From de51f59ef9a50bce0ef63a883c590d1feeadca5d Mon Sep 17 00:00:00 2001 From: Thomas Lange Date: Thu, 5 Aug 2021 17:38:36 +0200 Subject: Show error message if CSRF token does not matches Print an error message for various actions in the administration area if the security token is invalid, instead of silently preventing the user's desired action to perform if the token is invalid for some reason. This change applies for the delete actions on all entity types and also for the login action and the database command execution form; the forms for creating/modifying entities had already shown a CSRF error before. --- admin/post/delete.php | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'admin/post/delete.php') diff --git a/admin/post/delete.php b/admin/post/delete.php index 519ba9e..3fb4c84 100644 --- a/admin/post/delete.php +++ b/admin/post/delete.php @@ -25,13 +25,17 @@ if(!$Post = $PostRepository->find(HTTP::GET('id'))) { #=============================================================================== # Check for delete request #=============================================================================== -if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) { - try { - if($PostRepository->delete($Post)) { - HTTP::redirect(Application::getAdminURL('post/')); +if(HTTP::issetPOST('delete')) { + if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) { + try { + if($PostRepository->delete($Post)) { + HTTP::redirect(Application::getAdminURL('post/')); + } + } catch(PDOException $Exception) { + $messages[] = $Exception->getMessage(); } - } catch(PDOException $Exception) { - $messages[] = $Exception->getMessage(); + } else { + $messages[] = $Language->text('error_security_csrf'); } } -- cgit v1.2.3