From 445ef6d1481745cd4e7af7e671f534a25d4495dc Mon Sep 17 00:00:00 2001
From: Frédéric Guillot <fred@kanboard.net>
Date: Wed, 28 May 2014 15:14:52 -0400
Subject: Add CSRF protections

---
 app/Templates/action_index.php          |  2 +-
 app/Templates/action_params.php         |  2 +-
 app/Templates/action_remove.php         |  2 +-
 app/Templates/app_forbidden.php         |  9 +++++++++
 app/Templates/board_assign.php          |  2 +-
 app/Templates/board_edit.php            |  8 ++++----
 app/Templates/board_remove.php          |  2 +-
 app/Templates/board_show.php            |  2 +-
 app/Templates/category_edit.php         |  2 +-
 app/Templates/category_index.php        |  1 +
 app/Templates/category_remove.php       |  2 +-
 app/Templates/comment_create.php        |  2 +-
 app/Templates/comment_edit.php          |  1 +
 app/Templates/comment_remove.php        |  2 +-
 app/Templates/config_index.php          | 10 ++++++----
 app/Templates/file_new.php              |  1 +
 app/Templates/file_remove.php           |  2 +-
 app/Templates/layout.php                |  2 +-
 app/Templates/project_edit.php          |  1 +
 app/Templates/project_forbidden.php     |  9 ---------
 app/Templates/project_index.php         |  4 ++--
 app/Templates/project_new.php           |  1 +
 app/Templates/project_remove.php        |  2 +-
 app/Templates/project_users.php         |  4 +++-
 app/Templates/subtask_create.php        |  2 ++
 app/Templates/subtask_edit.php          |  2 ++
 app/Templates/subtask_remove.php        |  2 +-
 app/Templates/task_close.php            |  2 +-
 app/Templates/task_edit.php             |  2 ++
 app/Templates/task_edit_description.php |  2 ++
 app/Templates/task_new.php              |  2 ++
 app/Templates/task_open.php             |  2 +-
 app/Templates/task_remove.php           |  2 +-
 app/Templates/user_edit.php             |  6 ++++--
 app/Templates/user_forbidden.php        |  9 ---------
 app/Templates/user_login.php            |  2 ++
 app/Templates/user_new.php              |  2 ++
 app/Templates/user_remove.php           |  2 +-
 38 files changed, 65 insertions(+), 49 deletions(-)
 create mode 100644 app/Templates/app_forbidden.php
 delete mode 100644 app/Templates/project_forbidden.php
 delete mode 100644 app/Templates/user_forbidden.php

(limited to 'app/Templates')

diff --git a/app/Templates/action_index.php b/app/Templates/action_index.php
index b515ccaa..36c333a9 100644
--- a/app/Templates/action_index.php
+++ b/app/Templates/action_index.php
@@ -56,7 +56,7 @@
 
     <h3><?= t('Add an action') ?></h3>
     <form method="post" action="?controller=action&amp;action=params&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
-
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_hidden('project_id', $values) ?>
 
         <?= Helper\form_label(t('Event'), 'event_name') ?>
diff --git a/app/Templates/action_params.php b/app/Templates/action_params.php
index 15a1d420..da685860 100644
--- a/app/Templates/action_params.php
+++ b/app/Templates/action_params.php
@@ -9,7 +9,7 @@
 
     <h3><?= t('Define action parameters') ?></h3>
     <form method="post" action="?controller=action&amp;action=create&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
-
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_hidden('project_id', $values) ?>
         <?= Helper\form_hidden('event_name', $values) ?>
         <?= Helper\form_hidden('action_name', $values) ?>
diff --git a/app/Templates/action_remove.php b/app/Templates/action_remove.php
index b90136e8..13679eab 100644
--- a/app/Templates/action_remove.php
+++ b/app/Templates/action_remove.php
@@ -9,7 +9,7 @@
         </p>
 
