diff --git a/GameEngine/Admin/Mods/addABTroops.php b/GameEngine/Admin/Mods/addABTroops.php index d3f74100..89b14d63 100755 --- a/GameEngine/Admin/Mods/addABTroops.php +++ b/GameEngine/Admin/Mods/addABTroops.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/addTroops.php b/GameEngine/Admin/Mods/addTroops.php index 097a28fa..80b540e4 100755 --- a/GameEngine/Admin/Mods/addTroops.php +++ b/GameEngine/Admin/Mods/addTroops.php @@ -12,11 +12,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die(defined('ACCESS_DENIED_ADMIN') ? ACCESS_DENIED_ADMIN : 'Access Denied: You are not Admin!'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/addUsers.php b/GameEngine/Admin/Mods/addUsers.php index d90d8ed4..fcd86ff7 100755 --- a/GameEngine/Admin/Mods/addUsers.php +++ b/GameEngine/Admin/Mods/addUsers.php @@ -28,12 +28,14 @@ include_once($autoprefix."GameEngine/Database.php"); // Admin-rank guard (defense-in-depth). Reaching any file under /Admin already // requires an admin session: Session.php's checkLogin() gates the whole /Admin +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); // path on $_SESSION['admin_username'], so a plain player session is bounced to // login.php before this point. This re-check aligns addUsers with its sibling // Mods (gold.php, cp.php, editResources.php, ...), which all assert the rank // here too; it is a redundant safety net, not the sole guard. if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/additional.php b/GameEngine/Admin/Mods/additional.php index 0a7bf77d..a7ab0bb9 100755 --- a/GameEngine/Admin/Mods/additional.php +++ b/GameEngine/Admin/Mods/additional.php @@ -18,8 +18,10 @@ include_once("../../config.php"); include_once("../../Database.php"); +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) session_start(); -if(($_SESSION['access']?? 0) < ADMIN) die("Access Denied: You are not Admin!"); +if(($_SESSION['access']?? 0) < ADMIN) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token // itself (it does not go through admin.php's central csrf_verify()). diff --git a/GameEngine/Admin/Mods/cp.php b/GameEngine/Admin/Mods/cp.php index d7f0de1b..cc937fb0 100755 --- a/GameEngine/Admin/Mods/cp.php +++ b/GameEngine/Admin/Mods/cp.php @@ -8,8 +8,10 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) session_start(); -if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!"); +if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token // itself (it does not go through admin.php's central csrf_verify()). @@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id $access = mysqli_fetch_array($sql); $sessionaccess = $access['access']; -if($sessionaccess != 9) die("

Access Denied: You are not Admin!

"); +if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET cp = cp + ".(int) $_POST['cp']." WHERE id = ".$id.""); diff --git a/GameEngine/Admin/Mods/delAli.php b/GameEngine/Admin/Mods/delAli.php index a9b1495f..1f53ae8f 100644 --- a/GameEngine/Admin/Mods/delAli.php +++ b/GameEngine/Admin/Mods/delAli.php @@ -9,9 +9,11 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -47,7 +49,7 @@ if ($aid <= 0 || $admid <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($admid, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/delUser.php b/GameEngine/Admin/Mods/delUser.php index c15dbed7..09eb22fe 100644 --- a/GameEngine/Admin/Mods/delUser.php +++ b/GameEngine/Admin/Mods/delUser.php @@ -9,9 +9,11 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -48,7 +50,7 @@ if ($uid <= 0 || $admid <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($admid, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } if (!password_verify($pass, $admin['password'])) { die(''); diff --git a/GameEngine/Admin/Mods/delallymedal.php b/GameEngine/Admin/Mods/delallymedal.php index 39743b7c..ed893c29 100755 --- a/GameEngine/Admin/Mods/delallymedal.php +++ b/GameEngine/Admin/Mods/delallymedal.php @@ -9,11 +9,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -52,7 +54,7 @@ if ($delete <= 0 || $aid <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/delallymedalbyaid.php b/GameEngine/Admin/Mods/delallymedalbyaid.php index b924b67d..fb833aa8 100755 --- a/GameEngine/Admin/Mods/delallymedalbyaid.php +++ b/GameEngine/Admin/Mods/delallymedalbyaid.php @@ -9,11 +9,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -51,7 +53,7 @@ if ($aid <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/delallymedalbyweek.php b/GameEngine/Admin/Mods/delallymedalbyweek.php index 815ac131..a7bedca7 100755 --- a/GameEngine/Admin/Mods/delallymedalbyweek.php +++ b/GameEngine/Admin/Mods/delallymedalbyweek.php @@ -9,11 +9,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/deletemedalbyweek.php b/GameEngine/Admin/Mods/deletemedalbyweek.php index 0d6c3c77..786ee12e 100755 --- a/GameEngine/Admin/Mods/deletemedalbyweek.php +++ b/GameEngine/Admin/Mods/deletemedalbyweek.php @@ -9,11 +9,13 @@ ## ## ################################################################################## +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editAccess.php b/GameEngine/Admin/Mods/editAccess.php index 8c895081..36880f0a 100755 --- a/GameEngine/Admin/Mods/editAccess.php +++ b/GameEngine/Admin/Mods/editAccess.php @@ -8,8 +8,10 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) session_start(); -if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!"); +if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token // itself (it does not go through admin.php's central csrf_verify()). @@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id $access = mysqli_fetch_array($sql); $sessionaccess = $access['access']; -if($sessionaccess != 9) die("

