From e776bd52beb3064a9e694efd1b9021ec972ee2f6 Mon Sep 17 00:00:00 2001
From: slawkens <slawkens@gmail.com>
Date: Sat, 24 May 2025 11:28:56 +0200
Subject: [PATCH] Forum boards admin links: csrf + refactor

---
 system/pages/forum/admin.php                 | 24 ++++++-----
 system/templates/forum.admin.links.html.twig | 43 ++++++++++++++++++++
 system/templates/forum.boards.html.twig      | 20 +--------
 3 files changed, 58 insertions(+), 29 deletions(-)
 create mode 100644 system/templates/forum.admin.links.html.twig

diff --git a/system/pages/forum/admin.php b/system/pages/forum/admin.php
index 6e35bba5..1260cfb2 100644
--- a/system/pages/forum/admin.php
+++ b/system/pages/forum/admin.php
@@ -17,6 +17,8 @@ if(!$canEdit) {
 	return;
 }
 
+csrfProtect();
+
 $groupsList = new OTS_Groups_List();
 $groups = [
 	['id' => 0, 'name' => 'Guest'],
@@ -30,23 +32,24 @@ foreach ($groupsList as $group) {
 }
 
 if(!empty($action)) {
-	if($action == 'delete_board' || $action == 'edit_board' || $action == 'hide_board' || $action == 'moveup_board' || $action == 'movedown_board')
+	if($action == 'delete_board' || $action == 'edit_board' || $action == 'hide_board' || $action == 'moveup_board' || $action == 'movedown_board') {
 		$id = $_REQUEST['id'];
-
-	if(isset($_REQUEST['access'])) {
-		$access = $_REQUEST['access'];
 	}
 
-	if(isset($_REQUEST['guild'])) {
-		$guild = $_REQUEST['guild'];
+	if(isset($_POST['access'])) {
+		$access = $_POST['access'];
 	}
 
-	if(isset($_REQUEST['name'])) {
-		$name = $_REQUEST['name'];
+	if(isset($_POST['guild'])) {
+		$guild = $_POST['guild'];
 	}
 
-	if(isset($_REQUEST['description'])) {
-		$description = stripslashes($_REQUEST['description']);
+	if(isset($_POST['name'])) {
+		$name = $_POST['name'];
+	}
+
+	if(isset($_POST['description'])) {
+		$description = stripslashes($_POST['description']);
 	}
 
 	$errors = [];
@@ -55,6 +58,7 @@ if(!empty($action)) {
 		if(Forum::add_board($name, $description, $access, $guild, $errors)) {
 			$action = $name = $description = '';
 			header('Location: ' . getLink('forum'));
+			exit;
 		}
 	}
 	else if($action == 'delete_board') {
diff --git a/system/templates/forum.admin.links.html.twig b/system/templates/forum.admin.links.html.twig
new file mode 100644
index 00000000..2449e616
--- /dev/null
+++ b/system/templates/forum.admin.links.html.twig
@@ -0,0 +1,43 @@
+<table>
+	<tr>
+		<td>
+			<form action="{{ getLink('forum') }}" method="post" style="float: left">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="edit_board" />
+				<input type="hidden" name="id" value="{{ id }}" />
+				<button type="submit" title="Edit"><img src="images/edit.png"/> Edit</button>
+			</form>
+
+			<form action="{{ getLink('forum') }}" method="post" style="float: left">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="delete_board" />
+				<input type="hidden" name="id" value="{{ id }}" />
+				<button type="submit" onclick="return confirm('Are you sure?');" title="Delete"><img src="images/del.png"/>Delete</button>
+			</form>
+
+			<form action="{{ getLink('forum') }}" method="post" style="float: left">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="hide_board" />
+				<input type="hidden" name="id" value="{{ id }}" />
+				<button type="submit" title="{% if hide != 1 %}Hide{% else %}Show{% endif %}"><img src="images/{{ hide != 1 ? 'success' : 'error' }}.png"/>{{ hide != 1 ? 'Hide' : 'Show' }}</button>
+			</form>
+
+			{% if i != 1 %}
+				<form action="{{ getLink('forum') }}" method="post" style="float: left">
+					{{ csrf() }}
+					<input type="hidden" name="action" value="moveup_board" />
+					<input type="hidden" name="id" value="{{ id }}" />
+					<button type="submit" title="Move up"><img src="images/icons/arrow_up.gif"/>Move up</button>
+				</form>
+			{% endif %}
+			{% if i != loop.last %}
+				<form action="{{ getLink('forum') }}" method="post" style="float: left">
+					{{ csrf() }}
+					<input type="hidden" name="action" value="movedown_board" />
+					<input type="hidden" name="id" value="{{ id }}" />
+					<button type="submit" title="Move down"><img src="images/icons/arrow_down.gif"/>Move down</button>
+				</form>
+			{% endif %}
+		</td>
+	</tr>
+</table>
diff --git a/system/templates/forum.boards.html.twig b/system/templates/forum.boards.html.twig
index 5ac3e88b..aa2772f9 100644
--- a/system/templates/forum.boards.html.twig
+++ b/system/templates/forum.boards.html.twig
@@ -39,25 +39,7 @@
 		</td>
 		{% if canEdit %}
 			<td>
-				<a href="{{ getLink('forum') }}?action=edit_board&id={{ board.id }}" title="Edit">
-					<img src="images/edit.png"/>Edit
-				</a>
-				<a id="delete" href="{{ getLink('forum') }}?action=delete_board&id={{ board.id }}" onclick="return confirm('Are you sure?');" title="Delete">
-					<img src="images/del.png"/>Delete
-				</a>
-				<a href="{{ getLink('forum') }}?action=hide_board&id={{ board.id }}" title="{% if board.hide != 1 %}Hide{% else %}Show{% endif %}">
-					<img src="images/{% if board.hide != 1 %}success{% else %}error{% endif %}.png"/>{% if board.hide != 1 %}Hide{% else %}Show{% endif %}
-				</a>
-				{% if i != 1 %}
-					<a href="{{ getLink('forum') }}?action=moveup_board&id={{ board.id }}" title="Move up">
-						<img src="images/icons/arrow_up.gif"/>Move up
-					</a>
-				{% endif %}
-				{% if i != last %}
-					<a href="{{ getLink('forum') }}?action=movedown_board&id={{ board.id }}" title="Move down">
-						<img src="images/icons/arrow_down.gif"/>Move down
-					</a>
-				{% endif %}
+				{{ include('forum.admin.links.html.twig', {id: board.id, hide: board.hide, i: i }) }}
 			</td>
 		{% endif %}
 	</tr>