         <div class="form-actions">
-            <a href="?controller=action&amp;action=remove&amp;action_id=<?= $action['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+            <a href="?controller=action&amp;action=remove&amp;action_id=<?= $action['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
             <?= t('or') ?> <a href="?controller=action&amp;action=index&amp;project_id=<?= $action['project_id'] ?>"><?= t('cancel') ?></a>
         </div>
     </div>
diff --git a/app/Templates/app_forbidden.php b/app/Templates/app_forbidden.php
new file mode 100644
index 00000000..0c035404
--- /dev/null
+++ b/app/Templates/app_forbidden.php
@@ -0,0 +1,9 @@
+<section id="main">
+    <div class="page-header">
+        <h2><?= t('Forbidden') ?></h2>
+    </div>
+
+    <p class="alert alert-error">
+        <?= t('Access Forbidden') ?>
+    </p>
+</section>
\ No newline at end of file
diff --git a/app/Templates/board_assign.php b/app/Templates/board_assign.php
index 74448a5c..6f92b375 100644
--- a/app/Templates/board_assign.php
+++ b/app/Templates/board_assign.php
@@ -18,7 +18,7 @@
     <section>
         <h3><?= t('Change assignee for the task "%s"', $values['title']) ?></h3>
         <form method="post" action="?controller=board&amp;action=assignTask" autocomplete="off">
-
+            <?= Helper\form_csrf() ?>
             <?= Helper\form_hidden('id', $values) ?>
             <?= Helper\form_hidden('project_id', $values) ?>
 
diff --git a/app/Templates/board_edit.php b/app/Templates/board_edit.php
index 575536a8..05d9a6f6 100644
--- a/app/Templates/board_edit.php
+++ b/app/Templates/board_edit.php
@@ -9,7 +9,7 @@
 
     <h3><?= t('Change columns') ?></h3>
     <form method="post" action="?controller=board&amp;action=update&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
-
+        <?= Helper\form_csrf() ?>
         <?php $i = 0; ?>
         <table>
             <tr>
@@ -27,12 +27,12 @@
                     <ul>
                         <?php if ($column['position'] != 1): ?>
                         <li>
-                            <a href="?controller=board&amp;action=moveUp&amp;project_id=<?= $project['id'] ?>&amp;column_id=<?= $column['id'] ?>"><?= t('Move Up') ?></a>
+                            <a href="?controller=board&amp;action=moveUp&amp;project_id=<?= $project['id'] ?>&amp;column_id=<?= $column['id'].Helper\param_csrf() ?>"><?= t('Move Up') ?></a>
                         </li>
                         <?php endif ?>
                         <?php if ($column['position'] != count($columns)): ?>
                         <li>
-                            <a href="?controller=board&amp;action=moveDown&amp;project_id=<?= $project['id'] ?>&amp;column_id=<?= $column['id'] ?>"><?= t('Move Down') ?></a>
+                            <a href="?controller=board&amp;action=moveDown&amp;project_id=<?= $project['id'] ?>&amp;column_id=<?= $column['id'].Helper\param_csrf() ?>"><?= t('Move Down') ?></a>
                         </li>
                         <?php endif ?>
                         <li>
@@ -52,7 +52,7 @@
 
     <h3><?= t('Add a new column') ?></h3>
     <form method="post" action="?controller=board&amp;action=add&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
-
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_hidden('project_id', $values) ?>
         <?= Helper\form_label(t('Title'), 'title') ?>
         <?= Helper\form_text('title', $values, $errors, array('required')) ?>
diff --git a/app/Templates/board_remove.php b/app/Templates/board_remove.php
index b406eb38..76c217b3 100644
--- a/app/Templates/board_remove.php
+++ b/app/Templates/board_remove.php
@@ -10,7 +10,7 @@
         </p>
 
