Merge pull request #1576 from xisi/csrf-backend-only
[FIXES] More CSRF improvements
This commit is contained in:
Sebastian Grewe
commit
768d193793
@ -4,6 +4,7 @@
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
class CSRFToken Extends Base {
|
||||
public $valid = 0;
|
||||
/**
|
||||
* Gets a basic csrf token
|
||||
* @param string $user user or IP/host address
|
||||
|
||||
@ -126,7 +126,7 @@ $config['twofactor']['options']['withdraw'] = true;
|
||||
$config['twofactor']['options']['changepw'] = true;
|
||||
|
||||
/**
|
||||
* CSRF protection config
|
||||
* CSRF protection
|
||||
*
|
||||
* Explanation:
|
||||
* To help protect against CSRF, we can generate a hash that changes every minute
|
||||
@ -134,15 +134,11 @@ $config['twofactor']['options']['changepw'] = true;
|
||||
* form is submitted.
|
||||
*
|
||||
* Options:
|
||||
* enabled = Whether or not we will generate/check for valid CSRF tokens
|
||||
* disabled_forms = Which forms you want to disable csrf protection on, if enabled
|
||||
* * Valid options : login, contact, accountedit, workers, notifications, invite, register, passreset, unlockaccount
|
||||
* enabled = Whether or not we will generate & check for valid CSRF tokens
|
||||
* Default:
|
||||
* enabled = true
|
||||
* disabled_forms = array();
|
||||
*/
|
||||
$config['csrf']['enabled'] = true;
|
||||
$config['csrf']['disabled_forms'] = array();
|
||||
|
||||
/**
|
||||
* Lock account after maximum failed logins
|
||||
|
||||
@ -13,12 +13,6 @@ $oldtoken_cp = (isset($_POST['cp_token']) && $_POST['cp_token'] !== '') ? $_POST
|
||||
$oldtoken_wf = (isset($_POST['wf_token']) && $_POST['wf_token'] !== '') ? $_POST['wf_token'] : @$_GET['wf_token'];
|
||||
$updating = (@$_POST['do']) ? 1 : 0;
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('accountedit', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'editaccount', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
if ($user->isAuthenticated()) {
|
||||
if ($config['twofactor']['enabled']) {
|
||||
$popupmsg = 'E-mail confirmations are required for ';
|
||||
@ -70,7 +64,7 @@ if ($user->isAuthenticated()) {
|
||||
}
|
||||
|
||||
if (isset($_POST['do']) && $_POST['do'] == 'genPin') {
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($user->generatePin($_SESSION['USERDATA']['id'], $_POST['currentPassword'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Your PIN # has been sent to your email.', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -89,7 +83,7 @@ if ($user->isAuthenticated()) {
|
||||
$isvalid = in_array($_POST['utype'],$validtypes);
|
||||
if ($isvalid) {
|
||||
$ctype = strip_tags($_POST['utype']);
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
$send = $user->sendChangeConfigEmail($ctype, $_SESSION['USERDATA']['id']);
|
||||
if ($send) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'A confirmation was sent to your e-mail, follow that link to continue', 'TYPE' => 'success');
|
||||
@ -110,7 +104,7 @@ if ($user->isAuthenticated()) {
|
||||
$dBalance = $aBalance['confirmed'];
|
||||
if ($dBalance > $config['txfee_manual']) {
|
||||
if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) {
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($iPayoutId = $oPayout->createPayout($_SESSION['USERDATA']['id'], $oldtoken_wf)) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Created new manual payout request with ID #' . $iPayoutId);
|
||||
} else {
|
||||
@ -129,7 +123,7 @@ if ($user->isAuthenticated()) {
|
||||
break;
|
||||
|
||||
case 'updateAccount':
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $oldtoken_ea)) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -141,7 +135,7 @@ if ($user->isAuthenticated()) {
|
||||
break;
|
||||
|
||||
case 'updatePassword':
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $oldtoken_cp)) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -185,8 +179,7 @@ if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
|
||||
(!empty($cpprep_sent) && !empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $cpprep_sent, 'TYPE' => 'success'):"";
|
||||
(!empty($cpprep_sent) && empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $message_tokensent_invalid.$messages_tokensent_status['cp'], 'TYPE' => 'success'):"";
|
||||
}
|
||||
|
||||
// csrf stuff
|
||||
// two-factor stuff
|
||||
$smarty->assign("CHANGEPASSUNLOCKED", $cp_editable);
|
||||
$smarty->assign("WITHDRAWUNLOCKED", $wf_editable);
|
||||
$smarty->assign("DETAILSUNLOCKED", $ea_editable);
|
||||
