fix(admin): verify CSRF token in troop admin Mods [#139] (#258)

addTroops and addABTroops are POSTed to directly, bypassing admin.php's
central csrf_verify(). Add csrf_verify() (after the admin access check, via
the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Ferywir
2026-06-23 07:43:18 +02:00
committed by GitHub
parent b880622fd1
commit 8d1a1cab38
4 changed files with 12 additions and 0 deletions
+1
View File
@@ -53,6 +53,7 @@ if(isset($id)){
<div class="ab-wrap">
<form action="../GameEngine/Admin/Mods/addABTroops.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" value="<?php echo $_GET['did']; ?>">
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">
+1
View File
@@ -55,6 +55,7 @@ if(isset($id)){
<div class="addtroops-wrap">
<form action="../GameEngine/Admin/Mods/addTroops.php" method="POST">
<?php echo csrf_field(); ?>
<input type="hidden" name="id" value="<?php echo $_GET['did']; ?>">
<input type="hidden" name="admid" value="<?php echo $_SESSION['id']; ?>">