         <div class="form-actions">
-            <a href="?controller=board&amp;action=remove&amp;column_id=<?= $column['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+            <a href="?controller=board&amp;action=remove&amp;column_id=<?= $column['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
             <?= t('or') ?> <a href="?controller=board&amp;action=edit&amp;project_id=<?= $column['project_id'] ?>"><?= t('cancel') ?></a>
         </div>
     </div>
diff --git a/app/Templates/board_show.php b/app/Templates/board_show.php
index e5cd9ceb..6a138bf9 100644
--- a/app/Templates/board_show.php
+++ b/app/Templates/board_show.php
@@ -1,4 +1,4 @@
-<table id="board" data-project-id="<?= $current_project_id ?>" data-time="<?= time() ?>" data-check-interval="<?= BOARD_CHECK_INTERVAL ?>">
+<table id="board" data-project-id="<?= $current_project_id ?>" data-time="<?= time() ?>" data-check-interval="<?= BOARD_CHECK_INTERVAL ?>" data-csrf-token=<?= \Core\Security::getCSRFToken() ?>>
 <tr>
     <?php $column_with = round(100 / count($board), 2); ?>
     <?php foreach ($board as $column): ?>
diff --git a/app/Templates/category_edit.php b/app/Templates/category_edit.php
index 99ba0c7c..1339f6da 100644
--- a/app/Templates/category_edit.php
+++ b/app/Templates/category_edit.php
@@ -8,7 +8,7 @@
     <section>
 
     <form method="post" action="?controller=category&amp;action=update&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
-
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_hidden('id', $values) ?>
         <?= Helper\form_hidden('project_id', $values) ?>
 
diff --git a/app/Templates/category_index.php b/app/Templates/category_index.php
index db986143..7fb923ba 100644
--- a/app/Templates/category_index.php
+++ b/app/Templates/category_index.php
@@ -34,6 +34,7 @@
     <h3><?= t('Add a new category') ?></h3>
     <form method="post" action="?controller=category&amp;action=save&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_hidden('project_id', $values) ?>
 
         <?= Helper\form_label(t('Category Name'), 'name') ?>
diff --git a/app/Templates/category_remove.php b/app/Templates/category_remove.php
index cc2eb678..cfc23e07 100644
--- a/app/Templates/category_remove.php
+++ b/app/Templates/category_remove.php
@@ -9,7 +9,7 @@
         </p>
 
         <div class="form-actions">
-            <a href="?controller=category&amp;action=remove&amp;project_id=<?= $project['id'] ?>&amp;category_id=<?= $category['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+            <a href="?controller=category&amp;action=remove&amp;project_id=<?= $project['id'] ?>&amp;category_id=<?= $category['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
             <?= t('or') ?> <a href="?controller=category&amp;project_id=<?= $project['id'] ?>"><?= t('cancel') ?></a>
         </div>
     </div>
diff --git a/app/Templates/comment_create.php b/app/Templates/comment_create.php
index a566d9c8..f598532d 100644
--- a/app/Templates/comment_create.php
+++ b/app/Templates/comment_create.php
@@ -3,7 +3,7 @@
 </div>
 
 <form method="post" action="?controller=comment&amp;action=save&amp;task_id=<?= $task['id'] ?>" autocomplete="off">
-
+    <?= Helper\form_csrf() ?>
     <?= Helper\form_hidden('task_id', $values) ?>
     <?= Helper\form_hidden('user_id', $values) ?>
     <?= Helper\form_textarea('comment', $values, $errors, array('required', 'placeholder="'.t('Leave a comment').'"'), 'comment-textarea') ?><br/>
diff --git a/app/Templates/comment_edit.php b/app/Templates/comment_edit.php
index 0a17a95e..fdf3db54 100644
--- a/app/Templates/comment_edit.php
+++ b/app/Templates/comment_edit.php
@@ -4,6 +4,7 @@
 
 <form method="post" action="?controller=comment&amp;action=update&amp;task_id=<?= $task['id'] ?>&amp;comment_id=<?= $comment['id'] ?>" autocomplete="off">
 
