Fix: CSRF check failed (#54)

Rom1-B · web-flow · commit e68890f25afb · 2025-11-18T14:30:28.000+01:00
* Fix: CSRF check failed

* changelog

* fix
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,9 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [UNRELEASED]
+
+### Fixed
+
+- Avoids a CSRF check error if print is clicked multiple times
+- Fixes some SQL errors during export
+
 ## [4.1.1] - 2025-10-30
 
-## Fixed
+### Fixed
 
 - Fix error message `Unknown '__s' function`
 
diff --git a/front/export.php b/front/export.php
@@ -33,7 +33,6 @@
 /** @var array $PLUGIN_HOOKS */
 global $PLUGIN_HOOKS;
 
-define('GLPI_KEEP_CSRF_TOKEN', true); // 0.90
 $token = ($_POST['_glpi_csrf_token'] ?? false);
 
 Session::checkRight('plugin_pdf', READ);
diff --git a/inc/item_device.class.php b/inc/item_device.class.php
@@ -29,6 +29,7 @@
  *             http://www.gnu.org/licenses/agpl-3.0-standalone.html
  *  --------------------------------------------------------------------------
  */
+use Glpi\DBAL\QueryExpression;
 
 class PluginPdfItem_Device extends PluginPdfCommon
 {
@@ -69,15 +70,14 @@ public static function pdfForItem(PluginPdfSimplePDF $pdf, $item)
             $linktable       = $dbu->getTableForItemType($itemtype);
             $fk              = $dbu->getForeignKeyFieldForTable($dbu->getTableForItemType($associated_type));
 
-            $select_fields = ['COUNT(*) AS NB', 'id', $fk];
-            if ($specif_fields !== []) {
-                $select_fields = array_merge($select_fields, $specif_fields);
-            }
-
+            $select_fields = [new QueryExpression('COUNT(*) AS NB'), 'id', $fk];
             // Construction of the GROUP BY clause
             $group_by = [$fk];
-            if ($specif_fields !== []) {
-                $group_by = array_merge($group_by, $specif_fields);
+            foreach ($specif_fields as $field) {
+                if ($DB->fieldExists($linktable, $field)) {
+                    $select_fields[] = $field;
+                    $group_by[]      = $field;
+                }
             }
 
             $query_params = [
diff --git a/inc/item_softwareversion.class.php b/inc/item_softwareversion.class.php
@@ -498,19 +498,12 @@ public static function pdfForItem(PluginPdfSimplePDF $pdf, $item)
                 ],
                 'glpi_softwareversions' => [
                     'ON' => [
-                        'OR' => [
-                            [
-                                'glpi_softwarelicenses' => 'softwareversions_id_use',
-                                'glpi_softwareversions' => 'id',
-                            ],
-                            [
-                                'AND' => [
-                                    'glpi_softwarelicenses.softwareversions_id_use' => 0,
-                                    [
-                                        'glpi_softwarelicenses' => 'softwareversions_id_buy',
-                                        'glpi_softwareversions' => 'id',
-                                    ],
-                                ],
+                        'glpi_softwarelicenses' => 'softwareversions_id_use',
+                        'glpi_softwareversions' => 'id',
+                        [
+                            'OR' => [
+                                'glpi_softwarelicenses.softwareversions_id_use' => 0,
+                                'glpi_softwarelicenses.softwareversions_id_buy' => 'glpi_softwareversions.id',
                             ],
                         ],
                     ],
diff --git a/templates/preference_form.html.twig b/templates/preference_form.html.twig
@@ -206,5 +206,37 @@
         });
 
         updateSelectionCount(formId);
+
+        function refreshCsrfToken(formId) {
+            fetch(window.location.href, { credentials: 'same-origin' })
+                .then(r => r.text())
+                .then(html => {
+                    try {
+                        const newTokenInput = new DOMParser()
+                            .parseFromString(html, 'text/html')
+                            .querySelector('input[name="_glpi_csrf_token"]');
+                        if (!newTokenInput) return;
+
+                        const currentTokenInput = document.querySelector(`#${formId} input[name="_glpi_csrf_token"]`);
+                        if (currentTokenInput) {
+                            currentTokenInput.value = newTokenInput.value;
+                        }
+                    } catch (e) {
+                        // Ignore errors silently
+                    }
+                })
+                .catch(() => {
+                    // Ignore errors silently
+                });
+        }
+
+        // Schedule a CSRF token refresh after form submission
+        const form = document.getElementById(formId);
+        if (form) {
+            form.addEventListener('submit', () => {
+                // Delay to allow server-side AJAX handlers to complete; full navigation will reload everything
+                setTimeout(() => refreshCsrfToken(formId), 800);
+            });
+        }
     });
 </script>