Access Denied: You are not Admin!

"); +if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Cast + whitelist the access level. $_POST['access'] was injected raw into // the UPDATE below (SQL injection). Only accept the values the admin form diff --git a/GameEngine/Admin/Mods/editAli.php b/GameEngine/Admin/Mods/editAli.php index 5be73a44..9d97df1c 100644 --- a/GameEngine/Admin/Mods/editAli.php +++ b/GameEngine/Admin/Mods/editAli.php @@ -9,11 +9,13 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -51,7 +53,7 @@ if ($aid <= 0 || $admid <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($admid, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editBuildings.php b/GameEngine/Admin/Mods/editBuildings.php index 12c4e23d..7e56185e 100755 --- a/GameEngine/Admin/Mods/editBuildings.php +++ b/GameEngine/Admin/Mods/editBuildings.php @@ -11,11 +11,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/editHero.php b/GameEngine/Admin/Mods/editHero.php index 4bd8fd1d..a352b3f8 100755 --- a/GameEngine/Admin/Mods/editHero.php +++ b/GameEngine/Admin/Mods/editHero.php @@ -11,11 +11,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/editOverall.php b/GameEngine/Admin/Mods/editOverall.php index bf7e744d..5b1fcf7b 100755 --- a/GameEngine/Admin/Mods/editOverall.php +++ b/GameEngine/Admin/Mods/editOverall.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editPassword.php b/GameEngine/Admin/Mods/editPassword.php index 0dced632..5526b4ab 100755 --- a/GameEngine/Admin/Mods/editPassword.php +++ b/GameEngine/Admin/Mods/editPassword.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0 || $newpw === '') { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editPlus.php b/GameEngine/Admin/Mods/editPlus.php index f7c35d7b..e8281195 100755 --- a/GameEngine/Admin/Mods/editPlus.php +++ b/GameEngine/Admin/Mods/editPlus.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/editProtection.php b/GameEngine/Admin/Mods/editProtection.php index e0e149b3..6ef76523 100755 --- a/GameEngine/Admin/Mods/editProtection.php +++ b/GameEngine/Admin/Mods/editProtection.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editResources.php b/GameEngine/Admin/Mods/editResources.php index 0efa76b4..0e2a7c09 100755 --- a/GameEngine/Admin/Mods/editResources.php +++ b/GameEngine/Admin/Mods/editResources.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editSitter.php b/GameEngine/Admin/Mods/editSitter.php index 33eb0a47..0bf0679a 100755 --- a/GameEngine/Admin/Mods/editSitter.php +++ b/GameEngine/Admin/Mods/editSitter.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editUser.php b/GameEngine/Admin/Mods/editUser.php index 5c74bd96..0f0102da 100755 --- a/GameEngine/Admin/Mods/editUser.php +++ b/GameEngine/Admin/Mods/editUser.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editUsername.php b/GameEngine/Admin/Mods/editUsername.php index 6ae99ace..3b7da256 100755 --- a/GameEngine/Admin/Mods/editUsername.php +++ b/GameEngine/Admin/Mods/editUsername.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -54,7 +56,7 @@ if ($uid <= 0 || $session <= 0 || $username === '') { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editVillageOwner.php b/GameEngine/Admin/Mods/editVillageOwner.php index cfb40b37..2ec5bdd7 100755 --- a/GameEngine/Admin/Mods/editVillageOwner.php +++ b/GameEngine/Admin/Mods/editVillageOwner.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -54,7 +56,7 @@ if ($did <= 0 || $session <= 0 || $newowner <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/editWeek.php b/GameEngine/Admin/Mods/editWeek.php index 3a2a5fe9..058ba382 100755 --- a/GameEngine/Admin/Mods/editWeek.php +++ b/GameEngine/Admin/Mods/editWeek.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/givePlus.php b/GameEngine/Admin/Mods/givePlus.php index 34cae608..875db864 100755 --- a/GameEngine/Admin/Mods/givePlus.php +++ b/GameEngine/Admin/Mods/givePlus.php @@ -11,11 +11,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/givePlusRes.php b/GameEngine/Admin/Mods/givePlusRes.php index b67ff9c7..fb7add95 100755 --- a/GameEngine/Admin/Mods/givePlusRes.php +++ b/GameEngine/Admin/Mods/givePlusRes.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } $wood = (int)($_POST['wood'] ?? 0) * 86400; diff --git a/GameEngine/Admin/Mods/giveResBonus.php b/GameEngine/Admin/Mods/giveResBonus.php index f8cc0763..9d4fbdc6 100755 --- a/GameEngine/Admin/Mods/giveResBonus.php +++ b/GameEngine/Admin/Mods/giveResBonus.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/gold.php b/GameEngine/Admin/Mods/gold.php index 12ba52c0..4d35c8aa 100755 --- a/GameEngine/Admin/Mods/gold.php +++ b/GameEngine/Admin/Mods/gold.php @@ -10,8 +10,10 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) session_start(); -if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!"); +if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token // itself (it does not go through admin.php's central csrf_verify()). @@ -41,7 +43,7 @@ if($amount == 0){ // verificare admin $check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid"); $acc = mysqli_fetch_assoc($check); -if(!$acc || $acc['access'] != 9) die("

