- Require CSRF validation when disabling/enabling users

- Code tidy

post.php

@@ -190,6 +190,7 @@ if(isset($_POST['edit_user'])){
 if(isset($_GET['activate_user'])){
 
     validateAdminRole();
+    validateCSRFToken($_GET['csrf_token']);
 
     $user_id = intval($_GET['activate_user']);
 
@@ -207,6 +208,7 @@ if(isset($_GET['activate_user'])){
 if(isset($_GET['disable_user'])){
 
     validateAdminRole();
+    validateCSRFToken($_GET['csrf_token']);
 
     $user_id = intval($_GET['disable_user']);
 

users.php

@@ -10,11 +10,14 @@ if (!empty($_GET['sb'])) {
 //Rebuild URL
 $url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
 
-$sql = mysqli_query($mysqli, "SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
+$sql = mysqli_query(
+    $mysqli,
+    "SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
     WHERE users.user_id = user_settings.user_id
     AND (user_name LIKE '%$q%' OR user_email LIKE '%$q%')
     AND user_archived_at IS NULL
-    ORDER BY $sb $o LIMIT $record_from, $record_to");
+    ORDER BY $sb $o LIMIT $record_from, $record_to"
+);
 
 $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
@@ -142,9 +145,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                 <div class="dropdown-menu">
                                     <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserModal<?php echo $user_id; ?>">Edit</a>
                                     <?php if ($user_status == 0) { ?>
-                                        <a class="dropdown-item text-success" href="post.php?activate_user=<?php echo $user_id; ?>">Activate</a>
+                                        <a class="dropdown-item text-success" href="post.php?activate_user=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Activate</a>
                                     <?php }elseif ($user_status == 1) { ?>
-                                        <a class="dropdown-item text-danger" href="post.php?disable_user=<?php echo $user_id; ?>">Disable</a>
+                                        <a class="dropdown-item text-danger" href="post.php?disable_user=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Disable</a>
                                     <?php } ?>
                                     <div class="dropdown-divider"></div>
                                     <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserCompaniesModal<?php echo $user_id; ?>">Company Access</a>
@@ -157,9 +160,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
                     <?php
 
-                    include("user_edit_modal.php");
+                    require("user_edit_modal.php");
-                    include("user_companies_modal.php");
+                    require("user_companies_modal.php");
-                    include("user_archive_modal.php");
+                    require("user_archive_modal.php");
 
                 }
 
@@ -168,7 +171,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                 </tbody>
             </table>
         </div>
-        <?php include("pagination.php"); ?>
+        <?php require_once("pagination.php"); ?>
     </div>
 </div>
 <script>
@@ -179,9 +182,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 
 <?php
 
-include("user_add_modal.php");
+require_once("user_add_modal.php");
-include("user_invite_modal.php");
+require_once("user_invite_modal.php");
-
+require_once("footer.php");
-include("footer.php");
-
-?>