fix of issue #484
editing a user now requires a CSRF token
peter-mw committed Aug 31, 2018
1 parent 670228a commit 982ea9d
Showing 3 changed files with 32 additions and 1 deletion.
19 changes: 19 additions & 0 deletions src/Microweber/Providers/UserManager.php
Expand Up @@ -646,6 +646,7 @@ public function register($params)
}

if (defined('MW_API_CALL')) {

if (isset($params['is_admin']) and $this->is_admin() == false) {
unset($params['is_admin']);
}
Expand Down Expand Up @@ -901,6 +902,21 @@ public function save($params)
}
}
if ($force == false) {

if (isset($params['id'])) {
$validate_token = mw()->user_manager->csrf_validate($params);

if ($validate_token == false) {

return array(
'error' => _e('Confirm edit of profile', true),
'form_data_required' => 'token',
'form_data_module' => 'users/profile/confirm_edit'
);

}
}

if (isset($params['id']) and $params['id'] != 0) {
$adm = $this->is_admin();
if ($adm == false) {
Expand All @@ -923,6 +939,9 @@ public function save($params)
return array('error' => 'You must be logged save your settings');
}
} else {



if (!isset($params['id'])) {
$params['id'] = $this->id();
}
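Review bot: The CSRF validation added in the second hunk is wrapped in `if (isset($params['id']))`, yet the else branch in the third hunk assigns `$params['id'] = $this->id()` when no id is posted, so a request that simply omits `id` still saves the current user's profile without any token — the self-edit path this commit targets stays unprotected. Drop the `isset` wrapper so the check runs for every non-forced save: keep `if ($force == false) {` and go straight to `$validate_token = mw()->user_manager->csrf_validate($params);`. If, as the path suggests, this class is what `mw()->user_manager` resolves to, `$this->csrf_validate($params)` is the more direct call. save() starts and ends outside these hunks and the code that sets `$force` is not visible; it is worth confirming it cannot be driven from request parameters, since a forced save bypasses the token check entirely.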
3 changes: 2 additions & 1 deletion userfiles/modules/users/edit_user.php
Expand Up @@ -186,7 +186,8 @@
</span>
<?php endif; ?>
</div>
<input type="hidden" class="mw-ui-field" name="id" value="<?php print $data['id']; ?>">
<input type="hidden" name="id" value="<?php print $data['id']; ?>">
<input type="hidden" name="token" value="<?php print csrf_token() ?>" autocomplete="off">
<div>
<table btos="0" cellpadding="0" cellspacing="0" class="mw-ui-table mw-ui-table-basic mw-admin-user-tab-content" width="100%">
<col width="150px"/>
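Review bot: The kept `id` hidden input still prints `$data['id']` into the `value` attribute unescaped; if this admin edit form can be opened with a caller-supplied id (for example from a query string), that is a reflected-XSS sink, so escape it: `<input type="hidden" name="id" value="<?php print htmlspecialchars((string) $data['id'], ENT_QUOTES, 'UTF-8'); ?>">`. Where `$data` comes from is outside the hunk, so this may be a stored integer and harmless today, but escaping at the output point costs nothing. Also, `autocomplete="off"` has no effect on a hidden input and can be dropped. The enclosing form starts and ends outside the hunk.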
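--- /dev/null
+++ b/userfiles/modules/users/profile/confirm_edit.php
@@ -0,0 +1,11 @@
+<div class="row" style="margin-top: 20px;margin-bottom: 20px;">
+<div class="col-xs-12">
+<div class="form-group">
+<h5><?php _e('Confirm edit of profile'); ?></h5>
+<label class="mw-ui-check">
+<input type="checkbox" name="token" value="<?php print csrf_token() ?>" autocomplete="off"/> &nbsp;
+<span><?php _e('Confirm'); ?></span>
+</label>
+</div>
+</div>
+</div>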
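Review bot: This new partial has no comment explaining its role, and carrying the CSRF token in a checkbox rather than a hidden field is unusual enough that the next reader will wonder whether it is intentional. Add a header at the top of the file: `<?php /* Rendered when UserManager::save() rejects a profile edit that carries no CSRF token; the checkbox submits csrf_token() as `token`, so an unchecked box resubmits without it and is rejected again. */ ?>`. The claim about save() is inferred from the `form_data_module` value in the UserManager hunk, so adjust if the partial is also rendered elsewhere.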
