mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-12 23:56:08 +00:00
addTroops and addABTroops are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
csrf_verify();
|
||||
|
||||
include_once __DIR__ . "/../../Database.php";
|
||||
|
||||
/* ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user