+    <?= Helper\form_csrf() ?>
     <?= Helper\form_hidden('id', $values) ?>
     <?= Helper\form_textarea('comment', $values, $errors, array('required', 'placeholder="'.t('Leave a comment').'"')) ?><br/>
 
diff --git a/app/Templates/comment_remove.php b/app/Templates/comment_remove.php
index 6409d7c0..7b117781 100644
--- a/app/Templates/comment_remove.php
+++ b/app/Templates/comment_remove.php
@@ -10,7 +10,7 @@
     <?= Helper\template('comment_show', array('comment' => $comment, 'task' => $task, 'preview' => true)) ?>
 
     <div class="form-actions">
-        <a href="?controller=comment&amp;action=remove&amp;task_id=<?= $task['id'] ?>&amp;comment_id=<?= $comment['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+        <a href="?controller=comment&amp;action=remove&amp;task_id=<?= $task['id'] ?>&amp;comment_id=<?= $comment['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
         <?= t('or') ?> <a href="?controller=task&amp;action=show&amp;task_id=<?= $task['id'] ?>#comment-<?= $comment['id'] ?>"><?= t('cancel') ?></a>
     </div>
 </div>
\ No newline at end of file
diff --git a/app/Templates/config_index.php b/app/Templates/config_index.php
index 6c610d2b..602e2070 100644
--- a/app/Templates/config_index.php
+++ b/app/Templates/config_index.php
@@ -7,6 +7,8 @@
         <section>
         <form method="post" action="?controller=config&amp;action=save" autocomplete="off">
 
+            <?= Helper\form_csrf() ?>
+
             <?= Helper\form_label(t('Language'), 'language') ?>
             <?= Helper\form_select('language', $languages, $values, $errors) ?><br/>
 
@@ -39,7 +41,7 @@
         </div>
         <section class="settings">
             <ul>
-                <li><a href="?controller=config&amp;action=tokens"><?= t('Reset all tokens') ?></a></li>
+                <li><a href="?controller=config&amp;action=tokens<?= Helper\param_csrf() ?>"><?= t('Reset all tokens') ?></a></li>
                 <li>
                     <?= t('Webhooks token:') ?>
                     <strong><?= Helper\escape($values['webhooks_token']) ?></strong>
@@ -50,11 +52,11 @@
                         <strong><?= Helper\format_bytes($db_size) ?></strong>
                     </li>
                     <li>
-                        <a href="?controller=config&amp;action=downloadDb"><?= t('Download the database') ?></a>
+                        <a href="?controller=config&amp;action=downloadDb<?= Helper\param_csrf() ?>"><?= t('Download the database') ?></a>
                         <?= t('(Gzip compressed Sqlite file)') ?>
                     </li>
                     <li>
-                        <a href="?controller=config&amp;action=optimizeDb"><?= t('Optimize the database') ?></a>
+                        <a href="?controller=config&amp;action=optimizeDb <?= Helper\param_csrf() ?>"><?= t('Optimize the database') ?></a>
                          <?= t('(VACUUM command)') ?>
                     </li>
                 <?php endif ?>
@@ -112,7 +114,7 @@
             <td><?= dt('%B %e, %G at %k:%M %p', $session['expiration']) ?></td>
             <td><?= Helper\escape($session['ip']) ?></td>
             <td><?= Helper\escape($session['user_agent']) ?></td>
-            <td><a href="?controller=config&amp;action=removeRememberMeToken&amp;id=<?= $session['id'] ?>"><?= t('Remove') ?></a></td>
+            <td><a href="?controller=config&amp;action=removeRememberMeToken&amp;id=<?= $session['id'].Helper\param_csrf() ?>"><?= t('Remove') ?></a></td>
         </tr>
         <?php endforeach ?>
         </table>
diff --git a/app/Templates/file_new.php b/app/Templates/file_new.php
index 643f340d..7f7f1d1c 100644
--- a/app/Templates/file_new.php
+++ b/app/Templates/file_new.php
@@ -3,6 +3,7 @@
 </div>
 
