This commit is contained in:
novgorodschi catalin
2026-06-29 10:25:53 +03:00
43 changed files with 205 additions and 74 deletions
+3 -1
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+3 -1
View File
@@ -12,11 +12,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die(defined('ACCESS_DENIED_ADMIN') ? ACCESS_DENIED_ADMIN : 'Access Denied: You are not Admin!');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+3 -1
View File
@@ -28,12 +28,14 @@ include_once($autoprefix."GameEngine/Database.php");
// Admin-rank guard (defense-in-depth). Reaching any file under /Admin already
// requires an admin session: Session.php's checkLogin() gates the whole /Admin
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
// path on $_SESSION['admin_username'], so a plain player session is bounced to
// login.php before this point. This re-check aligns addUsers with its sibling
// Mods (gold.php, cp.php, editResources.php, ...), which all assert the rank
// here too; it is a redundant safety net, not the sole guard.
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+3 -1
View File
@@ -18,8 +18,10 @@
include_once("../../config.php");
include_once("../../Database.php");
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
if(($_SESSION['access']?? 0) < ADMIN) die("Access Denied: You are not Admin!");
if(($_SESSION['access']?? 0) < ADMIN) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
+4 -2
View File
@@ -8,8 +8,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET cp = cp + ".(int) $_POST['cp']." WHERE id = ".$id."");
+4 -2
View File
@@ -9,9 +9,11 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -47,7 +49,7 @@ if ($aid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -9,9 +9,11 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -48,7 +50,7 @@ if ($uid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
if (!password_verify($pass, $admin['password'])) {
die('<script>alert("Parola admin gresita!");history.back();</script>');
+4 -2
View File
@@ -9,11 +9,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -52,7 +54,7 @@ if ($delete <= 0 || $aid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -9,11 +9,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($aid <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -9,11 +9,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -9,11 +9,13 @@
## ##
##################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -8,8 +8,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Cast + whitelist the access level. $_POST['access'] was injected raw into
// the UPDATE below (SQL injection). Only accept the values the admin form
+4 -2
View File
@@ -9,11 +9,13 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($aid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+3 -1
View File
@@ -11,11 +11,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+3 -1
View File
@@ -11,11 +11,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0 || $newpw === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+3 -1
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($uid <= 0 || $session <= 0 || $username === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($did <= 0 || $session <= 0 || $newowner <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+3 -1
View File
@@ -11,11 +11,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
$wood = (int)($_POST['wood'] ?? 0) * 86400;
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,8 +10,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -41,7 +43,7 @@ if($amount == 0){
// verificare admin
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
$acc = mysqli_fetch_assoc($check);
if(!$acc || $acc['access'] != 9) die("<h1><font color=\"red\">Access Denied</font></h1>");
if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// 1. UPDATE gold la toți (id > 3 = sare peste Natars etc)
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id > 3") or die(mysqli_error($GLOBALS["link"]));
+4 -2
View File
@@ -12,8 +12,10 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -35,7 +37,7 @@ if($id <= 0 || $amount == 0){
// verificare admin
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
$acc = mysqli_fetch_assoc($check);
if(!$acc || $acc['access'] != 9) die("<h1><font color=\"red\">Access Denied</font></h1>");
if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// 1. UPDATE GOLD
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id = $id") or die(mysqli_error($GLOBALS["link"]));
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
@@ -9,11 +9,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -42,7 +44,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+3 -1
View File
@@ -11,13 +11,15 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
session_start();
include_once("../../config.php");
include_once("../../Database.php");
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
die("Access Denied");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+3 -1
View File
@@ -9,8 +9,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -45,7 +47,7 @@ $id = (int)($_POST['id'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
if ($id <= 0) {
+4 -2
View File
@@ -10,11 +10,13 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($did <= 0 || $nameOrig === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
+3 -1
View File
@@ -10,12 +10,14 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die("Access Denied: You are not Admin!");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+3 -1
View File
@@ -15,13 +15,15 @@
## ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
session_start();
include_once("../../config.php");
include_once("../../Database.php");
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
die("Access Denied");
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+49 -2
View File
@@ -40,6 +40,49 @@ if (!function_exists('csrf_token')) {
return '<input type="hidden" name="_csrf_token" value="' . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}
/**
* Render a clean, self-contained error page and stop execution (issue #299).
*
* The admin Mods are POSTed to directly; when the admin session is missing
* (e.g. it was destroyed by a game logout that shares the same PHP session,
* or the form was served from a mobile cache with a stale/empty token) the
* old code stopped with a bare die('<h1>Access Denied</h1>') fragment, which
* shows up as an essentially blank page. This renders a proper, styled error
* with a way back into the panel instead.
*/
function admin_deny(string $message, string $title = 'Access Denied', int $httpCode = 403): void
{
if (!headers_sent()) {
http_response_code($httpCode);
header('Content-Type: text/html; charset=UTF-8');
// Never let this error page be cached (it is session-dependent).
header('Cache-Control: no-store, no-cache, must-revalidate');
}
$safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
$safeMsg = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
echo '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">'
. '<meta name="viewport" content="width=device-width, initial-scale=1">'
. '<title>' . $safeTitle . '</title><style>'
. 'body{margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;'
. 'font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;'
. 'background:#0f172a;color:#e2e8f0}'
. '.card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:32px 28px;'
. 'max-width:420px;width:calc(100% - 32px);text-align:center;box-shadow:0 10px 30px rgba(0,0,0,.4)}'
. '.card h1{margin:0 0 10px;font-size:20px;color:#f87171}'
. '.card p{margin:0 0 22px;font-size:14px;line-height:1.55;color:#cbd5e1}'
. '.card a{display:inline-block;background:#2563eb;color:#fff;text-decoration:none;'
. 'padding:10px 18px;border-radius:8px;font-size:14px;font-weight:500}'
. '.card a:hover{background:#1d4ed8}'
. '</style></head><body><div class="card">'
. '<h1>' . $safeTitle . '</h1>'
. '<p>' . $safeMsg . '</p>'
. '<a href="/Admin/admin.php">Return to Admin Panel</a>'
. '</div></body></html>';
exit;
}
/**
* Verify the CSRF token of a POST request.
* Stops execution with HTTP 403 if the token is missing or does not match.
@@ -51,9 +94,13 @@ if (!function_exists('csrf_token')) {
$stored = csrf_token();
if ($stored === '' || !hash_equals($stored, $submitted)) {
http_response_code(403);
// Generic message — does not reveal details about the mechanism.
die('<h1>403 Forbidden</h1><p>Invalid or missing security token. Please go back and try again.</p>');
admin_deny(
'Your session may have expired or this page was loaded from cache. '
. 'Please reload the admin panel and try again.',
'Security Check Failed',
403
);
}
}
}