8a3a67d175
editAli, delAli, medals, delallymedal, delallymedalbyaid, delallymedalbyweek and deletemedalbyweek are POSTed to directly, bypassing admin.php's central csrf_verify(). Add csrf_verify() (after the admin access check, via the shared GameEngine/Admin/csrf.php) and csrf_field() in their forms (playermedals.tpl, editAli.tpl, delAli.tpl, delmedal.tpl, allymedals.tpl, delallymedal.tpl). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
<?php
#################################################################################
## -= YOU MAY NOT REMOVE OR CHANGE THIS NOTICE =- ##
## --------------------------------------------------------------------------- ##
## Filename delallymedal.php ##
## Developed by: aggenkeech ##
## License: TravianZ Project ##
## Copyright: TravianZ (c) 2010-2025. All rights reserved. ##
## ##
#################################################################################
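// Admin Mod endpoint: soft-deletes one alliance medal (sets del = 1 on the
// allimedal row), writes an entry to the admin log, then redirects back to the
// alliance page of the admin panel.

if (!isset($_SESSION)) {
    session_start();
}

// First gate: the session must carry an access level of at least 9.
if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
    die("Access Denied: You are not Admin!");
}

// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
// itself (it does not go through admin.php's central csrf_verify()).
// The check runs after the access gate and before any state is changed.
require_once(__DIR__ . '/../csrf.php');
csrf_verify();

// ---------------------------------------------------------------------------
// Autoloader path
// ---------------------------------------------------------------------------
// Walk up to four directory levels until autoloader.php is found; the prefix
// that matched is reused for the GameEngine includes below. If nothing
// matches, the prefix is left at the deepest level tried.
$autoprefix = '';
for ($i = 0; $i < 5; $i++) {
    $autoprefix = str_repeat('../', $i);
    if (file_exists($autoprefix . 'autoloader.php')) {
        break;
    }
}

include_once($autoprefix . "GameEngine/config.php");
include_once($autoprefix . "GameEngine/Database.php");

// ---------------------------------------------------------------------------
// Input
// ---------------------------------------------------------------------------
// Both ids are forced to integers here, which is what makes it safe to
// interpolate them into the redirect URL and the SQL statements below.
$delete = (int)($_POST['medalid'] ?? 0); // row id in the allimedal table
$aid    = (int)($_POST['aid'] ?? 0);     // alliance id

if ($delete <= 0 || $aid <= 0) {
    header("Location: ../../../Admin/admin.php?p=alliance&aid=$aid&e=bad");
    exit;
}

// ---------------------------------------------------------------------------
// Admin verification
// ---------------------------------------------------------------------------
// Second gate: re-check the acting account against the database. The account
// is taken from the server-side session. The previous code looked it up by the
// client-supplied `admid` POST field, so the request itself selected whose
// access level was checked; `admid` is no longer read.
// NOTE(review): the second argument (1) presumably selects lookup by user id;
// confirm against getUserArray().
$adminId = (int)($_SESSION['id'] ?? 0);
$admin = $database->getUserArray($adminId, 1);
if (!$admin || (int)$admin['access'] !== 9) {
    die('<h1><font color="red">Access Denied: You are not Admin!</font></h1>');
}

// ---------------------------------------------------------------------------
// Soft delete of the alliance medal
// ---------------------------------------------------------------------------
// The allyid condition ties the medal to the alliance named in the request, so
// a mismatched pair updates nothing.
$database->query("UPDATE ".TB_PREFIX."allimedal SET del = 1 WHERE id = $delete AND allyid = $aid");

// The log message below interpolates $affected, which the original never
// assigned (undefined-variable warning and an empty count in the audit trail).
// It has to be captured here, before the INSERT replaces the affected-row count.
// NOTE(review): assumes the Database object exposes its mysqli link as
// ->dblink; confirm against GameEngine/Database.php. When it does not, the
// log records "?" instead of a count.
$affected = (isset($database->dblink) && $database->dblink instanceof mysqli)
    ? mysqli_affected_rows($database->dblink)
    : '?';

// ---------------------------------------------------------------------------
// Log admin
// ---------------------------------------------------------------------------
// The message is escaped before being embedded; $adminId is an integer.
$log = $database->escape("Deleted ally medal #$delete (affected $affected) for ally $aid");
$database->query("INSERT INTO ".TB_PREFIX."admin_log (`id`,`user`,`log`,`time`) VALUES (0,'$adminId','$log',".time().")");

header("Location: ../../../Admin/admin.php?p=alliance&aid=" . $aid);
exit;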
?>