Faille CRSF articles des blogs

This commit is contained in:
fredtempez 2019-01-16 16:48:03 +01:00
parent 0ba83d0612
commit a30b210e82
2 changed files with 12 additions and 4 deletions

View File

@ -113,7 +113,7 @@ class blog extends common {
$comment['userId'] ? $this->getData(['user', $comment['userId'], 'firstname']) . ' ' . $this->getData(['user', $comment['userId'], 'lastname']) : $comment['author'], $comment['userId'] ? $this->getData(['user', $comment['userId'], 'firstname']) . ' ' . $this->getData(['user', $comment['userId'], 'lastname']) : $comment['author'],
template::button('blogCommentDelete' . $commentIds[$i], [ template::button('blogCommentDelete' . $commentIds[$i], [
'class' => 'blogCommentDelete buttonRed', 'class' => 'blogCommentDelete buttonRed',
'href' => helper::baseUrl() . $this->getUrl(0) . '/comment-delete/' . $comment['articleId'] . '/' . $commentIds[$i], 'href' => helper::baseUrl() . $this->getUrl(0) . '/comment-delete/' . $comment['articleId'] . '/' . $commentIds[$i] . '/' . $_SESSION['csrf'] ,
'value' => template::ico('cancel') 'value' => template::ico('cancel')
]) ])
]; ];
@ -136,6 +136,14 @@ class blog extends common {
'access' => false 'access' => false
]); ]);
} }
// Jeton incorrect
elseif ($this->getUrl(4) !== $_SESSION['csrf']) {
// Valeurs en sortie
$this->addOutput([
'redirect' => helper::baseUrl() . $this->getUrl(0) . '/config',
'notification' => 'Action non autorisée'
]);
}
// Suppression // Suppression
else { else {
$this->deleteData(['module', $this->getUrl(0), $this->getUrl(2), 'comment', $this->getUrl(3)]); $this->deleteData(['module', $this->getUrl(0), $this->getUrl(2), 'comment', $this->getUrl(3)]);

View File

@ -115,7 +115,7 @@ code d'origine
<div class="col2 offset8"> <div class="col2 offset8">
<?php echo template::button('blogEdit', [ <?php echo template::button('blogEdit', [
'class' => 'buttonBlue', 'class' => 'buttonBlue',
'href' => helper::baseUrl() . $this->getUrl(0) . '/edit/' . $this->getUrl(1), 'href' => helper::baseUrl() . $this->getUrl(0) . '/edit/' . $this->getUrl(1) . '/' . $_SESSION['csrf'],
'value' => 'Editer' 'value' => 'Editer'
]); ?> ]); ?>
</div> </div>