mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-06 21:04:20 +00:00
Merge branch 'master' of https://github.com/Shadowss/TravianZ
This commit is contained in:
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -12,11 +12,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die(defined('ACCESS_DENIED_ADMIN') ? ACCESS_DENIED_ADMIN : 'Access Denied: You are not Admin!');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -28,12 +28,14 @@ include_once($autoprefix."GameEngine/Database.php");
|
||||
|
||||
// Admin-rank guard (defense-in-depth). Reaching any file under /Admin already
|
||||
// requires an admin session: Session.php's checkLogin() gates the whole /Admin
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
// path on $_SESSION['admin_username'], so a plain player session is bounced to
|
||||
// login.php before this point. This re-check aligns addUsers with its sibling
|
||||
// Mods (gold.php, cp.php, editResources.php, ...), which all assert the rank
|
||||
// here too; it is a redundant safety net, not the sole guard.
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -18,8 +18,10 @@
|
||||
include_once("../../config.php");
|
||||
include_once("../../Database.php");
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if(($_SESSION['access']?? 0) < ADMIN) die("Access Denied: You are not Admin!");
|
||||
if(($_SESSION['access']?? 0) < ADMIN) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
|
||||
@@ -8,8 +8,10 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
## ##
|
||||
#################################################################################
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
|
||||
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
|
||||
$access = mysqli_fetch_array($sql);
|
||||
$sessionaccess = $access['access'];
|
||||
|
||||
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
|
||||
if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET cp = cp + ".(int) $_POST['cp']." WHERE id = ".$id."");
|
||||
|
||||
|
||||
@@ -9,9 +9,11 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) { session_start(); }
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -47,7 +49,7 @@ if ($aid <= 0 || $admid <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($admid, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -9,9 +9,11 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) { session_start(); }
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -48,7 +50,7 @@ if ($uid <= 0 || $admid <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($admid, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
if (!password_verify($pass, $admin['password'])) {
|
||||
die('<script>alert("Parola admin gresita!");history.back();</script>');
|
||||
|
||||
@@ -9,11 +9,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -52,7 +54,7 @@ if ($delete <= 0 || $aid <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -9,11 +9,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -51,7 +53,7 @@ if ($aid <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -9,11 +9,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -9,11 +9,13 @@
|
||||
## ##
|
||||
##################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -8,8 +8,10 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
## ##
|
||||
#################################################################################
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
|
||||
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
|
||||
$access = mysqli_fetch_array($sql);
|
||||
$sessionaccess = $access['access'];
|
||||
|
||||
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
|
||||
if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Cast + whitelist the access level. $_POST['access'] was injected raw into
|
||||
// the UPDATE below (SQL injection). Only accept the values the admin form
|
||||
|
||||
@@ -9,11 +9,13 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -51,7 +53,7 @@ if ($aid <= 0 || $admid <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($admid, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -11,11 +11,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -11,11 +11,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0 || $newpw === '') {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -54,7 +56,7 @@ if ($uid <= 0 || $session <= 0 || $username === '') {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -54,7 +56,7 @@ if ($did <= 0 || $session <= 0 || $newowner <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -11,11 +11,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
$wood = (int)($_POST['wood'] ?? 0) * 86400;
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,8 +10,10 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
## ##
|
||||
#################################################################################
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
|
||||
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
@@ -41,7 +43,7 @@ if($amount == 0){
|
||||
// verificare admin
|
||||
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
|
||||
$acc = mysqli_fetch_assoc($check);
|
||||
if(!$acc || $acc['access'] != 9) die("<h1><font color=\"red\">Access Denied</font></h1>");
|
||||
if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// 1. UPDATE gold la toți (id > 3 = sare peste Natars etc)
|
||||
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id > 3") or die(mysqli_error($GLOBALS["link"]));
|
||||
|
||||
@@ -12,8 +12,10 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
|
||||
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
@@ -35,7 +37,7 @@ if($id <= 0 || $amount == 0){
|
||||
// verificare admin
|
||||
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
|
||||
$acc = mysqli_fetch_assoc($check);
|
||||
if(!$acc || $acc['access'] != 9) die("<h1><font color=\"red\">Access Denied</font></h1>");
|
||||
if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// 1. UPDATE GOLD
|
||||
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id = $id") or die(mysqli_error($GLOBALS["link"]));
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -9,11 +9,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -42,7 +44,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
|
||||
$session = (int)($_POST['admid'] ?? 0);
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -11,13 +11,15 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
session_start();
|
||||
|
||||
include_once("../../config.php");
|
||||
include_once("../../Database.php");
|
||||
|
||||
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
|
||||
die("Access Denied");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -9,8 +9,10 @@
|
||||
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
|
||||
## ##
|
||||
#################################################################################
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) session_start();
|
||||
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
|
||||
if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -45,7 +47,7 @@ $id = (int)($_POST['id'] ?? 0);
|
||||
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
if ($id <= 0) {
|
||||
|
||||
@@ -10,11 +10,13 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
@@ -54,7 +56,7 @@ if ($did <= 0 || $nameOrig === '') {
|
||||
// ---------------------------------------------------------------------------
|
||||
$admin = $database->getUserArray($session, 1);
|
||||
if (!$admin || (int)$admin['access'] !== 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
@@ -10,12 +10,14 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
if (!isset($_SESSION)) {
|
||||
session_start();
|
||||
}
|
||||
|
||||
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die("Access Denied: You are not Admin!");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -15,13 +15,15 @@
|
||||
## ##
|
||||
#################################################################################
|
||||
|
||||
// #299: load CSRF helpers + admin_deny() before the access check below.
