mirror of
https://github.com/slawkens/myaac.git
synced 2025-10-14 09:44:55 +02:00
CSRF Protection (#235)
* Fix alert class name * feature: csrf protection * Cosmetics * Fix token generate * Admin Panel: changelogs csrf protection * news/id route * Refactor admin newses + add csrf * Use admin.links instead * Admin panel: Pages csrf * Menus: better csrf + add success message on reset colors * Plugins csrf * Move definitions * add info function, same as note($message) * Update mailer.php * Fix new page/news links * clear_cache & maintenance csrf * Formatting * Fix news type * Fix changelog link * Add new changelog link * More info to confirm dialog * This is always true
This commit is contained in:
Slawomir Boczek
@@ -92,18 +92,22 @@ else
|
||||
<tr>
|
||||
<td width="30"> </td>
|
||||
<td align=left>
|
||||
<form action="' . getLink('account/email') . '" method="post"><input type="hidden" name="changeemailsave" value=1 >
|
||||
<form action="' . getLink('account/email') . '" method="post">
|
||||
' . csrf() . '
|
||||
<input type="hidden" name="changeemailsave" value=1 >
|
||||
<INPUT TYPE=image NAME="I Agree" SRC="' . $template_path . '/images/global/buttons/sbutton_iagree.gif" BORDER=0 WIDTH=120 HEIGHT=17>
|
||||
</form>
|
||||
</td>
|
||||
<td align=left>
|
||||
<form action="' . getLink('account/email') . '" method="post">
|
||||
' . csrf() . '
|
||||
<input type="hidden" name="emailchangecancel" value=1 >
|
||||
' . $twig->render('buttons.cancel.html.twig') . '
|
||||
</form>
|
||||
</td>
|
||||
<td align=right>
|
||||
<form action="?subtopic=accountmanagement" method="post" >
|
||||
' . csrf() . '
|
||||
' . $twig->render('buttons.back.html.twig') . '
|
||||
</form>
|
||||
</td>
|
||||
@@ -125,6 +129,7 @@ else
|
||||
<td>
|
||||
<table border="0" cellspacing="0" cellpadding="0" >
|
||||
<form action="' .getLink('account/email') . '" method="post" >
|
||||
' . csrf() . '
|
||||
<tr>
|
||||
<td style="border:0px;" >
|
||||
<input type="hidden" name="emailchangecancel" value="1" >
|
||||
@@ -137,6 +142,7 @@ else
|
||||
<td>
|
||||
<table border="0" cellspacing="0" cellpadding="0" >
|
||||
<form action="' . getLink('account/manage') . '" method="post" >
|
||||
' . csrf() . '
|
||||
<tr>
|
||||
<td style="border:0px;" >
|
||||
' . $twig->render('buttons.back.html.twig') . '
|
||||
|
||||
@@ -153,7 +153,9 @@ class FAQ
|
||||
$row = ModelsFAQ::find($id);
|
||||
if ($row) {
|
||||
$row->hidden = ($row->hidden == 1 ? 0 : 1);
|
||||
$row->save();
|
||||
if (!$row->save()) {
|
||||
$errors[] = 'Fail during toggle hidden FAQ.';
|
||||
}
|
||||
} else {
|
||||
$errors[] = 'FAQ with id ' . $id . ' does not exists.';
|
||||
}
|
||||
|
||||
@@ -13,6 +13,7 @@ defined('MYAAC') or die('Direct access not allowed!');
|
||||
require_once LIBS . 'forum.php';
|
||||
require_once LIBS . 'news.php';
|
||||
|
||||
$canEdit = hasFlag(FLAG_CONTENT_NEWS) || superAdmin();
|
||||
if(isset($_GET['archive']))
|
||||
{
|
||||
$title = 'News Archive';
|
||||
@@ -57,9 +58,14 @@ if(isset($_GET['archive']))
|
||||
}
|
||||
}
|
||||
|
||||
$admin_options = '';
|
||||
if($canEdit) {
|
||||
$admin_options = $twig->render('admin.links.html.twig', ['page' => 'news', 'id' => $news['id'], 'hidden' => $news['hidden']]);
|
||||
}
|
||||
|
||||
$twig->display('news.html.twig', array(
|
||||
'title' => stripslashes($news['title']),
|
||||
'content' => $content_,
|
||||
'content' => $content_ . $admin_options,
|
||||
'date' => $news['date'],
|
||||
'icon' => $categories[$news['category']]['icon_id'],
|
||||
'author' => setting('core.news_author') ? $author : '',
|
||||
@@ -81,7 +87,7 @@ if(isset($_GET['archive']))
|
||||
foreach($news_DB as $news)
|
||||
{
|
||||
$newses[] = array(
|
||||
'link' => getLink('news') . '/archive/' . $news['id'],
|
||||
'link' => getLink('news') . '/' . $news['id'],
|
||||
'icon_id' => $categories[$news['category']]['icon_id'],
|
||||
'title' => stripslashes($news['title']),
|
||||
'date' => $news['date']
|
||||
@@ -99,7 +105,6 @@ header('X-XSS-Protection: 0');
|
||||
$title = 'Latest News';
|
||||
|
||||
$cache = Cache::getInstance();
|
||||
$canEdit = hasFlag(FLAG_CONTENT_NEWS) || superAdmin();
|
||||
|
||||
$news_cached = false;
|
||||
if($cache->enabled())
|
||||
@@ -180,18 +185,8 @@ if(!$news_cached)
|
||||
}
|
||||
|
||||
$admin_options = '';
|
||||
if($canEdit)
|
||||
{
|
||||
$admin_options = '<br/><br/><a target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=edit&id=' . $news['id'] . '" title="Edit">
|
||||
<img src="images/edit.png"/>Edit
|
||||
</a>
|
||||
<a id="delete" target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=delete&id=' . $news['id'] . '" onclick="return confirm(\'Are you sure?\');" title="Delete">
|
||||
<img src="images/del.png"/>Delete
|
||||
</a>
|
||||
<a target="_blank" rel="noopener noreferrer" href="' . ADMIN_URL . '?p=news&action=hide&id=' . $news['id'] . '" title="' . ($news['hidden'] != 1 ? 'Hide' : 'Show') . '">
|
||||
<img src="images/' . ($news['hidden'] != 1 ? 'success' : 'error') . '.png"/>
|
||||
' . ($news['hidden'] != 1 ? 'Hide' : 'Show') . '
|
||||
</a>';
|
||||
if($canEdit) {
|
||||
$admin_options = $twig->render('admin.links.html.twig', ['page' => 'news', 'id' => $news['id'], 'hidden' => $news['hidden']]);
|
||||
}
|
||||
|
||||
$content_ = $news['body'];
|
||||
|
||||
Reference in New Issue
Block a user