diff --git a/system/autoload/Admin.php b/system/autoload/Admin.php
index 613fd384..2b31f337 100644
--- a/system/autoload/Admin.php
+++ b/system/autoload/Admin.php
@@ -73,6 +73,7 @@ class Admin return 0; } + public static function setCookie($aid) { global $db_pass, $config;
diff --git a/system/controllers/settings.php b/system/controllers/settings.php
index 35e69175..e23c0d0d 100644
--- a/system/controllers/settings.php
+++ b/system/controllers/settings.php
@@ -34,11 +34,11 @@ switch ($action) { $dev = pathinfo($file, PATHINFO_FILENAME); require_once $DEVICE_PATH . DIRECTORY_SEPARATOR . $file; $dvc = new $dev; - if(method_exists($dvc, 'description')){ + if (method_exists($dvc, 'description')) { $arr = $dvc->description(); $arr['file'] = $dev; $devices[] = $arr; - }else{ + } else { $devices[] = [ 'title' => $dev, 'description' => '',
@@ -116,6 +116,8 @@ switch ($action) { $ui->assign('dir', str_replace('controllers', '', __DIR__)); $ui->assign('themes', $themes); run_hook('view_app_settings'); #HOOK + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('app-settings.tpl'); break;
@@ -123,6 +125,10 @@ switch ($action) { if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/app', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $company = _post('CompanyName'); $custom_tax_rate = filter_var(_post('custom_tax_rate'), FILTER_SANITIZE_SPECIAL_CHARS); if (preg_match('/[^0-9.]/', $custom_tax_rate)) {
@@ -155,7 +161,7 @@ switch ($action) { die(); } } - // Save all settings including tax system + // Save all settings including tax system $enable_session_timeout = isset($_POST['enable_session_timeout']) ? 1 : 0; $_POST['enable_session_timeout'] = $enable_session_timeout; foreach ($_POST as $key => $value) { 
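Review bot: The `foreach ($_POST as $key => $value)` loop at the end of the `@@ -155` hunk will now also iterate the `csrf_token` field that the `@@ -123` hunk starts accepting, because nothing removes it once `Csrf::check()` passes; the loop body lies outside the hunk, but if it persists every key the way the new `miscellaneous` handler later in this diff does, the token is written into the settings table. Add `unset($_POST['csrf_token']);` immediately after the check, or save from an explicit list of setting names instead of the raw request. The same gap exists in `notifications-post` and `lang-post`, which `json_encode($_POST)` straight to disk, and in the `miscellaneous` case. The guard also assumes `r2()` terminates the request; if it only emits a redirect header, the save code still runs after a failed check, so that should be confirmed.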
@@ -217,6 +223,8 @@ switch ($action) { $ui->assign('tlist', $timezonelist); $ui->assign('xjq', ' $("#tzone").select2(); '); run_hook('view_localisation'); #HOOK + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('app-localisation.tpl'); break; @@ -224,6 +232,10 @@ switch ($action) { if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/app', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $tzone = _post('tzone'); $date_format = _post('date_format'); $country_code_phone = _post('country_code_phone'); @@ -295,7 +307,7 @@ switch ($action) { $d->value = _post('pppoe_plan'); $d->save(); } - $d = ORM::for_table('tbl_appconfig')->where('setting', 'vpn_plan')->find_one(); + $d = ORM::for_table('tbl_appconfig')->where('setting', 'vpn_plan')->find_one(); if ($d) { $d->value = _post('vpn_plan'); $d->save(); @@ -386,6 +398,8 @@ switch ($action) { $ui->assign('d', $d); $ui->assign('search', $search); run_hook('view_list_admin'); #HOOK + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('admin.tpl'); break; @@ -393,6 +407,8 @@ switch ($action) { if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin', 'Agent'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->assign('_title', Lang::T('Add User')); $ui->assign('agents', ORM::for_table('tbl_users')->where('user_type', 'Agent')->find_many()); $ui->display('admin-add.tpl'); 
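Review bot: The CSRF failure branch in the `@@ -232` hunk redirects to `U . 'settings/app'`, yet this hunk follows the handler that renders `app-localisation.tpl`, so a rejected localisation form sends the admin back to the general settings page; it reads like a copy of the `app-post` block. Presumably it should be `r2(U . 'settings/localisation', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");`, assuming that is the route name for that form (the `case` label itself is outside the hunk).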
@@ -422,6 +438,8 @@ switch ($action) { } $ui->assign('d', $d); $ui->assign('_title', $d['username']); + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('admin-view.tpl'); } else { r2(U . 'settings/users', 'e', Lang::T('Account Not Found')); @@ -459,6 +477,8 @@ switch ($action) { $ui->assign('id', $id); $ui->assign('d', $d); run_hook('view_edit_admin'); #HOOK + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('admin-edit.tpl'); } else { r2(U . 'settings/users', 'e', Lang::T('Account Not Found')); @@ -488,6 +508,10 @@ switch ($action) { if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin', 'Agent'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/users-add', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $username = _post('username'); $fullname = _post('fullname'); $password = _post('password'); @@ -552,6 +576,10 @@ switch ($action) { break; case 'users-edit-post': + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/users-edit/', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $username = _post('username'); $fullname = _post('fullname'); $password = _post('password'); @@ -646,11 +674,17 @@ switch ($action) { case 'change-password': run_hook('view_change_password'); #HOOK + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('change-password.tpl'); break; case 'change-password-post': $password = _post('password'); + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } if ($password != '') { $d = ORM::for_table('tbl_users')->where('username', $admin['username'])->find_one(); run_hook('change_password'); #HOOK 
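Review bot: In the `@@ -576` hunk `users-edit-post` gains a CSRF check but, unlike `users-add-post` in the `@@ -508` hunk, no `$admin['user_type']` check is visible before it, so at this point the token is the only gate on editing an account; if the role check lives further down the case (its body continues past the hunk) it would be clearer next to this one. The failure redirect `U . 'settings/users-edit/'` also drops the record id, landing the admin on an edit URL with nothing to edit. In `change-password-post` (`@@ -674`) reading `$password = _post('password');` before the check is harmless, but placing the check first would match the other handlers.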
@@ -695,6 +729,9 @@ switch ($action) { } else { $ui->assign('_json', json_decode(file_get_contents($UPLOAD_PATH . DIRECTORY_SEPARATOR . 'notifications.default.json'), true)); } + + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->assign('_default', json_decode(file_get_contents($UPLOAD_PATH . DIRECTORY_SEPARATOR . 'notifications.default.json'), true)); $ui->display('app-notifications.tpl'); break; @@ -702,6 +739,10 @@ switch ($action) { if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/notifications', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } file_put_contents($UPLOAD_PATH . "/notifications.json", json_encode($_POST)); r2(U . 'settings/notifications', 's', Lang::T('Settings Saved Successfully')); break; @@ -807,10 +848,16 @@ switch ($action) { } else { $ui->assign('langs', []); } + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->display('language-add.tpl'); break; case 'lang-post': + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/language', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } file_put_contents($lan_file, json_encode($_POST, JSON_PRETTY_PRINT)); r2(U . 'settings/language', 's', Lang::T('Translation saved Successfully')); break; 
@@ -820,7 +867,12 @@ switch ($action) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); exit; } + if (_post('save') == 'save') { + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/maintenance', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $status = isset($_POST['maintenance_mode']) ? 1 : 0; // Checkbox returns 1 if checked, otherwise 0 $force_logout = isset($_POST['maintenance_mode_logout']) ? 1 : 0; // Checkbox returns 1 if checked, otherwise 0 $date = isset($_POST['maintenance_date']) ? $_POST['maintenance_date'] : null; @@ -846,11 +898,45 @@ switch ($action) { r2(U . "settings/maintenance", 's', Lang::T('Settings Saved Successfully')); } + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); $ui->assign('_c', $config); $ui->assign('_title', Lang::T('Maintenance Mode Settings')); $ui->display('maintenance-mode.tpl'); break; + case 'miscellaneous': + if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) { + _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); + exit; + } + if (_post('save') == 'save') { + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'settings/miscellaneous', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } + foreach ($_POST as $key => $value) { + $d = ORM::for_table('tbl_appconfig')->where('setting', $key)->find_one(); + if ($d) { + $d->value = $value; + $d->save(); + } else { + $d = ORM::for_table('tbl_appconfig')->create(); + $d->setting = $key; + $d->value = $value; + $d->save(); + } + } + + r2(U . "settings/miscellaneous", 's', Lang::T('Settings Saved Successfully')); + } + $csrf_token = Csrf::generateAndStoreToken(); + $ui->assign('csrf_token', $csrf_token); + $ui->assign('_c', $config); + $ui->assign('_title', Lang::T('Miscellaneous Settings')); + $ui->display('miscellaneous.tpl'); + break; + default: $ui->display('a404.tpl'); } 
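Review bot: The new `miscellaneous` handler in the `@@ -846` hunk writes every `$_POST` key into `tbl_appconfig` and creates a row for any key that does not yet exist, so the `save` and `csrf_token` fields become settings and any other name a submitted form carries becomes a persisted config value that is read back through `$config`. Limit the loop to the keys the `miscellaneous.tpl` form defines — iterate an explicit list and read each with `_post($key)` — or at minimum `unset($_POST['csrf_token'], $_POST['save']);` before the loop and drop the `create()` branch so unknown keys are ignored. The `_post('save') == 'save'` comparison should also be `===` for consistency with strict comparison elsewhere.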
diff --git a/ui/ui/admin-add.tpl b/ui/ui/admin-add.tpl
index edd26814..fd9abae9 100644
--- a/ui/ui/admin-add.tpl
+++ b/ui/ui/admin-add.tpl
@@ -2,6 +2,7 @@
+
diff --git a/ui/ui/admin-edit.tpl b/ui/ui/admin-edit.tpl
index d040da65..785dd528 100644
--- a/ui/ui/admin-edit.tpl
+++ b/ui/ui/admin-edit.tpl
@@ -2,6 +2,7 @@ +
+
diff --git a/ui/ui/app-localisation.tpl b/ui/ui/app-localisation.tpl
index 571d5588..f27cf732 100644
--- a/ui/ui/app-localisation.tpl
+++ b/ui/ui/app-localisation.tpl
@@ -13,6 +13,7 @@
+
diff --git a/ui/ui/app-notifications.tpl b/ui/ui/app-notifications.tpl
index 7dc158f9..b8c8143f 100644
--- a/ui/ui/app-notifications.tpl
+++ b/ui/ui/app-notifications.tpl
@@ -1,6 +1,7 @@ {include file="sections/header.tpl"} +
diff --git a/ui/ui/app-settings.tpl b/ui/ui/app-settings.tpl
index b1526c60..049b6808 100644
--- a/ui/ui/app-settings.tpl
+++ b/ui/ui/app-settings.tpl
@@ -1,6 +1,7 @@ {include file="sections/header.tpl"} +
@@ -590,174 +591,6 @@
-
-
- -
- {Lang::T('Miscellaneous')} -
-
-
- -
- -
-

- {Lang::T('Logout Admin if not Available/Online a period of time')}

-
- -
- -
- -
-

{Lang::T('This is to notify you when new updates is available')} -

-
-
- -
- -
-

- {Lang::T('If enabled, the system will notify Admin when router goes Offline, If admin have 10 or more router and many customers, it will get overlapping, you can disabled')} -

-
-
- -
- -
-

- {Lang::T('OTP is required when user want to change phone number and registration')} -

-
-
- -
- -
-

{Lang::T('The method which OTP will be sent to user')}

-
-
- -
- -
-

- {Lang::T('OTP is required when user want to change Email Address')} -

-
-
- -
- -
-

- {Lang::T('If user buy same internet plan, expiry date will extend')}

-
-
- -
- -
-

- {Lang::T(' for Customer')}

-
-
- -
- -
-

- {Lang::T('Hotspot Authentication Method. Make sure you have changed your hotspot login page.')}
Download - phpnuxbill-login-hotspot -

-
-
- -
- -
-

- {Lang::T('This will show is Customer currently is online or not')} -

-
-
-