CSRF for extensions

[Wanabo]

Currently I use two extensions:
xExtension-CustomCSS
xExtension-ImageProxy

Problem 1:
With both extentions I cannot manage the extension. I only can enable or disable them.
Providing input in CustomCSS or ImageProxy and saving causes a direct log out with a warning message:

Error 403 - Forbidden

You don’t have permission to access this page [HTTP_REFERER=https://www.nieuwskop.nl/p/i/?c=extension]
← Go back to your RSS feeds

Problem 2:
xExtension-ImageProxy only works when logged in, not for guests. But especially for my guests I want to get rid of insecure content warnings. :(

[Alkarex]

We need to add a CSRF token to all extension forms, e.g. https://github.com/FreshRSS/Extensions/blob/master/xExtension-CustomCSS/configure.phtml

<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />

[Alkarex]

@Frenzie This is the issue you describe on #1198 (comment)

[Frenzie]

Ah, ok. I can take care of applying the simple fix to all extensions if you like.

Regarding the image proxy, I suppose a simple change to "type": "system" might do the trick?

[Alkarex]

That would be nice, @Frenzie 👍
I do not understand your suggestion with "type": "system"

[Frenzie]

@Wanabo complained that ImageProxy only works for logged in users, probably on a per-user basis to boot ("type": "user" in metadata.json; I should've specified that part). Would "type": "system" result in the desired behavior? The documentation is quiet under the relevant header. xD

http://doc.freshrss.org/fr/developers/03_Backend/05_Extensions/#fiche-technique-0001-ecriture-dextensions-pour-freshrss

[Alkarex]

Yes indeed, "type": "system" :-)

FreshRSS/app/Controllers/extensionController.php

Line 93 in 789d9fc

if ($ext->getType() === 'system' && FreshRSS_Auth::hasAccess('admin')) {

[Alkarex]

@Wanabo Could you please try again the new version of the extensions, which @Frenzie has kindly updated?