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
session_start();
|
||||
|
||||
include_once("../../config.php");
|
||||
include_once("../../Database.php");
|
||||
|
||||
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
|
||||
die("Access Denied");
|
||||
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
|
||||
@@ -40,6 +40,49 @@ if (!function_exists('csrf_token')) {
|
||||
return '<input type="hidden" name="_csrf_token" value="' . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
|
||||
}
|
||||
|
||||
/**
|
||||
* Render a clean, self-contained error page and stop execution (issue #299).
|
||||
*
|
||||
* The admin Mods are POSTed to directly; when the admin session is missing
|
||||
* (e.g. it was destroyed by a game logout that shares the same PHP session,
|
||||
* or the form was served from a mobile cache with a stale/empty token) the
|
||||
* old code stopped with a bare die('<h1>Access Denied</h1>') fragment, which
|
||||
* shows up as an essentially blank page. This renders a proper, styled error
|
||||
* with a way back into the panel instead.
|
||||
*/
|
||||
function admin_deny(string $message, string $title = 'Access Denied', int $httpCode = 403): void
|
||||
{
|
||||
if (!headers_sent()) {
|
||||
http_response_code($httpCode);
|
||||
header('Content-Type: text/html; charset=UTF-8');
|
||||
// Never let this error page be cached (it is session-dependent).
|
||||
header('Cache-Control: no-store, no-cache, must-revalidate');
|
||||
}
|
||||
|
||||
$safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
|
||||
$safeMsg = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
|
||||
|
||||
echo '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">'
|
||||
. '<meta name="viewport" content="width=device-width, initial-scale=1">'
|
||||
. '<title>' . $safeTitle . '</title><style>'
|
||||
. 'body{margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;'
|
||||
. 'font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;'
|
||||
. 'background:#0f172a;color:#e2e8f0}'
|
||||
. '.card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:32px 28px;'
|
||||
. 'max-width:420px;width:calc(100% - 32px);text-align:center;box-shadow:0 10px 30px rgba(0,0,0,.4)}'
|
||||
. '.card h1{margin:0 0 10px;font-size:20px;color:#f87171}'
|
||||
. '.card p{margin:0 0 22px;font-size:14px;line-height:1.55;color:#cbd5e1}'
|
||||
. '.card a{display:inline-block;background:#2563eb;color:#fff;text-decoration:none;'
|
||||
. 'padding:10px 18px;border-radius:8px;font-size:14px;font-weight:500}'
|
||||
. '.card a:hover{background:#1d4ed8}'
|
||||
. '</style></head><body><div class="card">'
|
||||
. '<h1>' . $safeTitle . '</h1>'
|
||||
. '<p>' . $safeMsg . '</p>'
|
||||
. '<a href="/Admin/admin.php">Return to Admin Panel</a>'
|
||||
. '</div></body></html>';
|
||||
exit;
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify the CSRF token of a POST request.
|
||||
* Stops execution with HTTP 403 if the token is missing or does not match.
|
||||
@@ -51,9 +94,13 @@ if (!function_exists('csrf_token')) {
|
||||
$stored = csrf_token();
|
||||
|
||||
if ($stored === '' || !hash_equals($stored, $submitted)) {
|
||||
http_response_code(403);
|
||||
// Generic message — does not reveal details about the mechanism.
|
||||
die('<h1>403 Forbidden</h1><p>Invalid or missing security token. Please go back and try again.</p>');
|
||||
admin_deny(
|
||||
'Your session may have expired or this page was loaded from cache. '
|
||||
. 'Please reload the admin panel and try again.',
|
||||
'Security Check Failed',
|
||||
403
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user