Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-05-03 20:59:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Admin Panel: changelogs csrf protection

Browse Source
This commit is contained in:
slawkens 2023-11-11 06:08:09 +01:00
parent 0127a4f417
commit 549c08c096
3 changed files with 47 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
admin/pages/changelog.php
View File

@ -24,22 +24,19 @@ if (!hasFlag(FLAG_CONTENT_PAGES) && !superAdmin()) {
$use_datatable = true; $use_datatable = true;
const CL_LIMIT = 600; // maximum changelog body length const CL_LIMIT = 600; // maximum changelog body length
?>
<link rel="stylesheet" type="text/css" href="<?php echo BASE_URL; ?>tools/css/jquery.datetimepicker.css"/ >
<script src="<?php echo BASE_URL; ?>tools/js/jquery.datetimepicker.js"></script>
<?php
$id = $_GET['id'] ?? 0; $id = $_GET['id'] ?? 0;
require_once LIBS . 'changelog.php'; require_once LIBS . 'changelog.php';
$action = $_POST['action'] ?? '';
if(!empty($action)) if(!empty($action))
{ {
$id = $_REQUEST['id'] ?? null; $id = $_POST['id'] ?? null;
$body = isset($_REQUEST['body']) ? stripslashes($_REQUEST['body']) : null; $body = isset($_POST['body']) ? stripslashes($_POST['body']) : null;
$create_date = isset($_REQUEST['createdate']) ? (int)strtotime($_REQUEST['createdate'] ): null; $create_date = isset($_POST['createdate']) ? (int)strtotime($_POST['createdate'] ): null;
$player_id = isset($_REQUEST['player_id']) ? (int)$_REQUEST['player_id'] : null; $player_id = isset($_POST['player_id']) ? (int)$_POST['player_id'] : null;
$type = isset($_REQUEST['type']) ? (int)$_REQUEST['type'] : null; $type = isset($_POST['type']) ? (int)$_POST['type'] : null;
$where = isset($_REQUEST['where']) ? (int)$_REQUEST['where'] : null; $where = isset($_POST['where']) ? (int)$_POST['where'] : null;
$errors = array(); $errors = array();
@ -78,7 +75,7 @@ if(!empty($action))
} }
else if($action == 'hide') { else if($action == 'hide') {
if (Changelog::toggleHidden($id, $errors, $status)) { if (Changelog::toggleHidden($id, $errors, $status)) {
success(($status == 1 ? 'Show' : 'Hide') . ' successful.'); success(($status == 1 ? 'Hide' : 'Show') . ' successful.');
} }
} }
@ -118,7 +115,7 @@ if($action == 'edit' || $action == 'new') {
$account_players->orderBy('group_id', POT::ORDER_DESC); $account_players->orderBy('group_id', POT::ORDER_DESC);
$twig->display('admin.changelog.form.html.twig', array( $twig->display('admin.changelog.form.html.twig', array(
'action' => $action, 'action' => $action,
'cl_link_form' => constant('ADMIN_URL').'?p=changelog&action=' . ($action == 'edit' ? 'edit' : 'new'), 'cl_link_form' => constant('ADMIN_URL').'?p=changelog',
'cl_id' => $id ?? null, 'cl_id' => $id ?? null,
'body' => isset($body) ? escapeHtml($body) : '', 'body' => isset($body) ? escapeHtml($body) : '',
'create_date' => $create_date ?? '', 'create_date' => $create_date ?? '',
@ -133,15 +130,3 @@ if($action == 'edit' || $action == 'new') {
$twig->display('admin.changelog.html.twig', array( $twig->display('admin.changelog.html.twig', array(
'changelogs' => $changelogs, 'changelogs' => $changelogs,
)); ));
?>
<script>
$(document).ready(function () {
$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
$('.tb_datatable').DataTable({
"order": [[0, "desc"]],
"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
});
});
</script>