 <form action="?controller=file&amp;action=save&amp;task_id=<?= $task['id'] ?>" method="post" enctype="multipart/form-data">
+    <?= Helper\form_csrf() ?>
     <input type="file" name="files[]" multiple />
     <div class="form-help"><?= t('Maximum size: ') ?><?= is_integer($max_size) ? Helper\format_bytes($max_size) : $max_size ?></div>
     <div class="form-actions">
diff --git a/app/Templates/file_remove.php b/app/Templates/file_remove.php
index 1d26c15e..af77591c 100644
--- a/app/Templates/file_remove.php
+++ b/app/Templates/file_remove.php
@@ -8,7 +8,7 @@
     </p>
 
     <div class="form-actions">
-        <a href="?controller=file&amp;action=remove&amp;task_id=<?= $task['id'] ?>&amp;file_id=<?= $file['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+        <a href="?controller=file&amp;action=remove&amp;task_id=<?= $task['id'] ?>&amp;file_id=<?= $file['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
         <?= t('or') ?> <a href="?controller=task&amp;action=show&amp;task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a>
     </div>
 </div>
\ No newline at end of file
diff --git a/app/Templates/layout.php b/app/Templates/layout.php
index 3e3b2e89..aa430477 100644
--- a/app/Templates/layout.php
+++ b/app/Templates/layout.php
@@ -45,7 +45,7 @@
                         <a href="?controller=config"><?= t('Settings') ?></a>
                     </li>
                     <li>
-                        <a href="?controller=user&amp;action=logout"><?= t('Logout') ?></a>
+                        <a href="?controller=user&amp;action=logout<?= Helper\param_csrf() ?>"><?= t('Logout') ?></a>
                         (<?= Helper\escape(Helper\get_username()) ?>)
                     </li>
                 </ul>
diff --git a/app/Templates/project_edit.php b/app/Templates/project_edit.php
index 557986bf..a882fbc6 100644
--- a/app/Templates/project_edit.php
+++ b/app/Templates/project_edit.php
@@ -8,6 +8,7 @@
     <section>
     <form method="post" action="?controller=project&amp;action=update&amp;project_id=<?= $values['id'] ?>" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_hidden('id', $values) ?>
 
         <?= Helper\form_label(t('Name'), 'name') ?>
diff --git a/app/Templates/project_forbidden.php b/app/Templates/project_forbidden.php
deleted file mode 100644
index 1cba7b58..00000000
--- a/app/Templates/project_forbidden.php
+++ /dev/null
@@ -1,9 +0,0 @@
-<section id="main">
-    <div class="page-header">
-        <h2><?= t('Forbidden') ?></h2>
-    </div>
-
-    <p class="alert alert-error">
-        <?= t('You are not allowed to access to this project.') ?>
-    </p>
-</section>
\ No newline at end of file
diff --git a/app/Templates/project_index.php b/app/Templates/project_index.php
index 1a3dbd49..927924a5 100644
--- a/app/Templates/project_index.php
+++ b/app/Templates/project_index.php
@@ -78,9 +78,9 @@
                         </li>
                         <li>
                             <?php if ($project['is_active']): ?>
-                                <a href="?controller=project&amp;action=disable&amp;project_id=<?= $project['id'] ?>"><?= t('Disable') ?></a>
+                                <a href="?controller=project&amp;action=disable&amp;project_id=<?= $project['id'].Helper\param_csrf() ?>"><?= t('Disable') ?></a>
                             <?php else: ?>
-                                <a href="?controller=project&amp;action=enable&amp;project_id=<?= $project['id'] ?>"><?= t('Enable') ?></a>
+                                <a href="?controller=project&amp;action=enable&amp;project_id=<?= $project['id'].Helper\param_csrf() ?>"><?= t('Enable') ?></a>
                             <?php endif ?>
                         </li>
                         <li>
diff --git a/app/Templates/project_new.php b/app/Templates/project_new.php
index 2026d461..b4ed9990 100644
--- a/app/Templates/project_new.php
+++ b/app/Templates/project_new.php
@@ -8,6 +8,7 @@
     <section>
     <form method="post" action="?controller=project&amp;action=save" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
         <?= Helper\form_label(t('Name'), 'name') ?>
         <?= Helper\form_text('name', $values, $errors, array('autofocus', 'required')) ?>
 
diff --git a/app/Templates/project_remove.php b/app/Templates/project_remove.php
index e9f213b5..e25efa2f 100644
--- a/app/Templates/project_remove.php
+++ b/app/Templates/project_remove.php
@@ -9,7 +9,7 @@
         </p>
 
