Forum boards admin links: csrf + refactor

2025-05-25 06:54:29 +02:00 · 2025-05-24 11:28:56 +02:00 · 2025-05-24 11:28:56 +02:00 · e776bd52be
commit e776bd52be
parent 6e793390c6
3 changed files with 58 additions and 29 deletions
--- a/system/pages/forum/admin.php
+++ b/system/pages/forum/admin.php
@ -17,6 +17,8 @@ if(!$canEdit) {
 	return;
 }

+csrfProtect();
+
 $groupsList = new OTS_Groups_List();
 $groups = [
 	['id' => 0, 'name' => 'Guest'],
@ -30,23 +32,24 @@ foreach ($groupsList as $group) {
 }

 if(!empty($action)) {
-	if($action == 'delete_board' || $action == 'edit_board' || $action == 'hide_board' || $action == 'moveup_board' || $action == 'movedown_board')
+	if($action == 'delete_board' || $action == 'edit_board' || $action == 'hide_board' || $action == 'moveup_board' || $action == 'movedown_board') {
 		$id = $_REQUEST['id'];
-
-	if(isset($_REQUEST['access'])) {
-		$access = $_REQUEST['access'];
 	}

-	if(isset($_REQUEST['guild'])) {
-		$guild = $_REQUEST['guild'];
+	if(isset($_POST['access'])) {
+		$access = $_POST['access'];
 	}

-	if(isset($_REQUEST['name'])) {
-		$name = $_REQUEST['name'];
+	if(isset($_POST['guild'])) {
+		$guild = $_POST['guild'];
 	}

-	if(isset($_REQUEST['description'])) {
-		$description = stripslashes($_REQUEST['description']);
+	if(isset($_POST['name'])) {
+		$name = $_POST['name'];
+	}
+
+	if(isset($_POST['description'])) {
+		$description = stripslashes($_POST['description']);
 	}

 	$errors = [];
@ -55,6 +58,7 @@ if(!empty($action)) {
 		if(Forum::add_board($name, $description, $access, $guild, $errors)) {
 			$action = $name = $description = '';
 			header('Location: ' . getLink('forum'));
+			exit;
 		}
 	}
 	else if($action == 'delete_board') {
--- a/system/templates/forum.admin.links.html.twig
+++ b/system/templates/forum.admin.links.html.twig
@ -0,0 +1,43 @@
+<table>
+	<tr>
+		<td>
+			<form action="{{ getLink('forum') }}" method="post" style="float: left">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="edit_board" />
+				<input type="hidden" name="id" value="{{ id }}" />
+				<button type="submit" title="Edit"><img src="images/edit.png"/> Edit</button>
+			</form>
+
+			<form action="{{ getLink('forum') }}" method="post" style="float: left">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="delete_board" />
+				<input type="hidden" name="id" value="{{ id }}" />
+				<button type="submit" onclick="return confirm('Are you sure?');" title="Delete"><img src="images/del.png"/>Delete</button>
+			</form>
+
+			<form action="{{ getLink('forum') }}" method="post" style="float: left">
+				{{ csrf() }}
+				<input type="hidden" name="action" value="hide_board" />
+				<input type="hidden" name="id" value="{{ id }}" />
+				<button type="submit" title="{% if hide != 1 %}Hide{% else %}Show{% endif %}"><img src="images/{{ hide != 1 ? 'success' : 'error' }}.png"/>{{ hide != 1 ? 'Hide' : 'Show' }}</button>
+			</form>
+
+			{% if i != 1 %}
+				<form action="{{ getLink('forum') }}" method="post" style="float: left">
+					{{ csrf() }}
+					<input type="hidden" name="action" value="moveup_board" />
+					<input type="hidden" name="id" value="{{ id }}" />
+					<button type="submit" title="Move up"><img src="images/icons/arrow_up.gif"/>Move up</button>
+				</form>
+			{% endif %}
+			{% if i != loop.last %}
+				<form action="{{ getLink('forum') }}" method="post" style="float: left">
+					{{ csrf() }}
+					<input type="hidden" name="action" value="movedown_board" />
+					<input type="hidden" name="id" value="{{ id }}" />
+					<button type="submit" title="Move down"><img src="images/icons/arrow_down.gif"/>Move down</button>
+				</form>
+			{% endif %}
+		</td>
+	</tr>
+</table>
--- a/system/templates/forum.boards.html.twig
+++ b/system/templates/forum.boards.html.twig
@ -39,25 +39,7 @@
 		</td>
 		{% if canEdit %}
 			<td>
-				<a href="{{ getLink('forum') }}?action=edit_board&id={{ board.id }}" title="Edit">
-					<img src="images/edit.png"/>Edit
-				</a>
-				<a id="delete" href="{{ getLink('forum') }}?action=delete_board&id={{ board.id }}" onclick="return confirm('Are you sure?');" title="Delete">
-					<img src="images/del.png"/>Delete
-				</a>
-				<a href="{{ getLink('forum') }}?action=hide_board&id={{ board.id }}" title="{% if board.hide != 1 %}Hide{% else %}Show{% endif %}">
-					<img src="images/{% if board.hide != 1 %}success{% else %}error{% endif %}.png"/>{% if board.hide != 1 %}Hide{% else %}Show{% endif %}
-				</a>
-				{% if i != 1 %}
-					<a href="{{ getLink('forum') }}?action=moveup_board&id={{ board.id }}" title="Move up">
-						<img src="images/icons/arrow_up.gif"/>Move up
-					</a>
-				{% endif %}
-				{% if i != last %}
-					<a href="{{ getLink('forum') }}?action=movedown_board&id={{ board.id }}" title="Move down">
-						<img src="images/icons/arrow_down.gif"/>Move down
-					</a>
-				{% endif %}
+				{{ include('forum.admin.links.html.twig', {id: board.id, hide: board.hide, i: i }) }}
 			</td>
 		{% endif %}
 	</tr>