Access Denied

"); +if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // 1. UPDATE gold la toți (id > 3 = sare peste Natars etc) mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id > 3") or die(mysqli_error($GLOBALS["link"])); diff --git a/GameEngine/Admin/Mods/gold_1.php b/GameEngine/Admin/Mods/gold_1.php index 51846dc2..435dd4df 100755 --- a/GameEngine/Admin/Mods/gold_1.php +++ b/GameEngine/Admin/Mods/gold_1.php @@ -12,8 +12,10 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) session_start(); -if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!"); +if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token // itself (it does not go through admin.php's central csrf_verify()). @@ -35,7 +37,7 @@ if($id <= 0 || $amount == 0){ // verificare admin $check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid"); $acc = mysqli_fetch_assoc($check); -if(!$acc || $acc['access'] != 9) die("

Access Denied

"); +if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // 1. UPDATE GOLD mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id = $id") or die(mysqli_error($GLOBALS["link"])); diff --git a/GameEngine/Admin/Mods/mainteneceBan.php b/GameEngine/Admin/Mods/mainteneceBan.php index 808dde38..3ebf9688 100755 --- a/GameEngine/Admin/Mods/mainteneceBan.php +++ b/GameEngine/Admin/Mods/mainteneceBan.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/mainteneceCleanBanData.php b/GameEngine/Admin/Mods/mainteneceCleanBanData.php index 93ff78f7..758a68c8 100755 --- a/GameEngine/Admin/Mods/mainteneceCleanBanData.php +++ b/GameEngine/Admin/Mods/mainteneceCleanBanData.php @@ -9,11 +9,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -42,7 +44,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/mainteneceResetGold.php b/GameEngine/Admin/Mods/mainteneceResetGold.php index 91119b7c..222fa089 100755 --- a/GameEngine/Admin/Mods/mainteneceResetGold.php +++ b/GameEngine/Admin/Mods/mainteneceResetGold.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/mainteneceResetPlus.php b/GameEngine/Admin/Mods/mainteneceResetPlus.php index 6030bade..66743a62 100755 --- a/GameEngine/Admin/Mods/mainteneceResetPlus.php +++ b/GameEngine/Admin/Mods/mainteneceResetPlus.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php b/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php index 3e923003..4b3a387c 100755 --- a/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php +++ b/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/mainteneceUnban.php b/GameEngine/Admin/Mods/mainteneceUnban.php index 9728c7b0..c702fd70 100755 --- a/GameEngine/Admin/Mods/mainteneceUnban.php +++ b/GameEngine/Admin/Mods/mainteneceUnban.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php"); $session = (int)($_POST['admid'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/massmessage.php b/GameEngine/Admin/Mods/massmessage.php index 0a5536e2..094f0206 100644 --- a/GameEngine/Admin/Mods/massmessage.php +++ b/GameEngine/Admin/Mods/massmessage.php @@ -11,13 +11,15 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); session_start(); include_once("../../config.php"); include_once("../../Database.php"); if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) { - die("Access Denied"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/medals.php b/GameEngine/Admin/Mods/medals.php index b332d972..c4f93324 100755 --- a/GameEngine/Admin/Mods/medals.php +++ b/GameEngine/Admin/Mods/medals.php @@ -9,8 +9,10 @@ ## Copyright: TravianZ (c) 2010-2025. All rights reserved. ## ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) session_start(); -if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!"); +if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token // itself (it does not go through admin.php's central csrf_verify()). diff --git a/GameEngine/Admin/Mods/recalcWH.php b/GameEngine/Admin/Mods/recalcWH.php index 5c29ad86..fe3e48ea 100755 --- a/GameEngine/Admin/Mods/recalcWH.php +++ b/GameEngine/Admin/Mods/recalcWH.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -45,7 +47,7 @@ $id = (int)($_POST['id'] ?? 0); $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } if ($id <= 0) { diff --git a/GameEngine/Admin/Mods/renameVillage.php b/GameEngine/Admin/Mods/renameVillage.php index e17a94c6..5b99143d 100755 --- a/GameEngine/Admin/Mods/renameVillage.php +++ b/GameEngine/Admin/Mods/renameVillage.php @@ -10,11 +10,13 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token @@ -54,7 +56,7 @@ if ($did <= 0 || $nameOrig === '') { // --------------------------------------------------------------------------- $admin = $database->getUserArray($session, 1); if (!$admin || (int)$admin['access'] !== 9) { - die('

