Merge branch 'ent-10217-disable-admin-s-account-via-cross-site-request-forgery' into 'develop'

Ent 10217 disable admin s account via cross site request forgery See merge request artica/pandorafms!5503
2023-02-20 15:03:42 +00:00 · 2023-02-20 15:03:42 +00:00 · 8d13e873cc
parent 30604d50a6 0437e46b5b
commit 8d13e873cc
1 changed files with 9 additions and 0 deletions
--- a/pandora_console/godmode/users/user_list.php
+++ b/pandora_console/godmode/users/user_list.php
@ -402,6 +402,11 @@ if ($delete_user === true) {
        __('There was a problem deleting the profile')
    );
 } else if ($disable_user !== false) {
+    // CSRF Validator.
+    if (html_print_csrf_error()) {
+        return;
+    }
+
    // Disable_user.
    $id_user = get_parameter('id', 0);

@ -646,6 +651,8 @@ $limit = (int) $config['block_size'];
 $rowPair = true;
 $iterator = 0;
 $cont = 0;
+// Creates csrf.
+$csrf = html_print_csrf_hidden(true);
 foreach ($info as $user_id => $user_info) {
    if (empty($user_id) === true) {
        continue;
@ -815,6 +822,8 @@ foreach ($info as $user_id => $user_info) {
                    $user_info['id_user'],
                    true
                );
+                // Same csrf for every disable button for submit.
+                $data[6] .= $csrf;
                $data[6] .= html_print_input_hidden(
                    'disable_user',
                    $toDoAction,