PropertyTableSortForm: Don't use ipl`s CSRF counter measure (#2937)

It's incompatible with gipfl`s…

fixes #2935

Author: lippserd

library/Director/Web/Form/PropertyTableSortForm.php

@@ -2,15 +2,13 @@
 
 namespace Icinga\Module\Director\Web\Form;
 
-use Icinga\Web\Session;
+use ipl\Html\Contract\FormElement;
 use ipl\Html\Form;
+use ipl\Html\FormElement\HiddenElement;
 use ipl\Html\ValidHtml;
-use ipl\Web\Common\CsrfCounterMeasure;
 
 class PropertyTableSortForm extends Form
 {
-    use CsrfCounterMeasure;
-
     protected $method = 'POST';
 
     /** @var string Name of the form */
@@ -28,7 +26,38 @@ public function __construct(string $name, ValidHtml $table)
     protected function assemble()
     {
         $this->addElement('hidden', '__FORM_NAME', ['value' => $this->name]);
-        $this->addElement($this->createCsrfCounterMeasure(Session::getSession()->getId()));
+        $this->addElement($this->createCsrfCounterMeasure());
         $this->addHtml($this->table);
     }
+
+    /**
+     * Create a form element to countermeasure CSRF attacks
+     *
+     * @return FormElement
+     */
+    protected function createCsrfCounterMeasure(): FormElement
+    {
+        $token = CsrfToken::generate();
+
+        $options = [
+            'ignore'        => true,
+            'required'      => true,
+            'validators'    => ['Callback' => function ($token) {
+                return CsrfToken::isValid($token);
+            }]
+        ];
+
+        $element = new class (QuickForm::CSRF, $options) extends HiddenElement {
+            public function hasValue(): bool
+            {
+                return true; // The validator must run even if the value is empty
+            }
+        };
+
+        $element->getAttributes()->registerAttributeCallback('value', function () use ($token) {
+            return $token;
+        });
+
+        return $element;
+    }
 }

library/Director/Web/Table/PropertymodifierTable.php

@@ -12,6 +12,7 @@
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use gipfl\IcingaWeb2\Url;
 use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use Icinga\Module\Director\Web\Form\QuickForm;
 use ipl\Html\Form;
 use ipl\Html\HtmlString;
 
@@ -59,7 +60,7 @@ public function render()
         return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
             ->setAction($this->request->getUrl()->getAbsoluteUrl())
             ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
-                $csrf = $form->getElement('CSRFToken');
+                $csrf = $form->getElement(QuickForm::CSRF);
                 if ($csrf !== null && $csrf->isValid()) {
                     $this->reallyHandleSortPriorityActions();
                 }

library/Director/Web/Table/SyncpropertyTable.php

@@ -8,6 +8,7 @@
 use gipfl\IcingaWeb2\Table\Extension\ZfSortablePriority;
 use gipfl\IcingaWeb2\Table\ZfQueryBasedTable;
 use Icinga\Module\Director\Web\Form\PropertyTableSortForm;
+use Icinga\Module\Director\Web\Form\QuickForm;
 use ipl\Html\Form;
 use ipl\Html\HtmlString;
 
@@ -44,7 +45,7 @@ public function render()
         return (new PropertyTableSortForm($this->getUniqueFormName(), new HtmlString(parent::render())))
             ->setAction($this->request->getUrl()->getAbsoluteUrl())
             ->on(Form::ON_SENT, function (PropertyTableSortForm $form) {
-                $csrf = $form->getElement('CSRFToken');
+                $csrf = $form->getElement(QuickForm::CSRF);
                 if ($csrf !== null && $csrf->isValid()) {
                     $this->reallyHandleSortPriorityActions();
                 }