diff --git a/GameEngine/Admin/Mods/addABTroops.php b/GameEngine/Admin/Mods/addABTroops.php
index d3f74100..89b14d63 100755
--- a/GameEngine/Admin/Mods/addABTroops.php
+++ b/GameEngine/Admin/Mods/addABTroops.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/addTroops.php b/GameEngine/Admin/Mods/addTroops.php
index 097a28fa..80b540e4 100755
--- a/GameEngine/Admin/Mods/addTroops.php
+++ b/GameEngine/Admin/Mods/addTroops.php
@@ -12,11 +12,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die(defined('ACCESS_DENIED_ADMIN') ? ACCESS_DENIED_ADMIN : 'Access Denied: You are not Admin!');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/addUsers.php b/GameEngine/Admin/Mods/addUsers.php
index d90d8ed4..fcd86ff7 100755
--- a/GameEngine/Admin/Mods/addUsers.php
+++ b/GameEngine/Admin/Mods/addUsers.php
@@ -28,12 +28,14 @@ include_once($autoprefix."GameEngine/Database.php");
// Admin-rank guard (defense-in-depth). Reaching any file under /Admin already
// requires an admin session: Session.php's checkLogin() gates the whole /Admin
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
// path on $_SESSION['admin_username'], so a plain player session is bounced to
// login.php before this point. This re-check aligns addUsers with its sibling
// Mods (gold.php, cp.php, editResources.php, ...), which all assert the rank
// here too; it is a redundant safety net, not the sole guard.
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/additional.php b/GameEngine/Admin/Mods/additional.php
index 0a7bf77d..a7ab0bb9 100755
--- a/GameEngine/Admin/Mods/additional.php
+++ b/GameEngine/Admin/Mods/additional.php
@@ -18,8 +18,10 @@
include_once("../../config.php");
include_once("../../Database.php");
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if(($_SESSION['access']?? 0) < ADMIN) die("Access Denied: You are not Admin!");
+if(($_SESSION['access']?? 0) < ADMIN) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
diff --git a/GameEngine/Admin/Mods/cp.php b/GameEngine/Admin/Mods/cp.php
index d7f0de1b..cc937fb0 100755
--- a/GameEngine/Admin/Mods/cp.php
+++ b/GameEngine/Admin/Mods/cp.php
@@ -8,8 +8,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
-if($sessionaccess != 9) die("
Access Denied: You are not Admin!
");
+if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET cp = cp + ".(int) $_POST['cp']." WHERE id = ".$id."");
diff --git a/GameEngine/Admin/Mods/delAli.php b/GameEngine/Admin/Mods/delAli.php
index a9b1495f..1f53ae8f 100644
--- a/GameEngine/Admin/Mods/delAli.php
+++ b/GameEngine/Admin/Mods/delAli.php
@@ -9,9 +9,11 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -47,7 +49,7 @@ if ($aid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/delUser.php b/GameEngine/Admin/Mods/delUser.php
index c15dbed7..09eb22fe 100644
--- a/GameEngine/Admin/Mods/delUser.php
+++ b/GameEngine/Admin/Mods/delUser.php
@@ -9,9 +9,11 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -48,7 +50,7 @@ if ($uid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
if (!password_verify($pass, $admin['password'])) {
die('');
diff --git a/GameEngine/Admin/Mods/delallymedal.php b/GameEngine/Admin/Mods/delallymedal.php
index 39743b7c..ed893c29 100755
--- a/GameEngine/Admin/Mods/delallymedal.php
+++ b/GameEngine/Admin/Mods/delallymedal.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -52,7 +54,7 @@ if ($delete <= 0 || $aid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/delallymedalbyaid.php b/GameEngine/Admin/Mods/delallymedalbyaid.php
index b924b67d..fb833aa8 100755
--- a/GameEngine/Admin/Mods/delallymedalbyaid.php
+++ b/GameEngine/Admin/Mods/delallymedalbyaid.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($aid <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/delallymedalbyweek.php b/GameEngine/Admin/Mods/delallymedalbyweek.php
index 815ac131..a7bedca7 100755
--- a/GameEngine/Admin/Mods/delallymedalbyweek.php
+++ b/GameEngine/Admin/Mods/delallymedalbyweek.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/deletemedalbyweek.php b/GameEngine/Admin/Mods/deletemedalbyweek.php
index 0d6c3c77..786ee12e 100755
--- a/GameEngine/Admin/Mods/deletemedalbyweek.php
+++ b/GameEngine/Admin/Mods/deletemedalbyweek.php
@@ -9,11 +9,13 @@
## ##
##################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($deleteweek <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editAccess.php b/GameEngine/Admin/Mods/editAccess.php
index 8c895081..36880f0a 100755
--- a/GameEngine/Admin/Mods/editAccess.php
+++ b/GameEngine/Admin/Mods/editAccess.php
@@ -8,8 +8,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -37,7 +39,7 @@ $sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
-if($sessionaccess != 9) die("
Access Denied: You are not Admin!