         <div class="form-actions">
-            <a href="?controller=project&amp;action=remove&amp;project_id=<?= $project['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+            <a href="?controller=project&amp;action=remove&amp;project_id=<?= $project['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
             <?= t('or') ?> <a href="?controller=project"><?= t('cancel') ?></a>
         </div>
     </div>
diff --git a/app/Templates/project_users.php b/app/Templates/project_users.php
index 0448004f..8afac709 100644
--- a/app/Templates/project_users.php
+++ b/app/Templates/project_users.php
@@ -10,6 +10,8 @@
     <?php if (! empty($users['not_allowed'])): ?>
         <form method="post" action="?controller=project&amp;action=allow&amp;project_id=<?= $project['id'] ?>" autocomplete="off">
 
+            <?= Helper\form_csrf() ?>
+
             <?= Helper\form_hidden('project_id', array('project_id' => $project['id'])) ?>
 
             <?= Helper\form_label(t('User'), 'user_id') ?>
@@ -32,7 +34,7 @@
         <?php foreach ($users['allowed'] as $user_id => $username): ?>
             <li>
                 <strong><?= Helper\escape($username) ?></strong>
-                (<a href="?controller=project&amp;action=revoke&amp;project_id=<?= $project['id'] ?>&amp;user_id=<?= $user_id ?>"><?= t('revoke') ?></a>)
+                (<a href="?controller=project&amp;action=revoke&amp;project_id=<?= $project['id'] ?>&amp;user_id=<?= $user_id.Helper\param_csrf() ?>"><?= t('revoke') ?></a>)
             </li>
         <?php endforeach ?>
         </ul>
diff --git a/app/Templates/subtask_create.php b/app/Templates/subtask_create.php
index a456aa37..f1b27ab9 100644
--- a/app/Templates/subtask_create.php
+++ b/app/Templates/subtask_create.php
@@ -4,6 +4,8 @@
 
 <form method="post" action="?controller=subtask&amp;action=save&amp;task_id=<?= $task['id'] ?>" autocomplete="off">
 
+    <?= Helper\form_csrf() ?>
+
     <?= Helper\form_hidden('task_id', $values) ?>
 
     <?= Helper\form_label(t('Title'), 'title') ?>
diff --git a/app/Templates/subtask_edit.php b/app/Templates/subtask_edit.php
index 3080cdad..fc65d3b3 100644
--- a/app/Templates/subtask_edit.php
+++ b/app/Templates/subtask_edit.php
@@ -4,6 +4,8 @@
 
 <form method="post" action="?controller=subtask&amp;action=update&amp;task_id=<?= $task['id'] ?>&amp;subtask_id=<?= $subtask['id'] ?>" autocomplete="off">
 
+    <?= Helper\form_csrf() ?>
+
     <?= Helper\form_hidden('id', $values) ?>
     <?= Helper\form_hidden('task_id', $values) ?>
 
diff --git a/app/Templates/subtask_remove.php b/app/Templates/subtask_remove.php
index 2862176c..12c99cf1 100644
--- a/app/Templates/subtask_remove.php
+++ b/app/Templates/subtask_remove.php
@@ -10,7 +10,7 @@
     <p><strong><?= Helper\escape($subtask['title']) ?></strong></p>
 
