diff --git a/system/controllers/customers.php b/system/controllers/customers.php index 57c20474..c623c691 100644 --- a/system/controllers/customers.php +++ b/system/controllers/customers.php @@ -25,6 +25,10 @@ switch ($action) { if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $cs = ORM::for_table('tbl_customers') ->select('tbl_customers.id', 'id') @@ -153,6 +157,7 @@ switch ($action) { } $ui->assign('xheader', $leafletpickerHeader); run_hook('view_add_customer'); #HOOK + $ui->assign('csrf_token', Csrf::generateAndStoreToken()); $ui->display('customers-add.tpl'); break; case 'recharge': @@ -161,6 +166,10 @@ switch ($action) { } $id_customer = $routes['2']; $plan_id = $routes['3']; + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $b = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('plan_id', $plan_id)->find_one(); if ($b) { $gateway = 'Recharge'; @@ -199,6 +208,7 @@ switch ($action) { $ui->assign('channel', $channel); $ui->assign('server', $b['routers']); $ui->assign('plan', $plan); + $ui->assign('csrf_token', Csrf::generateAndStoreToken()); $ui->display('recharge-confirm.tpl'); } else { r2(U . 'customers/view/' . $id_customer, 'e', 'Cannot find active plan'); 
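Review bot: The check added at -25 and -161 here, and the ones at -210, -238, -266, -318 and -340 later in this file, read the token with `_req('token')`, so for the link-driven actions (recharge, sync, delete and the login-as-customer branch) it travels in the URL query string, where it is exposed through the Referer header, browser history and access logs — and those actions remain reachable by a plain GET, so the token is the only thing between a crafted link and a state change. Prefer turning those links into small POST forms with a hidden `csrf_token` (the shape `add-post` and `edit-post` already use) and reading it with `_post('csrf_token')`; if GET links must stay, at least send `Referrer-Policy: same-origin` so the token does not leak to third-party sites. Each guard also relies on `r2()` ending the request after the redirect; if that helper only emits the Location header, execution continues past the failed check into the query and mutation below it, which is worth confirming against its definition, since it is outside this diff. Every one of these hunks sits inside the `switch ($action)` block, which begins and ends outside the hunks.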
@@ -210,6 +220,10 @@ switch ($action) { } $id_customer = $routes['2']; $plan_id = $routes['3']; + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $b = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('plan_id', $plan_id)->find_one(); if ($b) { $p = ORM::for_table('tbl_plans')->where('id', $b['plan_id'])->find_one(); @@ -238,6 +252,10 @@ switch ($action) { break; case 'sync': $id_customer = $routes['2']; + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $bs = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('status', 'on')->findMany(); if ($bs) { $routers = []; @@ -266,8 +284,12 @@ switch ($action) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } $id = $routes['2']; + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $customer = ORM::for_table('tbl_customers')->find_one($id); - if($customer){ + if ($customer) { $_SESSION['uid'] = $id; User::setCookie($id); _alert("You are logging in as $customer[fullname],
don't logout just close tab.", 'info', "home", 10); @@ -308,6 +330,7 @@ switch ($action) { $ui->assign('d', $customer); $ui->assign('customFields', $customFields); $ui->assign('xheader', $leafletpickerHeader); + $ui->assign('csrf_token', Csrf::generateAndStoreToken()); $ui->display('customers-view.tpl'); } else { r2(U . 'customers/list', 'e', Lang::T('Account Not Found')); @@ -318,6 +341,10 @@ switch ($action) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } $id = $routes['2']; + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } run_hook('edit_customer'); #HOOK $d = ORM::for_table('tbl_customers')->find_one($id); // Fetch the Customers Attributes values from the tbl_customers_fields table @@ -329,6 +356,7 @@ switch ($action) { $ui->assign('statuses', ORM::for_table('tbl_customers')->getEnum("status")); $ui->assign('customFields', $customFields); $ui->assign('xheader', $leafletpickerHeader); + $ui->assign('csrf_token', Csrf::generateAndStoreToken()); $ui->display('customers-edit.tpl'); } else { r2(U . 'customers/list', 'e', Lang::T('Account Not Found')); @@ -340,6 +368,10 @@ switch ($action) { _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard"); } $id = $routes['2']; + $csrf_token = _req('token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } run_hook('delete_customer'); #HOOK $c = ORM::for_table('tbl_customers')->find_one($id); if ($c) { @@ -375,6 +407,11 @@ switch ($action) { break; case 'add-post': + + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/add', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $username = alphanumeric(_post('username'), ":+_.@-"); $fullname = _post('fullname'); $password = trim(_post('password')); 
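Review bot: The check at -318 now guards rendering the edit form (`run_hook('edit_customer')`, a `find_one($id)` and `customers-edit.tpl`), which is a read, so any existing link to `customers/edit/ID` from a template or controller this commit does not touch will bounce with the "Invalid or Expired CSRF Token" message, while the actual mutation in `edit-post` already carries its own check; the same applies to the recharge-confirm render at -161. Consider restricting the token check to the handlers that change state and leaving the form renders token-free, or, if the render check is intentional, audit every link site for the new parameter. The two halves of the change also disagree on the parameter name — GET paths read `_req('token')`, POST handlers read `_post('csrf_token')` — and settling on one name keeps the templates and the `Csrf` helper easier to reason about. The enclosing `switch` case starts before and ends after this hunk.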
@@ -499,6 +536,11 @@ switch ($action) { break; case 'edit-post': + $id = _post('id'); + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers/edit/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $username = alphanumeric(_post('username'), ":+_.@-"); $fullname = _post('fullname'); $account_type = _post('account_type'); @@ -526,7 +568,6 @@ switch ($action) { $msg .= 'Full Name should be between 2 to 25 characters' . '
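Review bot: At -499 `$id = _post('id')` is hoisted to the top of `edit-post` and concatenated raw into the failure redirect `r2(U . 'customers/edit/' . $id, ...)` before the existence check that -526 moves further down, so on the failure path a caller-supplied `id` now shapes the Location target. Sanitise it at the point of read, for example with the `alphanumeric()` helper this same block already applies to `username`, or by casting to `int` if the customer id column is numeric (not visible here). The enclosing `case 'edit-post':` body continues past the end of this hunk.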
'; } - $id = _post('id'); $c = ORM::for_table('tbl_customers')->find_one($id); if (!$c) { @@ -551,8 +592,8 @@ switch ($action) { if (ORM::for_table('tbl_customers')->where('username', $username)->find_one()) { $msg .= Lang::T('Username already used by another customer') . '
'; } - if(ORM::for_table('tbl_customers')->where('pppoe_username', $username)->find_one()){ - $msg.= Lang::T('Username already used by another pppoe username customer') . '
'; + if (ORM::for_table('tbl_customers')->where('pppoe_username', $username)->find_one()) { + $msg .= Lang::T('Username already used by another pppoe username customer') . '
'; } $userDiff = true; } @@ -659,13 +700,13 @@ switch ($action) { (new $p['device'])->change_username($p, $oldusername, $username); } if ($pppoeDiff && $tur['type'] == 'PPPOE') { - if(empty($oldPppoeUsername) && !empty($pppoe_username)){ + if (empty($oldPppoeUsername) && !empty($pppoe_username)) { // admin just add pppoe username (new $p['device'])->change_username($p, $username, $pppoe_username); - }else if(empty($pppoe_username) && !empty($oldPppoeUsername)){ + } else if (empty($pppoe_username) && !empty($oldPppoeUsername)) { // admin want to use customer username (new $p['device'])->change_username($p, $oldPppoeUsername, $username); - }else{ + } else { // regular change pppoe username (new $p['device'])->change_username($p, $oldPppoeUsername, $pppoe_username); } @@ -715,6 +756,10 @@ switch ($action) { $query->order_by_desc($order); } if (_post('export', '') == 'csv') { + $csrf_token = _post('csrf_token'); + if (!Csrf::check($csrf_token)) { + r2(U . 'customers', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); + } $d = $query->findMany(); $h = false; set_time_limit(-1); @@ -764,6 +809,7 @@ switch ($action) { $ui->assign('order', $order); $ui->assign('order_pos', $order_pos[$order]); $ui->assign('orderby', $orderby); + $ui->assign('csrf_token', Csrf::generateAndStoreToken()); $ui->display('customers.tpl'); break; } diff --git a/ui/ui/customers-add.tpl b/ui/ui/customers-add.tpl index 893fe24e..cc2ff88c 100644 --- a/ui/ui/customers-add.tpl +++ b/ui/ui/customers-add.tpl @@ -1,6 +1,7 @@ {include file="sections/header.tpl"}
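Review bot: The export gate at -715 validates `_post('csrf_token')` while the listing render at -764 mints a fresh value with `Csrf::generateAndStoreToken()` on every page load; if that helper overwrites a single stored token rather than keeping a per-session value, a user with two listing tabs open will be bounced on export or on any of the tokenised row links, and the failure redirect re-renders the list and rotates the token again. Worth confirming the helper's storage model, and if it is single-slot, generating the token once per session and reusing it across renders. The placement of the check inside the `export == 'csv'` branch is fine as written, since `$query` has only been composed, not executed, at that point. The enclosing `switch` case begins before this hunk.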
+
diff --git a/ui/ui/customers-edit.tpl b/ui/ui/customers-edit.tpl index d85a26df..c7dd43bc 100644 --- a/ui/ui/customers-edit.tpl +++ b/ui/ui/customers-edit.tpl @@ -1,6 +1,7 @@ {include file="sections/header.tpl"} +
@@ -239,12 +239,12 @@ @@ -261,16 +261,16 @@ {Lang::T('Back')}
diff --git a/ui/ui/customers.tpl b/ui/ui/customers.tpl index 7bb00743..1e8b2999 100644 --- a/ui/ui/customers.tpl +++ b/ui/ui/customers.tpl @@ -17,7 +17,7 @@
{if in_array($_admin['user_type'],['SuperAdmin','Admin'])}
- CSV
@@ -26,6 +26,7 @@
+
@@ -147,13 +148,13 @@   {Lang::T('View')}   -   {Lang::T('Edit')}   -   {Lang::T('Sync')}   - {Lang::T('Recharge')} diff --git a/ui/ui/sections/header.tpl b/ui/ui/sections/header.tpl index cc8d295c..d98b4641 100644 --- a/ui/ui/sections/header.tpl +++ b/ui/ui/sections/header.tpl @@ -185,8 +185,6 @@ color: #a94442; background-color: #f2dede; border-color: #ebccd1; - border-bottom-right-radius: 21px; - border-bottom-left-radius: 21px; } .panel-heading { @@ -278,6 +276,10 @@ font-weight: bold; } + .box.box-solid.box-primary > .box-header .btn { + color: inherit; + } + .box-header>.fa, .box-header>.glyphicon, .box-header>.ion,