Diffstat (limited to 'app/Templates')
37 files changed, 57 insertions, 41 deletions
diff --git a/app/Templates/action_index.php b/app/Templates/action_index.php index b515ccaa..36c333a9 100644 --- a/app/Templates/action_index.php +++ b/app/Templates/action_index.php @@ -56,7 +56,7 @@ <h3><?= t('Add an action') ?></h3> <form method="post" action="?controller=action&action=params&project_id=<?= $project['id'] ?>" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('project_id', $values) ?> <?= Helper\form_label(t('Event'), 'event_name') ?> diff --git a/app/Templates/action_params.php b/app/Templates/action_params.php index 15a1d420..da685860 100644 --- a/app/Templates/action_params.php +++ b/app/Templates/action_params.php @@ -9,7 +9,7 @@ <h3><?= t('Define action parameters') ?></h3> <form method="post" action="?controller=action&action=create&project_id=<?= $project['id'] ?>" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('project_id', $values) ?> <?= Helper\form_hidden('event_name', $values) ?> <?= Helper\form_hidden('action_name', $values) ?> diff --git a/app/Templates/action_remove.php b/app/Templates/action_remove.php index b90136e8..13679eab 100644 --- a/app/Templates/action_remove.php +++ b/app/Templates/action_remove.php @@ -9,7 +9,7 @@ </p> <div class="form-actions"> - <a href="?controller=action&action=remove&action_id=<?= $action['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=action&action=remove&action_id=<?= $action['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=action&action=index&project_id=<?= $action['project_id'] ?>"><?= t('cancel') ?></a> </div> </div> diff --git a/app/Templates/user_forbidden.php b/app/Templates/app_forbidden.php index 853159ba..0c035404 100644 --- a/app/Templates/user_forbidden.php +++ b/app/Templates/app_forbidden.php @@ -4,6 +4,6 @@ </div> <p class="alert alert-error"> - <?= t('Only administrators can access to this page.') ?> + <?= t('Access Forbidden') ?> </p> </section>
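Review bot: The confirm link in action_remove.php still performs the removal over GET, so the CSRF token appended by `Helper\param_csrf()` now travels in the query string, where it lands in browser history, server and proxy logs, and in the Referer header sent to any outbound link on the next page. The same pattern is used for every other GET-driven state change in this commit: board_edit (moveUp/moveDown), board_remove, category_remove, comment_remove, config_index, file_remove, layout (logout), project_index, project_remove, project_users, subtask_remove, task_close, task_open, task_remove, user_edit and user_remove. The commit already provides `Helper\form_csrf()` for POST forms, so these `Yes` buttons could become small POST forms and keep the token out of URLs, e.g. `<form method="post" action="?controller=action&action=remove&action_id=<?= $action['id'] ?>"><?= Helper\form_csrf() ?><button type="submit" class="btn btn-red"><?= t('Yes') ?></button></form>`. If the links stay as GET, a `Referrer-Policy` header and a server-side check that rejects a token once it has been consumed would limit what a leaked URL is worth; neither is visible from the templates.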
\ No newline at end of file diff --git a/app/Templates/board_assign.php b/app/Templates/board_assign.php index 74448a5c..6f92b375 100644 --- a/app/Templates/board_assign.php +++ b/app/Templates/board_assign.php @@ -18,7 +18,7 @@ <section> <h3><?= t('Change assignee for the task "%s"', $values['title']) ?></h3> <form method="post" action="?controller=board&action=assignTask" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('id', $values) ?> <?= Helper\form_hidden('project_id', $values) ?> diff --git a/app/Templates/board_edit.php b/app/Templates/board_edit.php index 575536a8..05d9a6f6 100644 --- a/app/Templates/board_edit.php +++ b/app/Templates/board_edit.php @@ -9,7 +9,7 @@ <h3><?= t('Change columns') ?></h3> <form method="post" action="?controller=board&action=update&project_id=<?= $project['id'] ?>" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?php $i = 0; ?> <table> <tr> @@ -27,12 +27,12 @@ <ul> <?php if ($column['position'] != 1): ?> <li> - <a href="?controller=board&action=moveUp&project_id=<?= $project['id'] ?>&column_id=<?= $column['id'] ?>"><?= t('Move Up') ?></a> + <a href="?controller=board&action=moveUp&project_id=<?= $project['id'] ?>&column_id=<?= $column['id'].Helper\param_csrf() ?>"><?= t('Move Up') ?></a> </li> <?php endif ?> <?php if ($column['position'] != count($columns)): ?> <li> - <a href="?controller=board&action=moveDown&project_id=<?= $project['id'] ?>&column_id=<?= $column['id'] ?>"><?= t('Move Down') ?></a> + <a href="?controller=board&action=moveDown&project_id=<?= $project['id'] ?>&column_id=<?= $column['id'].Helper\param_csrf() ?>"><?= t('Move Down') ?></a> </li> <?php endif ?> <li> 
@@ -52,7 +52,7 @@ <h3><?= t('Add a new column') ?></h3> <form method="post" action="?controller=board&action=add&project_id=<?= $project['id'] ?>" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('project_id', $values) ?> <?= Helper\form_label(t('Title'), 'title') ?> <?= Helper\form_text('title', $values, $errors, array('required')) ?> diff --git a/app/Templates/board_remove.php b/app/Templates/board_remove.php index b406eb38..76c217b3 100644 --- a/app/Templates/board_remove.php +++ b/app/Templates/board_remove.php @@ -10,7 +10,7 @@ </p> <div class="form-actions"> - <a href="?controller=board&action=remove&column_id=<?= $column['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=board&action=remove&column_id=<?= $column['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=board&action=edit&project_id=<?= $column['project_id'] ?>"><?= t('cancel') ?></a> </div> </div> diff --git a/app/Templates/board_show.php b/app/Templates/board_show.php index e5cd9ceb..6a138bf9 100644 --- a/app/Templates/board_show.php +++ b/app/Templates/board_show.php @@ -1,4 +1,4 @@ -<table id="board" data-project-id="<?= $current_project_id ?>" data-time="<?= time() ?>" data-check-interval="<?= BOARD_CHECK_INTERVAL ?>"> +<table id="board" data-project-id="<?= $current_project_id ?>" data-time="<?= time() ?>" data-check-interval="<?= BOARD_CHECK_INTERVAL ?>" data-csrf-token=<?= \Core\Security::getCSRFToken() ?>> <tr> <?php $column_with = round(100 / count($board), 2); ?> <?php foreach ($board as $column): ?> diff --git a/app/Templates/category_edit.php b/app/Templates/category_edit.php index 99ba0c7c..1339f6da 100644 --- a/app/Templates/category_edit.php +++ b/app/Templates/category_edit.php 
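Review bot: In board_show.php the new `data-csrf-token` attribute is emitted unquoted and unescaped: `data-csrf-token=<?= \Core\Security::getCSRFToken() ?>`. An unquoted attribute value ends at the first space and may not contain `=`, `<`, `>` or quotes, so if the token is base64-encoded (not visible here) its `=` padding already yields malformed markup and the value the board JavaScript reads back can be truncated. Quote and escape it like the other dynamic values in these templates: `data-csrf-token="<?= Helper\escape(\Core\Security::getCSRFToken()) ?>"`. Reaching into `\Core\Security` from a template is also inconsistent with the `Helper\form_csrf()` / `Helper\param_csrf()` wrappers used everywhere else in this commit; a third helper next to those two would keep core classes out of the views.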
@@ -8,7 +8,7 @@ <section> <form method="post" action="?controller=category&action=update&project_id=<?= $project['id'] ?>" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('id', $values) ?> <?= Helper\form_hidden('project_id', $values) ?> diff --git a/app/Templates/category_index.php b/app/Templates/category_index.php index db986143..7fb923ba 100644 --- a/app/Templates/category_index.php +++ b/app/Templates/category_index.php @@ -34,6 +34,7 @@ <h3><?= t('Add a new category') ?></h3> <form method="post" action="?controller=category&action=save&project_id=<?= $project['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('project_id', $values) ?> <?= Helper\form_label(t('Category Name'), 'name') ?> diff --git a/app/Templates/category_remove.php b/app/Templates/category_remove.php index cc2eb678..cfc23e07 100644 --- a/app/Templates/category_remove.php +++ b/app/Templates/category_remove.php @@ -9,7 +9,7 @@ </p> <div class="form-actions"> - <a href="?controller=category&action=remove&project_id=<?= $project['id'] ?>&category_id=<?= $category['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=category&action=remove&project_id=<?= $project['id'] ?>&category_id=<?= $category['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=category&project_id=<?= $project['id'] ?>"><?= t('cancel') ?></a> </div> </div> diff --git a/app/Templates/comment_create.php b/app/Templates/comment_create.php index a566d9c8..f598532d 100644 --- a/app/Templates/comment_create.php +++ b/app/Templates/comment_create.php 
@@ -3,7 +3,7 @@ </div> <form method="post" action="?controller=comment&action=save&task_id=<?= $task['id'] ?>" autocomplete="off"> - + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('task_id', $values) ?> <?= Helper\form_hidden('user_id', $values) ?> <?= Helper\form_textarea('comment', $values, $errors, array('required', 'placeholder="'.t('Leave a comment').'"'), 'comment-textarea') ?><br/> diff --git a/app/Templates/comment_edit.php b/app/Templates/comment_edit.php index 0a17a95e..fdf3db54 100644 --- a/app/Templates/comment_edit.php +++ b/app/Templates/comment_edit.php @@ -4,6 +4,7 @@ <form method="post" action="?controller=comment&action=update&task_id=<?= $task['id'] ?>&comment_id=<?= $comment['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('id', $values) ?> <?= Helper\form_textarea('comment', $values, $errors, array('required', 'placeholder="'.t('Leave a comment').'"')) ?><br/> diff --git a/app/Templates/comment_remove.php b/app/Templates/comment_remove.php index 6409d7c0..7b117781 100644 --- a/app/Templates/comment_remove.php +++ b/app/Templates/comment_remove.php @@ -10,7 +10,7 @@ <?= Helper\template('comment_show', array('comment' => $comment, 'task' => $task, 'preview' => true)) ?> <div class="form-actions"> - <a href="?controller=comment&action=remove&task_id=<?= $task['id'] ?>&comment_id=<?= $comment['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=comment&action=remove&task_id=<?= $task['id'] ?>&comment_id=<?= $comment['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=task&action=show&task_id=<?= $task['id'] ?>#comment-<?= $comment['id'] ?>"><?= t('cancel') ?></a> </div> </div>
\ No newline at end of file diff --git a/app/Templates/config_index.php b/app/Templates/config_index.php index 6c610d2b..602e2070 100644 --- a/app/Templates/config_index.php +++ b/app/Templates/config_index.php @@ -7,6 +7,8 @@ <section> <form method="post" action="?controller=config&action=save" autocomplete="off"> + <?= Helper\form_csrf() ?> + <?= Helper\form_label(t('Language'), 'language') ?> <?= Helper\form_select('language', $languages, $values, $errors) ?><br/> @@ -39,7 +41,7 @@ </div> <section class="settings"> <ul> - <li><a href="?controller=config&action=tokens"><?= t('Reset all tokens') ?></a></li> + <li><a href="?controller=config&action=tokens<?= Helper\param_csrf() ?>"><?= t('Reset all tokens') ?></a></li> <li> <?= t('Webhooks token:') ?> <strong><?= Helper\escape($values['webhooks_token']) ?></strong> @@ -50,11 +52,11 @@ <strong><?= Helper\format_bytes($db_size) ?></strong> </li> <li> - <a href="?controller=config&action=downloadDb"><?= t('Download the database') ?></a> + <a href="?controller=config&action=downloadDb<?= Helper\param_csrf() ?>"><?= t('Download the database') ?></a> <?= t('(Gzip compressed Sqlite file)') ?> </li> <li> - <a href="?controller=config&action=optimizeDb"><?= t('Optimize the database') ?></a> + <a href="?controller=config&action=optimizeDb <?= Helper\param_csrf() ?>"><?= t('Optimize the database') ?></a> <?= t('(VACUUM command)') ?> </li> <?php endif ?> @@ -112,7 +114,7 @@ <td><?= dt('%B %e, %G at %k:%M %p', $session['expiration']) ?></td> <td><?= Helper\escape($session['ip']) ?></td> <td><?= Helper\escape($session['user_agent']) ?></td> - <td><a href="?controller=config&action=removeRememberMeToken&id=<?= $session['id'] ?>"><?= t('Remove') ?></a></td> + <td><a href="?controller=config&action=removeRememberMeToken&id=<?= $session['id'].Helper\param_csrf() ?>"><?= t('Remove') ?></a></td> </tr> <?php endforeach ?> </table> diff --git a/app/Templates/file_new.php b/app/Templates/file_new.php index 643f340d..7f7f1d1c 100644 
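Review bot: The Optimize link in config_index.php has a stray space before the token: `action=optimizeDb <?= Helper\param_csrf() ?>` puts a literal space into the href, so the `action` query parameter arrives as `optimizeDb ` (encoded as `%20`) and the route will not match `optimizeDb` unless the dispatcher trims it. The neighbouring `downloadDb<?= Helper\param_csrf() ?>` and `tokens<?= Helper\param_csrf() ?>` links in the same file show the intended form; change the line to `<a href="?controller=config&action=optimizeDb<?= Helper\param_csrf() ?>"><?= t('Optimize the database') ?></a>`. Because the failure mode is an unmatched action rather than a CSRF rejection, it will look like a dead link rather than a security error, which is easy to miss in manual testing.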
--- a/app/Templates/file_new.php +++ b/app/Templates/file_new.php @@ -3,6 +3,7 @@ </div> <form action="?controller=file&action=save&task_id=<?= $task['id'] ?>" method="post" enctype="multipart/form-data"> + <?= Helper\form_csrf() ?> <input type="file" name="files[]" multiple /> <div class="form-help"><?= t('Maximum size: ') ?><?= is_integer($max_size) ? Helper\format_bytes($max_size) : $max_size ?></div> <div class="form-actions"> diff --git a/app/Templates/file_remove.php b/app/Templates/file_remove.php index 1d26c15e..af77591c 100644 --- a/app/Templates/file_remove.php +++ b/app/Templates/file_remove.php @@ -8,7 +8,7 @@ </p> <div class="form-actions"> - <a href="?controller=file&action=remove&task_id=<?= $task['id'] ?>&file_id=<?= $file['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=file&action=remove&task_id=<?= $task['id'] ?>&file_id=<?= $file['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=task&action=show&task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a> </div> </div>
\ No newline at end of file diff --git a/app/Templates/layout.php b/app/Templates/layout.php index 3e3b2e89..aa430477 100644 --- a/app/Templates/layout.php +++ b/app/Templates/layout.php @@ -45,7 +45,7 @@ <a href="?controller=config"><?= t('Settings') ?></a> </li> <li> - <a href="?controller=user&action=logout"><?= t('Logout') ?></a> + <a href="?controller=user&action=logout<?= Helper\param_csrf() ?>"><?= t('Logout') ?></a> (<?= Helper\escape(Helper\get_username()) ?>) </li> </ul> diff --git a/app/Templates/project_edit.php b/app/Templates/project_edit.php index 557986bf..a882fbc6 100644 --- a/app/Templates/project_edit.php +++ b/app/Templates/project_edit.php @@ -8,6 +8,7 @@ <section> <form method="post" action="?controller=project&action=update&project_id=<?= $values['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> <?= Helper\form_hidden('id', $values) ?> <?= Helper\form_label(t('Name'), 'name') ?> diff --git a/app/Templates/project_forbidden.php b/app/Templates/project_forbidden.php deleted file mode 100644 index 1cba7b58..00000000 --- a/app/Templates/project_forbidden.php +++ /dev/null @@ -1,9 +0,0 @@ -<section id="main"> - <div class="page-header"> - <h2><?= t('Forbidden') ?></h2> - </div> - - <p class="alert alert-error"> - <?= t('You are not allowed to access to this project.') ?> - </p> -</section>
\ No newline at end of file diff --git a/app/Templates/project_index.php b/app/Templates/project_index.php index 1a3dbd49..927924a5 100644 --- a/app/Templates/project_index.php +++ b/app/Templates/project_index.php @@ -78,9 +78,9 @@ </li> <li> <?php if ($project['is_active']): ?> - <a href="?controller=project&action=disable&project_id=<?= $project['id'] ?>"><?= t('Disable') ?></a> + <a href="?controller=project&action=disable&project_id=<?= $project['id'].Helper\param_csrf() ?>"><?= t('Disable') ?></a> <?php else: ?> - <a href="?controller=project&action=enable&project_id=<?= $project['id'] ?>"><?= t('Enable') ?></a> + <a href="?controller=project&action=enable&project_id=<?= $project['id'].Helper\param_csrf() ?>"><?= t('Enable') ?></a> <?php endif ?> </li> <li> diff --git a/app/Templates/project_new.php b/app/Templates/project_new.php index 2026d461..b4ed9990 100644 --- a/app/Templates/project_new.php +++ b/app/Templates/project_new.php @@ -8,6 +8,7 @@ <section> <form method="post" action="?controller=project&action=save" autocomplete="off"> + <?= Helper\form_csrf() ?> <?= Helper\form_label(t('Name'), 'name') ?> <?= Helper\form_text('name', $values, $errors, array('autofocus', 'required')) ?> diff --git a/app/Templates/project_remove.php b/app/Templates/project_remove.php index e9f213b5..e25efa2f 100644 --- a/app/Templates/project_remove.php +++ b/app/Templates/project_remove.php @@ -9,7 +9,7 @@ </p> <div class="form-actions"> - <a href="?controller=project&action=remove&project_id=<?= $project['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=project&action=remove&project_id=<?= $project['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=project"><?= t('cancel') ?></a> </div> </div> diff --git a/app/Templates/project_users.php b/app/Templates/project_users.php index 0448004f..8afac709 100644 --- a/app/Templates/project_users.php +++ b/app/Templates/project_users.php 
@@ -10,6 +10,8 @@ <?php if (! empty($users['not_allowed'])): ?> <form method="post" action="?controller=project&action=allow&project_id=<?= $project['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> + <?= Helper\form_hidden('project_id', array('project_id' => $project['id'])) ?> <?= Helper\form_label(t('User'), 'user_id') ?> @@ -32,7 +34,7 @@ <?php foreach ($users['allowed'] as $user_id => $username): ?> <li> <strong><?= Helper\escape($username) ?></strong> - (<a href="?controller=project&action=revoke&project_id=<?= $project['id'] ?>&user_id=<?= $user_id ?>"><?= t('revoke') ?></a>) + (<a href="?controller=project&action=revoke&project_id=<?= $project['id'] ?>&user_id=<?= $user_id.Helper\param_csrf() ?>"><?= t('revoke') ?></a>) </li> <?php endforeach ?> </ul> diff --git a/app/Templates/subtask_create.php b/app/Templates/subtask_create.php index a456aa37..f1b27ab9 100644 --- a/app/Templates/subtask_create.php +++ b/app/Templates/subtask_create.php @@ -4,6 +4,8 @@ <form method="post" action="?controller=subtask&action=save&task_id=<?= $task['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> + <?= Helper\form_hidden('task_id', $values) ?> <?= Helper\form_label(t('Title'), 'title') ?> diff --git a/app/Templates/subtask_edit.php b/app/Templates/subtask_edit.php index 3080cdad..fc65d3b3 100644 --- a/app/Templates/subtask_edit.php +++ b/app/Templates/subtask_edit.php @@ -4,6 +4,8 @@ <form method="post" action="?controller=subtask&action=update&task_id=<?= $task['id'] ?>&subtask_id=<?= $subtask['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> + <?= Helper\form_hidden('id', $values) ?> <?= Helper\form_hidden('task_id', $values) ?> diff --git a/app/Templates/subtask_remove.php b/app/Templates/subtask_remove.php index 2862176c..12c99cf1 100644 --- a/app/Templates/subtask_remove.php +++ b/app/Templates/subtask_remove.php 
@@ -10,7 +10,7 @@ <p><strong><?= Helper\escape($subtask['title']) ?></strong></p> <div class="form-actions"> - <a href="?controller=subtask&action=remove&task_id=<?= $task['id'] ?>&subtask_id=<?= $subtask['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=subtask&action=remove&task_id=<?= $task['id'] ?>&subtask_id=<?= $subtask['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=task&action=show&task_id=<?= $task['id'] ?>#subtasks"><?= t('cancel') ?></a> </div> </div>
\ No newline at end of file diff --git a/app/Templates/task_close.php b/app/Templates/task_close.php index 6843c2f6..5c75b72b 100644 --- a/app/Templates/task_close.php +++ b/app/Templates/task_close.php @@ -8,7 +8,7 @@ </p> <div class="form-actions"> - <a href="?controller=task&action=close&task_id=<?= $task['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=task&action=close&task_id=<?= $task['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=task&action=show&task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a> </div> </div>
\ No newline at end of file diff --git a/app/Templates/task_edit.php b/app/Templates/task_edit.php index d698c21d..c03c7d9a 100644 --- a/app/Templates/task_edit.php +++ b/app/Templates/task_edit.php @@ -8,6 +8,8 @@ <section> <form method="post" action="?controller=task&action=update&task_id=<?= $task['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> + <div class="form-column"> <?= Helper\form_label(t('Title'), 'title') ?> diff --git a/app/Templates/task_edit_description.php b/app/Templates/task_edit_description.php index 0bdc40a2..550dac73 100644 --- a/app/Templates/task_edit_description.php +++ b/app/Templates/task_edit_description.php @@ -4,6 +4,8 @@ <form method="post" action="?controller=task&action=saveDescription&task_id=<?= $task['id'] ?>" autocomplete="off"> + <?= Helper\form_csrf() ?> + <?= Helper\form_hidden('id', $values) ?> <?= Helper\form_textarea('description', $values, $errors, array('required', 'placeholder="'.t('Leave a description').'"'), 'description-textarea') ?><br/> <div class="form-help"><a href="http://kanboard.net/documentation/syntax-guide" target="_blank" rel="noreferrer"><?= t('Write your text in Markdown') ?></a></div> diff --git a/app/Templates/task_new.php b/app/Templates/task_new.php index d233efd2..2938c4ca 100644 --- a/app/Templates/task_new.php +++ b/app/Templates/task_new.php @@ -5,6 +5,8 @@ <section> <form method="post" action="?controller=task&action=save" autocomplete="off"> + <?= Helper\form_csrf() ?> + <div class="form-column"> <?= Helper\form_label(t('Title'), 'title') ?> <?= Helper\form_text('title', $values, $errors, array('autofocus', 'required')) ?><br/> diff --git a/app/Templates/task_open.php b/app/Templates/task_open.php index 59ea0b54..3526ec81 100644 --- a/app/Templates/task_open.php +++ b/app/Templates/task_open.php 
@@ -8,7 +8,7 @@ </p> <div class="form-actions"> - <a href="?controller=task&action=open&task_id=<?= $task['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=task&action=open&task_id=<?= $task['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=task&action=show&task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a> </div> </div>
\ No newline at end of file diff --git a/app/Templates/task_remove.php b/app/Templates/task_remove.php index 60e4e8e7..dd4841db 100644 --- a/app/Templates/task_remove.php +++ b/app/Templates/task_remove.php @@ -8,7 +8,7 @@ </p> <div class="form-actions"> - <a href="?controller=task&action=remove&task_id=<?= $task['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=task&action=remove&task_id=<?= $task['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=task&action=show&task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a> </div> </div>
\ No newline at end of file diff --git a/app/Templates/user_edit.php b/app/Templates/user_edit.php index c857fe1c..6b83f748 100644 --- a/app/Templates/user_edit.php +++ b/app/Templates/user_edit.php @@ -8,6 +8,8 @@ <section> <form method="post" action="?controller=user&action=update" autocomplete="off"> + <?= Helper\form_csrf() ?> + <div class="form-column"> <?= Helper\form_hidden('id', $values) ?> @@ -48,9 +50,9 @@ <?php if (GOOGLE_AUTH && Helper\is_current_user($values['id'])): ?> <?php if (empty($values['google_id'])): ?> - <a href="?controller=user&action=google"><?= t('Link my Google Account') ?></a> + <a href="?controller=user&action=google<?= Helper\param_csrf() ?>"><?= t('Link my Google Account') ?></a> <?php else: ?> - <a href="?controller=user&action=unlinkGoogle"><?= t('Unlink my Google Account') ?></a> + <a href="?controller=user&action=unlinkGoogle<?= Helper\param_csrf() ?>"><?= t('Unlink my Google Account') ?></a> <?php endif ?> <?php endif ?> diff --git a/app/Templates/user_login.php b/app/Templates/user_login.php index 878170e3..49902ebb 100644 --- a/app/Templates/user_login.php +++ b/app/Templates/user_login.php @@ -8,6 +8,8 @@ <form method="post" action="?controller=user&action=check" class="form-login"> + <?= Helper\form_csrf() ?> + <?= Helper\form_label(t('Username'), 'username') ?> <?= Helper\form_text('username', $values, $errors, array('autofocus', 'required')) ?><br/> diff --git a/app/Templates/user_new.php b/app/Templates/user_new.php index 6ad976f2..3e22b7ee 100644 --- a/app/Templates/user_new.php +++ b/app/Templates/user_new.php @@ -8,6 +8,8 @@ <section> <form method="post" action="?controller=user&action=save" autocomplete="off"> + <?= Helper\form_csrf() ?> + <div class="form-column"> <?= Helper\form_label(t('Username'), 'username') ?> diff --git a/app/Templates/user_remove.php b/app/Templates/user_remove.php index a4db2e4a..61d4163b 100644 --- a/app/Templates/user_remove.php +++ b/app/Templates/user_remove.php 
@@ -7,7 +7,7 @@ <p class="alert alert-info"><?= t('Do you really want to remove this user: "%s"?', $user['username']) ?></p> <div class="form-actions"> - <a href="?controller=user&action=remove&user_id=<?= $user['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a> + <a href="?controller=user&action=remove&user_id=<?= $user['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a> <?= t('or') ?> <a href="?controller=user"><?= t('cancel') ?></a> </div> </div> |