xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-30 01:24:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
58475a03580d540fd29cbcb54406d36941eb70bc
TravianZ/GameEngine/Admin/Mods/delAli.php
T
Ferywir 8c1a6ad05b fix(admin): render a proper error page instead of a blank page on denial [#299] (#307) 
Issue #299: posting to an admin Mod (eg editBuildings.php) could show an
essentially blank page. The admin panel and the game share the same PHP
session, so a game logout (session_destroy) — or a mobile browser dropping the
session cookie / serving a cached form with a stale token — wipes the admin
session. The Mod then stopped on a bare die('<h1>Access Denied</h1>') (or the
403 die() in csrf_verify()), which renders as a blank/broken page outside the
panel.

Add a shared admin_deny() helper in GameEngine/Admin/csrf.php that renders a
clean, self-contained, styled error page (with a "Return to Admin Panel" link)
and a no-store header, then exits. Wire it into csrf_verify() and replace every
bare "Access Denied" die() across the 42 admin Mods. Each Mod now loads
csrf.php at the top so admin_deny() is available before its first access check.

This is the presentation fix Shadow asked for ("we must receive an error not
blank page"). The deeper root cause (admin and game sharing one PHP session) is
left for a follow-up: giving the admin panel its own session cookie name.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 10:25:18 +03:00

100 lines
4.6 KiB
PHP
Raw Blame History

<?php
#################################################################################
## -= YOU MAY NOT REMOVE OR CHANGE THIS NOTICE =- ##
## --------------------------------------------------------------------------- ##
## Filename delAli.php ##
## Type BACKEND ##
## Developed by: Shadow (după model editUser) ##
## License: TravianZ Project ##
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
#################################################################################
// #299: load CSRF helpers + admin_deny() before the access check below.
require_once(__DIR__ . '/../csrf.php');
if (!isset($_SESSION)) { session_start(); }
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
require_once(__DIR__ . '/../csrf.php');
csrf_verify();
include_once("../../config.php");
// ---------------------------------------------------------------------------
// Autoloader path - la fel ca în editUser.php
// ---------------------------------------------------------------------------
$autoprefix = '';
for ($i = 0; $i < 5; $i++) {
$autoprefix = str_repeat('../', $i);
if (file_exists($autoprefix . 'autoloader.php')) { break; }
}
include_once($autoprefix . "GameEngine/Database.php");
// ---------------------------------------------------------------------------
// Input
// ---------------------------------------------------------------------------
$aid = (int)($_POST['aid'] ?? 0);
$admid = (int)($_POST['admid'] ?? 0);
if ($aid <= 0 || $admid <= 0) {
header("Location: ../../../Admin/admin.php?p=alliance&aid=0&e=bad");
exit;
}
// ---------------------------------------------------------------------------
// Verificare admin
// ---------------------------------------------------------------------------
$admin = $database->getUserArray($admid, 1);
if (!$admin || (int)$admin['access'] !== 9) {
admin_deny('You must be signed in as an administrator to view this page. Your session may have expired — please return to the admin panel and sign in again.');
}
// ---------------------------------------------------------------------------
// 1. Scoate toți membrii
// ---------------------------------------------------------------------------
$database->query("UPDATE " . TB_PREFIX . "users SET alliance = 0 WHERE alliance = $aid");
// ---------------------------------------------------------------------------
// 2. Șterge structura alianței
// ---------------------------------------------------------------------------
$database->query("DELETE FROM " . TB_PREFIX . "alidata WHERE id = $aid");
$database->query("DELETE FROM " . TB_PREFIX . "ali_permission WHERE alliance = $aid");
$database->query("DELETE FROM " . TB_PREFIX . "ali_invite WHERE alliance = $aid");
$database->query("DELETE FROM " . TB_PREFIX . "ali_log WHERE aid = $aid");
// ---------------------------------------------------------------------------
// 3. Șterge diplomația
// ---------------------------------------------------------------------------
$database->query("DELETE FROM " . TB_PREFIX . "diplomacy WHERE alli1 = $aid OR alli2 = $aid");
// ---------------------------------------------------------------------------
// 4. Șterge forumul - CORECTAT pentru structura ta
// ---------------------------------------------------------------------------
// întâi posturile (prin topic)
$database->query("DELETE p FROM " . TB_PREFIX . "forum_post p
INNER JOIN " . TB_PREFIX . "forum_topic t ON p.topic = t.id
WHERE t.alliance = $aid");
// apoi topicurile
$database->query("DELETE FROM " . TB_PREFIX . "forum_topic WHERE alliance = $aid");
// apoi categoriile
$database->query("DELETE FROM " . TB_PREFIX . "forum_cat WHERE alliance = $aid");
// ---------------------------------------------------------------------------
// Log admin
// ---------------------------------------------------------------------------
$time = time();
$logText = "Deleted alliance ID $aid";
$logEsc = $database->escape($logText);
$database->query(
"INSERT INTO " . TB_PREFIX . "admin_log (`id`, `user`, `log`, `time`) " .
"VALUES (0, '$admid', '$logEsc', $time)"
);
header("Location: ../../../Admin/admin.php?p=search&delali=1");
exit;
?>
Reference in New Issue View Git Blame Copy Permalink