Add CSRF protections

author: Frédéric Guillot <fred@kanboard.net> 2014-05-28 15:14:52 -0400
committer: Frédéric Guillot <fred@kanboard.net> 2014-05-28 15:14:52 -0400
commit: 445ef6d1481745cd4e7af7e671f534a25d4495dc (patch)
tree: 7990903e398d77339587595ef5a07df8464f5a2e /app/Templates/project_users.php
parent: 75ab09e28b22e9a5676ee912482027926e271515 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/app/Templates/project_users.php b/app/Templates/project_users.php
index 0448004f..8afac709 100644
--- a/app/Templates/project_users.php
+++ b/app/Templates/project_users.php
@@ -10,6 +10,8 @@
     <?php if (! empty($users['not_allowed'])): ?>
         <form method="post" action="?controller=project&amp;action=allow&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
 
+            <?= Helper\form_csrf() ?>
+
             <?= Helper\form_hidden('project_id', array('project_id' => $project['id'])) ?>
 
             <?= Helper\form_label(t('User'), 'user_id') ?>
@@ -32,7 +34,7 @@
         <?php foreach ($users['allowed'] as $user_id => $username): ?>
             <li>
                 <strong><?= Helper\escape($username) ?></strong>
-                (<a href="?controller=project&amp;action=revoke&amp;project_id=<?= $project['id'] ?>&amp;user_id=<?= $user_id ?>"><?= t('revoke') ?></a>)
+                (<a href="?controller=project&amp;action=revoke&amp;project_id=<?= $project['id'] ?>&amp;user_id=<?= $user_id.Helper\param_csrf() ?>"><?= t('revoke') ?></a>)
             </li>
         <?php endforeach ?>
         </ul>
author	Frédéric Guillot <fred@kanboard.net>	2014-05-28 15:14:52 -0400
committer	Frédéric Guillot <fred@kanboard.net>	2014-05-28 15:14:52 -0400
commit	445ef6d1481745cd4e7af7e671f534a25d4495dc (patch)
tree	7990903e398d77339587595ef5a07df8464f5a2e /app/Templates/project_users.php
parent	75ab09e28b22e9a5676ee912482027926e271515 (diff)