diff --git a/admin/pages/changelog.php b/admin/pages/changelog.php
index 5fbd1a09..40097e4e 100644
--- a/admin/pages/changelog.php
+++ b/admin/pages/changelog.php
@@ -28,7 +28,7 @@ const CL_LIMIT = 600; // maximum changelog body length
 $id = $_GET['id'] ?? 0;
-if(!empty($action))
+if(!empty($action) && isRequestMethod('post'))
 {
 $id = $_POST['id'] ?? null;
 $body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
diff --git a/admin/pages/mass_account.php b/admin/pages/mass_account.php
index 549310a5..dc921ac5 100644
--- a/admin/pages/mass_account.php
+++ b/admin/pages/mass_account.php
@@ -162,9 +162,9 @@ function admin_give_premdays($days)
 displayMessage('Premium Days not supported.');
 }
-if (isset($_POST['action']) && $_POST['action']) {
+if (!empty(ACTION) && isRequestMethod('post')) {
- $action = $_POST['action'];
+ $action = ACTION;
 if (preg_match("/[^A-z0-9_\-]/", $action)) {
 displayMessage('Invalid action.');
diff --git a/admin/pages/mass_teleport.php b/admin/pages/mass_teleport.php
index f2a7ee27..5264914d 100644
--- a/admin/pages/mass_teleport.php
+++ b/admin/pages/mass_teleport.php
@@ -40,9 +40,9 @@ function admin_teleport_town($town_id) {
 displayMessage('Player\'s town updated.', true);
 }
-if (isset($_POST['action']) && $_POST['action']) {
+if (!empty(ACTION) && isRequestMethod('post')) {
- $action = $_POST['action'];
+ $action = ACTION;
 if (preg_match("/[^A-z0-9_\-]/", $action)) {
 displayMessage('Invalid action.');
diff --git a/admin/pages/news.php b/admin/pages/news.php
index 654d29d9..9bcb2226 100644
--- a/admin/pages/news.php
+++ b/admin/pages/news.php
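Review bot: `!empty(ACTION) && isRequestMethod('post')` checks only the request method, not where the action value came from: the removed line read `$_POST['action']`, while `ACTION` is a constant whose definition is not in this diff, so if it is filled from `$_GET` or `$_REQUEST` a POST request can still supply the action through the query string, which the replaced line did not allow; the mass_teleport.php hunk has the same change. The unchanged next line validates `$action` with `"/[^A-z0-9_\-]/"`, and the range `A-z` also admits the six ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, `` ` ``); `"/[^A-Za-z0-9_\-]/"` is the class the 'Invalid action.' message implies. Gating on POST also means `isValidToken()` now applies to this handler, so the form posting here must emit `{{ csrf() }}`; the commit adds that for the teleport template, but no mass_account template change is visible in this diff, so confirm its form already carries the token. The `if` body continues past the end of the hunk.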
@@ -47,53 +47,50 @@ if(!empty($action))
 $forum_section = $_POST['forum_section'] ?? null;
 $errors = [];
- if($action == 'new') {
- if(isset($forum_section) && $forum_section != '-1') {
- $forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
- }
+ if (isRequestMethod('post')) {
+ if ($action == 'new') {
+ if (isset($forum_section) && $forum_section != '-1') {
+ $forum_add = Forum::add_thread($p_title, $body, $forum_section, $player_id, $account_logged->getId(), $errors);
+ }
- if(isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
- $p_title = $body = $comments = $article_text = $article_image = '';
- $type = $category = $player_id = 0;
-
- success('Added successful.');
- }
- }
- else if($action == 'delete') {
- if (News::delete($id, $errors)) {
- success('Deleted successful.');
- }
- }
- else if($action == 'edit')
- {
- if(isset($id) && !isset($p_title)) {
- $news = News::get($id);
- $p_title = $news['title'];
- $body = $news['body'];
- $comments = $news['comments'];
- $type = $news['type'];
- $category = $news['category'];
- $player_id = $news['player_id'];
- $article_text = $news['article_text'];
- $article_image = $news['article_image'];
- }
- else {
- if(News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
- // update forum thread if exists
- if(isset($forum_section) && Validator::number($forum_section)) {
- $db->query("UPDATE `" . TABLE_PREFIX . "forum` SET `author_guid` = ".(int) $player_id.", `post_text` = ".$db->quote($body).", `post_topic` = ".$db->quote($p_title).", `edit_date` = " . time() . " WHERE `id` = " . 
$db->quote($forum_section));
- }
-
- $action = $p_title = $body = $comments = $article_text = $article_image = '';
+ if (isset($p_title) && News::add($p_title, $body, $type, $category, $player_id, isset($forum_add) && $forum_add != 0 ? $forum_add : 0, $article_text, $article_image, $errors)) {
+ $p_title = $body = $comments = $article_text = $article_image = '';
 $type = $category = $player_id = 0;
- success('Updated successful.');
+ success('Added successful.');
+ }
+ } else if ($action == 'delete') {
+ if (News::delete($id, $errors)) {
+ success('Deleted successful.');
+ }
+ } else if ($action == 'edit') {
+ if (isset($id) && !isset($p_title)) {
+ $news = News::get($id);
+ $p_title = $news['title'];
+ $body = $news['body'];
+ $comments = $news['comments'];
+ $type = $news['type'];
+ $category = $news['category'];
+ $player_id = $news['player_id'];
+ $article_text = $news['article_text'];
+ $article_image = $news['article_image'];
+ } else {
+ if (News::update($id, $p_title, $body, $type, $category, $player_id, $forum_section, $article_text, $article_image, $errors)) {
+ // update forum thread if exists
+ if (isset($forum_section) && Validator::number($forum_section)) {
+ $db->query("UPDATE `" . TABLE_PREFIX . "forum` SET `author_guid` = " . (int)$player_id . ", `post_text` = " . $db->quote($body) . ", `post_topic` = " . $db->quote($p_title) . ", `edit_date` = " . time() . " WHERE `id` = " . $db->quote($forum_section));
+ }
+
+ $action = $p_title = $body = $comments = $article_text = $article_image = '';
+ $type = $category = $player_id = 0;
+
+ success('Updated successful.');
+ }
+ }
+ } else if ($action == 'hide') {
+ if (News::toggleHidden($id, $errors, $status)) {
+ success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
 }
- }
- }
- else if($action == 'hide') {
- if (News::toggleHidden($id, $errors, $status)) {
- success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
 }
 }
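Review bot: The new `if (isRequestMethod('post'))` wraps the whole dispatch, including the read-only half of the `edit` branch that only loads the record into the form (`$news = News::get($id)` when `isset($id) && !isset($p_title)`), so if the admin list opens the editor through a GET link carrying `action=edit` the form now renders empty; the write paths (`News::add`, `News::delete`, `News::update`, `News::toggleHidden`) are the ones that need the POST gate. Whether edit is reached by GET depends on the template, which is not in this diff, so this is worth checking before merge; one shape that keeps the form load is `if ($action == 'edit' && isset($id) && !isset($p_title)) { …load $news… } else if (isRequestMethod('post')) { …existing dispatch… }`. A second, pre-existing point: `$status` is passed to `News::toggleHidden($id, $errors, $status)` before being assigned, which only works if that parameter is by-reference, and a comment such as `// $status is set by toggleHidden (by reference)` would document it if so. The enclosing `if(!empty($action))` block starts before and ends after this hunk.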
diff --git a/admin/pages/pages.php b/admin/pages/pages.php
index 43a8ecd5..834c0eed 100644
--- a/admin/pages/pages.php
+++ b/admin/pages/pages.php
@@ -36,7 +36,7 @@ const PAGE_TITLE_LIMIT = 30;
 const PAGE_NAME_LIMIT = 30;
 const PAGE_BODY_LIMIT = 65535; // maximum page body length
-if (!empty($action)) {
+if (!empty($action) && isRequestMethod('post')) {
 if ($action == 'delete' || $action == 'edit' || $action == 'hide') {
 $id = $_POST['id'];
 }
diff --git a/system/functions.php b/system/functions.php
index ce881447..2a8474ff 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -1070,7 +1070,7 @@ function csrfToken(): string {
 function isValidToken(): bool {
 $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
- return ($_SERVER['REQUEST_METHOD'] !== 'POST' || (isset($token) && CsrfToken::isValid($token)));
+ return (!isRequestMethod('post') || (isset($token) && CsrfToken::isValid($token)));
 }
 function csrfProtect(): void
@@ -1665,6 +1665,10 @@ function makeLinksClickable($text, $blank = true) {
 return preg_replace('!(((f|ht)tp(s)?://)[-a-zA-Zа-яА-Я()0-9@:%_+.~#?&;//=]+)!i', '$1', $text);
 }
+function isRequestMethod(string $method): bool {
+ return strtolower($_SERVER['REQUEST_METHOD']) == strtolower($method);
+}
+
 // validator functions
 require_once SYSTEM . 'compat/base.php';
diff --git a/system/templates/admin.pages.form.html.twig b/system/templates/admin.pages.form.html.twig
index 267f0a40..7a4dba4d 100644
--- a/system/templates/admin.pages.form.html.twig
+++ b/system/templates/admin.pages.form.html.twig
@@ -54,7 +54,7 @@
diff --git a/system/templates/admin.tools.teleport.html.twig b/system/templates/admin.tools.teleport.html.twig
index 68cc3404..6eee5254 100644
--- a/system/templates/admin.tools.teleport.html.twig
+++ b/system/templates/admin.tools.teleport.html.twig
@@ -5,6 +5,7 @@
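Review bot: `$id = $_POST['id'];` two lines below the new guard still reads the key without a default, so a POST carrying `action=delete`, `edit` or `hide` but no `id` emits an undefined-array-key warning before anything validates it; the changelog.php hunk in this same commit uses `$id = $_POST['id'] ?? null;`, and pages.php should match so the later checks see `null` rather than a warning. The `if (!empty($action) ...)` body continues outside the hunk.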
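Review bot: `!isRequestMethod('post')` preserves the old exemption of every non-POST method from the CSRF check, so a PUT, PATCH or DELETE request would return `true` from `isValidToken()` with no token at all; the diff does not show whether any route accepts such methods, but the safer shape exempts only the methods defined as not changing state: `$safe = isRequestMethod('get') || isRequestMethod('head') || isRequestMethod('options');` followed by `return $safe || (isset($token) && CsrfToken::isValid($token));`. The function is fully inside the hunk, so this is a two-line change.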
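Review bot: `strtolower($_SERVER['REQUEST_METHOD'])` reads the key with no default, so when the SAPI does not set it (the CLI does not) the call emits a warning and, on PHP 8.1+, a `strtolower(): Passing null` deprecation, and the loose `==` is not needed once both sides are strings; `return strtoupper($_SERVER['REQUEST_METHOD'] ?? '') === strtoupper($method);` fixes both and keeps the case-insensitive contract the callers in this commit rely on (they pass `'post'`). The function has no docblock; a one-liner such as `/** True when the current request method (from $_SERVER) equals $method, compared case-insensitively; false when no method is set. */` would state the contract.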
Set Town
+ {{ csrf() }}
@@ -32,6 +33,7 @@
Set Position
+ {{ csrf() }}
@@ -67,6 +69,7 @@
Teleport to Temple
+ {{ csrf() }}