MNT-17427 : api/invite/cancel deletes records in the database with a GET: CSRF/XSS attack

- delete the script/org/alfresco/repository/invite/invite.get
   - use the alternatives: script/org/alfresco/repository/site/invitation/invitation.post and script/org/alfresco/repository/site/invitation/invitation.delete
   - updating the tests
   - updating the controller for the invitation.delete to a java controller
   - fix test fallout (SiteServiceTest testInviteDisabledUser - expected error status code)
   - improve security by allowing only invitationIDs that belong to the site passed as parameter to be canceled
   - be consistent and return 404 when an invitationID cannot be found

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@135255 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Andrei Rebegea
2017-02-20 09:04:45 +00:00
parent 41516285f4
commit cc9876de74

@@ -90,6 +90,10 @@ public class ScriptNominatedInvitation extends ScriptInvitation<NominatedInvita
public String getSentInviteDateAsISO8601()
{
return ISO8601DateFormat.format(getSentInviteDate());
}
public String getInviteTicket()
{
return getInvitation().getTicket();
}
}
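
Review bot: The new public getInviteTicket() accessor hands the invitation's ticket to any script or template that holds a ScriptNominatedInvitation, and nothing in the hunk documents when that is intended. Since this commit is about tightening who may cancel an invitation, please add Javadoc stating what the ticket is used for and which responses are expected to render it, and confirm that the templates reading this property are only served to callers authorized for the invitation's site. The neighbouring getSentInviteDateAsISO8601() returns non-sensitive data, so the same "expose everything as a bean property" pattern should not be assumed safe here without that check.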