Adds CSRF protection to profile page

Yasen Pramatarov 2025-04-07 15:24:53 +03:00
parent 90688016e8
commit 7668ee2040
1 changed files with 14 additions and 3 deletions


@ -13,9 +13,18 @@
*/ */
$action = $_REQUEST['action'] ?? ''; $action = $_REQUEST['action'] ?? '';
$item = $_REQUEST['item'] ?? '';
// if a form is submitted, it's from the edit page // if a form is submitted, it's from the edit page
if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Validate CSRF token
require_once '../app/helpers/security.php';
$security = SecurityHelper::getInstance();
if (!$security->verifyCsrfToken($_POST['csrf_token'] ?? '')) {
Feedback::flash('ERROR', 'DEFAULT', 'Invalid security token. Please try again.');
header("Location: $app_root?page=profile");
exit();
}
require_once '../app/classes/validator.php'; require_once '../app/classes/validator.php';
@ -23,8 +32,6 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
require_once '../app/includes/rate_limit_middleware.php'; require_once '../app/includes/rate_limit_middleware.php';
checkRateLimit($dbWeb, 'profile', $user_id); checkRateLimit($dbWeb, 'profile', $user_id);
$item = $_REQUEST['item'] ?? '';
// avatar removal // avatar removal
if ($item === 'avatar' && $action === 'remove') { if ($item === 'avatar' && $action === 'remove') {
$validator = new Validator(['user_id' => $user_id]); $validator = new Validator(['user_id' => $user_id]);
@ -136,8 +143,12 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$avatar = !empty($userDetails[0]['avatar']) ? $config['avatars_path'] . $userDetails[0]['avatar'] : $config['default_avatar']; $avatar = !empty($userDetails[0]['avatar']) ? $config['avatars_path'] . $userDetails[0]['avatar'] : $config['default_avatar'];
$default_avatar = empty($userDetails[0]['avatar']) ? true : false; $default_avatar = empty($userDetails[0]['avatar']) ? true : false;
switch ($action) { // Generate CSRF token if not exists
require_once '../app/helpers/security.php';
$security = SecurityHelper::getInstance();
$security->generateCsrfToken();
switch ($action) {
case 'edit': case 'edit':
$allRights = $userObject->getAllRights(); $allRights = $userObject->getAllRights();
$allTimezones = timezone_identifiers_list(); $allTimezones = timezone_identifiers_list();
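Review bot: The rejected-token branch in the first hunk (the `if (!$security->verifyCsrfToken(...))` block) flashes a message and redirects but records nothing, so repeated CSRF failures against this page — a signal a defender would want to alert on — leave no trace; add a log call before the `header(...)` line, or at minimum the comment `// TODO: log failed CSRF verification (user id, source IP) for monitoring`. The comment `// Generate CSRF token if not exists` in the last hunk asserts idempotence that is not visible here: if `generateCsrfToken()` actually rotates the token on every render, a form submitted from a second tab will be rejected, so confirm the helper keeps an existing session token and word the comment to match. Whether `verifyCsrfToken()` compares with `hash_equals()` is also not visible from this diff and is worth confirming in the helper. The `require_once '../app/helpers/security.php'; $security = SecurityHelper::getInstance();` pair is now duplicated in the POST branch and the render path; loading the helper once near the top of the file, beside the other `require_once` calls, would avoid the two copies drifting. The `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block that encloses the first two hunks ends outside the shown lines.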