feature: csrf protection

2025-10-16 10:44:55 +02:00 · 2023-09-16 09:23:51 +02:00
parent 046c0b5cf4
commit 0e33fd103c
72 changed files with 332 additions and 39 deletions
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -13,6 +13,9 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');

 $title = 'Account editor';
+
+csrfProtect();
+
 $admin_base = ADMIN_URL . '?p=accounts';
 $use_datatable = true;

@@ -289,6 +292,7 @@ else if (isset($_REQUEST['search'])) {
 					<div class="tab-content" id="accounts-tabContent">
 						<div class="tab-pane fade active show" id="accounts-acc">
 							<form action="<?php echo $admin_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+								<?php csrf(); ?>
 								<div class="form-group row">
 									<?php if (USE_ACCOUNT_NAME): ?>
 										<div class="col-12 col-sm-12 col-lg-4">
@@ -581,6 +585,7 @@ else if (isset($_REQUEST['search'])) {
 				<div class="row">
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
 							<label for="name">Account Name:</label>
 							<div class="input-group input-group-sm">
 								<input type="text" class="form-control" name="search" value="<?php echo $search_account; ?>" maxlength="32" size="32">
@@ -590,6 +595,7 @@ else if (isset($_REQUEST['search'])) {
 					</div>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
+							<?php csrf(); ?>
 							<label for="name">Account ID:</label>
 							<div class="input-group input-group-sm">
 								<input type="text" class="form-control" name="id" value="" maxlength="32" size="32">
--- a/admin/pages/changelog.php
+++ b/admin/pages/changelog.php
@@ -13,12 +13,15 @@ use MyAAC\Models\Changelog as ModelsChangelog;

 defined('MYAAC') or die('Direct access not allowed!');

+$title = 'Changelog';
+
+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
 }

-$title = 'Changelog';
 $use_datatable = true;
 const CL_LIMIT = 600; // maximum changelog body length
 ?>
--- a/admin/pages/dashboard.php
+++ b/admin/pages/dashboard.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Dashboard';

+csrfProtect();
+
 if (isset($_GET['clear_cache'])) {
 	if (clearCache()) {
 		success('Cache cleared.');
--- a/admin/pages/login.php
+++ b/admin/pages/login.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Login';

+csrfProtect();
+
 require PAGES . 'account/login.php';
 if ($logged) {
 	header('Location: ' . (admin() ? ADMIN_URL : BASE_URL));
--- a/admin/pages/mailer.php
+++ b/admin/pages/mailer.php
@@ -10,6 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Mailer';

+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MAILER) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
--- a/admin/pages/mass_account.php
+++ b/admin/pages/mass_account.php
@@ -16,6 +16,8 @@ defined('MYAAC') or die('Direct access not allowed!');

 $title = 'Mass Account Actions';

+csrfProtect();
+
 $hasCoinsColumn = $db->hasColumn('accounts', 'coins');
 $hasPointsColumn = $db->hasColumn('accounts', 'premium_points');
 $freePremium = $config['lua']['freePremium'];
--- a/admin/pages/mass_teleport.php
+++ b/admin/pages/mass_teleport.php
@@ -16,6 +16,8 @@ defined('MYAAC') or die('Direct access not allowed!');

 $title = 'Mass Teleport Actions';

+csrfProtect();
+
 function admin_teleport_position($x, $y, $z) {
 	if (!Player::query()->update([
 		'posx' => $x, 'posy' => $y, 'posz' => $z
--- a/admin/pages/menus.php
+++ b/admin/pages/menus.php
@@ -13,6 +13,8 @@ use MyAAC\Models\Menu;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Menus';

+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_MENUS) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@@ -93,6 +95,7 @@ if (isset($_REQUEST['template'])) {
 		</p>
 		<?php if (isset($config['menu_default_color'])) {?>
 		<form method="post" action="?p=menus&reset_colors" onsubmit="return confirm('Do you really want to reset colors?');">
+			<?php csrf(); ?>
 			<input type="hidden" name="template" value="<?php echo $template ?>"/>
 			<button type="submit" class="btn btn-danger">Reset Colors to default</button>
 		</form>
@@ -112,6 +115,7 @@ if (isset($_REQUEST['template'])) {
 	$last_id = array();
 	?>
 	<form method="post" id="menus-form" action="?p=menus">
+		<?php csrf(); ?>
 		<input type="hidden" name="template" value="<?php echo $template ?>"/>
 		<button type="submit" class="btn btn-info">Save</button><br/><br/>
 		<div class="row">
--- a/admin/pages/modules/templates/web_status.twig
+++ b/admin/pages/modules/templates/web_status.twig
@@ -1,6 +1,7 @@
 <div class="col-12 col-md-6">
 	<div class="card card-warning card-outline">
 		<form action="?p=dashboard&maintenance" method="post" class="form-horizontal">
+			{{ csrf() }}
 			<div class="card-header">
 				<span class="m-0">Website Status<span class="float-right">
 				<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
--- a/admin/pages/news.php
+++ b/admin/pages/news.php
@@ -9,12 +9,15 @@
 */
 defined('MYAAC') or die('Direct access not allowed!');

+$title = 'News Panel';
+
+csrfProtect();
+
+$use_datatable = true;
+
 require_once LIBS . 'forum.php';
 require_once LIBS . 'news.php';

-$title = 'News Panel';
-$use_datatable = true;
-
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
--- a/admin/pages/notepad.php
+++ b/admin/pages/notepad.php
@@ -13,6 +13,8 @@ use MyAAC\Models\Notepad as ModelsNotepad;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Notepad';

+csrfProtect();
+
 /**
 * @var $account_logged OTS_Account
 */
--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -13,6 +13,9 @@ use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');

 $title = 'Player editor';
+
+csrfProtect();
+
 $player_base = ADMIN_URL . '?p=players';

 $use_datatable = true;
@@ -373,6 +376,7 @@ else if (isset($_REQUEST['search'])) {
 					</ul>
 				</div>
 				<form action="<?php echo $player_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
+					<?php csrf(); ?>
 					<div class="card-body">
 						<div class="tab-content" id="tabs-tabContent">
 							<div class="tab-pane fade active show" id="tabs-home">
@@ -870,6 +874,7 @@ else if (isset($_REQUEST['search'])) {
 			<div class="card-body row">
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
+						<?php csrf(); ?>
 						<label for="name">Player Name:</label>
 						<div class="input-group input-group-sm">
 							<input type="text" class="form-control" name="search" value="<?php echo $search_player; ?>" maxlength="32" size="32">
@@ -879,6 +884,7 @@ else if (isset($_REQUEST['search'])) {
 				</div>
 				<div class="col-6 col-lg-12">
 					<form action="<?php echo $player_base; ?>" method="post">
+						<?php csrf(); ?>
 						<label for="name">Player ID:</label>
 						<div class="input-group input-group-sm">
 							<input type="text" class="form-control" name="id" value="" maxlength="32" size="32">
--- a/admin/pages/plugins.php
+++ b/admin/pages/plugins.php
@@ -9,6 +9,9 @@
 */
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Plugin manager';
+
+csrfProtect();
+
 $use_datatable = true;

 require_once LIBS . 'plugins.php';
--- a/admin/tools/settings_save.php
+++ b/admin/tools/settings_save.php
@@ -16,6 +16,8 @@ if(!admin()) {
 	die('Access denied.');
 }

+csrfProtect();
+
 if (!isset($_REQUEST['plugin'])) {
 	http_response_code(500);
 	die('Please enter plugin name.');