kevinowino869/mitrobill
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CSRF added to customer acounts update

Browse Source
This commit is contained in:
Focuslinkstech 2024-10-10 15:48:32 +01:00 committed by GitHub
parent 6be0da383c
commit 6e5450d104
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
system/controllers/accounts.php
View File

@ -18,11 +18,17 @@ switch ($action) {
case 'change-password': case 'change-password':
run_hook('customer_view_change_password'); #HOOK run_hook('customer_view_change_password'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('customer/change-password.tpl'); $ui->display('customer/change-password.tpl');
break; break;
case 'change-password-post': case 'change-password-post':
$password = _post('password'); $password = _post('password');
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
run_hook('customer_change_password'); #HOOK run_hook('customer_change_password'); #HOOK
if ($password != '') { if ($password != '') {
$d_pass = $user['password']; $d_pass = $user['password'];
@ -67,9 +73,15 @@ switch ($action) {
case 'profile': case 'profile':
run_hook('customer_view_edit_profile'); #HOOK run_hook('customer_view_edit_profile'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('customer/profile.tpl'); $ui->display('customer/profile.tpl');
break; break;
case 'edit-profile-post': case 'edit-profile-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/profile', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$fullname = _post('fullname'); $fullname = _post('fullname');
$address = _post('address'); $address = _post('address');
$email = _post('email'); $email = _post('email');
@ -100,11 +112,17 @@ switch ($action) {
case 'phone-update': case 'phone-update':
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->assign('new_phone', $_SESSION['new_phone']); $ui->assign('new_phone', $_SESSION['new_phone']);
$ui->display('customer/phone-update.tpl'); $ui->display('customer/phone-update.tpl');
break; break;
case 'phone-update-otp': case 'phone-update-otp':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$phone = Lang::phoneFormat(_post('phone')); $phone = Lang::phoneFormat(_post('phone'));
$username = $user['username']; $username = $user['username'];
$otpPath = $CACHE_PATH . '/sms/'; $otpPath = $CACHE_PATH . '/sms/';
@ -152,6 +170,10 @@ switch ($action) {
break; break;
case 'phone-update-post': case 'phone-update-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$phone = Lang::phoneFormat(_post('phone')); $phone = Lang::phoneFormat(_post('phone'));
$otp_code = _post('otp'); $otp_code = _post('otp');
$username = $user['username']; $username = $user['username'];
@ -210,10 +232,16 @@ switch ($action) {
break; break;
case 'email-update': case 'email-update':
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->assign('new_email', $_SESSION['new_email']); $ui->assign('new_email', $_SESSION['new_email']);
$ui->display('customer/email-update.tpl'); $ui->display('customer/email-update.tpl');
break; break;
case 'email-update-otp': case 'email-update-otp':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$email = trim(_post('email')); $email = trim(_post('email'));
$username = $user['username']; $username = $user['username'];
$otpPath = $CACHE_PATH . '/email/'; $otpPath = $CACHE_PATH . '/email/';
@ -255,6 +283,10 @@ switch ($action) {
break; break;
case 'email-update-post': case 'email-update-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$email = trim(_post('email')); $email = trim(_post('email'));
$otp_code = _post('otp'); $otp_code = _post('otp');
$username = $user['username']; $username = $user['username'];

1
ui/ui/customer/change-password.tpl
View File

@ -7,6 +7,7 @@
<div class="panel-heading">{Lang::T('Change Password')}</div> <div class="panel-heading">{Lang::T('Change Password')}</div>
<div class="panel-body"> <div class="panel-body">
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post"> <form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('Current Password')}</label> <label class="col-md-2 control-label">{Lang::T('Current Password')}</label>
<div class="col-md-6"> <div class="col-md-6">

2
ui/ui/customer/email-update.tpl
View File

@ -19,6 +19,7 @@
</div> </div>
</div> </div>
<form method="post" role="form" action="{$_url}accounts/email-update-otp"> <form method="post" role="form" action="{$_url}accounts/email-update-otp">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('New Email')}</label> <label class="col-md-2 control-label">{Lang::T('New Email')}</label>
<div class="col-md-6"> <div class="col-md-6">
@ -34,6 +35,7 @@
</div> </div>
</form> </form>
<form method="post" role="form" action="{$_url}accounts/email-update-post"> <form method="post" role="form" action="{$_url}accounts/email-update-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<!-- Form 2 --> <!-- Form 2 -->
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('OTP')}</label> <label class="col-md-2 control-label">{Lang::T('OTP')}</label>

2
ui/ui/customer/phone-update.tpl
View File

@ -19,6 +19,7 @@
</div> </div>
</div> </div>
<form method="post" role="form" action="{$_url}accounts/phone-update-otp"> <form method="post" role="form" action="{$_url}accounts/phone-update-otp">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('New Number')}</label> <label class="col-md-2 control-label">{Lang::T('New Number')}</label>
<div class="col-md-6"> <div class="col-md-6">
@ -34,6 +35,7 @@
</div> </div>
</form> </form>
<form method="post" role="form" action="{$_url}accounts/phone-update-post"> <form method="post" role="form" action="{$_url}accounts/phone-update-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<!-- Form 2 --> <!-- Form 2 -->
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('OTP')}</label> <label class="col-md-2 control-label">{Lang::T('OTP')}</label>

1
ui/ui/customer/profile.tpl
View File

@ -7,6 +7,7 @@
<div class="panel-heading">{Lang::T('Data Change')}</div> <div class="panel-heading">{Lang::T('Data Change')}</div>
<div class="panel-body"> <div class="panel-body">
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post"> <form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<input type="hidden" name="id" value="{$_user['id']}"> <input type="hidden" name="id" value="{$_user['id']}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('Username')}</label> <label class="col-md-2 control-label">{Lang::T('Username')}</label>