
Commit 05a1d51

committed
validate in all pages
1 parent 13e402b commit 05a1d51


9 files changed

+12
-0
lines changed


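--- a/webroot/admin/ajax/get_group_members.php
+++ b/webroot/admin/ajax/get_group_members.php
@@ -13,6 +13,10 @@
 UnityHTTPD::badRequest("PI UID not set");
 }
 
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
+}
+
 $group = new UnityGroup($_GET["gid"], $LDAP, $SQL, $MAILER, $WEBHOOK);
 $members = $group->getGroupMembersAttributes(["gecos", "mail"]);
 $requests = $group->getRequests();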
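Review bot: The new guard on this AJAX endpoint is gated on `$_SERVER["REQUEST_METHOD"] == "POST"`, but the handler that follows it reads `$_GET["gid"]` and nothing in the hunk consumes `$_POST`, so any request that does not arrive as POST reaches `new UnityGroup(...)` with no token checked at all. If the endpoint is read-only that is acceptable and worth stating above the guard, e.g. `// GET is read-only here; only POST submissions carry a CSRF token to validate`; if it is meant to be POST-only, rejecting other methods with `UnityHTTPD::badRequest(...)` instead of silently continuing would be the safer shape. The same per-method gate is added in content.php, notices.php, pi-mgmt.php, user-mgmt.php, account.php, groups.php, new_account.php and pi.php, and in every one of them the protection depends on validatePostCSRFToken() ending the request on a missing or wrong token rather than returning — its body is not in this commit, so that should be confirmed, ideally pinned by a test that submits one of these forms without a token and expects rejection. The enclosing request handler begins before and continues after the hunk in all nine files.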

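--- a/webroot/admin/content.php
+++ b/webroot/admin/content.php
@@ -9,6 +9,7 @@
 }
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 if (!empty($_POST["pageSel"])) {
 $SQL->editPage($_POST["pageSel"], $_POST["content"], $USER);
 }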

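--- a/webroot/admin/notices.php
+++ b/webroot/admin/notices.php
@@ -9,6 +9,7 @@
 }
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 switch ($_POST["form_type"]) {
 case "newNotice":
 $SQL->addNotice($_POST["title"], $_POST["date"], $_POST["content"], $USER);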

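--- a/webroot/admin/pi-mgmt.php
+++ b/webroot/admin/pi-mgmt.php
@@ -12,6 +12,7 @@
 }
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 if (isset($_POST["uid"])) {
 $form_user = new UnityUser($_POST["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK);
 }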

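--- a/webroot/admin/user-mgmt.php
+++ b/webroot/admin/user-mgmt.php
@@ -9,6 +9,7 @@
 }
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 switch ($_POST["form_type"]) {
 case "viewAsUser":
 $_SESSION["viewUser"] = $_POST["uid"];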

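--- a/webroot/panel/account.php
+++ b/webroot/panel/account.php
@@ -10,6 +10,7 @@
 $hasGroups = count($USER->getPIGroupGIDs()) > 0;
 
 if ($_SERVER['REQUEST_METHOD'] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 switch (UnityHTTPD::getPostData("form_type")) {
 case "addKey":
 $keys = array();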

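--- a/webroot/panel/groups.php
+++ b/webroot/panel/groups.php
@@ -7,6 +7,7 @@
 use UnityWebPortal\lib\UnityHTTPD;
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 if (isset($_POST["form_type"])) {
 if (isset($_POST["pi"])) {
 $pi_groupname = $_POST["pi"];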

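--- a/webroot/panel/new_account.php
+++ b/webroot/panel/new_account.php
@@ -9,6 +9,7 @@
 UnityHTTPD::redirect(CONFIG["site"]["prefix"] . "/panel/account.php");
 }
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 $user = new UnityUser($SSO["user"], $LDAP, $SQL, $MAILER, $WEBHOOK);
 $user->init($SSO["firstname"], $SSO["lastname"], $SSO["mail"], $SSO["org"]);
 // header.php will redirect to this same page again and then this page will redirect to account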

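--- a/webroot/panel/pi.php
+++ b/webroot/panel/pi.php
@@ -12,6 +12,7 @@
 }
 
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
+UnityHTTPD::validatePostCSRFToken();
 if (isset($_POST["uid"])) {
 $form_user = new UnityUser($_POST["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK);
 }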
