add csrf token to customers post and get methods
This commit is contained in:
Focuslinkstech
2024-10-28 11:57:48 +01:00
parent e4fb835f2c
commit 8fdbe0ec1d
5 changed files with 67 additions and 18 deletions


@ -1,6 +1,7 @@
{include file="sections/header.tpl"}
<form class="form-horizontal" method="post" role="form" action="{$_url}customers/add-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="row">
<div class="col-md-6">
<div class="panel panel-primary panel-hovered panel-stacked mb30">


@ -1,6 +1,7 @@
{include file="sections/header.tpl"}
<form class="form-horizontal" method="post" role="form" action="{$_url}customers/edit-post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="row">
<div class="col-md-6">
<div


@ -111,12 +111,12 @@
</ul>
<div class="row">
<div class="col-xs-4">
<a href="{$_url}customers/delete/{$d['id']}" id="{$d['id']}"
<a href="{$_url}customers/delete/{$d['id']}&token={$csrf_token}" id="{$d['id']}"
class="btn btn-danger btn-block btn-sm"
onclick="return confirm('{Lang::T('Delete')}?')"><span class="fa fa-trash"></span></a>
</div>
<div class="col-xs-8">
<a href="{$_url}customers/edit/{$d['id']}"
<a href="{$_url}customers/edit/{$d['id']}&token={$csrf_token}"
class="btn btn-warning btn-sm btn-block">{Lang::T('Edit')}</a>
</div>
</div>
@ -239,12 +239,12 @@
</ul>
<div class="row">
<div class="col-xs-4">
<a href="{$_url}customers/deactivate/{$d['id']}/{$package['plan_id']}" id="{$d['id']}"
<a href="{$_url}customers/deactivate/{$d['id']}/{$package['plan_id']}&token={$csrf_token}" id="{$d['id']}"
class="btn btn-danger btn-block btn-sm"
onclick="return confirm('This will deactivate Customer Plan, and make it expired')">{Lang::T('Deactivate')}</a>
</div>
<div class="col-xs-8">
<a href="{$_url}customers/recharge/{$d['id']}/{$package['plan_id']}"
<a href="{$_url}customers/recharge/{$d['id']}/{$package['plan_id']}&token={$csrf_token}"
class="btn btn-success btn-sm btn-block">{Lang::T('Recharge')}</a>
</div>
</div>
@ -261,16 +261,16 @@
<a href="{$_url}customers/list" class="btn btn-primary btn-sm btn-block">{Lang::T('Back')}</a>
</div>
<div class="col-xs-6 col-md-3">
<a href="{$_url}customers/sync/{$d['id']}" onclick="return confirm('This will sync Customer to Mikrotik?')"
<a href="{$_url}customers/sync/{$d['id']}&token={$csrf_token}" onclick="return confirm('This will sync Customer to Mikrotik?')"
class="btn btn-info btn-sm btn-block">{Lang::T('Sync')}</a>
</div>
<div class="col-xs-6 col-md-3">
<a href="{$_url}message/send/{$d['id']}" class="btn btn-success btn-sm btn-block">
<a href="{$_url}message/send/{$d['id']}&token={$csrf_token}" class="btn btn-success btn-sm btn-block">
{Lang::T('Send Message')}
</a>
</div>
<div class="col-xs-6 col-md-3">
<a href="{$_url}customers/login/{$d['id']}" target="_blank" class="btn btn-warning btn-sm btn-block">
<a href="{$_url}customers/login/{$d['id']}&token={$csrf_token}" target="_blank" class="btn btn-warning btn-sm btn-block">
{Lang::T('Login as Customer')}
</a>
</div>
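Review bot: The state-changing links in this section (`customers/delete/…`, `customers/deactivate/…`, `customers/sync/…`, `customers/login/…`) still fire on a plain GET, so the appended `&token={$csrf_token}` lands in browser history, bookmarks and access logs, and it only protects anything if the handler compares `$_GET['token']` against the session value — that check is not in these hunks. The links also assume `$_url` already carries a `?`; should the base ever be a clean path, `customers/delete/5&token=…` has no query string and the router would see `5&token=…` as the id (the list template's csv, edit, sync and recharge links share this pattern). Read-only navigations such as `customers/edit/…`, `customers/recharge/…` and `message/send/…` gain nothing from the token, because the forms they open already post `csrf_token`, so dropping it there reduces exposure. The parameter is named `csrf_token` in the forms but `token` in the links; one name keeps the server-side check to a single code path. For the destructive actions I would replace the anchor with a small POST form, shown below for delete.

```smarty
<form method="post" action="{$_url}customers/delete/{$d['id']}" onsubmit="return confirm('{Lang::T('Delete')}?')">
    <input type="hidden" name="csrf_token" value="{$csrf_token}">
    <button type="submit" class="btn btn-danger btn-block btn-sm"><span class="fa fa-trash"></span></button>
</form>
{* … unchanged: edit, deactivate, recharge, sync, message and login links … *}
```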


@ -17,7 +17,7 @@
<div class="panel-heading">
{if in_array($_admin['user_type'],['SuperAdmin','Admin'])}
<div class="btn-group pull-right">
<a class="btn btn-primary btn-xs" title="save" href="{$_url}customers/csv"
<a class="btn btn-primary btn-xs" title="save" href="{$_url}customers/csv&token={$csrf_token}"
onclick="return confirm('This will export to CSV?')"><span class="glyphicon glyphicon-download"
aria-hidden="true"></span> CSV</a>
</div>
@ -26,6 +26,7 @@
</div>
<div class="panel-body">
<form id="site-search" method="post" action="{$_url}customers">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="md-whiteframe-z1 mb20 text-center" style="padding: 15px">
<div class="col-lg-4">
<div class="input-group">
@ -147,13 +148,13 @@
<a href="{$_url}customers/view/{$ds['id']}" id="{$ds['id']}"
style="margin: 0px; color:black"
class="btn btn-success btn-xs">&nbsp;&nbsp;{Lang::T('View')}&nbsp;&nbsp;</a>
<a href="{$_url}customers/edit/{$ds['id']}" id="{$ds['id']}"
<a href="{$_url}customers/edit/{$ds['id']}&token={$csrf_token}" id="{$ds['id']}"
style="margin: 0px; color:black"
class="btn btn-info btn-xs">&nbsp;&nbsp;{Lang::T('Edit')}&nbsp;&nbsp;</a>
<a href="{$_url}customers/sync/{$ds['id']}" id="{$ds['id']}"
<a href="{$_url}customers/sync/{$ds['id']}&token={$csrf_token}" id="{$ds['id']}"
style="margin: 5px; color:black"
class="btn btn-success btn-xs">&nbsp;&nbsp;{Lang::T('Sync')}&nbsp;&nbsp;</a>
<a href="{$_url}plan/recharge/{$ds['id']}" id="{$ds['id']}" style="margin: 0px;"
<a href="{$_url}plan/recharge/{$ds['id']}&token={$csrf_token}" id="{$ds['id']}" style="margin: 0px;"
class="btn btn-primary btn-xs">{Lang::T('Recharge')}</a>
</td>
</tr>