diff --git a/app/pages/agents.php b/app/pages/agents.php
index 214a178..7b904e7 100644
--- a/app/pages/agents.php
+++ b/app/pages/agents.php
@@ -47,6 +47,11 @@ function isCacheExpired($agentId) {
 // Handle POST request (saving to cache)
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+
+ // Apply rate limiting for adding new contacts
+ require '../app/includes/rate_limit_middleware.php';
+ checkRateLimit($dbWeb, 'contact', $user_id);
+
 // Validate agent ID for POST operations
 if ($agentId === false || $agentId === null) {
 Feedback::flash('ERROR', 'DEFAULT', 'Invalid agent ID format');
diff --git a/app/pages/config.php b/app/pages/config.php
index 184fc80..f1a73d6 100644
--- a/app/pages/config.php
+++ b/app/pages/config.php
@@ -11,9 +11,10 @@ include '../app/includes/feedback-get.php';
 include '../app/includes/feedback-show.php';
 require '../app/classes/config.php';
-
 $configObject = new Config();
+require '../app/includes/rate_limit_middleware.php';
+
 // For AJAX requests
 $isAjax = !empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
@@ -26,6 +27,9 @@ if (!$isWritable) {
 }
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ // Apply rate limiting
+ checkRateLimit($dbWeb, 'config', $user_id);
+
 // Ensure no output before this point
 ob_clean();
diff --git a/app/pages/login.php b/app/pages/login.php
index 9ceedb2..0686c66 100644
--- a/app/pages/login.php
+++ b/app/pages/login.php
@@ -27,6 +27,10 @@ try {
 if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
 try {
+ // apply page rate limiting
+ require_once '../app/includes/rate_limit_middleware.php';
+ checkRateLimit($dbWeb, 'login', null); // null since user is not logged in yet
+
 // Validate form data
 $security = SecurityHelper::getInstance();
 $formData = $security->sanitizeArray($_POST, ['username', 'password', 'remember_me', 'csrf_token']);
diff --git a/app/pages/profile.php b/app/pages/profile.php
index c022106..11b78c8 100644
--- a/app/pages/profile.php
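Review bot: The middleware is loaded with a plain `require` inside the POST branch here, while login.php, profile.php, security.php and settings.php use `require_once` for the same file, and config.php and register.php also use plain `require`. If rate_limit_middleware.php declares `checkRateLimit()` as a function (the call sites suggest it does) and any shared include already loads that file, the second load is a fatal "cannot redeclare" error on every POST, so `require_once '../app/includes/rate_limit_middleware.php';` should be used at all three sites. The action key `'contact'` is also the only one in this change that is not the page name; if agents are deliberately counted as contacts the comment should say so, otherwise `checkRateLimit($dbWeb, 'agents', $user_id);` keeps one bucket per page. The enclosing POST block continues outside the hunk.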
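Review bot: `checkRateLimit($dbWeb, 'config', $user_id)` runs before `ob_clean()` and before the `$isAjax` flag computed a few lines above is consulted, so whatever the middleware emits when the limit is exceeded (not visible in this diff) reaches an AJAX caller as-is instead of the JSON this page otherwise prepares. Confirm that the middleware's over-limit response is something the AJAX client handles, or branch on `$isAjax` around the call so the limited response keeps the page's content type. The POST block continues outside the hunk.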
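Review bot: `checkRateLimit($dbWeb, 'login', null)` gives the middleware no user identity, so the login limit can only be keyed on request attributes the middleware derives itself, presumably the client address. That is the right shape for a pre-auth endpoint, but it is worth confirming in the middleware that the address it keys on is the one the deployment trusts (`REMOTE_ADDR` versus a proxy-supplied header): a limit keyed on a client-controlled header enforces nothing, and one keyed on a shared proxy address locks out everyone behind it. A comment at the call site such as `// keyed on client address by the middleware; no user context before authentication` would record the intent better than the current one. The enclosing `try` continues outside the hunk.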
+++ b/app/pages/profile.php
@@ -21,7 +21,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 // Apply rate limiting for profile operations
 require_once '../app/includes/rate_limit_middleware.php';
- checkRateLimit($db, 'profile', $user_id);
+ checkRateLimit($dbWeb, 'profile', $user_id);
 $item = $_REQUEST['item'] ?? '';
diff --git a/app/pages/register.php b/app/pages/register.php
index 01235fa..3144984 100644
--- a/app/pages/register.php
+++ b/app/pages/register.php
@@ -17,6 +17,11 @@ if ($config['registration_enabled'] == true) {
 $dbWeb = connectDB($config);
 if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
+
+ // Apply rate limiting
+ require '../app/includes/rate_limit_middleware.php';
+ checkRateLimit($dbWeb, 'register');
+
 require_once '../app/classes/validator.php';
 $validator = new Validator($_POST);
diff --git a/app/pages/security.php b/app/pages/security.php
index 2e37413..64e7017 100644
--- a/app/pages/security.php
+++ b/app/pages/security.php
@@ -24,6 +24,11 @@ $rateLimiter = new RateLimiter($dbWeb);
 // Handle form submissions
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
 require_once '../app/classes/validator.php';
+
+ // Apply rate limiting for security operations
+ require_once '../app/includes/rate_limit_middleware.php';
+ checkRateLimit($dbWeb, 'security', $user_id);
+
 $action = $_POST['action'];
 $validator = new Validator($_POST);
@@ -147,7 +152,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
 // Always show rate limit info message for rate limiting section
 if ($section === 'ratelimit') {
- $messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO'];
+ $system_messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO'];
 }
 // Get current lists
diff --git a/app/pages/settings.php b/app/pages/settings.php
index eb1c7a4..74ad3d3 100644
--- a/app/pages/settings.php
+++ b/app/pages/settings.php
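Review bot: `checkRateLimit($dbWeb, 'register')` is the only call site in this change with two arguments; every other page passes a third (`$user_id`, or an explicit `null` on login.php where no user exists yet). Unless the middleware declares a default for that parameter, this is an ArgumentCountError on every registration POST, and the `$db`/`$dbWeb` fix to profile.php in the same commit suggests these calls are not exercised by a test. Pass `checkRateLimit($dbWeb, 'register', null);` to match login.php, and since registration is also pre-auth, the same question about which client address the middleware keys on applies here. The POST block continues outside the hunk.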
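Review bot: `$rateLimiter = new RateLimiter($dbWeb)` is already constructed at the top of this hunk, and `checkRateLimit($dbWeb, 'security', $user_id)` presumably builds its own limiter from the same connection, so the page now holds two limiter instances with no shared in-memory state; if the middleware can accept an existing limiter, pass `$rateLimiter`, otherwise a comment explaining why the second instance is harmless would help the next reader. A second consideration: this is the page where the rate-limit lists themselves are edited, so an administrator who trips the `'security'` bucket loses access to the controls needed to fix it; a documented exemption or a higher threshold for this action would avoid that lockout. The POST block continues outside the hunk.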
@@ -26,6 +26,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 * Handles form submissions from editing
 */
+ // Apply rate limiting for profile operations
+ require_once '../app/includes/rate_limit_middleware.php';
+ checkRateLimit($dbWeb, 'profile', $user_id);
+
 // Get hash from URL if present
 $hash = parse_url($_SERVER['REQUEST_URI'], PHP_URL_FRAGMENT) ?? '';
 $redirectUrl = htmlspecialchars($app_root) . '?page=settings';
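Review bot: `checkRateLimit($dbWeb, 'profile', $user_id)` on settings.php reuses the `'profile'` action key that profile.php already uses, so both pages share one counter and a user editing settings consumes the profile budget (and vice versa); the copied comment `// Apply rate limiting for profile operations` suggests a paste rather than a deliberate choice. Use `checkRateLimit($dbWeb, 'settings', $user_id);` with `// Apply rate limiting for settings operations` unless sharing the bucket is intended, in which case the comment should say so. The POST block continues outside the hunk.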