/edit.html.twig @@ -7,9 +7,14 @@ document.addEventListener("DOMContentLoaded", function () { $('.select2_user_rel_tag').each(function(i, obj) { let fieldId = '&field_id=' + $(this).attr('data.field_id'); + + // Legacy CSRF token for old Chamilo AJAX endpoints. + // This prevents "CSRF error" warnings coming from legacy token checks. + let legacyToken = '&sec_token={{ legacy_token }}'; + $(this).select2({ ajax: { - url: '/main/inc/ajax/extra_field.ajax.php?{{ { 'name' : '', 'a': 'search_tags', 'type': 'user'}|url_encode }}' + fieldId, + url: '/main/inc/ajax/extra_field.ajax.php?{{ { 'name' : '', 'a': 'search_tags', 'type': 'user'}|url_encode }}' + fieldId + legacyToken, processResults: function (data) { return { results: data.items } } }, cache: false, @@ -28,7 +33,7 @@ $(this).on('select2:unselect', function (e) { let fieldId = '&tag_id=' + e.params.data.element.dataset.id; $.ajax({ - url: '/main/inc/ajax/extra_field.ajax.php?{{ { 'a': 'delete_tag', 'type': 'user'}|url_encode }}' + fieldId, + url: '/main/inc/ajax/extra_field.ajax.php?{{ { 'a': 'delete_tag', 'type': 'user'}|url_encode }}' + fieldId + legacyToken, success: function(data) {} }); }); @@ -49,6 +54,8 @@
{{ form_start(form, { 'action': path('chamilo_core_account_edit'), 'attr': { 'class': 'edit' } }) }} + {# Legacy Chamilo CSRF token used by old token checks (sec_token). #} + {{ form_widget(form, {'attr': {'class': 'flex flex-col gap-4'}}) }}
@@ -58,9 +65,9 @@
- {# Flatpickr JS desde /build #} + {# Flatpickr JS from /build #} - {# (Opcional) Localización, si quieres: #} + {# Optional locale example: #}