Skip to content
Permalink
Browse files
Protect DML operations against CSRF
  • Loading branch information
Ahmad Gneady committed Sep 13, 2021
1 parent 2bca559 commit f45953e26ffdbc37735239da20a9bf43c6bdc6c3
Showing with 11 additions and 1 deletion.
  1. +1 −0 .gitignore
  2. +1 −1 app/common.js
  3. +9 −0 app/datalist.php
@@ -10,3 +10,4 @@ app/images
*.cache
*.zip
test*.php
app/admin/backups
@@ -643,7 +643,7 @@ function mass_delete(t, ids) {
if(!continue_delete) return;
jQuery.ajax(t + '_view.php', {
type: 'POST',
data: { delete_x: 1, SelectedID: ids[itrn] },
data: { delete_x: 1, SelectedID: ids[itrn], csrf_token: $j('#csrf_token').val() },
success: function(resp) {
if(resp != 'OK') {
jQuery('<li class="text-danger">' + resp + '</li>').appendTo('.well.details_list ol');
@@ -240,6 +240,9 @@ function Render() {
}

elseif($insert_x != '') {
// insert only if either a csrf or jwt token is provided
if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);

$error_message = '';
$SelectedID = call_user_func_array(
$this->TableName . '_insert',
@@ -290,6 +293,9 @@ function Render() {
}

elseif($delete_x != '') {
// delete only if either a csrf or jwt token is provided
if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);

$delete_res = call_user_func_array($this->TableName.'_delete', array($SelectedID, $this->AllowDeleteOfParents, $SkipChecks));
// handle ajax delete requests
if(is_ajax()) {
@@ -314,6 +320,9 @@ function Render() {
}

elseif($update_x != '') {
// update only if either a csrf or jwt token is provided
if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);

$error_message = '';
$updated = call_user_func_array(
$this->TableName . '_update',

0 comments on commit f45953e

Please sign in to comment.