@ -194,10 +187,7 @@ $smarty->assign("CHANGEPASSSENT", $cp_sent);
|
||||
$smarty->assign("WITHDRAWSENT", $wf_sent);
|
||||
$smarty->assign("DETAILSSENT", $ea_sent);
|
||||
$smarty->assign("DONATE_THRESHOLD", $config['donate_threshold']);
|
||||
if ($csrfenabled && !in_array('accountedit', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
// Tempalte specifics
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
?>
|
||||
|
||||
@ -5,15 +5,10 @@ if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
if ($user->isAuthenticated()) {
|
||||
if (!$setting->getValue('disable_invitations')) {
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('invitations', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'invitations', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg');
|
||||
} else if (isset($_POST['do']) && $_POST['do'] == 'sendInvitation') {
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -30,10 +25,5 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Invitations are disabled', 'TYPE' => 'errormsg');
|
||||
}
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled && !in_array('invitations', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
?>
|
||||
|
||||
@ -7,14 +7,8 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info');
|
||||
$smarty->assign('CONTENT', 'empty');
|
||||
} else {
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('notifications', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'editnotifs', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
if (@$_REQUEST['do'] == 'save') {
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -31,15 +25,11 @@ if ($user->isAuthenticated()) {
|
||||
|
||||
// Fetch user notification settings
|
||||
$aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']);
|
||||
|
||||
// csrf token
|
||||
if ($csrfenabled && !in_array('notifications', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
$smarty->assign('NOTIFICATIONS', $aNotifications);
|
||||
$smarty->assign('SETTINGS', $aSettings);
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
||||
?>
|
||||
@ -3,19 +3,13 @@
|
||||
// Make sure we are called from index.php
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'unlockaccount', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
// Confirm an account by token
|
||||
if (!isset($_GET['token']) || empty($_GET['token'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
|
||||
} else if (!$aToken = $oToken->getToken($_GET['token'], 'account_unlock')) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to re-activate your account. Invalid token.', 'TYPE' => 'errormsg');
|
||||
} else {
|
||||
if (!$csrfenabled || $csrfenabled && !$nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) {
|
||||
$oToken->deleteToken($aToken['token']);
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.');
|
||||
@ -26,10 +20,6 @@ if (!isset($_GET['token']) || empty($_GET['token'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
?>
|
||||
|
||||
?>
|
||||
@ -3,22 +3,21 @@
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
if ($user->isAuthenticated()) {
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('workers', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'workers', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
switch (@$_REQUEST['do']) {
|
||||
case 'delete':
|
||||
if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
|
||||
} else {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
|
||||
}
|
||||
} else {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
break;
|
||||
|
||||
case 'add':
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -28,8 +27,9 @@ if ($user->isAuthenticated()) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
break;
|
||||
|
||||
case 'update':
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -46,10 +46,6 @@ if ($user->isAuthenticated()) {
|
||||
|
||||
$smarty->assign('WORKERS', $aWorkers);
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled && !in_array('workers', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'workers');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
?>
|
||||
|
||||
?>
|
||||
@ -14,11 +14,6 @@ if ($setting->getValue('disable_contactform')) {
|
||||
require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
|
||||
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
|
||||
}
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
}
|
||||
|
||||
@ -14,12 +14,6 @@ if ($setting->getValue('recaptcha_enabled')) {
|
||||
);
|
||||
}
|
||||
|
||||
