extern
/
egroupware_official
mirror of https://github.com/EGroupware/egroupware.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add token to deny access

This commit is contained in:
Ralf Becker 2017-10-27 16:22:56 +02:00
parent 10b37454f8
commit 5d6deed27d
2 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
admin/inc/class.admin_denyaccess.inc.php
View File

@ -108,6 +108,11 @@ class admin_denyaccess
{
$location = $_GET['location'];
// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
}
if ($_POST['submit'] || $_POST['cancel'])
{
if ($_POST['submit'])
@ -137,6 +142,7 @@ class admin_denyaccess
$this->common_header();
$this->template->set_file('form','acl_manager_form.tpl');
$this->template->set_var('csrf_token', Api\Csrf::token(__FILE__));
$afn = Api\Accounts::username($this->account_id);

1
admin/templates/default/acl_manager_form.tpl
View File

@ -1,5 +1,6 @@
<!-- BEGIN form -->
<form method="POST" action="{form_action}">
<input type="hidden" name="csrf_token" value="{csrf_token}"/>
<div align="left">
<p>{lang_message}</p>
<p>{select_values}</p>