");
+if($sessionaccess != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Cast + whitelist the access level. $_POST['access'] was injected raw into
// the UPDATE below (SQL injection). Only accept the values the admin form
diff --git a/GameEngine/Admin/Mods/editAli.php b/GameEngine/Admin/Mods/editAli.php
index 5be73a44..9d97df1c 100644
--- a/GameEngine/Admin/Mods/editAli.php
+++ b/GameEngine/Admin/Mods/editAli.php
@@ -9,11 +9,13 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -51,7 +53,7 @@ if ($aid <= 0 || $admid <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editBuildings.php b/GameEngine/Admin/Mods/editBuildings.php
index 12c4e23d..7e56185e 100755
--- a/GameEngine/Admin/Mods/editBuildings.php
+++ b/GameEngine/Admin/Mods/editBuildings.php
@@ -11,11 +11,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/editHero.php b/GameEngine/Admin/Mods/editHero.php
index 4bd8fd1d..a352b3f8 100755
--- a/GameEngine/Admin/Mods/editHero.php
+++ b/GameEngine/Admin/Mods/editHero.php
@@ -11,11 +11,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/editOverall.php b/GameEngine/Admin/Mods/editOverall.php
index bf7e744d..5b1fcf7b 100755
--- a/GameEngine/Admin/Mods/editOverall.php
+++ b/GameEngine/Admin/Mods/editOverall.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editPassword.php b/GameEngine/Admin/Mods/editPassword.php
index 0dced632..5526b4ab 100755
--- a/GameEngine/Admin/Mods/editPassword.php
+++ b/GameEngine/Admin/Mods/editPassword.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0 || $newpw === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editPlus.php b/GameEngine/Admin/Mods/editPlus.php
index f7c35d7b..e8281195 100755
--- a/GameEngine/Admin/Mods/editPlus.php
+++ b/GameEngine/Admin/Mods/editPlus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/editProtection.php b/GameEngine/Admin/Mods/editProtection.php
index e0e149b3..6ef76523 100755
--- a/GameEngine/Admin/Mods/editProtection.php
+++ b/GameEngine/Admin/Mods/editProtection.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editResources.php b/GameEngine/Admin/Mods/editResources.php
index 0efa76b4..0e2a7c09 100755
--- a/GameEngine/Admin/Mods/editResources.php
+++ b/GameEngine/Admin/Mods/editResources.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editSitter.php b/GameEngine/Admin/Mods/editSitter.php
index 33eb0a47..0bf0679a 100755
--- a/GameEngine/Admin/Mods/editSitter.php
+++ b/GameEngine/Admin/Mods/editSitter.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -55,7 +57,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editUser.php b/GameEngine/Admin/Mods/editUser.php
index 5c74bd96..0f0102da 100755
--- a/GameEngine/Admin/Mods/editUser.php
+++ b/GameEngine/Admin/Mods/editUser.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editUsername.php b/GameEngine/Admin/Mods/editUsername.php
index 6ae99ace..3b7da256 100755
--- a/GameEngine/Admin/Mods/editUsername.php
+++ b/GameEngine/Admin/Mods/editUsername.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($uid <= 0 || $session <= 0 || $username === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editVillageOwner.php b/GameEngine/Admin/Mods/editVillageOwner.php
index cfb40b37..2ec5bdd7 100755
--- a/GameEngine/Admin/Mods/editVillageOwner.php
+++ b/GameEngine/Admin/Mods/editVillageOwner.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($did <= 0 || $session <= 0 || $newowner <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editWeek.php b/GameEngine/Admin/Mods/editWeek.php
index 3a2a5fe9..058ba382 100755
--- a/GameEngine/Admin/Mods/editWeek.php
+++ b/GameEngine/Admin/Mods/editWeek.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -53,7 +55,7 @@ if ($id <= 0 || $session <= 0) {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/givePlus.php b/GameEngine/Admin/Mods/givePlus.php
index 34cae608..875db864 100755
--- a/GameEngine/Admin/Mods/givePlus.php
+++ b/GameEngine/Admin/Mods/givePlus.php
@@ -11,11 +11,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/givePlusRes.php b/GameEngine/Admin/Mods/givePlusRes.php
index b67ff9c7..fb7add95 100755
--- a/GameEngine/Admin/Mods/givePlusRes.php
