Merge branch 'master' of https://github.com/Shadowss/TravianZ

2026-06-28 00:24:23 +00:00 · 2026-06-23 11:13:05 +03:00
parent a9be6204db fb225b562f
commit 5f86fdcbf6
13 changed files with 50 additions and 4 deletions
@@ -63,6 +63,7 @@ $varmedal = $database->getProfileMedalAlly($_GET['aid']);
        <td><img src="../gpack/travian_default/img/t/<?=$medal['img']?>.jpg"></td>
        <td>
          <form action="../GameEngine/Admin/Mods/delallymedal.php" method="POST" style="margin:0">
+            <?php echo csrf_field(); ?>
            <input type="hidden" name="aid" value="<?=$_GET['aid']?>">
            <input type="hidden" name="admid" value="<?=$_SESSION['id']?>">
            <button type="submit" name="medalid" value="<?=$medal['id']?>" class="medal-del" title="Delete">
@@ -81,6 +82,7 @@ $varmedal = $database->getProfileMedalAlly($_GET['aid']);
        <td>Delete All</td>
        <td>
          <form action="../GameEngine/Admin/Mods/delallymedalbyaid.php" method="POST" style="margin:0">
+            <?php echo csrf_field(); ?>
            <input type="hidden" name="admid" value="<?=$_SESSION['id']?>">
            <input type="hidden" name="aid" value="<?=$_GET['aid']?>">
            <button type="submit" class="medal-del" title="Delete All">
@@ -44,6 +44,7 @@ $members = $database->getAllMember($aid);
        <div class="warn">⚠ All members will be removed from the alliance, permissions, diplomacy, logs and the alliance forum will be deleted. The action is irreversible!</div>

        <form method="POST" action="../GameEngine/Admin/Mods/delAli.php" onsubmit="return confirm('Last warning: DELETE PERMANENTLY?');">
+            <?php echo csrf_field(); ?>
            <input type="hidden" name="aid" value="<?php echo $aid;?>">
            <input type="hidden" name="admid" value="<?php echo $_SESSION['id'];?>">
            <button type="submit" class="btn del">YES, DELETE</button>
@@ -63,6 +63,7 @@ $nummedals = $sql['Total'];


 <form action="../GameEngine/Admin/Mods/delallymedalbyweek.php" method="POST">
+<?php echo csrf_field(); ?>
 <input type="hidden" name="admid" id="admid" value="<?php echo $_SESSION['id']; ?>">
 <table id="member">
 	<thead>
@@ -64,6 +64,7 @@ $nummedals = $sql['Total'];


 <form action="../GameEngine/Admin/Mods/deletemedalbyweek.php" method="POST">
+<?php echo csrf_field(); ?>
 <input type="hidden" name="admid" id="admid" value="<?php echo $_SESSION['id']; ?>">
 <table id="member">
 	<thead>
@@ -59,6 +59,7 @@ textarea{width:100%;box-sizing:border-box;min-height:120px;padding:8px;border:1p
    </div>

    <form action="../GameEngine/Admin/Mods/editAli.php" method="POST">
+        <?php echo csrf_field(); ?>
        <input type="hidden" name="aid" value="<?php echo $aid; ?>">
        <input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">

@@ -56,6 +56,7 @@
          <td><img class="medal" src="../gpack/travian_default/img/t/'.$medal['img'].'.jpg"></td>
          <td>
            <form action="../GameEngine/Admin/Mods/medals.php" method="POST" style="margin:0">
+              '.csrf_field().'
              <input type="hidden" name="uid" value="'.$_GET['uid'].'">
              <input type="hidden" name="medalid" value="'.$medal['id'].'">
              <button type="submit" class="medals-del" title="Delete medal">
@@ -71,6 +72,7 @@
      echo '<tr class="avg-row"><td style="text-align:left"><b>Average Rank</b></td><td>'.$average.'</td><td></td><td></td><td>Delete All</td>
        <td>
          <form action="../GameEngine/Admin/Mods/medals.php" method="POST" style="margin:0">
+            '.csrf_field().'
            <input type="hidden" name="uid" value="'.$_GET['uid'].'">
            <input type="hidden" name="userid" value="'.$id.'">
            <button type="submit" class="medals-del" title="Delete all medals">
@@ -14,6 +14,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");

 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");

 // ---------------------------------------------------------------------------
@@ -11,6 +11,12 @@
 #################################################################################
 if (!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Account.php");

 // go max 5 levels up - we don't have folders that go deeper than that
@@ -34,10 +40,12 @@ elseif(isset($_POST['userid']) && !empty($_POST['userid']) && is_numeric($_POST[
    mysqli_query($database->dblink, "UPDATE ".TB_PREFIX."medal set del = 1 WHERE userid = ".$userID."");
 }

-$admidID = (int) $_SESSION['id'];
-$name = $database->getUserField($adminID, "name", 0);
+$admid = (int) $_SESSION['id'];
+$uid   = (int) ($_POST['uid'] ?? 0);
+$name  = $database->escape((string) $database->getUserField($uid, "username", 0));
+$medalLogId = isset($medalID) ? $medalID : 0;
 //TODO: Make a dedicated method for logging
-mysqli_query($database->dblink, "INSERT INTO ".TB_PREFIX."admin_log values (0, $admid, 'Deleted medal id [#".$medalid."] from the user <a href=\'admin.php?p=player&uid=$uid\'>$name</a> ',".time().")");
+mysqli_query($database->dblink, "INSERT INTO ".TB_PREFIX."admin_log values (0, $admid, 'Deleted medal id [#".$medalLogId."] from the user <a href=\'admin.php?p=player&uid=$uid\'>$name</a> ',".time().")");

-header("Location: ../../../Admin/admin.php?p=player&uid=".$_POST['uid']."");
+header("Location: ../../../Admin/admin.php?p=player&uid=".$uid);
 ?>