Merge pull request #316 from Focuslinkstech/Development

Development
This commit is contained in:
iBNu Maksum 2024-10-11 08:01:40 +07:00 committed by GitHub
commit b32e2901af
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 48 additions and 14 deletions


@ -47,12 +47,11 @@ class Admin
if (sha1("$tmp[0].$tmp[1].$db_pass") == $tmp[2]) { if (sha1("$tmp[0].$tmp[1].$db_pass") == $tmp[2]) {
// Validate the token in the cookie // Validate the token in the cookie
$isValid = self::validateToken($tmp[0], $_COOKIE['aid']); $isValid = self::validateToken($tmp[0], $_COOKIE['aid']);
if (!$isValid) { if (!empty($_COOKIE['aid']) && !$isValid) {
self::removeCookie(); self::removeCookie();
_alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin"); _alert(Lang::T('Token has expired. Please log in again.'), 'danger', "admin");
return 0; return 0;
} } else {
if (time() - $tmp[1] < 86400 * 7) { if (time() - $tmp[1] < 86400 * 7) {
$_SESSION['aid'] = $tmp[0]; $_SESSION['aid'] = $tmp[0];
if ($enable_session_timeout) { if ($enable_session_timeout) {
@ -62,6 +61,7 @@ class Admin
} }
} }
} }
}
return 0; return 0;
} }
@ -77,13 +77,11 @@ class Admin
// Detect the current protocol // Detect the current protocol
$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'; $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$serverHost = $_SERVER['HTTP_HOST'];
$app_stage = ($serverHost === 'localhost') ? '' : APP_URL;
// Set cookie with security flags // Set cookie with security flags
setcookie('aid', $token, [ setcookie('aid', $token, [
'expires' => time() + 86400 * 7, // 7 days 'expires' => time() + 86400 * 7, // 7 days
'path' => '/', 'path' => '/',
'domain' => $app_stage, 'domain' => '',
'secure' => $isSecure, 'secure' => $isSecure,
'httponly' => true, 'httponly' => true,
'samesite' => 'Lax', // or Strict 'samesite' => 'Lax', // or Strict
@ -108,12 +106,10 @@ class Admin
global $_app_stage; global $_app_stage;
if (isset($_COOKIE['aid'])) { if (isset($_COOKIE['aid'])) {
$isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'; $isSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$serverHost = $_SERVER['HTTP_HOST'];
$app_stage = ($serverHost === 'localhost') ? '' : APP_URL;
setcookie('aid', '', [ setcookie('aid', '', [
'expires' => time() - 3600, 'expires' => time() - 3600,
'path' => '/', 'path' => '/',
'domain' => $app_stage, 'domain' => '',
'secure' => $isSecure, 'secure' => $isSecure,
'httponly' => true, 'httponly' => true,
'samesite' => 'Lax', 'samesite' => 'Lax',
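Review bot: The new guard `if (!empty($_COOKIE['aid']) && !$isValid)` ignores a failed `validateToken` result whenever the cookie value is empty, and control then drops into the new `else` branch, which still sets `$_SESSION['aid'] = $tmp[0]` when the timestamp is fresh; the method starts outside this hunk, so whether `$tmp` can be populated from an empty cookie cannot be confirmed here, but the session path should depend on a positive validation rather than on the absence of a cookie. Changing the new else to `} elseif ($isValid) {` keeps the early logout for bad tokens and makes the session branch reachable only when the token validated. The `sha1(...) == $tmp[2]` comparison in context is a loose string compare; `hash_equals(sha1(...), (string) $tmp[2])` would be the constant-time form when this line is next touched. The later hunks in this section only set the cookie domain to '' and raise nothing.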


@ -18,11 +18,17 @@ switch ($action) {
case 'change-password': case 'change-password':
run_hook('customer_view_change_password'); #HOOK run_hook('customer_view_change_password'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('customer/change-password.tpl'); $ui->display('customer/change-password.tpl');
break; break;
case 'change-password-post': case 'change-password-post':
$password = _post('password'); $password = _post('password');
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
run_hook('customer_change_password'); #HOOK run_hook('customer_change_password'); #HOOK
if ($password != '') { if ($password != '') {
$d_pass = $user['password']; $d_pass = $user['password'];
@ -67,9 +73,15 @@ switch ($action) {
case 'profile': case 'profile':
run_hook('customer_view_edit_profile'); #HOOK run_hook('customer_view_edit_profile'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->display('customer/profile.tpl'); $ui->display('customer/profile.tpl');
break; break;
case 'edit-profile-post': case 'edit-profile-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/profile', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$fullname = _post('fullname'); $fullname = _post('fullname');
$address = _post('address'); $address = _post('address');
$email = _post('email'); $email = _post('email');
@ -100,11 +112,17 @@ switch ($action) {
case 'phone-update': case 'phone-update':
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->assign('new_phone', $_SESSION['new_phone']); $ui->assign('new_phone', $_SESSION['new_phone']);
$ui->display('customer/phone-update.tpl'); $ui->display('customer/phone-update.tpl');
break; break;
case 'phone-update-otp': case 'phone-update-otp':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$phone = Lang::phoneFormat(_post('phone')); $phone = Lang::phoneFormat(_post('phone'));
$username = $user['username']; $username = $user['username'];
$otpPath = $CACHE_PATH . '/sms/'; $otpPath = $CACHE_PATH . '/sms/';
@ -152,6 +170,10 @@ switch ($action) {
break; break;
case 'phone-update-post': case 'phone-update-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$phone = Lang::phoneFormat(_post('phone')); $phone = Lang::phoneFormat(_post('phone'));
$otp_code = _post('otp'); $otp_code = _post('otp');
$username = $user['username']; $username = $user['username'];
@ -210,10 +232,16 @@ switch ($action) {
break; break;
case 'email-update': case 'email-update':
$csrf_token = Csrf::generateAndStoreToken();
$ui->assign('csrf_token', $csrf_token);
$ui->assign('new_email', $_SESSION['new_email']); $ui->assign('new_email', $_SESSION['new_email']);
$ui->display('customer/email-update.tpl'); $ui->display('customer/email-update.tpl');
break; break;
case 'email-update-otp': case 'email-update-otp':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$email = trim(_post('email')); $email = trim(_post('email'));
$username = $user['username']; $username = $user['username'];
$otpPath = $CACHE_PATH . '/email/'; $otpPath = $CACHE_PATH . '/email/';
@ -255,6 +283,10 @@ switch ($action) {
break; break;
case 'email-update-post': case 'email-update-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'accounts/email-update', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$email = trim(_post('email')); $email = trim(_post('email'));
$otp_code = _post('otp'); $otp_code = _post('otp');
$username = $user['username']; $username = $user['username'];
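Review bot: Each new `Csrf::check` guard in this section (change-password-post, edit-profile-post, phone-update-otp, phone-update-post, email-update-otp, email-update-post) stops the handler only if `r2()` ends the request; r2 is defined outside this file, so if it sends the redirect header without exiting, the statements after the guard still run on a rejected token. Confirm that r2 terminates, or make the guard self-contained, e.g. `if (!Csrf::check($csrf_token)) { r2(U . 'accounts/change-password', 'e', Lang::T('Invalid or Expired CSRF Token') . "."); exit; }`. The same four lines are repeated six times with only the redirect target varying; a small helper taking the return path would keep the guards from drifting as more cases are added. The enclosing `switch ($action)` starts and ends outside these hunks.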


@ -7,6 +7,7 @@
<div class="panel-heading">{Lang::T('Change Password')}</div> <div class="panel-heading">{Lang::T('Change Password')}</div>
<div class="panel-body"> <div class="panel-body">
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post"> <form class="form-horizontal" method="post" role="form" action="{$_url}accounts/change-password-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('Current Password')}</label> <label class="col-md-2 control-label">{Lang::T('Current Password')}</label>
<div class="col-md-6"> <div class="col-md-6">


@ -19,6 +19,7 @@
</div> </div>
</div> </div>
<form method="post" role="form" action="{$_url}accounts/email-update-otp"> <form method="post" role="form" action="{$_url}accounts/email-update-otp">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('New Email')}</label> <label class="col-md-2 control-label">{Lang::T('New Email')}</label>
<div class="col-md-6"> <div class="col-md-6">
@ -34,6 +35,7 @@
</div> </div>
</form> </form>
<form method="post" role="form" action="{$_url}accounts/email-update-post"> <form method="post" role="form" action="{$_url}accounts/email-update-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<!-- Form 2 --> <!-- Form 2 -->
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('OTP')}</label> <label class="col-md-2 control-label">{Lang::T('OTP')}</label>


@ -19,6 +19,7 @@
</div> </div>
</div> </div>
<form method="post" role="form" action="{$_url}accounts/phone-update-otp"> <form method="post" role="form" action="{$_url}accounts/phone-update-otp">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('New Number')}</label> <label class="col-md-2 control-label">{Lang::T('New Number')}</label>
<div class="col-md-6"> <div class="col-md-6">
@ -34,6 +35,7 @@
</div> </div>
</form> </form>
<form method="post" role="form" action="{$_url}accounts/phone-update-post"> <form method="post" role="form" action="{$_url}accounts/phone-update-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<!-- Form 2 --> <!-- Form 2 -->
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('OTP')}</label> <label class="col-md-2 control-label">{Lang::T('OTP')}</label>


@ -7,6 +7,7 @@
<div class="panel-heading">{Lang::T('Data Change')}</div> <div class="panel-heading">{Lang::T('Data Change')}</div>
<div class="panel-body"> <div class="panel-body">
<form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post"> <form class="form-horizontal" method="post" role="form" action="{$_url}accounts/edit-profile-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<input type="hidden" name="id" value="{$_user['id']}"> <input type="hidden" name="id" value="{$_user['id']}">
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label">{Lang::T('Username')}</label> <label class="col-md-2 control-label">{Lang::T('Username')}</label>