// csrf if enabled
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'contact', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
if ($setting->getValue('disable_contactform')) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
|
||||
} else if ($setting->getValue('disable_contactform') && !$user->isAuthenticated(false)) {
|
||||
@ -29,7 +23,7 @@ if ($setting->getValue('disable_contactform')) {
|
||||
// Check if recaptcha is enabled, process form data if valid
|
||||
if ($rsp->is_valid) {
|
||||
// Check if csrf is enabled and fail if token is invalid
|
||||
if (!$nocsrf && $csrfenabled) {
|
||||
if ($config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
} else {
|
||||
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
|
||||
@ -50,7 +44,7 @@ if ($setting->getValue('disable_contactform')) {
|
||||
// Captcha disabled
|
||||
} else {
|
||||
// Check if csrf is enabled and fail if token is invalid
|
||||
if (!$nocsrf && $csrfenabled) {
|
||||
if ($config['csrf']['enabled'] && !$csrftoken->valid) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
} else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
|
||||
@ -60,11 +54,7 @@ if ($setting->getValue('disable_contactform')) {
|
||||
}
|
||||
}
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
?>
|
||||
|
||||
?>
|
||||
@ -22,11 +22,6 @@ if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
|
||||
} else {
|
||||
$debug->append('Using cached page', 3);
|
||||
}
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Load news entries for Desktop site and unauthenticated users
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
?>
|
||||
|
||||
@ -3,12 +3,6 @@
|
||||
// Make sure we are called from index.php
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// csrf if enabled
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'login', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
// ReCaptcha handling if enabled
|
||||
if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) {
|
||||
require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
|
||||
@ -31,7 +25,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
|
||||
} else if (!empty($_POST['username']) && !empty($_POST['password'])) {
|
||||
// Check if recaptcha is enabled, process form data if valid
|
||||
if (!$setting->getValue('recaptcha_enabled') || !$setting->getValue('recaptcha_enabled_logins') || ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins') && $rsp->is_valid)) {
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($user->checkLogin(@$_POST['username'], @$_POST['password']) ) {
|
||||
empty($_POST['to']) ? $to = $_SERVER['SCRIPT_NAME'] : $to = $_POST['to'];
|
||||
$port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
|
||||
@ -48,11 +42,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
|
||||
}
|
||||
}
|
||||
// csrf token
|
||||
if ($csrfenabled && !in_array('login', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
// Load login template
|
||||
$smarty->assign('CONTENT', 'default.tpl');
|
||||
?>
|
||||
|
||||
@ -4,11 +4,7 @@
|
||||
if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
?>
|
||||
|
||||
?>
|
||||
@ -4,14 +4,7 @@
|
||||
if (!defined('SECURITY'))
|
||||
die('Hacking attempt');
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
// we have to use editaccount token because this that's where we'll get pushed here from
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'editaccount', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
|
||||
if ($user->resetPassword($_POST['token'], $_POST['newPassword'], $_POST['newPassword2'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Password reset complete! Please login.', 'TYPE' => 'success');
|
||||
@ -23,13 +16,7 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
// Tempalte specifics
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
|
||||
?>
|
||||
?>
|
||||
@ -3,14 +3,8 @@
|
||||
// Make sure we are called from index.php
|
||||
if (!defined('SECURITY')) die('Hacking attempt');
|
||||
|
||||
// csrf stuff
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'resetpass', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
// Process password reset request
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($user->initResetPassword($_POST['username'], $smarty)) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
|
||||
} else {
|
||||
@ -20,11 +14,6 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
|
||||
}
|
||||
