Diffstat (limited to 'includes')
-rw-r--r-- | includes/pages/admin_user.php | 3 | ||||
-rw-r--r-- | includes/sys_form.php | 13 |
2 files changed, 15 insertions, 1 deletions
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 958563a0..3894e724 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -44,6 +44,7 @@ function admin_user()
     $html .= '<form action="' . page_link_to('admin_user', ['action' => 'save', 'id' => $user_id]) . '" method="post">' . "\n";
+    $html .= form_csrf();
     $html .= '<table border="0">' . "\n";
     $html .= '<input type="hidden" name="Type" value="Normal">' . "\n";
     $html .= '<tr><td>' . "\n";
@@ -105,6 +106,7 @@ function admin_user()
     $html .= 'Hier kannst Du das Passwort dieses Engels neu setzen:<form action="' . page_link_to('admin_user', ['action' => 'change_pw', 'id' => $user_id]) . '" method="post">' . "\n";
+    $html .= form_csrf();
     $html .= '<table>' . "\n";
     $html .= ' <tr><td>Passwort</td><td>' . '<input type="password" size="40" name="new_pw" value="" class="form-control"></td></tr>' . "\n";
     $html .= ' <tr><td>Wiederholung</td><td>' . '<input type="password" size="40" name="new_pw2" value="" class="form-control"></td></tr>' . "\n";
@@ -135,6 +137,7 @@ function admin_user()
     $html .= 'Hier kannst Du die Benutzergruppen des Engels festlegen:<form action="' . page_link_to('admin_user', ['action' => 'save_groups', 'id' => $user_id]) . '" method="post">' . "\n";
+    $html .= form_csrf();
     $html .= '<table>';
     $groups = DB::select('
diff --git a/includes/sys_form.php b/includes/sys_form.php
index a1b78b70..07a61dbb 100644
--- a/includes/sys_form.php
+++ b/includes/sys_form.php
@@ -407,7 +407,18 @@ function form_element($label, $input, $for = '')
  */
 function form($elements, $action = '')
 {
-    return '<form action="' . $action . '" enctype="multipart/form-data" method="post">' . join($elements) . '</form>';
+    return '<form action="' . $action . '" enctype="multipart/form-data" method="post">'
+        . form_csrf()
+        . join($elements)
+        . '</form>';
+}
+
+/**
+ * @return string
+ */
+function form_csrf()
+{
+    return form_hidden('_token', session()->get('_token'));
 }
 
 /** |
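Review bot: Emitting the hidden `_token` field in the three hand-built forms (hunks at lines 44, 105 and 135 of admin_user.php) only closes the CSRF gap if the `save`, `change_pw` and `save_groups` handlers actually compare the submitted value against the session token, and that check is not visible anywhere in this diff. If it lives in a shared dispatcher, a short comment at the first call site, `// CSRF token; the POST handler must verify _token before acting on the request`, would tell the next reader where the verification happens; if it does not exist yet, it belongs in the same change as these fields. Because these forms are concatenated by hand instead of going through `form()`, any other hand-built `<form method="post">` in this file that the commit does not touch is presumably still unprotected and worth checking for. admin_user() starts and ends outside these hunks.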
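Review bot: `form_csrf()` in sys_form.php assumes `session()->get('_token')` already holds a value; if the token is generated elsewhere (not visible here) and the session lacks it, the function renders `_token` with an empty value, and a verifier that merely compares submitted and stored values would then accept an empty token from a forged request. Either have `form_csrf()` fail loudly when the token is absent, e.g. `$token = session()->get('_token');` followed by `if ($token === null || $token === '') { throw new RuntimeException('CSRF token missing from session'); }`, or make sure the verification side rejects empty tokens and record that contract in the docblock. The bare `@return string` should also say what the string is, e.g. `Hidden _token field carrying the session CSRF token; belongs inside every POST form.` The `$action` value interpolated into `form()` is still emitted unescaped, which predates this change but sits on the rewritten line.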