Changed the config options for CSRF/disabling forms

* Now an array to disable with granularity
 * Fixed all CSRF tokens back to 1 min
 * Added CSRF protection for unlock account
 * Unified error message for all csrf tokens
 * Fixed a few issues with last commit
This commit is contained in:
xisi 2014-01-18 20:29:12 -05:00
parent 163e5de1f0
commit 76a67cb71a
29 changed files with 109 additions and 109 deletions


@ -19,9 +19,8 @@ class CSRFToken Extends Base {
$hour = $data[3]; $minute = $data[4]; $second = $data[5]; $hour = $data[3]; $minute = $data[4]; $second = $data[5];
$salt1 = $this->salt; $salt2 = $this->salty; $seed = $salt1; $salt1 = $this->salt; $salt2 = $this->salty; $seed = $salt1;
$lead = $this->config['csrf']['leadtime']; $lead = $this->config['csrf']['leadtime'];
if ($lead >= 11) { $lead = 10; } $lead_sec = ($lead <= 11 && $lead >= 0) ? $lead : 3;
if ($lead <= 0) { $lead = 3; } if ($minute == 59 && $second > (60-$lead_sec)) {
if ($minute == 59 && $second > (60-$lead)) {
$minute = 0; $minute = 0;
$fhour = ($hour == 23) ? $hour = 0 : $hour+=1; $fhour = ($hour == 23) ? $hour = 0 : $hour+=1;
} }
@ -36,9 +35,17 @@ class CSRFToken Extends Base {
} }
/** /**
* Gets the HTML image (?) with short csrf description for users for the incorrect * Convenience method to get a token expired message with a token type, and ? image with description
* token error message * @param string $tokentype if you want a specific tokentype, set it here
* @param dowhat string What will be put in the string "Simply $dowhat again to..." * @param string $dowhat What will be put in the string "Simply $dowhat again to...", default is try
*/
public static function getErrorWithDescriptionHTML($tokentype="", $dowhat="try") {
return ($tokentype !== "") ? "$tokentype token expired, please try again ".self::getDescriptionImageHTML($dowhat) : "Token expired, please try again ".self::getDescriptionImageHTML($dowhat);
}
/**
* Gets the HTML image (?) with short csrf description for users for the incorrect token error message
* @param dowhat string What will be put in the string "Simply $dowhat again to...", default is try
* @return string HTML image with description * @return string HTML image with description
*/ */
public static function getDescriptionImageHTML($dowhat="try") { public static function getDescriptionImageHTML($dowhat="try") {
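Review bot: The new clamp `$lead_sec = ($lead <= 11 && $lead >= 0) ? $lead : 3;` widens the accepted range compared with the two checks it replaces: a configured leadtime of 11 is now used as-is where it was previously capped at 10, and 0 now disables the leeway entirely where it previously fell back to 3. If the old bounds were intentional, `$lead_sec = ($lead >= 1 && $lead <= 10) ? $lead : 3;` keeps them in a single expression; either way the fallback to 3 for out-of-range values is silent and deserves a one-line comment here. In the second hunk, `$tokentype` is interpolated into the returned HTML unescaped; every caller in this diff passes nothing, but `htmlspecialchars($tokentype)` would keep that safe if a caller ever passes non-literal text. The enclosing method of the first hunk starts before and continues past the hunk.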


@ -134,23 +134,19 @@ $config['twofactor']['options']['changepw'] = true;
* form is submitted. * form is submitted.
* *
* Options: * Options:
* enabled = Whether or not we will generate/check for valid CSRF tokens * enabled = Whether or not we will generate/check for valid CSRF tokens
* sitewide = Require a valid CSRF token for most* forms, does not override form specific settings * leadtime = Length of time in seconds to give as leeway between minute switches
* * contact, account edit, workers, notifications, invites, registration, passsword resets * * Don't change this unless you know why you're changing it
* login = Use and check login-specific CSRF token * disabled_forms = Which forms you want to disable csrf protection on, if enabled
* leadtime = Length of time in seconds to give as leeway between minute switches * * Valid options : contact, accountedit, workers, notifications, invite, register, passreset, unlockaccount
* * Don't change this unless you know why you're changing it
*
* Default: * Default:
* enabled = true * enabled = true
* sitewide = true * leadtime = 3
* login = true * disabled_forms = array();
* leadtime = 3
*/ */
$config['csrf']['enabled'] = true; $config['csrf']['enabled'] = true;
$config['csrf']['options']['sitewide'] = true;
$config['csrf']['forms']['login'] = true;
$config['csrf']['leadtime'] = 3; $config['csrf']['leadtime'] = 3;
$config['csrf']['disabled_forms'] = array();
/** /**
* Lock account after maximum failed logins * Lock account after maximum failed logins
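Review bot: The `Valid options` list in the new docblock does not match the keys the pages actually test: the invitations page checks `in_array('invitations', ...)`, not `invite`, and the login page checks `login`, which the list omits, so a config entry of `'invite'` silently does nothing. Suggest `* * Valid options : contact, accountedit, workers, notifications, invitations, register, passreset, unlockaccount, login`, or rename the key in the invitations page to whichever spelling is kept. It would also help to state here that `leadtime` values outside the range CSRFToken accepts fall back to 3 rather than being rejected.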


@ -14,7 +14,7 @@ $oldtoken_wf = (isset($_POST['wf_token']) && $_POST['wf_token'] !== '') ? $_POST
$updating = (@$_POST['do']) ? 1 : 0; $updating = (@$_POST['do']) ? 1 : 0;
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('accountedit', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0;
} }
@ -77,8 +77,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
} }
else { else {
@ -98,8 +97,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
} }
} else { } else {
@ -119,8 +117,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $iPayoutId->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $iPayoutId->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
} else { } else {
$_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg');
@ -139,8 +136,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account: ' . $user->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update your account: ' . $user->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
break; break;
@ -152,8 +148,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
break; break;
} }
@ -198,7 +193,7 @@ $smarty->assign("DETAILSUNLOCKED", $ea_editable);
$smarty->assign("CHANGEPASSSENT", $cp_sent); $smarty->assign("CHANGEPASSSENT", $cp_sent);
$smarty->assign("WITHDRAWSENT", $wf_sent); $smarty->assign("WITHDRAWSENT", $wf_sent);
$smarty->assign("DETAILSSENT", $ea_sent); $smarty->assign("DETAILSSENT", $ea_sent);
if ($csrfenabled) { if ($csrfenabled && !in_array('accountedit', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
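Review bot: The `!in_array('accountedit', $config['csrf']['disabled_forms'])` re-test in the last hunk's `if` is redundant, because `$csrfenabled` in the first hunk already folds that same test in; `if ($csrfenabled) {` is sufficient and keeps a single source of truth. The same duplicated test appears in the invitations, notifications, unlockaccount, workers and login pages further down. Separately, the token check `$csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']` is loose comparison; if the token is a hex digest, PHP treats two strings of the form `0e…` as equal numerics, so `===` (or `hash_equals()` where the runtime provides it) is the safer form, and the new `in_array` calls should likewise pass `true` as the strict flag. That check is unchanged context here, but the surrounding rewrite is a natural moment to tighten it.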


@ -6,9 +6,9 @@ if (!defined('SECURITY')) die('Hacking attempt');
if ($user->isAuthenticated()) { if ($user->isAuthenticated()) {
if (!$setting->getValue('disable_invitations')) { if (!$setting->getValue('disable_invitations')) {
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('invitations', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations') == @$_POST['ctoken']) ? 1 : 0;
} }
if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) { if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) {
$_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg');
@ -20,8 +20,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Invitation token expired, please try again $img", 'TYPE' => 'info');
} }
} }
$aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']); $aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']);
@ -32,8 +31,8 @@ if ($user->isAuthenticated()) {
} }
} }
// csrf token // csrf token
if ($csrfenabled) { if ($csrfenabled && !in_array('invitations', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
$smarty->assign('CONTENT', 'default.tpl'); $smarty->assign('CONTENT', 'default.tpl');


@ -8,9 +8,9 @@ if ($user->isAuthenticated()) {
$smarty->assign('CONTENT', 'empty'); $smarty->assign('CONTENT', 'empty');
} else { } else {
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('notifications', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs') == @$_POST['ctoken']) ? 1 : 0;
} }
if (@$_REQUEST['do'] == 'save') { if (@$_REQUEST['do'] == 'save') {
@ -21,8 +21,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Notification token expired, please try again $img", 'TYPE' => 'info');
} }
} }
@ -34,8 +33,8 @@ if ($user->isAuthenticated()) {
$aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']); $aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']);
// csrf token // csrf token
if ($csrfenabled) { if ($csrfenabled && !in_array('notifications', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
$smarty->assign('NOTIFICATIONS', $aNotifications); $smarty->assign('NOTIFICATIONS', $aNotifications);


@ -3,18 +3,33 @@
// Make sure we are called from index.php // Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt'); if (!defined('SECURITY')) die('Hacking attempt');
// csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount') == @$_POST['ctoken']) ? 1 : 0;
}
// Confirm an account by token // Confirm an account by token
if (!isset($_GET['token']) || empty($_GET['token'])) { if (!isset($_GET['token']) || empty($_GET['token'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
} else if (!$aToken = $oToken->getToken($_GET['token'], 'account_unlock')) { } else if (!$aToken = $oToken->getToken($_GET['token'], 'account_unlock')) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to re-activate your account. Invalid token.', 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to re-activate your account. Invalid token.', 'TYPE' => 'errormsg');
} else { } else {
if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) { if (!$csrfenabled || $csrfenabled && !$nocsrf) {
$oToken->deleteToken($aToken['token']); if ($user->setUserFailed($aToken['account_id'], 0) && $user->setUserPinFailed($aToken['account_id'], 0) && $user->changeLocked($aToken['account_id'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.'); $oToken->deleteToken($aToken['token']);
$_SESSION['POPUP'][] = array('CONTENT' => 'Account re-activated. Please login.');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Failed to re-activate account. Contact site support.', 'TYPE' => 'errormsg');
}
} else { } else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Failed to re-activate account. Contact site support.', 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
} }
} }
// csrf token
if ($csrfenabled && !in_array('unlockaccount', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'unlockaccount');
$smarty->assign('CTOKEN', $token);
}
$smarty->assign('CONTENT', 'default.tpl'); $smarty->assign('CONTENT', 'default.tpl');
?> ?>
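Review bot: The new guard `if (!$csrfenabled || $csrfenabled && !$nocsrf) {` is inverted relative to the password pages, which proceed on `$nocsrf` (set to 1 when the posted token matches): here the account is unlocked precisely when no matching `ctoken` was posted, and a correctly submitted token produces the expired-token message. Since this page acts on the first GET carrying the emailed `token`, `@$_POST['ctoken']` is empty on that request, so as written the added check never blocks anything. Changing it to `if (!$csrfenabled || $csrfenabled && $nocsrf) {` fixes the inversion, but the unlock would then require a POST step carrying `CTOKEN`; the template for this page is not in the diff, so I cannot confirm such a form exists.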


@ -4,9 +4,9 @@ if (!defined('SECURITY')) die('Hacking attempt');
if ($user->isAuthenticated()) { if ($user->isAuthenticated()) {
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('workers', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers') == @$_POST['ctoken']) ? 1 : 0;
} }
switch (@$_REQUEST['do']) { switch (@$_REQUEST['do']) {
@ -25,8 +25,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
} }
break; break;
case 'update': case 'update':
@ -37,8 +36,7 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
} }
break; break;
} }
@ -49,8 +47,8 @@ if ($user->isAuthenticated()) {
$smarty->assign('WORKERS', $aWorkers); $smarty->assign('WORKERS', $aWorkers);
} }
// csrf token // csrf token
if ($csrfenabled) { if ($csrfenabled && !in_array('workers', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'workers');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
$smarty->assign('CONTENT', 'default.tpl'); $smarty->assign('CONTENT', 'default.tpl');


@ -15,7 +15,7 @@ if ($setting->getValue('disable_contactform')) {
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'))); $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
} }
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }


@ -3,7 +3,6 @@
// Make sure we are called from index.php // Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt'); if (!defined('SECURITY')) die('Hacking attempt');
if ($setting->getValue('recaptcha_enabled')) { if ($setting->getValue('recaptcha_enabled')) {
// Load re-captcha specific data // Load re-captcha specific data
require_once(INCLUDE_DIR . '/lib/recaptchalib.php'); require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
@ -16,9 +15,9 @@ if ($setting->getValue('recaptcha_enabled')) {
} }
// csrf if enabled // csrf if enabled
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact') == @$_POST['ctoken']) ? 1 : 0;
} }
if ($setting->getValue('disable_contactform')) { if ($setting->getValue('disable_contactform')) {
@ -31,8 +30,7 @@ if ($setting->getValue('disable_contactform')) {
if ($rsp->is_valid) { if ($rsp->is_valid) {
// Check if csrf is enabled and fail if token is invalid // Check if csrf is enabled and fail if token is invalid
if (!$nocsrf && $csrfenabled) { if (!$nocsrf && $csrfenabled) {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
} else { } else {
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'))); $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) { if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
@ -53,8 +51,7 @@ if ($setting->getValue('disable_contactform')) {
} else { } else {
// Check if csrf is enabled and fail if token is invalid // Check if csrf is enabled and fail if token is invalid
if (!$nocsrf && $csrfenabled) { if (!$nocsrf && $csrfenabled) {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
} else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) { } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly'); $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
} else { } else {
@ -64,8 +61,8 @@ if ($setting->getValue('disable_contactform')) {
} }
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('contact', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'contact');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
// Tempalte specifics // Tempalte specifics


@ -23,7 +23,7 @@ if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
$debug->append('Using cached page', 3); $debug->append('Using cached page', 3);
} }
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) { if ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }


@ -4,7 +4,7 @@
if (!defined('SECURITY')) die('Hacking attempt'); if (!defined('SECURITY')) die('Hacking attempt');
// csrf if enabled // csrf if enabled
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('login', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
} }
@ -59,13 +59,11 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
} }
} else { } else {
// csrf enabled and invalid csrf token $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
} }
} }
// csrf token // csrf token
if ($csrfenabled) { if ($csrfenabled && !in_array('login', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }


@ -7,5 +7,4 @@ if (!defined('SECURITY'))
// This probably (?) never fails // This probably (?) never fails
$user->logoutUser(); $user->logoutUser();
$smarty->assign("CONTENT", "default.tpl"); $smarty->assign("CONTENT", "default.tpl");
// header('Location: index.php?page=home');
?> ?>


@ -5,8 +5,8 @@ if (!defined('SECURITY'))
die('Hacking attempt'); die('Hacking attempt');
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
// Tempalte specifics // Tempalte specifics


@ -5,9 +5,9 @@ if (!defined('SECURITY'))
die('Hacking attempt'); die('Hacking attempt');
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
// we have to use editaccount token because this can be called from 2 separate places // we have to use editaccount token because this that's where we'll get pushed here from
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount') == @$_POST['ctoken']) ? 1 : 0;
} }
@ -20,12 +20,11 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
} }
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
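Review bot: The rewritten comment `// we have to use editaccount token because this that's where we'll get pushed here from` reads as a mid-edit fragment. Suggest `// we reuse the editaccount token because the account-edit page is where this request is submitted from`. Note also that this page gates on the `passreset` disable key while its token is checked and minted under `editaccount`, and the reset-with-token template at the bottom of this diff includes the hidden field under the `editaccount` key; disabling one key but not the other leaves the field and the check out of step, which is worth a line in the config docblock if the coupling is intended.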


@ -4,9 +4,9 @@
if (!defined('SECURITY')) die('Hacking attempt'); if (!defined('SECURITY')) die('Hacking attempt');
// csrf stuff // csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetaccount') == @$_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'resetpass') == @$_POST['ctoken']) ? 1 : 0;
} }
// Process password reset request // Process password reset request
@ -17,13 +17,12 @@ if (!$csrfenabled || $csrfenabled && $nocsrf) {
$_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg'); $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
} }
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'resetaccount'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'resetpass');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
// Tempalte specifics, user default template by parent page // Tempalte specifics, user default template by parent page


@ -15,8 +15,8 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), null, true)); $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), null, true));
} }
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
// Load news entries for Desktop site and unauthenticated users // Load news entries for Desktop site and unauthenticated users


@ -18,9 +18,9 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
} }
// csrf if enabled // csrf if enabled
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) ? 1 : 0;
if ($csrfenabled) { if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0; $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register') == $_POST['ctoken']) ? 1 : 0;
} }
if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) { if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) {
@ -40,16 +40,15 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
} }
} }
} else { } else {
$img = $csrftoken->getDescriptionImageHTML('register'); $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
} }
} }
// We load the default registration template instead of an action specific one // We load the default registration template instead of an action specific one
$smarty->assign("CONTENT", "../default.tpl"); $smarty->assign("CONTENT", "../default.tpl");
// csrf token // csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { if ($config['csrf']['enabled'] && !in_array('register', $config['csrf']['disabled_forms'])) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH'); $token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
$smarty->assign('CTOKEN', $token); $smarty->assign('CTOKEN', $token);
} }
?> ?>


@ -1,6 +1,6 @@
<form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm" data-ajax="false"> <form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm" data-ajax="false">
<input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" /> <input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.login}<input type="hidden" name="ctoken" value="{$CTOKEN}" />{/if} {if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<p><label for="userForm">Email</label><input type="text" name="username" value="" id="userForm"></p> <p><label for="userForm">Email</label><input type="text" name="username" value="" id="userForm"></p>
<p><label for="passForm">Password</label><input type="password" name="password" value="" id="passForm"></p> <p><label for="passForm">Password</label><input type="password" name="password" value="" id="passForm"></p>
<center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center> <center>{nocache}{$RECAPTCHA|default:"" nofilter}{/nocache}</center>
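Review bot: The template now re-derives the enable decision with `!"login"|in_array:$GLOBAL.csrf.disabled_forms`, duplicating the test the PHP page already makes before assigning `CTOKEN`; `{if isset($CTOKEN)}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}` would keep the form in step with the page and avoid the two key lists drifting. The password-reset template below repeats the same pattern with the `editaccount` key while its page checks `passreset`, which is exactly the drift this invites. Adding `|escape` to the token output is a good change and should stay.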


@ -2,7 +2,7 @@
<input type="hidden" name="token" value="{$smarty.request.token|escape}"> <input type="hidden" name="token" value="{$smarty.request.token|escape}">
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}"> <input type="hidden" name="action" value="{$smarty.request.action|escape}">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<input type="hidden" name="do" value="useToken"> <input type="hidden" name="do" value="useToken">
<table> <table>
<tr><td>New Password: </td><td><input type="password" name="newPassword"></td></tr> <tr><td>New Password: </td><td><input type="password" name="newPassword"></td></tr>


@ -1,7 +1,7 @@
<form action="" method="POST"> <form action="" method="POST">
<input type="hidden" name="page" value="password"> <input type="hidden" name="page" value="password">
<input type="hidden" name="action" value="reset"> <input type="hidden" name="action" value="reset">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<p>If you have an email set for your account, enter your username to get your password reset</p> <p>If you have an email set for your account, enter your username to get your password reset</p>
<p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p> <p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
</form> </form>
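Review bot: The literal `"passreset"` on the `ctoken` line is the only thing tying this template to whatever string the PHP handler checks against `disabled_forms`, and nothing enforces that the two agree; a mismatch on either side means the field is rendered but never verified (the protection is silently lost) or verified but never rendered (the reset form stops working), and both failures are invisible until someone tests them. A more robust split is to let PHP decide once, e.g. `$smarty->assign('CSRF_REQUIRED', $config['csrf']['enabled'] && !in_array('passreset', $config['csrf']['disabled_forms'], true));`, and have the template test only `{if $CSRF_REQUIRED}`. Note also that `in_array` without `true` as the third argument does loose comparison, so the PHP side should pass it.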


@ -56,7 +56,7 @@
<footer> <footer>
<div class="submit_link"> <div class="submit_link">
{nocache} {nocache}
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<input type="hidden" name="ea_token" value="{$smarty.request.ea_token|escape|default:""}"> <input type="hidden" name="ea_token" value="{$smarty.request.ea_token|escape|default:""}">
<input type="hidden" name="utype" value="account_edit"> <input type="hidden" name="utype" value="account_edit">
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.details} {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.details}
@ -106,7 +106,7 @@
<div class="submit_link"> <div class="submit_link">
{nocache} {nocache}
<input type="hidden" name="wf_token" value="{$smarty.request.wf_token|escape|default:""}"> <input type="hidden" name="wf_token" value="{$smarty.request.wf_token|escape|default:""}">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<input type="hidden" name="utype" value="withdraw_funds"> <input type="hidden" name="utype" value="withdraw_funds">
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.withdraw} {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.withdraw}
{if $WITHDRAWSENT == 1 && $WITHDRAWUNLOCKED == 1} {if $WITHDRAWSENT == 1 && $WITHDRAWUNLOCKED == 1}
@ -159,7 +159,7 @@
<div class="submit_link"> <div class="submit_link">
{nocache} {nocache}
<input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}"> <input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<input type="hidden" name="utype" value="change_pw"> <input type="hidden" name="utype" value="change_pw">
{if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw} {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
{if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1} {if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
@ -183,7 +183,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}"> <input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="genPin"> <input type="hidden" name="do" value="genPin">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"editaccount"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_half"> <article class="module width_half">
<header> <header>
<h3>Reset PIN</h3> <h3>Reset PIN</h3>
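Review bot: The disabled-forms key is inconsistent within this one file: the account-edit, withdraw-funds and change-password forms (hunks at lines 56, 106 and 159) test `"accountedit"`, while the Reset PIN form in this hunk (line 183) tests `"editaccount"`, which is also the key used by the token-based password form in another template of this commit. Whichever string the PHP side checks, one group of forms now diverges from it: disabling that key either drops the hidden field while the server still verifies it (the form breaks), or stops the server check while the field is still rendered (the disable silently applies to the check but not the field), and I cannot tell from the templates alone which way it falls. Settle on one key — for this line `{if $GLOBAL.csrf.enabled && !"accountedit"|in_array:$GLOBAL.csrf.disabled_forms}` — or, better, have PHP assign a single boolean per page so the templates never carry the key at all. The surrounding `<form>` element opens and closes outside these hunks.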


@ -2,7 +2,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}"> <input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="sendInvitation"> <input type="hidden" name="do" value="sendInvitation">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"invite"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_quarter"> <article class="module width_quarter">
<header><h3>Invitation</h3></header> <header><h3>Invitation</h3></header>
<div class="module_content"> <div class="module_content">


@ -2,7 +2,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}"> <input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="save"> <input type="hidden" name="do" value="save">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"notifications"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_quarter"> <article class="module width_quarter">
<header> <header>
<h3>Notification Settings</h3> <h3>Notification Settings</h3>


@ -4,7 +4,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}"> <input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="add"> <input type="hidden" name="do" value="add">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<div class="module_content"> <div class="module_content">
<fieldset> <fieldset>
<label>Worker Name</label> <label>Worker Name</label>
@ -30,7 +30,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}"> <input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="update"> <input type="hidden" name="do" value="update">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"workers"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<table class="tablesorter" cellspacing="0"> <table class="tablesorter" cellspacing="0">
<thead> <thead>
<tr> <tr>


@ -1,7 +1,7 @@
<form action="{$smarty.server.SCRIPT_NAME}" method="post"> <form action="{$smarty.server.SCRIPT_NAME}" method="post">
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="contactform"> <input type="hidden" name="action" value="contactform">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_3_quarter"> <article class="module width_3_quarter">
<header><h3>Contact Us</h3></header> <header><h3>Contact Us</h3></header>
<div class="module_content"> <div class="module_content">


@ -1,7 +1,7 @@
<form action="{$smarty.server.SCRIPT_NAME}" method="post"> <form action="{$smarty.server.SCRIPT_NAME}" method="post">
<input type="hidden" name="page" value="{$smarty.request.page|escape}"> <input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="contactform"> <input type="hidden" name="action" value="contactform">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"contact"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_3_quarter"> <article class="module width_3_quarter">
<header><h3>Contact Us</h3></header> <header><h3>Contact Us</h3></header>
<div class="module_content"> <div class="module_content">


@ -1,7 +1,7 @@
<article class="module width_half"> <article class="module width_half">
<form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm"> <form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm">
<input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" /> <input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.login}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"login"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<header><h3>Login with existing account</h3></header> <header><h3>Login with existing account</h3></header>
<div class="module_content"> <div class="module_content">
<fieldset> <fieldset>


@ -2,7 +2,7 @@
<form action="" method="POST"> <form action="" method="POST">
<input type="hidden" name="page" value="password"> <input type="hidden" name="page" value="password">
<input type="hidden" name="action" value="reset"> <input type="hidden" name="action" value="reset">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"passreset"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<header><h3>Password reset</h3></header> <header><h3>Password reset</h3></header>
<div class="module_content"> <div class="module_content">
<p>If you have an email set for your account, enter your username to get your password reset</p> <p>If you have an email set for your account, enter your username to get your password reset</p>


@ -7,7 +7,7 @@
{if $smarty.request.token|default:""} {if $smarty.request.token|default:""}
<input type="hidden" name="token" value="{$smarty.request.token|escape}" /> <input type="hidden" name="token" value="{$smarty.request.token|escape}" />
{/if} {/if}
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if} {if $GLOBAL.csrf.enabled && !"register"|in_array:$GLOBAL.csrf.disabled_forms}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<input type="hidden" name="action" value="register"> <input type="hidden" name="action" value="register">
<fieldset> <fieldset>
<label>Username</label> <label>Username</label>
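Review bot: The `ctoken` this hunk adds to the register form is produced by the `$csrftoken->getBasic($user->getCurrentIP(), 'register')` call in the PHP hunk earlier in this commit, i.e. from the client IP, the form name and the current minute; unless `getBasic()` also mixes in the session identifier (not visible here), the token is not bound to the victim's browser at all, so anyone behind the same public IP (office NAT, carrier-grade NAT, shared proxy) can fetch this page, read a token valid for that IP during the current minute, and embed it in a cross-site form. Binding the token to `session_id()` or a per-session random secret closes that gap, and the same applies to every other form in this commit since they share the helper. Registration visitors may not have a session yet, so the PHP side would need to start one on GET before generating the token. The `<form>` element itself opens and closes outside this hunk.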