fix(admin): verify CSRF token in alliance/medal admin Mods [#139] (#261)

editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek and deletemedalbyweek are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl, editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 01:24:23 +00:00 · 2026-06-23 10:11:32 +02:00
parent e4658f250f
commit 8a3a67d175
13 changed files with 44 additions and 0 deletions
@@ -63,6 +63,7 @@ $varmedal = $database->getProfileMedalAlly($_GET['aid']);
        <td><img src="../gpack/travian_default/img/t/<?=$medal['img']?>.jpg"></td>
        <td>
          <form action="../GameEngine/Admin/Mods/delallymedal.php" method="POST" style="margin:0">
+            <?php echo csrf_field(); ?>
            <input type="hidden" name="aid" value="<?=$_GET['aid']?>">
            <input type="hidden" name="admid" value="<?=$_SESSION['id']?>">
            <button type="submit" name="medalid" value="<?=$medal['id']?>" class="medal-del" title="Delete">
@@ -81,6 +82,7 @@ $varmedal = $database->getProfileMedalAlly($_GET['aid']);
        <td>Delete All</td>
        <td>
          <form action="../GameEngine/Admin/Mods/delallymedalbyaid.php" method="POST" style="margin:0">
+            <?php echo csrf_field(); ?>
            <input type="hidden" name="admid" value="<?=$_SESSION['id']?>">
            <input type="hidden" name="aid" value="<?=$_GET['aid']?>">
            <button type="submit" class="medal-del" title="Delete All">
@@ -44,6 +44,7 @@ $members = $database->getAllMember($aid);
        <div class="warn">⚠ All members will be removed from the alliance, permissions, diplomacy, logs and the alliance forum will be deleted. The action is irreversible!</div>

        <form method="POST" action="../GameEngine/Admin/Mods/delAli.php" onsubmit="return confirm('Last warning: DELETE PERMANENTLY?');">
+            <?php echo csrf_field(); ?>
            <input type="hidden" name="aid" value="<?php echo $aid;?>">
            <input type="hidden" name="admid" value="<?php echo $_SESSION['id'];?>">
            <button type="submit" class="btn del">YES, DELETE</button>
@@ -63,6 +63,7 @@ $nummedals = $sql['Total'];


 <form action="../GameEngine/Admin/Mods/delallymedalbyweek.php" method="POST">
+<?php echo csrf_field(); ?>
 <input type="hidden" name="admid" id="admid" value="<?php echo $_SESSION['id']; ?>">
 <table id="member">
 	<thead>
@@ -64,6 +64,7 @@ $nummedals = $sql['Total'];


 <form action="../GameEngine/Admin/Mods/deletemedalbyweek.php" method="POST">
+<?php echo csrf_field(); ?>
 <input type="hidden" name="admid" id="admid" value="<?php echo $_SESSION['id']; ?>">
 <table id="member">
 	<thead>
@@ -59,6 +59,7 @@ textarea{width:100%;box-sizing:border-box;min-height:120px;padding:8px;border:1p
    </div>

    <form action="../GameEngine/Admin/Mods/editAli.php" method="POST">
+        <?php echo csrf_field(); ?>
        <input type="hidden" name="aid" value="<?php echo $aid; ?>">
        <input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">

@@ -56,6 +56,7 @@
          <td><img class="medal" src="../gpack/travian_default/img/t/'.$medal['img'].'.jpg"></td>
          <td>
            <form action="../GameEngine/Admin/Mods/medals.php" method="POST" style="margin:0">
+              '.csrf_field().'
              <input type="hidden" name="uid" value="'.$_GET['uid'].'">
              <input type="hidden" name="medalid" value="'.$medal['id'].'">
              <button type="submit" class="medals-del" title="Delete medal">
@@ -71,6 +72,7 @@
      echo '<tr class="avg-row"><td style="text-align:left"><b>Average Rank</b></td><td>'.$average.'</td><td></td><td></td><td>Delete All</td>
        <td>
          <form action="../GameEngine/Admin/Mods/medals.php" method="POST" style="margin:0">
+            '.csrf_field().'
            <input type="hidden" name="uid" value="'.$_GET['uid'].'">
            <input type="hidden" name="userid" value="'.$id.'">
            <button type="submit" class="medals-del" title="Delete all medals">
@@ -14,6 +14,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");

 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
@@ -16,6 +16,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
 }

+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");

 // ---------------------------------------------------------------------------
@@ -11,6 +11,12 @@
 #################################################################################
 if (!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Account.php");

 // go max 5 levels up - we don't have folders that go deeper than that