     <div class="form-actions">
-        <a href="?controller=subtask&amp;action=remove&amp;task_id=<?= $task['id'] ?>&amp;subtask_id=<?= $subtask['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+        <a href="?controller=subtask&amp;action=remove&amp;task_id=<?= $task['id'] ?>&amp;subtask_id=<?= $subtask['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
         <?= t('or') ?> <a href="?controller=task&amp;action=show&amp;task_id=<?= $task['id'] ?>#subtasks"><?= t('cancel') ?></a>
     </div>
 </div>
\ No newline at end of file
diff --git a/app/Templates/task_close.php b/app/Templates/task_close.php
index 6843c2f6..5c75b72b 100644
--- a/app/Templates/task_close.php
+++ b/app/Templates/task_close.php
@@ -8,7 +8,7 @@
     </p>
 
     <div class="form-actions">
-        <a href="?controller=task&amp;action=close&amp;task_id=<?= $task['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+        <a href="?controller=task&amp;action=close&amp;task_id=<?= $task['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
         <?= t('or') ?> <a href="?controller=task&amp;action=show&amp;task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a>
     </div>
 </div>
\ No newline at end of file
diff --git a/app/Templates/task_edit.php b/app/Templates/task_edit.php
index d698c21d..c03c7d9a 100644
--- a/app/Templates/task_edit.php
+++ b/app/Templates/task_edit.php
@@ -8,6 +8,8 @@
     <section>
     <form method="post" action="?controller=task&amp;action=update&amp;task_id=<?= $task['id'] ?>" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
+
         <div class="form-column">
 
             <?= Helper\form_label(t('Title'), 'title') ?>
diff --git a/app/Templates/task_edit_description.php b/app/Templates/task_edit_description.php
index 0bdc40a2..550dac73 100644
--- a/app/Templates/task_edit_description.php
+++ b/app/Templates/task_edit_description.php
@@ -4,6 +4,8 @@
 
 <form method="post" action="?controller=task&amp;action=saveDescription&amp;task_id=<?= $task['id'] ?>" autocomplete="off">
 
+    <?= Helper\form_csrf() ?>
+
     <?= Helper\form_hidden('id', $values) ?>
     <?= Helper\form_textarea('description', $values, $errors, array('required', 'placeholder="'.t('Leave a description').'"'), 'description-textarea') ?><br/>
     <div class="form-help"><a href="http://kanboard.net/documentation/syntax-guide" target="_blank" rel="noreferrer"><?= t('Write your text in Markdown') ?></a></div>
diff --git a/app/Templates/task_new.php b/app/Templates/task_new.php
index d233efd2..2938c4ca 100644
--- a/app/Templates/task_new.php
+++ b/app/Templates/task_new.php
@@ -5,6 +5,8 @@
     <section>
     <form method="post" action="?controller=task&amp;action=save" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
+
         <div class="form-column">
             <?= Helper\form_label(t('Title'), 'title') ?>
             <?= Helper\form_text('title', $values, $errors, array('autofocus', 'required')) ?><br/>
diff --git a/app/Templates/task_open.php b/app/Templates/task_open.php
index 59ea0b54..3526ec81 100644
--- a/app/Templates/task_open.php
+++ b/app/Templates/task_open.php
@@ -8,7 +8,7 @@
     </p>
 
     <div class="form-actions">
-        <a href="?controller=task&amp;action=open&amp;task_id=<?= $task['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+        <a href="?controller=task&amp;action=open&amp;task_id=<?= $task['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
         <?= t('or') ?> <a href="?controller=task&amp;action=show&amp;task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a>
     </div>
 </div>
\ No newline at end of file
diff --git a/app/Templates/task_remove.php b/app/Templates/task_remove.php
index 60e4e8e7..dd4841db 100644
--- a/app/Templates/task_remove.php
+++ b/app/Templates/task_remove.php
@@ -8,7 +8,7 @@
     </p>
 
