kevinowino869/mitrobill
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CSRF added to customer acounts update

Browse Source
This commit is contained in:
Focuslinkstech 2024-10-10 15:48:32 +01:00 committed by GitHub
parent 6be0da383c
commit 6e5450d104
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
system/controllers/accounts.php
View File

@ -18,11 +18,17 @@ switch ($action) {
case 'change-password':
run_hook('customer_view_change_password'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('customer/change-password.tpl');
break;
case 'change-password-post':
$password = _post('password');
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
run_hook('customer_change_password'); #HOOK
if ($password != '') {
$d_pass = $user['password'];
@ -67,9 +73,15 @@ switch ($action) {
case 'profile':
run_hook('customer_view_edit_profile'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('customer/profile.tpl');
break;
case 'edit-profile-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/profile', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$fullname = _post('fullname');
$address = _post('address');
$email = _post('email');
@ -100,11 +112,17 @@ switch ($action) {
case 'phone-update':
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->assign('new_phone', $_SESSION['new_phone']);
$ui->display('customer/phone-update.tpl');
break;
case 'phone-update-otp':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$phone = Lang::phoneFormat(_post('phone'));
$username = $user['username'];
$otpPath = $CACHE_PATH . '/sms/';
@ -152,6 +170,10 @@ switch ($action) {
break;
case 'phone-update-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$phone = Lang::phoneFormat(_post('phone'));
$otp_code = _post('otp');
$username = $user['username'];
@ -210,10 +232,16 @@ switch ($action) {
break;
case 'email-update':
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->assign('new_email', $_SESSION['new_email']);
$ui->display('customer/email-update.tpl');
break;
case 'email-update-otp':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$email = trim(_post('email'));
$username = $user['username'];
$otpPath = $CACHE_PATH . '/email/';
@ -255,6 +283,10 @@ switch ($action) {
break;
case 'email-update-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$email = trim(_post('email'));
$otp_code = _post('otp');
$username = $user['username'];

1
ui/ui/customer/change-password.tpl
View File

@ -7,6 +7,7 @@
<div class="panel-heading">{Lang::T('Change Password')}</div>
<div class="panel-body">
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group">
<label class="col-md-2 control-label">{Lang::T('Current Password')}</label>
<div class="col-md-6">

2
ui/ui/customer/email-update.tpl
View File

@ -19,6 +19,7 @@
</div>
</div>
<form method="post" role="form" action="{$_url}accounts/email-update-otp">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group">
<label class="col-md-2 control-label">{Lang::T('New Email')}</label>
<div class="col-md-6">
@ -34,6 +35,7 @@
</div>
</form>
<form method="post" role="form" action="{$_url}accounts/email-update-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<!-- Form 2 -->
<div class="form-group">
<label class="col-md-2 control-label">{Lang::T('OTP')}</label>

2
ui/ui/customer/phone-update.tpl
View File

@ -19,6 +19,7 @@
</div>
</div>
<form method="post" role="form" action="{$_url}accounts/phone-update-otp">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group">
<label class="col-md-2 control-label">{Lang::T('New Number')}</label>
<div class="col-md-6">
@ -34,6 +35,7 @@
</div>
</form>
<form method="post" role="form" action="{$_url}accounts/phone-update-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<!-- Form 2 -->
<div class="form-group">
<label class="col-md-2 control-label">{Lang::T('OTP')}</label>

1
ui/ui/customer/profile.tpl
View File

@ -7,6 +7,7 @@
<div class="panel-heading">{Lang::T('Data Change')}</div>
<div class="panel-body">
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<input type="hidden" name="id" value="{$_user['id']}">
<div class="form-group">
<label class="col-md-2 control-label">{Lang::T('Username')}</label>