fix(admin): verify CSRF token in village admin Mods [#139] (#259)

editVillageOwner, renameVillage, editBuildings and editResources are POSTed
to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify()
(after the admin access check, via the shared GameEngine/Admin/csrf.php) and
csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Ferywir
2026-06-23 09:31:08 +02:00
committed by GitHub
parent 113e9029bd
commit ca991408c1
7 changed files with 24 additions and 0 deletions
+5
View File
@@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------