nestict/mitrobill
1
0
Fork 0
forked from kevinowino869/mitrobill
Code Pull Requests Activity

security

Browse Source 
add csrf token to customers post and get methods
This commit is contained in:
Focuslinkstech
2024-10-28 11:57:48 +01:00
parent e4fb835f2c
commit 8fdbe0ec1d
5 changed files with 67 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
system/controllers/customers.php
View File

@ -25,6 +25,10 @@ switch ($action) {
if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin'])) {
_alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard");
}
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$cs = ORM::for_table('tbl_customers')
->select('tbl_customers.id', 'id')
@ -153,6 +157,7 @@ switch ($action) {
}
$ui->assign('xheader', $leafletpickerHeader);
run_hook('view_add_customer'); #HOOK
$ui->assign('csrf_token', Csrf::generateAndStoreToken());
$ui->display('customers-add.tpl');
break;
case 'recharge':
@ -161,6 +166,10 @@ switch ($action) {
}
$id_customer = $routes['2'];
$plan_id = $routes['3'];
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$b = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('plan_id', $plan_id)->find_one();
if ($b) {
$gateway = 'Recharge';
@ -199,6 +208,7 @@ switch ($action) {
$ui->assign('channel', $channel);
$ui->assign('server', $b['routers']);
$ui->assign('plan', $plan);
$ui->assign('csrf_token', Csrf::generateAndStoreToken());
$ui->display('recharge-confirm.tpl');
} else {
r2(U . 'customers/view/' . $id_customer, 'e', 'Cannot find active plan');
@ -210,6 +220,10 @@ switch ($action) {
}
$id_customer = $routes['2'];
$plan_id = $routes['3'];
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$b = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('plan_id', $plan_id)->find_one();
if ($b) {
$p = ORM::for_table('tbl_plans')->where('id', $b['plan_id'])->find_one();
@ -238,6 +252,10 @@ switch ($action) {
break;
case 'sync':
$id_customer = $routes['2'];
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/view/' . $id_customer, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$bs = ORM::for_table('tbl_user_recharges')->where('customer_id', $id_customer)->where('status', 'on')->findMany();
if ($bs) {
$routers = [];
@ -266,8 +284,12 @@ switch ($action) {
_alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard");
}
$id = $routes['2'];
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$customer = ORM::for_table('tbl_customers')->find_one($id);
if($customer){
if ($customer) {
$_SESSION['uid'] = $id;
User::setCookie($id);
_alert("You are logging in as $customer[fullname],<br>don't logout just close tab.", 'info', "home", 10);
@ -308,6 +330,7 @@ switch ($action) {
$ui->assign('d', $customer);
$ui->assign('customFields', $customFields);
$ui->assign('xheader', $leafletpickerHeader);
$ui->assign('csrf_token', Csrf::generateAndStoreToken());
$ui->display('customers-view.tpl');
} else {
r2(U . 'customers/list', 'e', Lang::T('Account Not Found'));
@ -318,6 +341,10 @@ switch ($action) {
_alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard");
}
$id = $routes['2'];
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
run_hook('edit_customer'); #HOOK
$d = ORM::for_table('tbl_customers')->find_one($id);
// Fetch the Customers Attributes values from the tbl_customers_fields table
@ -329,6 +356,7 @@ switch ($action) {
$ui->assign('statuses', ORM::for_table('tbl_customers')->getEnum("status"));
$ui->assign('customFields', $customFields);
$ui->assign('xheader', $leafletpickerHeader);
$ui->assign('csrf_token', Csrf::generateAndStoreToken());
$ui->display('customers-edit.tpl');
} else {
r2(U . 'customers/list', 'e', Lang::T('Account Not Found'));
@ -340,6 +368,10 @@ switch ($action) {
_alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard");
}
$id = $routes['2'];
$csrf_token = _req('token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/view/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
run_hook('delete_customer'); #HOOK
$c = ORM::for_table('tbl_customers')->find_one($id);
if ($c) {
@ -375,6 +407,11 @@ switch ($action) {
break;
case 'add-post':
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/add', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$username = alphanumeric(_post('username'), ":+_.@-");
$fullname = _post('fullname');
$password = trim(_post('password'));
@ -499,6 +536,11 @@ switch ($action) {
break;
case 'edit-post':
$id = _post('id');
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers/edit/' . $id, 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$username = alphanumeric(_post('username'), ":+_.@-");
$fullname = _post('fullname');
$account_type = _post('account_type');
@ -526,7 +568,6 @@ switch ($action) {
$msg .= 'Full Name should be between 2 to 25 characters' . '<br>';
}
$id = _post('id');
$c = ORM::for_table('tbl_customers')->find_one($id);
if (!$c) {
@ -551,8 +592,8 @@ switch ($action) {
if (ORM::for_table('tbl_customers')->where('username', $username)->find_one()) {
$msg .= Lang::T('Username already used by another customer') . '<br>';
}
if(ORM::for_table('tbl_customers')->where('pppoe_username', $username)->find_one()){
$msg.= Lang::T('Username already used by another pppoe username customer') . '<br>';
if (ORM::for_table('tbl_customers')->where('pppoe_username', $username)->find_one()) {
$msg .= Lang::T('Username already used by another pppoe username customer') . '<br>';
}
$userDiff = true;
}
@ -659,13 +700,13 @@ switch ($action) {
(new $p['device'])->change_username($p, $oldusername, $username);
}
if ($pppoeDiff && $tur['type'] == 'PPPOE') {
if(empty($oldPppoeUsername) && !empty($pppoe_username)){
if (empty($oldPppoeUsername) && !empty($pppoe_username)) {
// admin just add pppoe username
(new $p['device'])->change_username($p, $username, $pppoe_username);
}else if(empty($pppoe_username) && !empty($oldPppoeUsername)){
} else if (empty($pppoe_username) && !empty($oldPppoeUsername)) {
// admin want to use customer username
(new $p['device'])->change_username($p, $oldPppoeUsername, $username);
}else{
} else {
// regular change pppoe username
(new $p['device'])->change_username($p, $oldPppoeUsername, $pppoe_username);
}
@ -715,6 +756,10 @@ switch ($action) {
$query->order_by_desc($order);
}
if (_post('export', '') == 'csv') {
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
r2(U . 'customers', 'e', Lang::T('Invalid or Expired CSRF Token') . ".");
}
$d = $query->findMany();
$h = false;
set_time_limit(-1);
@ -764,6 +809,7 @@ switch ($action) {
$ui->assign('order', $order);
$ui->assign('order_pos', $order_pos[$order]);
$ui->assign('orderby', $orderby);
$ui->assign('csrf_token', Csrf::generateAndStoreToken());
$ui->display('customers.tpl');
break;
}