     <div class="form-actions">
-        <a href="?controller=task&amp;action=remove&amp;task_id=<?= $task['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+        <a href="?controller=task&amp;action=remove&amp;task_id=<?= $task['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
         <?= t('or') ?> <a href="?controller=task&amp;action=show&amp;task_id=<?= $task['id'] ?>"><?= t('cancel') ?></a>
     </div>
 </div>
\ No newline at end of file
diff --git a/app/Templates/user_edit.php b/app/Templates/user_edit.php
index c857fe1c..6b83f748 100644
--- a/app/Templates/user_edit.php
+++ b/app/Templates/user_edit.php
@@ -8,6 +8,8 @@
     <section>
     <form method="post" action="?controller=user&amp;action=update" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
+
         <div class="form-column">
 
             <?= Helper\form_hidden('id', $values) ?>
@@ -48,9 +50,9 @@
 
             <?php if (GOOGLE_AUTH && Helper\is_current_user($values['id'])): ?>
                 <?php if (empty($values['google_id'])): ?>
-                    <a href="?controller=user&amp;action=google"><?= t('Link my Google Account') ?></a>
+                    <a href="?controller=user&amp;action=google<?= Helper\param_csrf() ?>"><?= t('Link my Google Account') ?></a>
                 <?php else: ?>
-                    <a href="?controller=user&amp;action=unlinkGoogle"><?= t('Unlink my Google Account') ?></a>
+                    <a href="?controller=user&amp;action=unlinkGoogle<?= Helper\param_csrf() ?>"><?= t('Unlink my Google Account') ?></a>
                 <?php endif ?>
             <?php endif ?>
 
diff --git a/app/Templates/user_forbidden.php b/app/Templates/user_forbidden.php
deleted file mode 100644
index 853159ba..00000000
--- a/app/Templates/user_forbidden.php
+++ /dev/null
@@ -1,9 +0,0 @@
-<section id="main">
-    <div class="page-header">
-        <h2><?= t('Forbidden') ?></h2>
-    </div>
-
-    <p class="alert alert-error">
-        <?= t('Only administrators can access to this page.') ?>
-    </p>
-</section>
\ No newline at end of file
diff --git a/app/Templates/user_login.php b/app/Templates/user_login.php
index 878170e3..49902ebb 100644
--- a/app/Templates/user_login.php
+++ b/app/Templates/user_login.php
@@ -8,6 +8,8 @@
 
 <form method="post" action="?controller=user&amp;action=check" class="form-login">
 
+    <?= Helper\form_csrf() ?>
+
     <?= Helper\form_label(t('Username'), 'username') ?>
     <?= Helper\form_text('username', $values, $errors, array('autofocus', 'required')) ?><br/>
 
diff --git a/app/Templates/user_new.php b/app/Templates/user_new.php
index 6ad976f2..3e22b7ee 100644
--- a/app/Templates/user_new.php
+++ b/app/Templates/user_new.php
@@ -8,6 +8,8 @@
     <section>
     <form method="post" action="?controller=user&amp;action=save" autocomplete="off">
 
+        <?= Helper\form_csrf() ?>
+
         <div class="form-column">
 
             <?= Helper\form_label(t('Username'), 'username') ?>
diff --git a/app/Templates/user_remove.php b/app/Templates/user_remove.php
index a4db2e4a..61d4163b 100644
--- a/app/Templates/user_remove.php
+++ b/app/Templates/user_remove.php
@@ -7,7 +7,7 @@
         <p class="alert alert-info"><?= t('Do you really want to remove this user: "%s"?', $user['username']) ?></p>
 
         <div class="form-actions">
-            <a href="?controller=user&amp;action=remove&amp;user_id=<?= $user['id'] ?>" class="btn btn-red"><?= t('Yes') ?></a>
+            <a href="?controller=user&amp;action=remove&amp;user_id=<?= $user['id'].Helper\param_csrf() ?>" class="btn btn-red"><?= t('Yes') ?></a>
             <?= t('or') ?> <a href="?controller=user"><?= t('cancel') ?></a>
         </div>
     </div>
-- 
cgit v1.2.3