+++ b/GameEngine/Admin/Mods/givePlusRes.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
$wood = (int)($_POST['wood'] ?? 0) * 86400;
diff --git a/GameEngine/Admin/Mods/giveResBonus.php b/GameEngine/Admin/Mods/giveResBonus.php
index f8cc0763..9d4fbdc6 100755
--- a/GameEngine/Admin/Mods/giveResBonus.php
+++ b/GameEngine/Admin/Mods/giveResBonus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/gold.php b/GameEngine/Admin/Mods/gold.php
index 12ba52c0..4d35c8aa 100755
--- a/GameEngine/Admin/Mods/gold.php
+++ b/GameEngine/Admin/Mods/gold.php
@@ -10,8 +10,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -41,7 +43,7 @@ if($amount == 0){
// verificare admin
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
$acc = mysqli_fetch_assoc($check);
-if(!$acc || $acc['access'] != 9) die("
Access Denied
");
+if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// 1. UPDATE gold la toți (id > 3 = sare peste Natars etc)
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id > 3") or die(mysqli_error($GLOBALS["link"]));
diff --git a/GameEngine/Admin/Mods/gold_1.php b/GameEngine/Admin/Mods/gold_1.php
index 51846dc2..435dd4df 100755
--- a/GameEngine/Admin/Mods/gold_1.php
+++ b/GameEngine/Admin/Mods/gold_1.php
@@ -12,8 +12,10 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
@@ -35,7 +37,7 @@ if($id <= 0 || $amount == 0){
// verificare admin
$check = mysqli_query($GLOBALS["link"], "SELECT access, username FROM ".TB_PREFIX."users WHERE id = $admid");
$acc = mysqli_fetch_assoc($check);
-if(!$acc || $acc['access'] != 9) die("
Access Denied
");
+if(!$acc || $acc['access'] != 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// 1. UPDATE GOLD
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET gold = gold + $amount WHERE id = $id") or die(mysqli_error($GLOBALS["link"]));
diff --git a/GameEngine/Admin/Mods/mainteneceBan.php b/GameEngine/Admin/Mods/mainteneceBan.php
index 808dde38..3ebf9688 100755
--- a/GameEngine/Admin/Mods/mainteneceBan.php
+++ b/GameEngine/Admin/Mods/mainteneceBan.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceCleanBanData.php b/GameEngine/Admin/Mods/mainteneceCleanBanData.php
index 93ff78f7..758a68c8 100755
--- a/GameEngine/Admin/Mods/mainteneceCleanBanData.php
+++ b/GameEngine/Admin/Mods/mainteneceCleanBanData.php
@@ -9,11 +9,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -42,7 +44,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceResetGold.php b/GameEngine/Admin/Mods/mainteneceResetGold.php
index 91119b7c..222fa089 100755
--- a/GameEngine/Admin/Mods/mainteneceResetGold.php
+++ b/GameEngine/Admin/Mods/mainteneceResetGold.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceResetPlus.php b/GameEngine/Admin/Mods/mainteneceResetPlus.php
index 6030bade..66743a62 100755
--- a/GameEngine/Admin/Mods/mainteneceResetPlus.php
+++ b/GameEngine/Admin/Mods/mainteneceResetPlus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php b/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php
index 3e923003..4b3a387c 100755
--- a/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php
+++ b/GameEngine/Admin/Mods/mainteneceResetPlusBonus.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/mainteneceUnban.php b/GameEngine/Admin/Mods/mainteneceUnban.php
index 9728c7b0..c702fd70 100755
--- a/GameEngine/Admin/Mods/mainteneceUnban.php
+++ b/GameEngine/Admin/Mods/mainteneceUnban.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -43,7 +45,7 @@ include_once($autoprefix . "GameEngine/Database.php");
$session = (int)($_POST['admid'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/massmessage.php b/GameEngine/Admin/Mods/massmessage.php
index 0a5536e2..094f0206 100644
--- a/GameEngine/Admin/Mods/massmessage.php
+++ b/GameEngine/Admin/Mods/massmessage.php
@@ -11,13 +11,15 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
session_start();
include_once("../../config.php");
include_once("../../Database.php");
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
- die("Access Denied");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/medals.php b/GameEngine/Admin/Mods/medals.php
index b332d972..c4f93324 100755
--- a/GameEngine/Admin/Mods/medals.php
+++ b/GameEngine/Admin/Mods/medals.php
