authorMario <mario@mariovavti.com>2024-11-03 10:59:41 +0000
committerMario <mario@mariovavti.com>2024-11-03 10:59:41 +0000
commit2ab0118c132b2bc3e6f135acece45991eb12a86f (patch)
treea768446eef801983009cb5d1e50a6e8ed77e9900 /Zotlabs/Module
parent30419bdbf6fd29c97eed2d6f48545e2ae8db807e (diff)
Fix missing CSRF checks in admin/account_edit
(cherry picked from commit 38c947590e81fbb00e315e1902eba8dd6dbdd0ec) 342d94c3 tpl: Fix warnings in templates. bccaeb1e tests: Update Module\TestCase to support POST requests f627e55b tests: Update account fixtures with fixed account_level. ee62aff4 Module\Admin\Account_edit: Add missing CSRF checks. Co-authored-by: Harald Eilertsen <haraldei@anduin.net>
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Admin/Account_edit.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/Zotlabs/Module/Admin/Account_edit.php b/Zotlabs/Module/Admin/Account_edit.php
index 0300fb10c..35a15133f 100644
--- a/Zotlabs/Module/Admin/Account_edit.php
+++ b/Zotlabs/Module/Admin/Account_edit.php
@@ -8,6 +8,11 @@ class Account_edit {
function post() {
+ // Validate CSRF token
+ //
+ // We terminate with a 403 Forbidden status if the check fails.
+ check_form_security_token_ForbiddenOnErr('admin_account_edit', 'security');
+
$account_id = $_REQUEST['aid'];
if(! $account_id)
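Review bot: The new `check_form_security_token_ForbiddenOnErr('admin_account_edit', 'security')` call at the top of post() only protects anything if the rendered form carries a hidden field named `security`; get() now passes `'$security' => get_form_security_token('admin_account_edit')` to the template (last hunk), but `admin_account_edit.tpl`, which has to emit `<input type="hidden" name="security" value="{{$security}}">`, is outside this diff (limited to Zotlabs/Module), so confirm the template was updated in the same release or every legitimate admin POST will now be rejected with 403. If, as elsewhere in Hubzilla, the helper reads the token from `$_REQUEST` rather than `$_POST`, a token supplied in the query string is accepted too; that is fine for a per-form nonce but worth stating next to the check, e.g. `// Token is read via $_REQUEST, so it may arrive in the query string as well as the POST body.` Running the check before `$_REQUEST['aid']` is read is the right order, since a failed token now aborts before any account row is touched. The body of post() continues past the end of this hunk.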
@@ -18,7 +23,7 @@ class Account_edit {
if($pass1 && $pass2 && ($pass1 === $pass2)) {
$salt = random_string(32);
$password_encoded = hash('whirlpool', $salt . $pass1);
- $r = q("update account set account_salt = '%s', account_password = '%s',
+ $r = q("update account set account_salt = '%s', account_password = '%s',
account_password_changed = '%s' where account_id = %d",
dbesc($salt),
dbesc($password_encoded),
@@ -34,7 +39,7 @@ class Account_edit {
$account_level = 5;
$account_language = trim($_REQUEST['account_language']);
- $r = q("update account set account_service_class = '%s', account_level = %d, account_language = '%s'
+ $r = q("update account set account_service_class = '%s', account_level = %d, account_language = '%s'
where account_id = %d",
dbesc($service_class),
intval($account_level),
@@ -62,8 +67,8 @@ class Account_edit {
return '';
}
-
$a = replace_macros(get_markup_template('admin_account_edit.tpl'), [
+ '$security' => get_form_security_token('admin_account_edit'),
'$account' => $x[0],
'$title' => t('Account Edit'),
'$pass1' => [ 'pass1', t('New Password'), ' ','' ],