From b150f26d21c3ea19110a8076f67e7fd5389e6cd9 Mon Sep 17 00:00:00 2001
From: fredtempez
Date: Mon, 21 Jan 2019 19:51:33 +0100
Subject: [PATCH] =?UTF-8?q?Affichage=20erreur=20infond=C3=A9e=20si=20clic?=
 =?UTF-8?q?=20user=20connect=C3=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGES.md | 2 ++
 core/core.php | 2 +-
 core/module/user/user.php | 4 +++-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 1bf052cc..c28a582f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -10,6 +10,8 @@ - VisualBlocks dans TinyMCE Mises à jour : - TinyColoPicker + - contrôle CSRF de l'accès à l'utilisateur connecté + ## Version 8.5.7 * Correction :
diff --git a/core/core.php b/core/core.php
index d077813a..c9e7bb5c 100644
--- a/core/core.php
+++ b/core/core.php
@@ -2224,7 +2224,7 @@ class layout extends common { // } // Mise à jour bloquée } - $rightItems .= '
  • ' . template::ico('user', 'right') . $this->getUser('firstname') . ' ' . $this->getUser('lastname') . '
  • '; + $rightItems .= '
  • ' . template::ico('user', 'right') . $this->getUser('firstname') . ' ' . $this->getUser('lastname') . '
  • '; $rightItems .= '
  • ' . template::ico('logout') . '
  • '; // Barre de membre echo '
      ' . $leftItems . '
      ' . $rightItems . '
    ';
diff --git a/core/module/user/user.php b/core/module/user/user.php
index 4707bf40..b16cb252 100755
--- a/core/module/user/user.php
+++ b/core/module/user/user.php
@@ -152,12 +152,14 @@ class user extends common {
 'access' => false
 ]);
 }
- if ($this->getUrl(4) !== $_SESSION['csrf']) {
+ if ($this->getUrl(3) !== $_SESSION['csrf']) {
+ if ( $this->getUrl(4) !== $_SESSION['csrf']) {
 // Valeurs en sortie
 $this->addOutput([
 'redirect' => helper::baseUrl() . 'user',
 'notification' => 'Action non autorisée'
 ]);
+ }
 }
 // Accès autorisé
 else {
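Review bot: The new nesting leaves a gap in the authorization check: the `else` marked "Accès autorisé" still pairs with the outer `if`, so a request carrying the token at URL position 3 reaches the `else`, while one carrying it only at position 4 passes the inner check without being redirected and then also skips the `else` block, falling through to whatever follows. If the intent is to accept the token at either position, one flattened condition says so without the dead path: `if ($this->getUrl(3) !== $_SESSION['csrf'] && $this->getUrl(4) !== $_SESSION['csrf']) {`, dropping the inner `if` and its added closing brace. While touching this line, comparing the token with `hash_equals()` instead of `!==` is the conventional form for secret comparison. The enclosing method starts and ends outside the hunk, so what runs after the `else` block, and whether the fall-through case is reachable in practice, cannot be confirmed from here.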