@@ -9,8 +9,10 @@
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) session_start();
-if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+if($_SESSION['access'] < 9) admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
diff --git a/GameEngine/Admin/Mods/recalcWH.php b/GameEngine/Admin/Mods/recalcWH.php
index 5c29ad86..fe3e48ea 100755
--- a/GameEngine/Admin/Mods/recalcWH.php
+++ b/GameEngine/Admin/Mods/recalcWH.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -45,7 +47,7 @@ $id = (int)($_POST['id'] ?? 0);
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
if ($id <= 0) {
diff --git a/GameEngine/Admin/Mods/renameVillage.php b/GameEngine/Admin/Mods/renameVillage.php
index e17a94c6..5b99143d 100755
--- a/GameEngine/Admin/Mods/renameVillage.php
+++ b/GameEngine/Admin/Mods/renameVillage.php
@@ -10,11 +10,13 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
@@ -54,7 +56,7 @@ if ($did <= 0 || $nameOrig === '') {
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($session, 1);
if (!$admin || (int)$admin['access'] !== 9) {
- die('
Access Denied: You are not Admin!
');
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/sendMessage.php b/GameEngine/Admin/Mods/sendMessage.php
index 8a6e98e3..0efaeb9d 100755
--- a/GameEngine/Admin/Mods/sendMessage.php
+++ b/GameEngine/Admin/Mods/sendMessage.php
@@ -10,12 +10,14 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) {
session_start();
}
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
- die("Access Denied: You are not Admin!");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/Mods/sysmessage.php b/GameEngine/Admin/Mods/sysmessage.php
index b26680ae..12d270ae 100644
--- a/GameEngine/Admin/Mods/sysmessage.php
+++ b/GameEngine/Admin/Mods/sysmessage.php
@@ -15,13 +15,15 @@
## ##
#################################################################################
+// #299: load CSRF helpers + admin_deny() before the access check below.
+require_once(__DIR__ . '/../csrf.php');
session_start();
include_once("../../config.php");
include_once("../../Database.php");
if (!isset($_SESSION['access']) || $_SESSION['access'] < ADMIN) {
- die("Access Denied");
+ admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
diff --git a/GameEngine/Admin/csrf.php b/GameEngine/Admin/csrf.php
index fc8a50ac..cfd70935 100644
--- a/GameEngine/Admin/csrf.php
+++ b/GameEngine/Admin/csrf.php
@@ -40,6 +40,49 @@ if (!function_exists('csrf_token')) {
return '';
}
+ /**
+ * Render a clean, self-contained error page and stop execution (issue #299).
+ *
+ * The admin Mods are POSTed to directly; when the admin session is missing
+ * (e.g. it was destroyed by a game logout that shares the same PHP session,
+ * or the form was served from a mobile cache with a stale/empty token) the
+ * old code stopped with a bare die('
Access Denied
') fragment, which
+ * shows up as an essentially blank page. This renders a proper, styled error
+ * with a way back into the panel instead.
+ */
+ function admin_deny(string $message, string $title = 'Access Denied', int $httpCode = 403): void
+ {
+ if (!headers_sent()) {
+ http_response_code($httpCode);
+ header('Content-Type: text/html; charset=UTF-8');
+ // Never let this error page be cached (it is session-dependent).
+ header('Cache-Control: no-store, no-cache, must-revalidate');
+ }
+
+ $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
+ $safeMsg = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
+
+ echo ''
+ . ''
+ . '' . $safeTitle . '
';
+ exit;
+ }
+
/**
* Verify the CSRF token of a POST request.
* Stops execution with HTTP 403 if the token is missing or does not match.
@@ -51,9 +94,13 @@ if (!function_exists('csrf_token')) {
$stored = csrf_token();
if ($stored === '' || !hash_equals($stored, $submitted)) {
- http_response_code(403);
// Generic message — does not reveal details about the mechanism.
- die('
403 Forbidden
Invalid or missing security token. Please go back and try again.
');
+ admin_deny(
+ 'Your session may have expired or this page was loaded from cache. '
+ . 'Please reload the admin panel and try again.',
+ 'Security Check Failed',
+ 403
+ );
}
}
}