
Remove the possibility of a CSRF attack unlocking a page / module entry.

timbuckingham committed May 25, 2017
1 parent b722939 commit c17d09b05d9c20c214ee2f4fbb52f7307a7b4b6f
@@ -13,7 +13,7 @@
</p>
</section>
<footer>
<a href="?force=true<?=$view_data?>" class="button blue">Unlock</a>
<a href="?force=true<?=$view_data?><? $admin->drawCSRFTokenGET(); ?>" class="button blue">Unlock</a>
&nbsp;
<a href="javascript:history.go(-1);" class="button white">Cancel</a>
</footer>
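Review bot: The Unlock link still triggers a state-changing action over GET, so the token that `drawCSRFTokenGET()` appends to the href lands in browser history, server access logs and the Referer header of any off-site resource the next page loads; a small POST form carrying the token in a hidden field would keep the protection without exposing the secret in the URL. `$view_data` is also emitted into the href unchanged — if the caller does not already query-string-encode it, passing it through `htmlspecialchars()` here would be the safe default (where it is built is outside this hunk). The same GET link appears in the hunk at `@@ -12,6 +12,6 @@`, where the call is written `<? $admin->drawCSRFTokenGET() ?>` without the trailing semicolon used here; pick one form for both.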
@@ -1,6 +1,12 @@
<?
// Check for a page lock
$force = isset($_GET["force"]) ? true : false;
if (!empty($_GET["force"])) {
$admin->verifyCSRFToken();
$force = true;
} else {
$force = false;
}
$admin->lockCheck($bigtree["form"]["table"],$bigtree["edit_id"],"admin/auto-modules/forms/_locked.php",$force);
$pending_entry = BigTreeAutoModule::getPendingItem($bigtree["form"]["table"],$bigtree["edit_id"]);
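Review bot: `$admin->verifyCSRFToken()` is called only for its side effect and its result is discarded, so the new guard holds only if that method terminates the request on a mismatch; if it instead reports failure by return value, `$force = true` runs regardless and the forced unlock goes ahead. If it does halt, a comment on the call such as `// verifyCSRFToken() ends the request on a bad token; $force is set only after it returns` would keep a later refactor from quietly turning it into a boolean-returning helper. The identical six-line block is pasted into the hunks at `@@ -6,7 +6,13 @@` and `@@ -32,7 +32,13 @@` as well; moving the token check into `lockCheck()` itself, or into one shared include, would make it impossible for a future caller to pass `$force` without the verification.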
@@ -12,6 +12,6 @@
<footer>
<a href="javascript:history.go(-1);" class="button white">Cancel</a>
&nbsp;
<a href="?force=true" class="button blue">Unlock</a>
<a href="?force=true<? $admin->drawCSRFTokenGET() ?>" class="button blue">Unlock</a>
</footer>
</div>
@@ -6,7 +6,13 @@
include BigTree::path("admin/modules/pages/_properties.php");
// Check for a page lock
$force = isset($_GET["force"]) ? $_GET["force"] : false;
if (!empty($_GET["force"])) {
$admin->verifyCSRFToken();
$force = true;
} else {
$force = false;
}
$admin->lockCheck("bigtree_pages",$page["id"],"admin/modules/pages/_locked.php",$force);
// Grab template information
@@ -32,7 +32,13 @@
}
// Check for a page lock
$force = isset($_GET["force"]) ? $_GET["force"] : false;
if (!empty($_GET["force"])) {
$admin->verifyCSRFToken();
$force = true;
} else {
$force = false;
}
$lock_id = $admin->lockCheck("bigtree_pages",$page["id"],"admin/modules/pages/_locked.php",$force);
// See if there's a draft copy.
