add token to deny access

This commit is contained in:
Ralf Becker 2017-10-27 16:22:56 +02:00
parent 10b37454f8
commit 5d6deed27d
2 changed files with 7 additions and 0 deletions


@ -108,6 +108,11 @@ class admin_denyaccess
{ {
$location = $_GET['location']; $location = $_GET['location'];
// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
Api\Csrf::validate($_POST['csrf_token'], __FILE__);
}
if ($_POST['submit'] || $_POST['cancel']) if ($_POST['submit'] || $_POST['cancel'])
{ {
if ($_POST['submit']) if ($_POST['submit'])
@ -137,6 +142,7 @@ class admin_denyaccess
$this->common_header(); $this->common_header();
$this->template->set_file('form','acl_manager_form.tpl'); $this->template->set_file('form','acl_manager_form.tpl');
$this->template->set_var('csrf_token', Api\Csrf::token(__FILE__));
$afn = Api\Accounts::username($this->account_id); $afn = Api\Accounts::username($this->account_id);
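Review bot: The new CSRF check in the first hunk reads `$_SERVER['REQUEST_METHOD']` and `$_POST['csrf_token']` without guarding against the key being absent, so a POST that omits the token (and possibly the cli call via setup_cmd_admin that the comment exempts, where REQUEST_METHOD may be unset) raises an undefined-index notice before validate() runs. Using `if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST')` and `Api\Csrf::validate(isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '', __FILE__);` keeps the gate strict and lets validate() reject the missing token, assuming it treats an empty token as invalid, which I cannot see from here. The `==` against 'POST' should be `===` in any case. The second hunk is cut off after the set_var line, so the remainder of that method is not reviewed here.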


@ -1,5 +1,6 @@
<!-- BEGIN form --> <!-- BEGIN form -->
<form method="POST" action="{form_action}"> <form method="POST" action="{form_action}">
<input type="hidden" name="csrf_token" value="{csrf_token}"/>
<div align="left"> <div align="left">
<p>{lang_message}</p> <p>{lang_message}</p>
<p>{select_values}</p> <p>{select_values}</p>
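Review bot: The added hidden input substitutes `{csrf_token}` directly into a double-quoted attribute, so the markup relies on Api\Csrf::token() never producing a `"` or `<`; the template itself does not constrain it. If the token is hex or base64 this is harmless, but if the template engine does not escape substitutions, applying `htmlspecialchars()` at the set_var call in admin_denyaccess would make the attribute safe regardless of the token format. I cannot see the token implementation from this page, so treat this as something to confirm rather than a known defect.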