Admin panel: Pages csrf

2025-04-30 11:19:21 +02:00 · 2023-11-11 07:37:21 +01:00 · 2023-11-11 07:37:21 +01:00 · 13e6eb5666
commit 13e6eb5666
parent 56306dfb0a
4 changed files with 198 additions and 168 deletions
--- a/admin/pages/pages.php
+++ b/admin/pages/pages.php
@ -9,11 +9,14 @@
 */

 use MyAAC\Models\Pages as ModelsPages;
+use MyAAC\Admin\Pages;

 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Pages';
 $use_datatable = true;

+csrfProtect();
+
 if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 	echo 'Access denied.';
 	return;
@ -29,31 +32,37 @@ $enable_tinymce = true;
 $access = 0;

 // some constants, used mainly by database (cannot by modified without schema changes)
-define('PAGE_TITLE_LIMIT', 30);
-define('PAGE_NAME_LIMIT', 30);
-define('PAGE_BODY_LIMIT', 65535); // maximum page body length
+const PAGE_TITLE_LIMIT = 30;
+const PAGE_NAME_LIMIT = 30;
+const PAGE_BODY_LIMIT = 65535; // maximum page body length

+$action = $_POST['action'] ?? '';
 if (!empty($action)) {
-	if ($action == 'delete' || $action == 'edit' || $action == 'hide')
-		$id = $_REQUEST['id'];
-
-	if (isset($_REQUEST['name']))
-		$name = $_REQUEST['name'];
-
-	if (isset($_REQUEST['title']))
-		$p_title = $_REQUEST['title'];
-
-	$php = isset($_REQUEST['php']) && $_REQUEST['php'] == 1;
-	$enable_tinymce = isset($_REQUEST['enable_tinymce']) && $_REQUEST['enable_tinymce'] == 1;
-	if ($php)
-		$body = $_REQUEST['body'];
-	else if (isset($_REQUEST['body'])) {
-		//$body = $_REQUEST['body'];
-		$body = html_entity_decode(stripslashes($_REQUEST['body']));
+	if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
+		$id = $_POST['id'];
 	}

-	if (isset($_REQUEST['access']))
-		$access = $_REQUEST['access'];
+	if (isset($_POST['name'])) {
+		$name = $_POST['name'];
+	}
+
+	if (isset($_POST['title'])) {
+		$p_title = $_POST['title'];
+	}
+
+	$php = isset($_POST['php']) && $_POST['php'] == 1;
+	$enable_tinymce = isset($_POST['enable_tinymce']) && $_POST['enable_tinymce'] == 1;
+	if ($php) {
+		$body = $_POST['body'];
+	}
+	else if (isset($_POST['body'])) {
+		//$body = $_POST['body'];
+		$body = html_entity_decode(stripslashes($_POST['body']));
+	}
+
+	if (isset($_POST['access'])) {
+		$access = $_POST['access'];
+	}

 	$errors = array();
 	$player_id = 1;
@ -70,7 +79,7 @@ if (!empty($action)) {
 		if (Pages::delete($id, $errors))
 			success('Page with id ' . $id . ' has been deleted');
 	} else if ($action == 'edit') {
-		if (isset($id) && !isset($_REQUEST['name'])) {
+		if (isset($id) && !isset($_POST['name'])) {
 			$_page = Pages::get($id);
 			$name = $_page['name'];
 			$p_title = $_page['title'];
@ -90,7 +99,7 @@ if (!empty($action)) {
 		}
 	} else if ($action == 'hide') {
 		if (Pages::toggleHidden($id, $errors, $status)) {
-			success(($status == 1 ? 'Show' : 'Hide') . ' successful.');
+			success(($status == 0 ? 'Show' : 'Hide') . ' successful.');
 		}
 	}

@ -108,7 +117,7 @@ $pages = ModelsPages::all()->map(function ($e) {
 	];
 })->toArray();

-$twig->display('admin.pages.form.html.twig', array(
+$twig->display('admin.pages.form.html.twig', [
 	'action' => $action,
 	'id' => $action == 'edit' ? $id : null,
 	'name' => $name,
@ -118,138 +127,8 @@ $twig->display('admin.pages.form.html.twig', array(
 	'body' => isset($body) ? escapeHtml($body) : '',
 	'groups' => $groups->getGroups(),
 	'access' => $access
-));
+]);