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Tempalte specifics, user default template by parent page
|
||||
$smarty->assign("CONTENT", "../default.tpl");
|
||||
?>
|
||||
|
||||
@ -14,11 +14,6 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
|
||||
require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
|
||||
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), null, true));
|
||||
}
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
// Load news entries for Desktop site and unauthenticated users
|
||||
$smarty->assign("CONTENT", "default.tpl");
|
||||
}
|
||||
|
||||
@ -17,19 +17,13 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
|
||||
$recaptcha = ($rsp->is_valid) ? 1 : 0;
|
||||
}
|
||||
|
||||
// csrf if enabled
|
||||
$csrfenabled = ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) ? 1 : 0;
|
||||
if ($csrfenabled) {
|
||||
$nocsrf = ($csrftoken->checkBasic($user->getCurrentIP(), 'register', @$_POST['ctoken'])) ? 1 : 0;
|
||||
}
|
||||
|
||||
if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
|
||||
} else if ($setting->getValue('lock_registration') && !$setting->getValue('disable_invitations') && !isset($_POST['token'])) {
|
||||
$_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg');
|
||||
} else {
|
||||
// Check if csrf is enabled and fail if token is invalid
|
||||
if (!$csrfenabled || $csrfenabled && $nocsrf) {
|
||||
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
|
||||
if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
|
||||
// Check if recaptcha is enabled, process form data if valid or disabled
|
||||
isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
|
||||
@ -46,9 +40,5 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
|
||||
|
||||
// We load the default registration template instead of an action specific one
|
||||
$smarty->assign("CONTENT", "../default.tpl");
|
||||
// csrf token
|
||||
if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
|
||||
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
|
||||
$smarty->assign('CTOKEN', $token);
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
@ -36,27 +36,26 @@ $master_template = 'master.tpl';
|
||||
|
||||
// Start a session
|
||||
session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
|
||||
if (!@session_start()) {
|
||||
$user->logoutUser();
|
||||
if (!@session_regenerate_id(true)) {
|
||||
$user->logoutUser();
|
||||
}
|
||||
if(!@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly'])) {
|
||||
@setcookie(session_name(),session_id(), time()-$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
|
||||
}
|
||||
$session_start = @session_start();
|
||||
if (!$session_start) {
|
||||
session_destroy();
|
||||
session_regenerate_id(true);
|
||||
session_start();
|
||||
}
|
||||
@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
|
||||
|
||||
// Load Classes, they name defines the $ variable used
|
||||
// We include all needed files here, even though our templates could load them themself
|
||||
require_once(INCLUDE_DIR . '/autoloader.inc.php');
|
||||
|
||||
// Create our pages array from existing files
|
||||
if (is_dir(INCLUDE_DIR . '/pages/')) {
|
||||
foreach (glob(INCLUDE_DIR . '/pages/*.inc.php') as $filepath) {
|
||||
$filename = basename($filepath);
|
||||
$pagename = substr($filename, 0, strlen($filename) - 8);
|
||||
$arrPages[$pagename] = $filename;
|
||||
$debug->append("Adding $pagename as " . $filename . " to accessible pages", 4);
|
||||
}
|
||||
foreach (glob(INCLUDE_DIR . '/pages/*.inc.php') as $filepath) {
|
||||
$filename = basename($filepath);
|
||||
$pagename = substr($filename, 0, strlen($filename) - 8);
|
||||
$arrPages[$pagename] = $filename;
|
||||
$debug->append("Adding $pagename as " . $filename . " to accessible pages", 4);
|
||||
}
|
||||
}
|
||||
|
||||
// Set a default action here if no page has been requested
|
||||
@ -71,23 +70,31 @@ if (isset($_REQUEST['page']) && isset($arrPages[$_REQUEST['page']])) {
|
||||
|
||||
// Create our pages array from existing files
|
||||
if (is_dir(INCLUDE_DIR . '/pages/' . $page)) {
|
||||
foreach (glob(INCLUDE_DIR . '/pages/' . $page . '/*.inc.php') as $filepath) {
|
||||
$filename = basename($filepath);
|
||||
$pagename = substr($filename, 0, strlen($filename) - 8);
|
||||
$arrActions[$pagename] = $filename;
|
||||
$debug->append("Adding $pagename as " . $filename . ".inc.php to accessible actions", 4);
|
||||
}
|
||||
foreach (glob(INCLUDE_DIR . '/pages/' . $page . '/*.inc.php') as $filepath) {
|
||||
$filename = basename($filepath);
|
||||
