cleaned up account edit csrf slightly

added csrf protection to workers under sitewide config
added csrf protection to notifications under sitewide config
added csrf protection to invitations under sitewide config
cleaned up login page csrf
cleaned up contactform/contactform page
cleaned up register/register page
moved config->csrf->forms->register to sitewide
added login ip/user/time to notification on login
This commit is contained in:
xisi 2014-01-17 06:37:16 -05:00
parent e5c9720174
commit 8756036646
15 changed files with 118 additions and 58 deletions


@ -150,6 +150,9 @@ class User extends Base {
$aDataN['username'] = $username;
$aDataN['email'] = $this->getUserEmail($username);
$aDataN['subject'] = 'Successful login notification';
$aDataN['LOGINIP'] = $this->getCurrentIP();
$aDataN['LOGINUSER'] = $this->user;
$aDataN['LOGINTIME'] = date('m/d/y H:i:s');
$notifs->sendNotification($uid, 'success_login', $aDataN);
}
return true;
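Review bot: The timestamp placed in `$aDataN['LOGINTIME']` at L25 uses `date('m/d/y H:i:s')`, which carries neither a timezone indicator nor a four-digit year, so the recipient of the "successful login" notice cannot reliably check it against their own clock; `date('Y-m-d H:i:s T')` (or `gmdate(...)` with an explicit UTC marker) would make the value unambiguous. `$aDataN['LOGINUSER']` is filled from `$this->user` while the line above already uses `$username`; if `$this->user` is not guaranteed to be populated at this point, `$username` is the safer source. The enclosing method of `User` starts and ends outside this hunk, and `getCurrentIP()` is defined elsewhere, so how it derives the address (socket peer vs. request headers) cannot be confirmed here.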


@ -135,23 +135,21 @@ $config['twofactor']['options']['changepw'] = true;
*
* Options:
* enabled = Whether or not we will generate/check for valid CSRF tokens
* sitewide = Require a valid CSRF token for all forms, does not override form specific settings
* sitewide = Require a valid CSRF token for most* forms, does not override form specific settings
* * contact, account edit, workers, notifications, invites, registration
* leadtime = Length of time in seconds to give as leeway between minute switches
* login = Use and check login-specific CSRF token
* register = Use and check register-specific CSRF token
*
* Default:
* enabled = true
* sitewide = true
* leadtime = 3
* login = true
* register = true
*/
$config['csrf']['enabled'] = true;
$config['csrf']['options']['sitewide'] = true;
$config['csrf']['options']['leadtime'] = 3;
$config['csrf']['forms']['login'] = true;
$config['csrf']['forms']['register'] = true;
/**
* Lock account after maximum failed logins
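Review bot: The `$config['csrf']['forms']['register']` key is dropped from the default config without any comment pointing at the replacement, while the register page in this commit now keys on `$config['csrf']['options']['sitewide']`. A deployment that had `sitewide = false` together with `register = true` keeps a now-meaningless key and silently loses CSRF checking on registration. A line in the option list such as `* (the former forms.register toggle is removed; registration now follows options.sitewide)` would make the migration visible to anyone diffing their local config against the dist file.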


@ -17,7 +17,6 @@ $updating = (@$_POST['do']) ? 1 : 0;
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
$csrfvalid = 0;
}
if ($user->isAuthenticated()) {
@ -53,13 +52,8 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => $popupmsg, 'TYPE' => 'info');
}
// if csrf is enabled sitewide check this token
if ($csrfenabled) {
$csrfvalid = ($nocsrf && $csrfenabled) ? 1 : 0;
}
if (isset($_POST['do']) && $_POST['do'] == 'genPin') {
if (!$csrfenabled || $csrfenabled && $csrfvalid) {
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($user->generatePin($_SESSION['USERDATA']['id'], $_POST['currentPassword'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Your PIN # has been sent to your email.', 'TYPE' => 'success');
} else {
@ -67,7 +61,7 @@ if ($user->isAuthenticated()) {
}
} else {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
}
}
else {
@ -79,7 +73,7 @@ if ($user->isAuthenticated()) {
$isvalid = in_array($_POST['utype'],$validtypes);
if ($isvalid) {
$ctype = strip_tags($_POST['utype']);
if (!$csrfenabled || $csrfenabled && $csrfvalid) {
if (!$csrfenabled || $csrfenabled && $nocsrf) {
$send = $user->sendChangeConfigEmail($ctype, $_SESSION['USERDATA']['id']);
if ($send) {
$_SESSION['POPUP'][] = array('CONTENT' => 'A confirmation was sent to your e-mail, follow that link to continue', 'TYPE' => 'success');
@ -88,7 +82,7 @@ if ($user->isAuthenticated()) {
}
} else {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
}
}
} else {
@ -106,7 +100,7 @@ if ($user->isAuthenticated()) {
$dBalance = $aBalance['confirmed'];
if ($dBalance > $config['txfee']) {
if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) {
if (!$csrfenabled || $csrfenabled && $csrfvalid) {
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($iPayoutId = $oPayout->createPayout($_SESSION['USERDATA']['id'], $wf_token)) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Created new manual payout request with ID #' . $iPayoutId);
} else {
@ -114,7 +108,7 @@ if ($user->isAuthenticated()) {
}
} else {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
}
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg');
@ -126,7 +120,7 @@ if ($user->isAuthenticated()) {
break;
case 'updateAccount':
if (!$csrfenabled || $csrfenabled && $csrfvalid) {
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $ea_token)) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success');
} else {
@ -134,12 +128,12 @@ if ($user->isAuthenticated()) {
}
} else {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
}
break;
case 'updatePassword':
if (!$csrfenabled || $csrfenabled && $csrfvalid) {
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $cp_token)) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'success');
} else {
@ -147,7 +141,7 @@ if ($user->isAuthenticated()) {
}
} else {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info');
$_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
}
break;
}
@ -183,7 +177,7 @@ $smarty->assign("CHANGEPASSSENT", $cp_sent);
$smarty->assign("WITHDRAWSENT", $wf_sent);
$smarty->assign("DETAILSSENT", $ea_sent);
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
if ($csrfenabled) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
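Review bot: The token check at L63 compares with loose `==`, and the same pattern is repeated in the invitations, notifications, workers, contactform, login and register hunks of this commit. Under `==` two numeric-looking strings are compared as numbers, so whether the check can be satisfied by a value other than the real token depends on the output format of `getBasic()`, which is not shown here; a strict, constant-time comparison removes the question entirely. Suggested line: `$nocsrf = hash_equals((string) $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH'), (string) @$_POST['ctoken']) ? 1 : 0;` (`hash_equals` requires PHP 5.6; on older runtimes `===` on the two string casts is the minimum). The string casts also keep an array submitted as `ctoken[]` from reaching the comparison as an array.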


@ -5,13 +5,23 @@ if (!defined('SECURITY')) die('Hacking attempt');
if ($user->isAuthenticated()) {
if (!$setting->getValue('disable_invitations')) {
// csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
}
if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) {
$_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg');
} else if (isset($_POST['do']) && $_POST['do'] == 'sendInvitation') {
if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success');
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg');
}
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg');
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Invitation token expired, please try again $img", 'TYPE' => 'info');
}
}
$aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']);
@ -22,4 +32,9 @@ if ($user->isAuthenticated()) {
}
}
$smarty->assign('CONTENT', 'default.tpl');
// csrf token
if ($csrfenabled) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
?>
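Review bot: `$csrfenabled` is assigned at L172 inside the `isAuthenticated()` / invitations-enabled branch but read at L199 after the closing braces at L195–196; if those braces close the authenticated block, an unauthenticated visitor hits an undefined-variable notice there (it evaluates as false, so no token is emitted, but the notice is avoidable). Moving the `$csrfenabled = (...) ? 1 : 0;` line above `if ($user->isAuthenticated()) {` makes the flag available on every path. The workers page in this commit has the same shape (assignment at L250, read at L295 after the block closes at L292).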


@ -7,11 +7,22 @@ if ($user->isAuthenticated()) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info');
$smarty->assign('CONTENT', 'empty');
} else {
// csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
}
if (@$_REQUEST['do'] == 'save') {
if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success');
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg');
}
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg');
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Notification token expired, please try again $img", 'TYPE' => 'info');
}
}
@ -25,6 +36,11 @@ if ($user->isAuthenticated()) {
$smarty->assign('NOTIFICATIONS', $aNotifications);
$smarty->assign('SETTINGS', $aSettings);
$smarty->assign('CONTENT', 'default.tpl');
// csrf token
if ($csrfenabled) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
}
}
?>
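Review bot: The guarded action is selected by `$_REQUEST['do']` and reads `$_REQUEST['data']` (L216, L220) while the token is taken from `$_POST['ctoken']` (L214), so the action and its proof-of-origin come from different channels. Reading both from `$_POST` keeps the save reachable only through the form that carries the token and matches the account-edit page, which already uses `$_POST['do']`: `if (@$_POST['do'] == 'save') {`. The rest of this page's form handling is outside the hunk, so I cannot confirm nothing else depends on the GET variant.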


@ -3,6 +3,12 @@
if (!defined('SECURITY')) die('Hacking attempt');
if ($user->isAuthenticated()) {
// csrf stuff
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
}
switch (@$_REQUEST['do']) {
case 'delete':
if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
@ -12,17 +18,27 @@ if ($user->isAuthenticated()) {
}
break;
case 'add':
if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success');
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
}
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
}
break;
case 'update':
if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success');
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
}
} else {
$_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
}
break;
}
@ -34,5 +50,9 @@ if ($user->isAuthenticated()) {
}
$smarty->assign('CONTENT', 'default.tpl');
// csrf token
if ($csrfenabled) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
?>
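Review bot: `case 'delete'` (L255–256) removes a worker based on `$_GET['id']` with no token check, while `add` and `update` are now wrapped in the sitewide guard, so the one state-changing action reachable from a plain link is the one left unprotected. Because it is dispatched on `$_REQUEST['do']`, the token would have to travel with the link and be read from the same channel (`@$_REQUEST['ctoken']` at L252, or the delete link turned into a small POST form in the template, which is not part of this commit); the branch can then use the same `if (!$csrfenabled || $csrfenabled && $nocsrf) { … } else { … "Worker token expired" … }` shape as L263 and L278. The `$csrfenabled` assignment at L250 is also read at L295 after the block closes at L292, so hoisting it above `if ($user->isAuthenticated())` avoids a notice on the unauthenticated path.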


@ -16,8 +16,9 @@ if ($setting->getValue('recaptcha_enabled')) {
}
// csrf if enabled
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
}
if ($setting->getValue('disable_contactform')) {
@ -29,11 +30,10 @@ if ($setting->getValue('disable_contactform')) {
// Check if recaptcha is enabled, process form data if valid
if ($rsp->is_valid) {
// Check if csrf is enabled and fail if token is invalid
if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
if (!$nocsrf && $csrfenabled) {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
} else {
// csrf is valid or disabled, send
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key')));
if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly');
@ -52,7 +52,7 @@ if ($setting->getValue('disable_contactform')) {
// Captcha disabled
} else {
// Check if csrf is enabled and fail if token is invalid
if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
if (!$nocsrf && $csrfenabled) {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info');
} else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) {
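Review bot: L310 validates the submitted token against the form name `'invitations'` whereas the line it replaces (L307) used `'contact'`; unless the token-generation code further down this file was changed the same way, the contact form will always report "Contact token expired" when sitewide CSRF is on, and a token minted for the invitations page would be accepted here. The line should read `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;`. The conditions at L318 and L331 also read `$nocsrf` before `$csrfenabled` is tested, so `$nocsrf` is evaluated undefined when CSRF is off; `if ($csrfenabled && !$nocsrf)` checks the flag first.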


@ -3,6 +3,12 @@
// Make sure we are called from index.php
if (!defined('SECURITY')) die('Hacking attempt');
// csrf if enabled
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
}
// ReCaptcha handling if enabled
if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) {
require_once(INCLUDE_DIR . '/lib/recaptchalib.php');
@ -21,11 +27,6 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
}
}
// csrf if enabled
if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
}
if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST['username']))) {
$_SESSION['POPUP'][] = array('CONTENT' => 'You are not allowed to login during maintenace.', 'TYPE' => 'info');
} else if (!empty($_POST['username']) && !empty($_POST['password'])) {
@ -57,12 +58,15 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
}
} else {
$img = $csrftoken->getDescriptionImageHTML();
$_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
}
}
// Load login template
$smarty->assign('CONTENT', 'default.tpl');
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
if ($csrfenabled) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'login');
$smarty->assign('CTOKEN', $token);
}


@ -17,7 +17,7 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
// Load news entries for Desktop site and unauthenticated users
$smarty->assign("CONTENT", "default.tpl");
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
$smarty->assign('CTOKEN', $token);
}


@ -18,7 +18,8 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
}
// csrf if enabled
if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
if ($csrfenabled) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
}
@ -28,24 +29,26 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
$_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg');
} else {
// Check if csrf is enabled and fail if token is invalid
if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
if (!$csrfenabled || $csrfenabled && $nocsrf) {
if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
// Check if recaptcha is enabled, process form data if valid or disabled
isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
}
}
} else {
$img = $csrftoken->getDescriptionImageHTML('register');
$_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
} else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
// Check if recaptcha is enabled, process form data if valid or disabled
isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
}
}
}
// We load the default registration template instead of an action specific one
$smarty->assign("CONTENT", "../default.tpl");
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
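Review bot: L397 reads `$_POST['ctoken']` without the `@`/`isset` guard that every other page in this commit uses (L252, L344, L174), so a plain GET of the registration page raises an undefined-index notice before any form is submitted. Matching the sibling pages, `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;` is the minimal change; the loose `==` here has the same weakness raised on the account-edit hunk. The branch at L404–L416 now correctly processes the registration only when the token passes, which fixes the inverted ordering of the removed L403.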


@ -1,6 +1,9 @@
<html>
<body>
<p>Your account has successfully logged in</p>
<p>User: {$LOGINUSER}</p>
<p>IP: {$LOGINIP}</p>
<p>Time: {$LOGINTIME}</p>
<p>If you initiated this login, you can ignore this message. If you did NOT, please notify an administrator.</p>
<br/>
<br/>


@ -2,6 +2,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="sendInvitation">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_quarter">
<header><h3>Invitation</h3></header>
<div class="module_content">


@ -2,6 +2,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="save">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<article class="module width_quarter">
<header>
<h3>Notification Settings</h3>


@ -4,6 +4,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="add">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<div class="module_content">
<fieldset>
<label>Worker Name</label>
@ -29,6 +30,7 @@
<input type="hidden" name="page" value="{$smarty.request.page|escape}">
<input type="hidden" name="action" value="{$smarty.request.action|escape}">
<input type="hidden" name="do" value="update">
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<table class="tablesorter" cellspacing="0">
<thead>
<tr>


@ -7,7 +7,7 @@
{if $smarty.request.token|default:""}
<input type="hidden" name="token" value="{$smarty.request.token|escape}" />
{/if}
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.register}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
<input type="hidden" name="action" value="register">
<fieldset>
<label>Username</label>