Products: Add missing CSRF checks change wording from unarchive to restore
@@ -22,6 +22,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
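Review bot: The new hidden input writes `$_SESSION['csrf_token']` straight into an attribute value without escaping, which is only harmless if the token is generated from a fixed hex/base64 alphabet, and nothing in these hunks shows how it is produced. Emitting it as `value="<?= htmlspecialchars($_SESSION['csrf_token'] ?? '', ENT_QUOTES, 'UTF-8') ?>"` keeps the markup safe regardless of the generator and avoids an undefined-index warning when the session has no token yet. The same unescaped pattern is added in the hunks headed `@@ -28,6 +28,7 @@`, `@@ -13,6 +13,7 @@` and `@@ -18,6 +18,7 @@`. The `<form>` opened here is closed outside the hunk.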
@@ -28,6 +28,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="product_id" value="<?php echo $product_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -13,6 +13,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
</div>
|
||||
|
||||
@@ -18,6 +18,7 @@ ob_start();
|
||||
</button>
|
||||
</div>
|
||||
<form action="post.php" method="post" autocomplete="off">
|
||||
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
|
||||
<input type="hidden" name="product_id" value="<?php echo $product_id; ?>">
|
||||
<div class="modal-body">
|
||||
|
||||
|
||||
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");
|
||||
|
||||
if (isset($_POST['add_product'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
require_once 'product_model.php';
|
||||
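Review bot: `validateCSRFToken($_POST['csrf_token'])` reads the field unconditionally, so a request that omits it raises an undefined-index warning and hands `null` to the validator; unless that function is declared to take a `string` and reject `null`, the missing case should be normalised explicitly with `validateCSRFToken($_POST['csrf_token'] ?? '');`. Putting the token check ahead of `enforceUserPermission` is the right order, since the request fails before any authorisation-dependent logic runs. The same one-line adjustment applies to each `$_POST['csrf_token']` / `$_GET['csrf_token']` read added in the remaining post-handler hunks, from `@@ -27,6 +29,8 @@` through `@@ -202,9 +214,9 @@`.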
@@ -27,6 +29,8 @@ if (isset($_POST['add_product'])) {
|
||||
|
||||
if (isset($_POST['edit_product'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
require_once 'product_model.php';
|
||||
@@ -45,6 +49,8 @@ if (isset($_POST['edit_product'])) {
|
||||
|
||||
if (isset($_GET['archive_product'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$product_id = intval($_GET['archive_product']);
|
||||
@@ -61,17 +67,19 @@ if (isset($_GET['archive_product'])) {
|
||||
|
||||
}
|
||||
|
||||
if (isset($_GET['unarchive_product'])) {
|
||||
if (isset($_GET['restore_product'])) {
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$product_id = intval($_GET['unarchive_product']);
|
||||
$product_id = intval($_GET['restore_product']);
|
||||
|
||||
$product_name = sanitizeInput(getFieldById('products', $product_id, 'product_name'));
|
||||
|
||||
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id");
|
||||
|
||||
logAction("Product", "Unarchive", "$session_name unarchived product $product_name", 0, $product_id);
|
||||
logAction("Product", "Restore", "$session_name restored product $product_name", 0, $product_id);
|
||||
|
||||
flash_alert("Product <strong>$product_name</strong> restored");
|
||||
|
||||
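Review bot: Renaming the handler key to `restore_product` means any link or form that still sends `unarchive_product` no longer matches this branch and silently does nothing, because there is no alias for the old name. The list-page link is updated in this commit (`@@ -287,18 +287,18 @@`), but other callers are not visible here, and the same applies to `bulk_unarchive_products` → `bulk_restore_products` in `@@ -166,10 +178,10 @@`, whose submitting form is not in the diff. A short comment on the branch, `// renamed from unarchive_product; no backward-compatible alias`, would make the intentional break explicit to the next maintainer. The body of this branch continues past the end of the hunk.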
@@ -80,7 +88,9 @@ if (isset($_GET['unarchive_product'])) {
|
||||
}
|
||||
|
||||
if (isset($_GET['delete_product'])) {
|
||||
|
||||
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 3);
|
||||
|
||||
$product_id = intval($_GET['delete_product']);
|
||||
@@ -100,6 +110,8 @@ if (isset($_GET['delete_product'])) {
|
||||
|
||||
if (isset($_POST['bulk_edit_product_category'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
$category_id = intval($_POST['bulk_category_id']);
|
||||
@@ -135,7 +147,7 @@ if (isset($_POST['bulk_edit_product_category'])) {
|
||||
}
|
||||
|
||||
if (isset($_POST['bulk_archive_products'])) {
|
||||
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
@@ -166,10 +178,10 @@ if (isset($_POST['bulk_archive_products'])) {
|
||||
|
||||
}
|
||||
|
||||
if (isset($_POST['bulk_unarchive_products'])) {
|
||||
if (isset($_POST['bulk_restore_products'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
|
||||
enforceUserPermission('module_sales', 2);
|
||||
|
||||
if (isset($_POST['product_ids'])) {
|
||||
@@ -185,13 +197,13 @@ if (isset($_POST['bulk_unarchive_products'])) {
|
||||
|
||||
mysqli_query($mysqli,"UPDATE products SET product_archived_at = NULL WHERE product_id = $product_id");
|
||||
|
||||
logAction("Product", "Unarchive", "$session_name unarchived product $product_name", 0, $product_id);
|
||||
logAction("Product", "Restore", "$session_name restored product $product_name", 0, $product_id);
|
||||
|
||||
}
|
||||
|
||||
logAction("Product", "Bulk Unarchive", "$session_name unarchived $count product(s)");
|
||||
logAction("Product", "Bulk Restore", "$session_name restored $count product(s)");
|
||||
|
||||
flash_alert("Unarchived <strong>$count</strong> product(s)");
|
||||
flash_alert("Restored <strong>$count</strong> product(s)");
|
||||
|
||||
}
|
||||
|
||||
@@ -202,9 +214,9 @@ if (isset($_POST['bulk_unarchive_products'])) {
|
||||
if (isset($_POST['bulk_delete_products'])) {
|
||||
|
||||
validateCSRFToken($_POST['csrf_token']);
|
||||
|
||||
|
||||
enforceUserPermission('module_sales', 3);
|
||||
|
||||
|
||||
|
||||
if (isset($_POST['product_ids'])) {
|
||||
|
||||
|
||||
@@ -287,18 +287,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<?php if ($session_user_role == 3) { ?>
|
||||
<?php if ($product_archived_at) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-info" href="post.php?unarchive_product=<?php echo $product_id; ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Unarchive
|
||||
<a class="dropdown-item text-info" href="post.php?restore_product=<?= $product_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-redo mr-2"></i>Restore
|
||||
</a>
|
||||
<?php if ($config_destructive_deletes_enable) { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_product=<?php echo $product_id; ?>">
|
||||
<a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_product=<?= $product_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-trash mr-2"></i>Delete
|
||||
</a>
|
||||
<?php } ?>
|
||||
<?php } else { ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_product=<?php echo $product_id; ?>">
|
||||
<a class="dropdown-item text-danger confirm-link" href="post.php?archive_product=<?= $product_id ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
|
||||
<i class="fas fa-fw fa-archive mr-2"></i>Archive
|
||||
</a>
|
||||
<?php } ?>
|
||||
|
||||
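Review bot: The archive, restore and delete anchors now carry the CSRF token in the query string of a GET request, so the token is exposed in browser history, server access logs and outgoing `Referer` headers, and a state change remains reachable from a plain link. The check closes the forgery gap, but the modal forms in this same commit already use the POST pattern; converting these three anchors to small POST forms carrying the hidden `csrf_token` input would keep the token out of URLs entirely. As written, the value should at least be URL-encoded, e.g. `&csrf_token=<?= urlencode($_SESSION['csrf_token']) ?>`, since it is emitted into a URL rather than an attribute. The outer `if ($session_user_role == 3)` block appears to close outside the hunk.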