From 944c29b96429ec95ac1371cb33cc43704a60c7b1 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Tue, 20 Nov 2018 16:02:03 +0100
Subject: Require POST for sending forms

* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes #494 (Security Vulnerability)
---
 includes/controller/users_controller.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'includes/controller/users_controller.php')

diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index 0bf612d5..51b6e432 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -66,7 +66,7 @@ function user_delete_controller()
         redirect(user_link($user->id));
     }
 
-    if ($request->has('submit')) {
+    if ($request->hasPostData('submit')) {
         $valid = true;
 
         if (
@@ -80,6 +80,8 @@ function user_delete_controller()
         }
 
         if ($valid) {
+            // Load data before user deletion to prevent errors when displaying
+            $user_source->load(['contact', 'personalData', 'settings', 'state']);
             $user_source->delete();
             mail_user_delete($user_source);
 
@@ -150,7 +152,7 @@ function user_edit_vouchers_controller()
         redirect(page_link_to(''));
     }
 
-    if ($request->has('submit')) {
+    if ($request->hasPostData('submit')) {
         $valid = true;
         $vouchers = '';
 
@@ -326,7 +328,7 @@ function user_password_recovery_set_new_controller()
         redirect(page_link_to('login'));
     }
 
-    if ($request->has('submit')) {
+    if ($request->hasPostData('submit')) {
         $valid = true;
 
         if (
@@ -361,7 +363,7 @@ function user_password_recovery_set_new_controller()
 function user_password_recovery_start_controller()
 {
     $request = request();
-    if ($request->has('submit')) {
+    if ($request->hasPostData('submit')) {
         $valid = true;
         $user_source = null;
 
-- 
cgit v1.2.3-54-g00ecf
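Review bot: Requiring the `submit` field to arrive via POST (`$request->hasPostData('submit')` in user_delete_controller) does not by itself stop a cross-site request: a third-party page can still auto-submit a POST form to this endpoint with the victim's session cookie, so the delete action stays CSRF-exposed unless a token is verified somewhere not shown in this hunk. If the project has no global CSRF middleware, the delete form should carry a per-session token and this branch should reject a request whose token does not match before any of the validation below runs; a comment such as `// POST-only: GET links must not trigger deletion (#494); CSRF token is checked by …` would also record where that second check lives. The difference between `has` and `hasPostData` is defined in the Request class, which is not visible here; presumably `has` also accepted query-string parameters, which is the issue the commit addresses. The body of user_delete_controller begins and ends outside the hunk.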
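Review bot: The comment on the added `$user_source->load([...])` call says what is done but not why it has to happen here; since the line after `delete()` is `mail_user_delete($user_source)`, the loaded relations are presumably consumed when the deletion mail is rendered, and the comment should say so, e.g. `// Eager-load relations now: after delete() they can no longer be fetched, and mail_user_delete() still renders them`. This change is also unrelated to the POST requirement described in the commit message and is not mentioned there, so a reader bisecting a mail-rendering regression will not find it from the message. The enclosing `if ($valid)` block continues outside the hunk.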