-$twig->display('admin.pages.html.twig', array(
+$twig->display('admin.pages.html.twig', [
 	'pages' => $pages
-));
-
-class Pages
-{
-	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!isset($title[0]) || !isset($body[0])) {
-			$errors[] = 'Please fill all inputs.';
-			return false;
-		}
-		if(strlen($name) > PAGE_NAME_LIMIT) {
-			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
-			return false;
-		}
-		if(strlen($title) > PAGE_TITLE_LIMIT) {
-			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
-			return false;
-		}
-		if(strlen($body) > PAGE_BODY_LIMIT) {
-			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
-			return false;
-		}
-		if(!isset($player_id) || $player_id == 0) {
-			$errors[] = 'Player ID is wrong.';
-			return false;
-		}
-		if(!isset($php) || ($php != 0 && $php != 1)) {
-			$errors[] = 'Enable PHP is wrong.';
-			return false;
-		}
-		if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
-			$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
-			return false;
-		}
-		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
-			$errors[] = 'Enable TinyMCE is wrong.';
-			return false;
-		}
-		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
-			$errors[] = 'Access is wrong.';
-			return false;
-		}
-
-		return true;
-	}
-
-	static public function get($id)
-	{
-		$row = ModelsPages::find($id);
-		if ($row) {
-			return $row->toArray();
-		}
-
-		return false;
-	}
-
-	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
-			return false;
-		}
-
-		if (!ModelsPages::where('name', $name)->exists())
-			ModelsPages::create([
-				'name' => $name,
-				'title' => $title,
-				'body' => $body,
-				'player_id' => $player_id,
-				'php' => $php ? '1' : '0',
-				'enable_tinymce' => $enable_tinymce ? '1' : '0',
-				'access' => $access
 ]);
-		else
-			$errors[] = 'Page with this link already exists.';
-
-		return !count($errors);
-	}
-
-	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
-	{
-		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
-			return false;
-		}
-
-		ModelsPages::where('id', $id)->update([
-			'name' => $name,
-			'title' => $title,
-			'body' => $body,
-			'player_id' => $player_id,
-			'php' => $php ? '1' : '0',
-			'enable_tinymce' => $enable_tinymce ? '1' : '0',
-			'access' => $access
-		]);
-		return true;
-	}
-
-	static public function delete($id, &$errors)
-	{
-		if (isset($id)) {
-			$row = ModelsPages::find($id);
-			if ($row) {
-				$row->delete();
-			}
-			else
-				$errors[] = 'Page with id ' . $id . ' does not exists.';
-		} else
-			$errors[] = 'id not set';
-
-		return !count($errors);
-	}
-
-	static public function toggleHidden($id, &$errors, &$status)
-	{
-		if (isset($id)) {
-			$row = ModelsPages::find($id);
-			if ($row) {
-				$row->hidden = $row->hidden == 1 ? 0 : 1;
-				if (!$row->save()) {
-					$errors[] = 'Fail during toggle hidden Page.';
-				}
-				$status = $row->hidden;
-			}
-			else {
-				$errors[] = 'Page with id ' . $id . ' does not exists.';
-			}
-		} else
-			$errors[] = 'id not set';
-
-		return !count($errors);
-	}
-}
--- a/system/src/Admin/Pages.php
+++ b/system/src/Admin/Pages.php
@ -0,0 +1,134 @@
+<?php
+namespace MyAAC\Admin;
+
+use MyAAC\Models\Pages as ModelsPages;
+
+class Pages
+{
+	static public function verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!isset($title[0]) || !isset($body[0])) {
+			$errors[] = 'Please fill all inputs.';
+			return false;
+		}
+		if(strlen($name) > PAGE_NAME_LIMIT) {
+			$errors[] = 'Page name cannot be longer than ' . PAGE_NAME_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($title) > PAGE_TITLE_LIMIT) {
+			$errors[] = 'Page title cannot be longer than ' . PAGE_TITLE_LIMIT . ' characters.';
+			return false;
+		}
+		if(strlen($body) > PAGE_BODY_LIMIT) {
+			$errors[] = 'Page content cannot be longer than ' . PAGE_BODY_LIMIT . ' characters.';
+			return false;
+		}
+		if(!isset($player_id) || $player_id == 0) {
+			$errors[] = 'Player ID is wrong.';
+			return false;
+		}
+		if(!isset($php) || ($php != 0 && $php != 1)) {
+			$errors[] = 'Enable PHP is wrong.';
+			return false;
+		}
+		if ($php == 1 && !getBoolean(setting('core.admin_pages_php_enable'))) {
+			$errors[] = 'PHP pages disabled on this server. To enable go to Settings in Admin Panel and enable <strong>Enable PHP Pages</strong>.';
+			return false;
+		}
+		if(!isset($enable_tinymce) || ($enable_tinymce != 0 && $enable_tinymce != 1)) {