Access Denied: You are not Admin!

'); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // --------------------------------------------------------------------------- diff --git a/GameEngine/Admin/Mods/sendMessage.php b/GameEngine/Admin/Mods/sendMessage.php index 8a6e98e3..0efaeb9d 100755 --- a/GameEngine/Admin/Mods/sendMessage.php +++ b/GameEngine/Admin/Mods/sendMessage.php @@ -10,12 +10,14 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); if (!isset($_SESSION)) { session_start(); } if (empty($_SESSION['access']) || $_SESSION['access'] < 9) { - die("Access Denied: You are not Admin!"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/Mods/sysmessage.php b/GameEngine/Admin/Mods/sysmessage.php index b26680ae..12d270ae 100644 --- a/GameEngine/Admin/Mods/sysmessage.php +++ b/GameEngine/Admin/Mods/sysmessage.php @@ -15,13 +15,15 @@ ## ## ################################################################################# +// #299: load CSRF helpers + admin_deny() before the access check below. +require_once(__DIR__ . '/../csrf.php'); session_start(); include_once("../../config.php"); include_once("../../Database.php"); if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) { - die("Access Denied"); + admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.'); } // Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token diff --git a/GameEngine/Admin/csrf.php b/GameEngine/Admin/csrf.php index fc8a50ac..cfd70935 100644 --- a/GameEngine/Admin/csrf.php +++ b/GameEngine/Admin/csrf.php @@ -40,6 +40,49 @@ if (!function_exists('csrf_token')) { return ''; } + /** + * Render a clean, self-contained error page and stop execution (issue #299). + * + * The admin Mods are POSTed to directly; when the admin session is missing + * (e.g. it was destroyed by a game logout that shares the same PHP session, + * or the form was served from a mobile cache with a stale/empty token) the + * old code stopped with a bare die('

Access Denied

') fragment, which + * shows up as an essentially blank page. This renders a proper, styled error + * with a way back into the panel instead. + */ + function admin_deny(string $message, string $title = 'Access Denied', int $httpCode = 403): void + { + if (!headers_sent()) { + http_response_code($httpCode); + header('Content-Type: text/html; charset=UTF-8'); + // Never let this error page be cached (it is session-dependent). + header('Cache-Control: no-store, no-cache, must-revalidate'); + } + + $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); + $safeMsg = htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); + + echo '' + . '' + . '' . $safeTitle . '
' + . '

' . $safeTitle . '

' + . '

' . $safeMsg . '

' + . 'Return to Admin Panel' + . '
'; + exit; + } + /** * Verify the CSRF token of a POST request. * Stops execution with HTTP 403 if the token is missing or does not match. @@ -51,9 +94,13 @@ if (!function_exists('csrf_token')) { $stored = csrf_token(); if ($stored === '' || !hash_equals($stored, $submitted)) { - http_response_code(403); // Generic message — does not reveal details about the mechanism. - die('

403 Forbidden

Invalid or missing security token. Please go back and try again.

'); + admin_deny( + 'Your session may have expired or this page was loaded from cache. ' + . 'Please reload the admin panel and try again.', + 'Security Check Failed', + 403 + ); } } }