1
system/templates/admin.changelog.form.html.twig
View File

@ -5,6 +5,7 @@
</div> </div>
<form role="form" method="post" action="{{ cl_link_form }}" id="cl-edit-form"> <form role="form" method="post" action="{{ cl_link_form }}" id="cl-edit-form">
{{ csrf() }} {{ csrf() }}
<input type="hidden" name="action" value="{{ action }}" />
<div class="card-body"> <div class="card-body">
{% if action == 'edit' %} {% if action == 'edit' %}
<input type="hidden" name="id" value="{{ cl_id }}"/> <input type="hidden" name="id" value="{{ cl_id }}"/>

48
system/templates/admin.changelog.html.twig
View File

@ -1,8 +1,11 @@
<div class="card card-info card-outline"> <div class="card card-info card-outline">
<div class="card-header"> <div class="card-header">
<h5 class="m-0">News: <h5 class="m-0">News:
<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=new" class="float-right"><span <form method="post" class="float-right">
class="btn btn-sm btn-success">New</span></a> {{ csrf() }}
<input type="hidden" name="action" value="new" />
<button type="submit" class="btn btn-sm btn-success">New</button>
</form>
</h5> </h5>
</div> </div>
@ -30,15 +33,26 @@
<td><img src="{{ constant('BASE_URL') }}images/changelog/{{ log.where }}.png" alt="icon" title="{{ log.where|capitalize }}"/> {{ log.where|capitalize }}</td> <td><img src="{{ constant('BASE_URL') }}images/changelog/{{ log.where }}.png" alt="icon" title="{{ log.where|capitalize }}"/> {{ log.where|capitalize }}</td>
<td> <td>
<div class="btn-group"> <div class="btn-group">
<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=edit&id={{ log.id }}" class="btn btn-success btn-sm" title="Edit"> <form method="post">
<i class="fas fa-pencil-alt"></i> {{ csrf() }}
</a> <input type="hidden" name="action" value="edit" />
<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=delete&id={{ log.id }}" class="btn btn-danger btn-sm" onclick="return confirm('Are you sure?');" title="Delete"> <input type="hidden" name="id" value="{{ log.id }}" />
<i class="fas fa-trash"></i> <button type="submit" class="btn btn-success btn-sm" title="Edit"><i class="fas fa-pencil-alt"></i></button>
</a> </form>
<a href="{{ constant('ADMIN_URL') }}?p=changelog&action=hide&id={{ log.id }}" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}">
<i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i> <form method="post">
</a> {{ csrf() }}
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="id" value="{{ log.id }}" />
<button type="submit" class="btn btn-danger btn-sm" title="Delete" onclick="return confirm('Are you sure?');"><i class="fas fa-pencil-alt"></i></button>
</form>
<form method="post">
{{ csrf() }}
<input type="hidden" name="action" value="hide" />
<input type="hidden" name="id" value="{{ log.id }}" />
<button type="submit" class="btn btn-{{ (log.hidden != 1) ? 'info' : 'default' }} btn-sm" title="{% if log.hidden != 1 %}Hide{% else %}Show{% endif %}"><i class="fas fa-eye{{ (log.hidden != 1) ? '' : '-slash' }}"></i></button>
</form>
</div> </div>
</td> </td>
</tr> </tr>
@ -53,3 +67,15 @@
</table> </table>
</div> </div>
</div> </div>
<link rel="stylesheet" type="text/css" href="{{ constant('BASE_URL') }}tools/css/jquery.datetimepicker.css"/ >
<script src="{{ constant('BASE_URL') }}tools/js/jquery.datetimepicker.js"></script>
<script>
$(document).ready(function () {
$('#createdate').datetimepicker({format: "M d Y, H:i:s",});
$('.tb_datatable').DataTable({
"order": [[0, "desc"]],
"columnDefs": [{targets: [1, 2,4,5],orderable: false}]
});
});
</script>