authorIgor Scheller <igor.scheller@igorshp.de>2018-09-03 15:33:13 +0100
committermsquare <msquare@notrademark.de>2018-11-21 19:24:36 +0100
commit23c0fae36fb8159bcf8b95bae98555201146457e (patch)
tree6a169114a47391adb1da701f630bb27d73e925d2 /includes
parent8236989be066c51c5f57884bcc42dbc387794651 (diff)
Added csrf middleware
Diffstat (limited to 'includes')
-rw-r--r--includes/pages/admin_user.php3
-rw-r--r--includes/sys_form.php13
2 files changed, 15 insertions, 1 deletions
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 958563a0..3894e724 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -44,6 +44,7 @@ function admin_user()
$html .= '<form action="'
. page_link_to('admin_user', ['action' => 'save', 'id' => $user_id])
. '" method="post">' . "\n";
+ $html .= form_csrf();
$html .= '<table border="0">' . "\n";
$html .= '<input type="hidden" name="Type" value="Normal">' . "\n";
$html .= '<tr><td>' . "\n";
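Review bot: The hidden `_token` field added after the `<form … method="post">` line is only half of the protection; nothing in this hunk (or the identical additions at the `change_pw` and `save_groups` forms in the next two hunks) shows that the `save`, `change_pw` and `save_groups` handlers reject a request whose token is missing or wrong, and the commit message attributes that to a middleware outside this diff. Please confirm the middleware is applied to the POST routes generated by `page_link_to('admin_user', …)`, otherwise the field is decorative. If admin_user.php contains further POST forms that these three hunks do not touch, an enforcing middleware would now reject them, so the file is worth scanning for other `method="post"` occurrences. The body of admin_user() starts and ends outside these hunks.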
@@ -105,6 +106,7 @@ function admin_user()
$html .= 'Hier kannst Du das Passwort dieses Engels neu setzen:<form action="'
. page_link_to('admin_user', ['action' => 'change_pw', 'id' => $user_id])
. '" method="post">' . "\n";
+ $html .= form_csrf();
$html .= '<table>' . "\n";
$html .= ' <tr><td>Passwort</td><td>' . '<input type="password" size="40" name="new_pw" value="" class="form-control"></td></tr>' . "\n";
$html .= ' <tr><td>Wiederholung</td><td>' . '<input type="password" size="40" name="new_pw2" value="" class="form-control"></td></tr>' . "\n";
@@ -135,6 +137,7 @@ function admin_user()
$html .= 'Hier kannst Du die Benutzergruppen des Engels festlegen:<form action="'
. page_link_to('admin_user', ['action' => 'save_groups', 'id' => $user_id])
. '" method="post">' . "\n";
+ $html .= form_csrf();
$html .= '<table>';
$groups = DB::select('
diff --git a/includes/sys_form.php b/includes/sys_form.php
index a1b78b70..07a61dbb 100644
--- a/includes/sys_form.php
+++ b/includes/sys_form.php
@@ -407,7 +407,18 @@ function form_element($label, $input, $for = '')
*/
function form($elements, $action = '')
{
- return '<form action="' . $action . '" enctype="multipart/form-data" method="post">' . join($elements) . '</form>';
+ return '<form action="' . $action . '" enctype="multipart/form-data" method="post">'
+ . form_csrf()
+ . join($elements)
+ . '</form>';
+}
+
+/**
+ * @return string
+ */
+function form_csrf()
+{
+ return form_hidden('_token', session()->get('_token'));
}
/**
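Review bot: form_csrf() passes the raw result of `session()->get('_token')` to form_hidden(), so when no token is in the session (middleware not run for this request, or a session started elsewhere) it silently renders `<input type="hidden" name="_token" value="">` and the form will simply be rejected on submit with no hint why. If the middleware is guaranteed to seed the token before any page renders, say so; otherwise fail loudly: `$token = session()->get('_token');` / `if (empty($token)) { throw new \RuntimeException('CSRF token not initialised in session'); }` / `return form_hidden('_token', $token);`. The `@return string` docblock should also state the contract, e.g. `Renders the hidden _token field carrying the session CSRF token; every state-changing POST form must include it or the CSRF middleware rejects the request.` Note that form() now emits this field for every caller, so any form() built for a GET-style or externally targeted action will post a session token to that target — presumably intended, but worth a line in the form() docblock, which starts outside this hunk.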