summaryrefslogtreecommitdiffstats
path: root/includes
diff options
context:
space:
mode:
Diffstat (limited to 'includes')
-rw-r--r--includes/admin/views/_edit_concert_form.php1
-rw-r--r--includes/admin/views/giglog_admin_page.php9
2 files changed, 9 insertions, 1 deletions
diff --git a/includes/admin/views/_edit_concert_form.php b/includes/admin/views/_edit_concert_form.php
index 32ca762..61f2bf4 100644
--- a/includes/admin/views/_edit_concert_form.php
+++ b/includes/admin/views/_edit_concert_form.php
@@ -48,6 +48,7 @@ if (!class_exists("GiglogAdmin_EditConcertForm"))
$content='<div><h3>Form to create/edit concerts and venues</h3><br></div><div class="editform"><div class="concertform">';
$content.='<form method="POST" action="" class="concert" >'
.'<div class="concertitems"><strong>CONCERT DETAILS</strong><br><br><fieldset>'
+ . wp_nonce_field( plugin_basename( __FILE__ ), 'giglog_edit_concert_nonce' )
.'<input type="hidden" name="pid" value="' .$c->id(). '" />'
.'<label for="cname">Concert Name:</label><textarea id="cname" name="cname" value="'.$c->cname().'">'.$c->cname().'</textarea><br>'
.'<label for="venue">Venue:</label>' . $this->get_venue_selector($c->venue()) . '<br>'
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index 86c414e..fa853fb 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
@@ -121,8 +121,15 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) {
}
}
- if(isset($_POST['editconcert']))
+ if (isset($_POST['editconcert']))
{
+ if (!isset($_POST['giglog_edit_concert_nonce'])
+ || wp_verify_nonce($_POST['giglog_edit_concert_nonce'], plugin_basename( __FILE__ )))
+ {
+ header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");
+ wp_die('CSRF validation failed.', 403);
+ }
+
$roles = array_reduce(
['photo1', 'photo1', 'rev1', 'rev2'],
function($roles, $r) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-21 21:04:52 +0000