+			$errors[] = 'Enable TinyMCE is wrong.';
+			return false;
+		}
+		if(!isset($access) || $access < 0 || $access > PHP_INT_MAX) {
+			$errors[] = 'Access is wrong.';
+			return false;
+		}
+
+		return true;
+	}
+
+	static public function get($id)
+	{
+		$row = ModelsPages::find($id);
+		if ($row) {
+			return $row->toArray();
+		}
+
+		return false;
+	}
+
+	static public function add($name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
+		if (!ModelsPages::where('name', $name)->exists())
+			ModelsPages::create([
+				'name' => $name,
+				'title' => $title,
+				'body' => $body,
+				'player_id' => $player_id,
+				'php' => $php ? '1' : '0',
+				'enable_tinymce' => $enable_tinymce ? '1' : '0',
+				'access' => $access
+			]);
+		else
+			$errors[] = 'Page with this link already exists.';
+
+		return !count($errors);
+	}
+
+	static public function update($id, $name, $title, $body, $player_id, $php, $enable_tinymce, $access, &$errors)
+	{
+		if(!self::verify($name, $title, $body, $player_id, $php, $enable_tinymce, $access, $errors)) {
+			return false;
+		}
+
+		ModelsPages::where('id', $id)->update([
+			'name' => $name,
+			'title' => $title,
+			'body' => $body,
+			'player_id' => $player_id,
+			'php' => $php ? '1' : '0',
+			'enable_tinymce' => $enable_tinymce ? '1' : '0',
+			'access' => $access
+		]);
+		return true;
+	}
+
+	static public function delete($id, &$errors)
+	{
+		if (isset($id)) {
+			$row = ModelsPages::find($id);
+			if ($row) {
+				$row->delete();
+			}
+			else
+				$errors[] = 'Page with id ' . $id . ' does not exists.';
+		} else
+			$errors[] = 'id not set';
+
+		return !count($errors);
+	}
+
+	static public function toggleHidden($id, &$errors, &$status)
+	{
+		if (isset($id)) {
+			$row = ModelsPages::find($id);
+			if ($row) {
+				$row->hidden = $row->hidden == 1 ? 0 : 1;
+				if (!$row->save()) {
+					$errors[] = 'Fail during toggle hidden Page.';
+				}
+				$status = $row->hidden;
+			}
+			else {
+				$errors[] = 'Page with id ' . $id . ' does not exists.';
+			}
+		} else
+			$errors[] = 'id not set';
+
+		return !count($errors);
+	}
+}
--- a/system/templates/admin.pages.form.html.twig
+++ b/system/templates/admin.pages.form.html.twig
@ -3,8 +3,9 @@
 		<div class="card-header">
 			<h5 class="m-0">{% if action == 'edit' %}Edit{% else %}Add{% endif %} page</h5>
 		</div>
-		<form id="form" class="form-horizontal" method="post" action="?p=pages&action={% if action == 'edit' %}edit{% else %}new{% endif %}">
+		<form id="form" class="form-horizontal" method="post">
 			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action }}" />
 			{% if action == 'edit' %}
 				<input type="hidden" name="id" value="{{ id }}"/>
 			{% endif %}
--- a/system/templates/admin.pages.html.twig
+++ b/system/templates/admin.pages.html.twig
@ -1,7 +1,12 @@
 <div class="card card-info card-outline">
 	<div class="card-header">
 		<h5 class="m-0">Pages
-			<a href="?p=pages&action=new" class="float-right"><span class="btn btn-sm btn-success">New</span></a></h5>
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
+		</h5>
 	</div>
 	<div class="card-body">
 		<table class="table table-striped table-bordered table-responsive d-md-table" id="tb_pages">
@ -21,15 +26,26 @@
 					<td>{% if page.php %}Yes{% else %}No{% endif %}</td>
 					<td>
 						<div class="btn-group">
-							<a href="?p=pages&action=edit&id={{ page.id }}" class="btn btn-success btn-sm" title="Edit">
-								<i class="fas fa-pencil-alt"></i>
-							</a>
-							<a href="?p=pages&action=delete&id={{ page.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-								<i class="fas fa-trash"></i>
-							</a>
-							<a href="?p=pages&action=hide&id={{ page.id }}" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}">
-								<i class="fas fa-eye{{ (page.hidden != 1) ? '' : '-slash' }}"></i>
-							</a>
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="edit" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="delete" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
+							</form>
+
+							<form method="post">
+								{{ csrf() }}
+								<input type="hidden" name="action" value="hide" />
+								<input type="hidden" name="id" value="{{ page.id }}" />
+								<button type="submit" class="btn btn-{{ (page.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if page.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
+							</form>
 						</div>
 					</td>
 				</tr>