Fixes regarding csrf + refactor some parts of AAC (guilds + forum)

Replace $account_logged->getPlayers() with getPlayersList()
$_REQUEST['todo'] -> $_REQUEST['post']
$guild_errors -> $errors

system/templates/forum.new_thread.html.twig

@@ -1,4 +1,4 @@
-<form action="?" method="post">
+<form method="post">
 	{{ csrf() }}
 	<input type="hidden" name="action" value="new_thread" />
 	<input type="hidden" name="section_id" value="{{ section_id }}" />

system/templates/forum.remove_post.html.twig

@@ -0,0 +1,12 @@
+<form action="{{ getLink('forum') }}" method="post" style="display: inline"
+	{% if post.first_post != post.id %}
+		onclick="return confirm('Are you sure you want remove post of {{ post.player.getName() }}?')"
+	{% else %}
+		onclick="return confirm('Are you sure you want remove thread > {{ post.post_topic}} <?')"
+	{% endif %}
+>
+	{{ csrf() }}
+	<input type="hidden" name="action" value="remove_post" />
+	<input type="hidden" name="id" value="{{ post.id }}" />
+	<input type="image" src="/images/del.png" border="0" alt="Delete" title="{% if post.first_post != post.id %}Remove Post{% else %}Remove Thread{% endif %}" />
+</form>

system/templates/forum.show_thread.html.twig

@@ -53,15 +53,16 @@ Page: {{ links_to_pages|raw }}<br/>
 			<td>
 				{% if is_moderator %}
 					{% if post.first_post != post.id %}
-						<a href="{{ getLink('forum') }}?action=remove_post&id={{ post.id }}" title="Remove Post" onclick="return confirm('Are you sure you want remove post of {{ post.player.getName() }}?')"><img src="images/del.png"/></a>
+						{{ include('forum.remove_post.html.twig') }}
 					{% else %}
 						<a href="{{ getLink('forum') }}?action=move_thread&id={{ post.id }}" title="Move Thread"><img src="images/icons/arrow_right.gif"/></a>
-						<a href="{{ getLink('forum') }}?action=remove_post&id={{ post.id }}" title="Remove Thread" target="_blank" onclick="return confirm('Are you sure you want remove thread > {{ post.post_topic}} <?')"><img src="images/del.png"/></a>
+						{{ include('forum.remove_post.html.twig') }}
 					{% endif %}
 				{% endif %}
 					{% if logged and (post.player.getAccount().getId() == account_logged.getId() or is_moderator) %}
 						<a href="{{ getLink('forum') }}?action=edit_post&id={{ post.id }}" title="Edit Post" target="_blank">
-							<img src="images/edit.png"/></a>
+							<img src="images/edit.png"/>
+						</a>
 					{% endif %}
 					{% if logged %}
 						<a href="{{ getLink('forum') }}?action=new_post&thread_id={{ thread_id }}&quote={{ post.id }}" title="Quote Post"><img src="images/icons/comment_add.png"/></a>

system/templates/guilds.accept_invite.html.twig

@@ -7,12 +7,15 @@
 	</tr>
 	<tr bgcolor="{{ config.darkborder }}">
 		<td>
-			<form action="{{ getLink('guilds') }}?action=accept_invite&guild={{ guild_name }}&todo=save" method="post">
+			<form action="{{ getLink('guilds') }}?action=accept_invite&guild={{ guild_name }}" method="post">
 				{{ csrf() }}
+
+				<input type="hidden" name="todo" value="save" />
+
 				{% set i = 0 %}
 				{% for player in invited_players %}
-				<input type="radio" name="name" id="name_{{ i }}" value="{{ player }}" /><label for="name_{{ i }}">{{ player }}</label>
-				{% set i = i + 1 %}
+					<input type="radio" name="name" id="name_{{ i }}" value="{{ player }}" /><label for="name_{{ i }}">{{ player }}</label>
+					{% set i = i + 1 %}
 				{% endfor %}
 				{{ include('buttons.submit.html.twig') }}
 			</form>

system/templates/guilds.change_logo.html.twig

@@ -8,7 +8,7 @@
 			<form enctype="multipart/form-data" action="{{ getLink('guilds') }}?guild={{ guild.getName() }}&action=change_logo" method="post" id="upload_form">
 				{{ csrf() }}
 				<input type="hidden" name="todo" value="save" />
-				<input type="hidden" name="MAX_FILE_SIZE" value="{{ max_image_size_b }}" />
+				<!--input type="hidden" name="MAX_FILE_SIZE" value="{{ max_image_size_b }}" /-->
 				Select new logo: <input name="newlogo" id="newlogo" type="file" />
 				<input type="submit" value="Send new logo" />
 			</form>

