mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-16 01:26:07 +00:00
editVillageOwner, renameVillage, editBuildings and editResources are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms (editVillage.tpl, village.tpl, editResources.tpl). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
|
||||
die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
|
||||
}
|
||||
|
||||
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
|
||||
// itself (it does not go through admin.php's central csrf_verify()).
|
||||
require_once(__DIR__ . '/../csrf.php');
|
||||
csrf_verify();
|
||||
|
||||
include_once("../../config.php");
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user