Merge pull request #6145 from Countly/ar2rsawseen/master

ar2rsawseen · web-flow · commit 29a6642963e4 · 2025-04-16T11:55:43.000+03:00
[email-reports] fix exposing auth token
diff --git a/plugins/reports/frontend/public/javascripts/countly.views.js b/plugins/reports/frontend/public/javascripts/countly.views.js
@@ -97,8 +97,9 @@
                     });
                     break;
                 case "preview-comment":
-                    var url = '/i/reports/preview?auth_token=' + countlyGlobal.auth_token + '&args=' + JSON.stringify({_id: scope.row._id}) + "&app_id=" + countlyCommon.ACTIVE_APP_ID;
-                    window.open(url, "_blank");
+                    document.forms.previewemailform.action = '/i/reports/preview?args=' + JSON.stringify({_id: scope.row._id}) + "&app_id=" + countlyCommon.ACTIVE_APP_ID;
+                    document.forms.previewemailform.querySelectorAll('input[type=hidden]')[0].value = countlyGlobal.auth_token;
+                    document.forms.previewemailform.submit();
                     break;
                 default:
                     return;
diff --git a/plugins/reports/frontend/public/templates/vue-main.html b/plugins/reports/frontend/public/templates/vue-main.html
@@ -94,6 +94,9 @@
                         <el-dropdown-item  icon="el-icon-position" command="send-comment">
                             Send Now
                         </el-dropdown-item>
+                        <form name="previewemailform" method="post" target="_blank">
+                            <input type="hidden" name="auth_token">
+                        </form>
                         <el-dropdown-item  icon="el-icon-chat-dot-square" command="preview-comment">
                             Preview
                         </el-dropdown-item>