system/templates/guilds.change_rank.html.twig

@@ -1,5 +1,6 @@
-<form action="{{ getLink('guilds') }}?action=change_rank&guild={{ guild_name }}&todo=save" method="post">
+<form action="{{ getLink('guilds') }}?action=change_rank&guild={{ guild_name }}" method="post">
 	{{ csrf() }}
+	<input type="hidden" name="todo" value="save" />
 	<table border="0" cellspacing="1" cellpadding="4" width="100%">
 		<tr bgcolor="{{ config.vdarkborder }}"><td class="white"><b>Change Rank</b></td></tr>
 		<tr bgcolor="{{ config.darkborder }}">

system/templates/guilds.create.html.twig

@@ -1,5 +1,6 @@
-<form action="{{ getLink('guilds') }}?action=create&todo=save" method="post">
+<form action="{{ getLink('guilds') }}?action=create" method="post">
 	{{ csrf() }}
+	<input type="hidden" name="todo" value="save" />
 	<table width="100%" border="0" cellspacing="1" cellpadding="4">
 		<tr>
 			<td bgcolor="{{ config.vdarkborder }}" class="white"><B>Create a {{ config.lua.serverName }} Guild</b></td>

system/templates/guilds.delete_invite.html.twig

@@ -7,9 +7,10 @@
 	<table border="0" cellspacing="0" cellpadding="0" width="100%">
 		<tr>
 			<td align="right" width="50%">
-				<form action="{{ getLink('guilds') }}?action=delete_invite&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
-				{{ csrf() }}
-				{{ include('buttons.submit.html.twig') }}
+				<form action="{{ getLink('guilds') }}?action=delete_invite&guild={{ guild_name }}&name={{ player_name }}" method="post">
+					{{ csrf() }}
+					<input type="hidden" name="todo" value="save" />
+					{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>
 			<td style="width: 10px; "></td>

system/templates/guilds.invite.html.twig

@@ -1,5 +1,6 @@
-<form action="{{ getLink('guilds') }}?action=invite&guild={{ guild_name }}&todo=save" method="post">
+<form action="{{ getLink('guilds') }}?action=invite&guild={{ guild_name }}" method="post">
 	{{ csrf() }}
+	<input type="hidden" name="todo" value="save" />
 	Invite player with name:&nbsp;&nbsp;<input type="text" name="name">&nbsp;&nbsp;&nbsp;&nbsp;
 	{{ include('buttons.submit.html.twig') }}
 </form>

system/templates/guilds.kick_player.html.twig

@@ -7,8 +7,9 @@
 	<table border="0" cellspacing="0" cellpadding="0" width="100%">
 		<tr>
 			<td align="right" width="50%">
-				<form action="{{ getLink('guilds') }}?action=kick_player&guild={{ guild_name }}&name={{ player_name }}&todo=save" method="post">
+				<form action="{{ getLink('guilds') }}?action=kick_player&guild={{ guild_name }}&name={{ player_name }}" method="post">
 					{{ csrf() }}
+					<input type="hidden" name="todo" value="save" />
 					{{ include('buttons.submit.html.twig') }}
 				</form>
 			</td>

system/templates/guilds.leave_guild.html.twig

@@ -1,5 +1,6 @@
-<form action="{{ getLink('guilds') }}?action=leave&guild={{ guild_name }}&todo=save" METHOD="post">
+<form action="{{ getLink('guilds') }}?action=leave&guild={{ guild_name }}" METHOD="post">
 	{{ csrf() }}
+	<input type="hidden" name="todo" value="save" />
 <table border="0" cellspacing="1" cellpadding="4" width="100%">
 	<tr bgcolor="{{ config.vdarkborder }}">
 		<td class="white"><b>Leave guild</b></td></tr>

system/templates/guilds.manager.html.twig

@@ -101,7 +101,12 @@ Here you can change names of ranks, delete and add ranks, pass leadership to oth
 		{% set i = 0 %}
 		{% for rank in rank_list %}
 		<tr bgcolor="{{ getStyle(i) }}">
-			<td align="center">{{ rank.getId() }} // <a href="{{ getLink('guilds') }}?guild={{ guild.getName() }}&action=delete_rank&rankid={{ rank.getId() }}" border="0"><img src="/images/news/delete.png" border="0" alt="Delete Rank"></a>
+			<td align="center">{{ rank.getId() }} //
+				<form action="{{ getLink('guilds') }}?guild={{ guild.getName() }}&action=delete_rank" method="post" style="display: inline;">
+					{{ csrf() }}
+					<input type="hidden" name="rankid" value="{{ rank.getId() }}" />
+					<input type="image" src="/images/news/delete.png" border="0" alt="Delete" />
+				</form>
 			</td>
 			<td>
 				<input type="text" name="{{ rank.getId() }}_name" value="{{ rank.getName() }}" size="35"/>