$pagename = substr($filename, 0, strlen($filename) - 8);
|
||||
$arrActions[$pagename] = $filename;
|
||||
$debug->append("Adding $pagename as " . $filename . ".inc.php to accessible actions", 4);
|
||||
}
|
||||
}
|
||||
// Default to empty (nothing) if nothing set or not known
|
||||
$action = (isset($_REQUEST['action']) && !is_array($_REQUEST['action'])) && isset($arrActions[$_REQUEST['action']]) ? $_REQUEST['action'] : "";
|
||||
|
||||
// Check csrf token validity if necessary
|
||||
if ($config['csrf']['enabled'] && isset($_POST['ctoken']) && !empty($_POST['ctoken']) && !is_array($_POST['ctoken'])) {
|
||||
$csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_POST['ctoken'])) ? 1 : 0;
|
||||
} else if ($config['csrf']['enabled'] && (!@$_POST['ctoken'] || empty($_POST['ctoken']) || is_array($_POST['ctoken']))) {
|
||||
$csrftoken->valid = 0;
|
||||
}
|
||||
if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic($user->getCurrentIP(), $arrPages[$page]));
|
||||
|
||||
// Load the page code setting the content for the page OR the page action instead if set
|
||||
if (!empty($action)) {
|
||||
$debug->append('Loading Action: ' . $action . ' -> ' . $arrActions[$action], 1);
|
||||
require_once(PAGES_DIR . '/' . $page . '/' . $arrActions[$action]);
|
||||
$debug->append('Loading Action: ' . $action . ' -> ' . $arrActions[$action], 1);
|
||||
require_once(PAGES_DIR . '/' . $page . '/' . $arrActions[$action]);
|
||||
} else {
|
||||
$debug->append('Loading Page: ' . $page . ' -> ' . $arrPages[$page], 1);
|
||||
require_once(PAGES_DIR . '/' . $arrPages[$page]);
|
||||
$debug->append('Loading Page: ' . $page . ' -> ' . $arrPages[$page], 1);
|
||||
require_once(PAGES_DIR . '/' . $arrPages[$page]);
|
||||
}
|
||||
|
||||
define('PAGE', $page);
|
||||
@ -110,4 +117,5 @@ if (!@$supress_master) $smarty->display($master_template, $smarty_cache_key);
|
||||
|
||||
// Unset any temporary values here
|
||||
unset($_SESSION['POPUP']);
|
||||
?>
|
||||
|
||||
?>
|
||||
@ -1,6 +1,6 @@
|
||||
<form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm" data-ajax="false">
|
||||
<input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
|
||||
{if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<p><label for="userForm">Email</label><input type="text" name="username" value="" id="userForm"></p>
|
||||
<p><label for="passForm">Password</label><input type="password" name="password" value="" id="passForm"></p>
|
||||
<center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center>
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<input type="hidden" name="token" value="{$smarty.request.token|escape}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
{if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<input type="hidden" name="do" value="useToken">
|
||||
<table>
|
||||
<tr><td>New Password: </td><td><input type="password" name="newPassword"></td></tr>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<form action="" method="POST">
|
||||
<input type="hidden" name="page" value="password">
|
||||
<input type="hidden" name="action" value="reset">
|
||||
{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<p>If you have an email set for your account, enter your username to get your password reset</p>
|
||||
<p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
|
||||
</form>
|
||||
|
||||
@ -56,7 +56,7 @@
|
||||
<footer>
|
||||
<div class="submit_link">
|
||||
{nocache}
|
||||
{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<input type="hidden" name="ea_token" value="{$smarty.request.ea_token|escape|default:""}">
|
||||
<input type="hidden" name="utype" value="account_edit">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.details}
|
||||
@ -106,7 +106,7 @@
|
||||
<div class="submit_link">
|
||||
{nocache}
|
||||
<input type="hidden" name="wf_token" value="{$smarty.request.wf_token|escape|default:""}">
|
||||
{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<input type="hidden" name="utype" value="withdraw_funds">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.withdraw}
|
||||
{if $WITHDRAWSENT == 1 && $WITHDRAWUNLOCKED == 1}
|
||||
@ -161,7 +161,7 @@
|
||||
<div class="submit_link">
|
||||
{nocache}
|
||||
<input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
|
||||
{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<input type="hidden" name="utype" value="change_pw">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
|
||||
{if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
