authorHarald Eilertsen <haraldei@anduin.net>2022-03-12 15:41:35 +0100
committerHarald Eilertsen <haraldei@anduin.net>2022-03-12 15:41:35 +0100
commita10aee732e36f18a8f3e35da9a205a24ba229373 (patch)
tree62ac18f10b394c73a79e4f7c6e19e1c415fe129a
parente0bf0d9d073894774bef5ce29056cc27c74d1505 (diff)
Security: Add CSRF checks when updating concerts table.
-rw-r--r--includes/admin/views/_concerts_table.php18
1 files changed, 17 insertions, 1 deletions
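--- a/includes/admin/views/_concerts_table.php
+++ b/includes/admin/views/_concerts_table.php
@@ -29,9 +29,18 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 private string $username;
 private array $filter;
 private int $page_no;
+private string $nonce;
 public static function update() : void
 {
+//
+// Check that we get a nonce, and that it is valid to prevent CSRF attacks.
+//
+if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'concerts-table')) {
+wp_die('You are not allowed to do that.', 403);
+exit();
+}
+
 if (isset($_POST['assignitem'])) {
 $concert = GiglogAdmin_Concert::get(intval($_POST['cid']));
@@ -130,8 +139,12 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 wp_mail( $dest, $subject, $body );
 }
-public function __construct() {
+public function __construct()
+{
 $this->username = wp_get_current_user()->user_login;
+
+// Set the nonce we use to check for CSRF attacks.
+$this->nonce = wp_create_nonce('concerts-table');
 $this->get_args();
 }
@@ -387,6 +400,7 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 {
 return
 '<form class="adminactions" method="POST" action="">'
+. '<input type="hidden" name="nonce" value="' . $this->nonce . '">'
 . '<input type="hidden" name="cid" value="' . $concert->id() . '" />'
 . \EternalTerror\ViewHelpers\select_field(
 'selectstatus',
@@ -423,6 +437,7 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 //first check if current slot is taken by current user
 if ( $assigned_user == $this->username ) {
 $f = '<form class="unassign_concert" method="POST" action="">'
+. ' <input type="hidden" name="nonce" value="' . $this->nonce . '">'
 . ' <input type="hidden" name="cid" value="' . $concert->id() . '" />'
 . ' <input type="hidden" name="pid" value="' . $role . '" />'
 . ' <input type="submit" name="unassignitem" value=""/>'
@@ -438,6 +453,7 @@ if (!class_exists("GiglogAdmin_ConcertsTable"))
 }
 else { //not taken by anyone
 $f = '<form class="assign_concert" method="POST" action="">'
+. ' <input type="hidden" name="nonce" value="' . $this->nonce . '">'
 . ' <input type="hidden" name="cid" value="' . $concert->id() . '" />'
 . ' <input type="hidden" name="pid" value="' . $role. '" />'
 . ' <input type="submit" name="assignitem" value=""/>'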
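Review bot: The nonce check added at the top of `update()` in the first hunk proves the request originated from one of this plugin's forms, not that the current user is permitted to change the concerts table, so it should be paired with a capability check such as `if (!current_user_can('<required-capability>')) { wp_die('You are not allowed to do that.', 403); }` (the capability is a project decision; wp_verify_nonce() does not cover it). The posted value is also handed to wp_verify_nonce() unslashed; the WordPress convention is `wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'concerts-table')`, or simply `check_admin_referer('concerts-table', 'nonce')`, which performs the lookup, verification and 403 death in one call and would also remove the `exit()` that is unreachable after `wp_die()` (wp_die() does not return). In the last three hunks the nonce is concatenated into the value attribute without esc_attr(), matching the surrounding unescaped `$concert->id()` lines; the token wp_create_nonce() returns is a short hash fragment so this is not exploitable as written, but `wp_nonce_field('concerts-table', 'nonce', false, false)` produces the same hidden field already escaped and keeps the three forms from drifting apart. The body of `update()` continues past the end of the first hunk.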