Merge pull request #625 from wrongecho/users
Require CSRF when enabling/disabling users
@@ -190,6 +190,7 @@ if(isset($_POST['edit_user'])){
|
||||
if(isset($_GET['activate_user'])){
|
||||
|
||||
validateAdminRole();
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
$user_id = intval($_GET['activate_user']);
|
||||
|
||||
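Review bot: `$_GET['csrf_token']` is read without an existence check on the added line, so a request that omits the parameter emits an undefined-array-key warning and hands `null` to validateCSRFToken(); `validateCSRFToken($_GET['csrf_token'] ?? '');` sends a missing token down the same rejection path as a wrong one. The disable_user handler in the next hunk has the identical issue. Because the token travels in a GET query string it is written to access logs, browser history and outgoing Referer headers; moving these state-changing actions to POST with the token in a hidden field would remove that exposure. validateCSRFToken() is defined outside this diff, so whether it compares with hash_equals() cannot be confirmed from here.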
@@ -207,6 +208,7 @@ if(isset($_GET['activate_user'])){
|
||||
if(isset($_GET['disable_user'])){
|
||||
|
||||
validateAdminRole();
|
||||
validateCSRFToken($_GET['csrf_token']);
|
||||
|
||||
$user_id = intval($_GET['disable_user']);
|
||||
|
||||
|
||||
@@ -14,6 +14,10 @@
|
||||
|
||||
<div class="modal-body bg-white">
|
||||
|
||||
<div class="alert alert-danger" role="alert">
|
||||
<b>The multi-company feature is deprecated and should not be used.</b>
|
||||
</div>
|
||||
|
||||
<div class="alert alert-info">
|
||||
Select Companies that the user will need access to
|
||||
</div>
|
||||
|
||||
@@ -10,11 +10,14 @@ if (!empty($_GET['sb'])) {
|
||||
//Rebuild URL
|
||||
$url_query_strings_sb = http_build_query(array_merge($_GET, array('sb' => $sb, 'o' => $o)));
|
||||
|
||||
$sql = mysqli_query($mysqli, "SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
|
||||
$sql = mysqli_query(
|
||||
$mysqli,
|
||||
"SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
|
||||
WHERE users.user_id = user_settings.user_id
|
||||
AND (user_name LIKE '%$q%' OR user_email LIKE '%$q%')
|
||||
AND user_archived_at IS NULL
|
||||
ORDER BY $sb $o LIMIT $record_from, $record_to");
|
||||
ORDER BY $sb $o LIMIT $record_from, $record_to"
|
||||
);
|
||||
|
||||
$num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
|
||||
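Review bot: The reformatted call is cosmetic and still interpolates `$q`, `$sb`, `$o`, `$record_from` and `$record_to` directly into the SQL string; the hunk header shows `$sb` comes from `$_GET['sb']`, and an ORDER BY column and direction cannot be bound as prepared-statement placeholders. Any sanitisation applied above this hunk is not visible here, so the safe shape is to map `$sb` through an allowlist of sortable columns and clamp `$o` before the query is built, for example `$sb = in_array($sb, ['user_name', 'user_email'], true) ? $sb : 'user_name';` and `$o = ($o === 'DESC') ? 'DESC' : 'ASC';` (column list and default are illustrative). `$q` belongs in a bound parameter or at least mysqli_real_escape_string(), and the two LIMIT values should be cast with intval() where they are derived.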
@@ -142,9 +145,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
<div class="dropdown-menu">
|
||||
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserModal<?php echo $user_id; ?>">Edit</a>
|
||||
<?php if ($user_status == 0) { ?>
|
||||
<a class="dropdown-item text-success" href="post.php?activate_user=<?php echo $user_id; ?>">Activate</a>
|
||||
<a class="dropdown-item text-success" href="post.php?activate_user=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Activate</a>
|
||||
<?php }elseif ($user_status == 1) { ?>
|
||||
<a class="dropdown-item text-danger" href="post.php?disable_user=<?php echo $user_id; ?>">Disable</a>
|
||||
<a class="dropdown-item text-danger" href="post.php?disable_user=<?php echo $user_id; ?>&csrf_token=<?php echo $_SESSION['csrf_token'] ?>">Disable</a>
|
||||
<?php } ?>
|
||||
<div class="dropdown-divider"></div>
|
||||
<a class="dropdown-item" href="#" data-toggle="modal" data-target="#editUserCompaniesModal<?php echo $user_id; ?>">Company Access</a>
|
||||
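Review bot: `$_SESSION['csrf_token']` is echoed straight into the href attribute on the new Activate and Disable links without output escaping; even if the token is always generated as hex, `htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8')` is the consistent HTML-attribute form and costs nothing. Carrying the token in a GET link also records it in access logs, browser history and the Referer header of whatever page post.php redirects to, so a small per-row POST form with a hidden `csrf_token` input would be the stronger pattern for these state-changing actions. How the session token is generated is outside this diff, so the hex assumption is unverified here.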
@@ -157,9 +160,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
|
||||
<?php
|
||||
|
||||
include("user_edit_modal.php");
|
||||
include("user_companies_modal.php");
|
||||
include("user_archive_modal.php");
|
||||
require("user_edit_modal.php");
|
||||
require("user_companies_modal.php");
|
||||
require("user_archive_modal.php");
|
||||
|
||||
}
|
||||
|
||||
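Review bot: The change from include to require here deserves a comment, because these three calls appear to sit inside the per-user row loop (the `}` that is the last context line looks like its close) while the later hunks in this file switch to require_once; a reader could "normalise" this to require_once and silently lose every modal after the first row. Suggest `// require, not require_once: these modals are rendered once per user row` above the first call. The loop header is outside the hunk, so its extent is inferred from the closing brace only.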
@@ -168,7 +171,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<?php include("pagination.php"); ?>
|
||||
<?php require_once("pagination.php"); ?>
|
||||
</div>
|
||||
</div>
|
||||
<script>
|
||||
@@ -179,9 +182,6 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
|
||||
|
||||
<?php
|
||||
|
||||
include("user_add_modal.php");
|
||||
include("user_invite_modal.php");
|
||||
|
||||
include("footer.php");
|
||||
|
||||
?>
|
||||
require_once("user_add_modal.php");
|
||||
require_once("user_invite_modal.php");
|
||||
require_once("footer.php");
|
||||
|
||||