|
||||
@ -185,7 +185,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="genPin">
|
||||
{if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<article class="module width_half">
|
||||
<header>
|
||||
<h3>Reset PIN</h3>
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="sendInvitation">
|
||||
{if $GLOBAL.csrf.enabled && !"invite"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<article class="module width_quarter">
|
||||
<header><h3>Invitation</h3></header>
|
||||
<div class="module_content">
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="save">
|
||||
{if $GLOBAL.csrf.enabled && !"notifications"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<article class="module width_quarter">
|
||||
<header>
|
||||
<h3>Notification Settings</h3>
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="add">
|
||||
{if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<div class="module_content">
|
||||
<fieldset>
|
||||
<label>Worker Name</label>
|
||||
@ -30,7 +30,7 @@
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
<input type="hidden" name="do" value="update">
|
||||
{if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<table class="tablesorter" cellspacing="0">
|
||||
<thead>
|
||||
<tr>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<form action="{$smarty.server.SCRIPT_NAME}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="contactform">
|
||||
{if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<article class="module width_3_quarter">
|
||||
<header><h3>Contact Us</h3></header>
|
||||
<div class="module_content">
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<form action="{$smarty.server.SCRIPT_NAME}" method="post">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="contactform">
|
||||
{if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<article class="module width_3_quarter">
|
||||
<header><h3>Contact Us</h3></header>
|
||||
<div class="module_content">
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<article class="module width_half">
|
||||
<form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm">
|
||||
<input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
|
||||
{if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<header><h3>Login with existing account</h3></header>
|
||||
<div class="module_content">
|
||||
<fieldset>
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<div class="login_small">
|
||||
<form action="{$smarty.server.SCRIPT_NAME}" method="post" id="loginForm">
|
||||
<input type="hidden" name="page" value="login" />
|
||||
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.login}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<input type="hidden" name="to" value="{$smarty.server.SCRIPT_NAME}?page=dashboard" />
|
||||
<fieldset2 class="small">
|
||||
<label>Username</label>
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
<input type="hidden" name="token" value="{$smarty.request.token|escape}">
|
||||
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
|
||||
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
|
||||
{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
|
||||
<input type="hidden" name="do" value="resetPassword">
|
||||
<header><h3>Password reset</h3></header>
|
||||
@ -21,7 +21,6 @@
|
||||
<footer>
|
||||
{nocache}
|
||||
<input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
|
||||
{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="utype" value="change_pw">
|
||||
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
|
||||
{if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
<form action="" method="POST">
|
||||
<input type="hidden" name="page" value="password">
|
||||
<input type="hidden" name="action" value="reset">
|
||||
{if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<header><h3>Password reset</h3></header>
|
||||
<div class="module_content">
|
||||
<p>If you have an email set for your account, enter your username to get your password reset</p>
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
{if $smarty.request.token|default:""}
|
||||
<input type="hidden" name="token" value="{$smarty.request.token|escape}" />
|
||||
{/if}
|
||||
{if $GLOBAL.csrf.enabled && !"register"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
|
||||
<input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
|
||||
<input type="hidden" name="action" value="register">
|
||||
<fieldset>
|
||||
<label>Username</label>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user