- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)

CHANGELOG

@@ -12,7 +12,9 @@ CHANGELOG Roundcube Webmail
 - Add option do bind for an individual LDAP address book (#1486997)
 - Change reply prefix to display email address only if sender name doesn't exist (#1486550)
 - Fix charset replacement in HTML message bodies (#1487021)
-- Plugin API: improved 'abort' flag handling, added 'result' item in some hooks (#1486914) 
+- Plugin API: improved 'abort' flag handling, added 'result' item in some hooks (#1486914)
+- Fix: contact group input is empty when using rename action more than once on the same group record
+- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
 
 RELEASE 0.4.1
 -------------

index.php

@@ -141,22 +141,6 @@ else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action !=
   }
 }
 
-// don't check for valid request tokens in these actions
-$request_check_whitelist = array('login'=>1, 'spell'=>1);
-
-// check client X-header to verify request origin
-if ($OUTPUT->ajax_call) {
-  if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !empty($RCMAIL->user->ID)) {
-    header('HTTP/1.1 404 Not Found');
-    die("Invalid Request");
-  }
-}
-// check request token in POST form submissions
-else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
-  $OUTPUT->show_message('invalidrequest', 'error');
-  $OUTPUT->send($RCMAIL->task);
-}
-
 // not logged in -> show login page
 if (empty($RCMAIL->user->ID)) {
   if ($OUTPUT->ajax_call)
@@ -176,17 +160,37 @@ if (empty($RCMAIL->user->ID)) {
       )
     );
   }
-  
+
   $OUTPUT->set_env('task', 'login');
   $OUTPUT->send('login');
 }
+// CSRF prevention
+else {
+  // don't check for valid request tokens in these actions
+  $request_check_whitelist = array('login'=>1, 'spell'=>1);
+
+  // check client X-header to verify request origin
+  if ($OUTPUT->ajax_call) {
+    if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+      header('HTTP/1.1 404 Not Found');
+      die("Invalid Request");
+    }
+  }
+  // check request token in POST form submissions
+  else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
+    $OUTPUT->show_message('invalidrequest', 'error');
+    $OUTPUT->send($RCMAIL->task);
+  }
+}
 
-
-// handle keep-alive signal
+// handle special actions
 if ($RCMAIL->action == 'keep-alive') {
   $OUTPUT->reset();
   $OUTPUT->send();
 }
+else if ($RCMAIL->action == 'save-pref') {
+  include 'steps/utils/save_pref.inc';
+}
 
 
 // map task/action to a certain include file

program/js/app.js

@@ -1294,7 +1294,7 @@ function rcube_webmail()
       }
     }
 
-    this.http_post('utils/save-pref', '_name=collapsed_folders&_value='+urlencode(this.env.collapsed_folders));
+    this.http_post('save-pref', '_name=collapsed_folders&_value='+urlencode(this.env.collapsed_folders));
     this.set_unread_count_display(id, false);
   };
 
@@ -1465,7 +1465,7 @@ function rcube_webmail()
     if ((found = $.inArray('subject', this.env.coltypes)) >= 0)
       this.set_env('subject_col', found);
 
-    this.http_post('utils/save-pref', { '_name':'list_cols', '_value':this.env.coltypes, '_session':'list_attrib/columns' });
+    this.http_post('save-pref', { '_name':'list_cols', '_value':this.env.coltypes, '_session':'list_attrib/columns' });
   };
 
   this.check_droptarget = function(id)

skins/default/functions.js

@@ -287,7 +287,7 @@ switch_preview_pane: function(elem)
     rcmail.env.contentframe = null;
     rcmail.show_contentframe(false);
   }
-  rcmail.http_post('utils/save-pref', '_name=preview_pane&_value='+(elem.checked?1:0));
+  rcmail.http_post('save-pref', '_name=preview_pane&_value='+(elem.checked?1:0));
 },
 
 /* Message composing */