#10217 CSRF for enable/disable users

2023-02-03 14:14:44 +01:00 · 2023-02-03 14:14:44 +01:00 · 0437e46b5b
parent 30a0e2abe8
commit 0437e46b5b
1 changed files with 9 additions and 0 deletions
--- a/pandora_console/godmode/users/user_list.php
+++ b/pandora_console/godmode/users/user_list.php
@ -402,6 +402,11 @@ if ($delete_user === true) {
        __('There was a problem deleting the profile')
    );
 } else if ($disable_user !== false) {
+    // CSRF Validator.
+    if (html_print_csrf_error()) {
+        return;
+    }
+
    // Disable_user.
    $id_user = get_parameter('id', 0);

@ -646,6 +651,8 @@ $limit = (int) $config['block_size'];
 $rowPair = true;
 $iterator = 0;
 $cont = 0;
+// Creates csrf.
+$csrf = html_print_csrf_hidden(true);
 foreach ($info as $user_id => $user_info) {
    if (empty($user_id) === true) {
        continue;
@ -815,6 +822,8 @@ foreach ($info as $user_id => $user_info) {
                    $user_info['id_user'],
                    true
                );
+                // Same csrf for every disable button for submit.
+                $data[6] .= $csrf;
                $data[6] .= html_print_input_hidden(
                    'disable_user',
                    $toDoAction,