From 549c08c0968c6d7a108441702a8e82bc02a91148 Mon Sep 17 00:00:00 2001
From: slawkens <slawkens@gmail.com>
Date: Sat, 11 Nov 2023 06:08:09 +0100
Subject: [PATCH] Admin Panel: changelogs csrf protection

---
 admin/pages/changelog.php                     | 33 ++++---------
 .../templates/admin.changelog.form.html.twig  |  1 +
 system/templates/admin.changelog.html.twig    | 48 ++++++++++++++-----
 3 files changed, 47 insertions(+), 35 deletions(-)

diff --git a/admin/pages/changelog.php b/admin/pages/changelog.php
index 31318eb5..1c663dae 100644
--- a/admin/pages/changelog.php
+++ b/admin/pages/changelog.php
@@ -24,22 +24,19 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
 
 $use_datatable = true;
 const CL_LIMIT = 600; // maximum changelog body length
-?>
 
-<link rel="stylesheet" type="text/css" href="<?php echo BASE_URL; ?>tools/css/jquery.datetimepicker.css"/ >
-<script src="<?php echo BASE_URL; ?>tools/js/jquery.datetimepicker.js"></script>
-<?php
 $id = $_GET['id'] ?? 0;
 require_once LIBS . 'changelog.php';
 
+$action = $_POST['action'] ?? '';
 if(!empty($action))
 {
-	$id = $_REQUEST['id'] ?? null;
-	$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null;
-	$create_date = isset($_REQUEST['createdate']) ? (int)strtotime($_REQUEST['createdate'] ): null;
-	$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null;
-	$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : null;
-	$where = isset($_REQUEST['where']) ? (int)$_REQUEST['where'] : null;
+	$id = $_POST['id'] ?? null;
+	$body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
+	$create_date = isset($_POST['createdate']) ? (int)strtotime($_POST['createdate'] ): null;
+	$player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : null;
+	$type = isset($_POST['type']) ? (int)$_POST['type'] : null;
+	$where = isset($_POST['where']) ? (int)$_POST['where'] : null;
 
 	$errors = array();
 
@@ -78,7 +75,7 @@ if(!empty($action))
 	}
 	else if($action == 'hide') {
 		if (Changelog::toggleHidden($id, $errors, $status)) {
-			success(($status == 1 ? 'Show' : 'Hide') . ' successful.');
+			success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
 		}
 	}
 
@@ -118,7 +115,7 @@ if($action == 'edit' || $action == 'new') {
 	$account_players->orderBy('group_id', POT::ORDER_DESC);
 	$twig->display('admin.changelog.form.html.twig', array(
 		'action' => $action,
-		'cl_link_form' => constant('ADMIN_URL').'?p=changelog&action=' . ($action == 'edit' ? 'edit' : 'new'),
+		'cl_link_form' => constant('ADMIN_URL').'?p=changelog',
 		'cl_id' => $id ?? null,
 		'body' => isset($body) ? escapeHtml($body) : '',
 		'create_date' => $create_date ?? '',
@@ -133,15 +130,3 @@ if($action == 'edit' || $action == 'new') {
 $twig->display('admin.changelog.html.twig', array(
 	'changelogs' => $changelogs,
 ));
-
-?>
-<script>
-	$(document).ready(function () {
-		$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
-
-		$('.tb_datatable').DataTable({
-			"order": [[0, "desc"]],
-			"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
-		});
-	});
-</script>
diff --git a/system/templates/admin.changelog.form.html.twig b/system/templates/admin.changelog.form.html.twig
index 1d4c1b99..f0505644 100644
--- a/system/templates/admin.changelog.form.html.twig
+++ b/system/templates/admin.changelog.form.html.twig
@@ -5,6 +5,7 @@
 		</div>
 		<form role="form" method="post" action="{{ cl_link_form }}" id="cl-edit-form">
 			{{ csrf() }}
+			<input type="hidden" name="action" value="{{ action }}" />
 			<div class="card-body">
 				{% if action == 'edit' %}
 					<input type="hidden" name="id" value="{{ cl_id }}"/>
diff --git a/system/templates/admin.changelog.html.twig b/system/templates/admin.changelog.html.twig
index 28ee35e4..7826a0fe 100644
--- a/system/templates/admin.changelog.html.twig
+++ b/system/templates/admin.changelog.html.twig
@@ -1,8 +1,11 @@
 <div class="card card-info card-outline">
 	<div class="card-header">
 		<h5 class="m-0">News:
-			<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=new" class="float-right"><span
-					class="btn btn-sm btn-success">New</span></a>
+			<form method="post" class="float-right">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="new" />
+				<button type="submit" class="btn btn-sm btn-success">New</button>
+			</form>
 		</h5>
 	</div>
 
@@ -30,15 +33,26 @@
 						<td><img src="{{ constant('BASE_URL') }}images/changelog/{{ log.where }}.png" alt="icon" title="{{ log.where|capitalize }}"/> {{ log.where|capitalize }}</td>
 						<td>
 							<div class="btn-group">
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=edit&id={{ log.id }}" class="btn btn-success btn-sm" title="Edit">
-									<i class="fas fa-pencil-alt"></i>
-								</a>
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=delete&id={{ log.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete">
-									<i class="fas fa-trash"></i>
-								</a>
-								<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=hide&id={{ log.id }}" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}">
-									<i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i>
-								</a>
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="edit" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
+								</form>
+
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="delete" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
+								</form>
+
+								<form method="post">
+									{{ csrf() }}
+									<input type="hidden" name="action" value="hide" />
+									<input type="hidden" name="id" value="{{ log.id }}" />
+									<button type="submit" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
+								</form>
 							</div>
 						</td>
 					</tr>
@@ -53,3 +67,15 @@
 		</table>
 	</div>
 </div>
+<link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/jquery.datetimepicker.css"/ >
+<script src="{{ constant('BASE_URL') }}tools/js/jquery.datetimepicker.js"></script>
+<script>
+	$(document).ready(function () {
+		$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
+
+		$('.tb_datatable').DataTable({
+			"order": [[0, "desc"]],
+			"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
+		});
+	});
+</script>