Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-10-14 09:44:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

CSRF Protection (#235)

Browse Source 
* Fix alert class name

* feature: csrf protection

* Cosmetics

* Fix token generate

* Admin Panel: changelogs csrf protection

* news/id route

* Refactor admin newses + add csrf

* Use admin.links instead

* Admin panel: Pages csrf

* Menus: better csrf + add success message on reset colors

* Plugins csrf

* Move definitions

* add info function, same as note($message)

* Update mailer.php

* Fix new page/news links

* clear_cache & maintenance csrf

* Formatting

* Fix news type

* Fix changelog link

* Add new changelog link

* More info to confirm dialog

* This is always true
This commit is contained in:
Slawomir Boczek
2023-11-11 10:57:57 +01:00
committed by GitHub
parent a04fbde607
commit 790d85a88a
89 changed files with 789 additions and 504 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
admin/pages/accounts.php
View File

@@ -13,6 +13,9 @@ use MyAAC\Models\Player;
defined('MYAAC') or die('Direct access not allowed!');
$title = 'Account editor';
csrfProtect();
$admin_base = ADMIN_URL . '?p=accounts';
$use_datatable = true;
@@ -82,7 +85,7 @@ else if (isset($_REQUEST['search'])) {
$account = new OTS_Account();
$account->load($id);
if (isset($account, $_POST['save']) && $account->isLoaded()) {
if (isset($_POST['save']) && $account->isLoaded()) {
$error = false;
$_error = '';
@@ -289,6 +292,7 @@ else if (isset($_REQUEST['search'])) {
<div class="tab-content" id="accounts-tabContent">
<div class="tab-pane fade active show" id="accounts-acc">
<form action="<?php echo $admin_base . ((isset($id) && $id > 0) ? '&id=' . $id : ''); ?>" method="post">
<?php csrf(); ?>
<div class="form-group row">
<?php if (USE_ACCOUNT_NAME): ?>
<div class="col-12 col-sm-12 col-lg-4">
@@ -581,6 +585,7 @@ else if (isset($_REQUEST['search'])) {
<div class="row">
<div class="col-6 col-lg-12">
<form action="<?php echo $admin_base; ?>" method="post">
<?php csrf(); ?>
<label for="search">Account Name:</label>
<div class="input-group input-group-sm">
<input type="text" class="form-control" id="search" name="search" value="<?= escapeHtml($search_account); ?>" maxlength="32" size="32">
@@ -590,6 +595,7 @@ else if (isset($_REQUEST['search'])) {
</div>
<div class="col-6 col-lg-12">
<form action="<?php echo $admin_base; ?>" method="post">
<?php csrf(); ?>
<label for="id">Account ID:</label>
<div class="input-group input-group-sm">
<input type="text" class="form-control" id="id" name="id" value="<?= $id; ?>" maxlength="32" size="32">