diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php index a9fe3f97..d238339e 100644 --- a/public/include/classes/user.class.php +++ b/public/include/classes/user.class.php @@ -150,6 +150,9 @@ class User extends Base { $aDataN['username'] = $username; $aDataN['email'] = $this->getUserEmail($username); $aDataN['subject'] = 'Successful login notification'; + $aDataN['LOGINIP'] = $this->getCurrentIP(); + $aDataN['LOGINUSER'] = $this->user; + $aDataN['LOGINTIME'] = date('m/d/y H:i:s'); $notifs->sendNotification($uid, 'success_login', $aDataN); } return true; diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php index 3b7562c9..f8ae62ef 100644 --- a/public/include/config/global.inc.dist.php +++ b/public/include/config/global.inc.dist.php @@ -135,23 +135,21 @@ $config['twofactor']['options']['changepw'] = true; * * Options: * enabled = Whether or not we will generate/check for valid CSRF tokens - * sitewide = Require a valid CSRF token for all forms, does not override form specific settings + * sitewide = Require a valid CSRF token for most* forms, does not override form specific settings + * * contact, account edit, workers, notifications, invites, registration * leadtime = Length of time in seconds to give as leeway between minute switches * login = Use and check login-specific CSRF token - * register = Use and check register-specific CSRF token * * Default: * enabled = true * sitewide = true * leadtime = 3 * login = true - * register = true */ $config['csrf']['enabled'] = true; $config['csrf']['options']['sitewide'] = true; $config['csrf']['options']['leadtime'] = 3; $config['csrf']['forms']['login'] = true; -$config['csrf']['forms']['register'] = true; /** * Lock account after maximum failed logins diff --git a/public/include/pages/account/edit.inc.php b/public/include/pages/account/edit.inc.php index 5d1d305d..0d822e86 100644 --- a/public/include/pages/account/edit.inc.php 
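Review bot: `$aDataN['LOGINTIME'] = date('m/d/y H:i:s')` stamps the login alert with server-local time and no zone, in a two-digit-year format whose day/month order differs by locale, so the one field a recipient needs to decide "was this me?" is ambiguous; `date('Y-m-d H:i:s T')` or `date('c')` would be unambiguous. `LOGINUSER` is filled from `$this->user` although the same array already carries `$username`; unless `$this->user` is guaranteed to be set on this path (not visible here), `$username` is the safer source. The enclosing method starts and ends outside the hunk.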
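Review bot: The hunk retires `$config['csrf']['forms']['register']` and folds registration under `options.sitewide`, but nothing tells an operator whose deployed `global.inc.php` has `sitewide = false` and `register = true` that the registration form silently loses its token after this upgrade. A line in the option comment would make that explicit, e.g. `* (forms.register was removed; registration now follows options.sitewide)`, and the upgrade notes should say the same. The stale key left in deployed configs is harmless since nothing reads it any more.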
+++ b/public/include/pages/account/edit.inc.php @@ -17,7 +17,6 @@ $updating = (@$_POST['do']) ? 1 : 0; $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; if ($csrfenabled) { $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; - $csrfvalid = 0; } if ($user->isAuthenticated()) { @@ -53,13 +52,8 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => $popupmsg, 'TYPE' => 'info'); } - // if csrf is enabled sitewide check this token - if ($csrfenabled) { - $csrfvalid = ($nocsrf && $csrfenabled) ? 1 : 0; - } - if (isset($_POST['do']) && $_POST['do'] == 'genPin') { - if (!$csrfenabled || $csrfenabled && $csrfvalid) { + if (!$csrfenabled || $csrfenabled && $nocsrf) { if ($user->generatePin($_SESSION['USERDATA']['id'], $_POST['currentPassword'])) { $_SESSION['POPUP'][] = array('CONTENT' => 'Your PIN # has been sent to your email.', 'TYPE' => 'success'); } else { @@ -67,7 +61,7 @@ if ($user->isAuthenticated()) { } } else { $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); } } else { @@ -79,7 +73,7 @@ if ($user->isAuthenticated()) { $isvalid = in_array($_POST['utype'],$validtypes); if ($isvalid) { $ctype = strip_tags($_POST['utype']); - if (!$csrfenabled || $csrfenabled && $csrfvalid) { + if (!$csrfenabled || $csrfenabled && $nocsrf) { $send = $user->sendChangeConfigEmail($ctype, $_SESSION['USERDATA']['id']); if ($send) { $_SESSION['POPUP'][] = array('CONTENT' => 'A confirmation was sent to your e-mail, follow that link to continue', 'TYPE' => 'success'); 
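Review bot: Each rewritten guard reads `!$csrfenabled || $csrfenabled && $nocsrf`, which, since `&&` binds tighter than `||`, is just `!$csrfenabled || $nocsrf`; with `$csrfvalid` gone the longer form only obscures that `$nocsrf` actually means "token matched". I would shorten the condition in all guards of this file (also in @@ -79, @@ -106, @@ -126 and @@ -134) and in the new guards in invitations, notifications and workers, and consider renaming `$nocsrf` to `$csrfvalid` in a follow-up so the variable name and its meaning agree.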
@@ -88,7 +82,7 @@ if ($user->isAuthenticated()) { } } else { $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); } } } else { @@ -106,7 +100,7 @@ if ($user->isAuthenticated()) { $dBalance = $aBalance['confirmed']; if ($dBalance > $config['txfee']) { if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) { - if (!$csrfenabled || $csrfenabled && $csrfvalid) { + if (!$csrfenabled || $csrfenabled && $nocsrf) { if ($iPayoutId = $oPayout->createPayout($_SESSION['USERDATA']['id'], $wf_token)) { $_SESSION['POPUP'][] = array('CONTENT' => 'Created new manual payout request with ID #' . $iPayoutId); } else { @@ -114,7 +108,7 @@ if ($user->isAuthenticated()) { } } else { $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); } } else { $_SESSION['POPUP'][] = array('CONTENT' => 'You already have one active manual payout request.', 'TYPE' => 'errormsg'); @@ -126,7 +120,7 @@ if ($user->isAuthenticated()) { break; case 'updateAccount': - if (!$csrfenabled || $csrfenabled && $csrfvalid) { + if (!$csrfenabled || $csrfenabled && $nocsrf) { if ($user->updateAccount($_SESSION['USERDATA']['id'], $_POST['paymentAddress'], $_POST['payoutThreshold'], $_POST['donatePercent'], $_POST['email'], $_POST['is_anonymous'], $ea_token)) { $_SESSION['POPUP'][] = array('CONTENT' => 'Account details updated', 'TYPE' => 'success'); } else { 
@@ -134,12 +128,12 @@ if ($user->isAuthenticated()) { } } else { $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); } break; case 'updatePassword': - if (!$csrfenabled || $csrfenabled && $csrfvalid) { + if (!$csrfenabled || $csrfenabled && $nocsrf) { if ($user->updatePassword($_SESSION['USERDATA']['id'], $_POST['currentPassword'], $_POST['newPassword'], $_POST['newPassword2'], $cp_token)) { $_SESSION['POPUP'][] = array('CONTENT' => 'Password updated', 'TYPE' => 'success'); } else { @@ -147,7 +141,7 @@ if ($user->isAuthenticated()) { } } else { $img = $csrftoken->getDescriptionImageHTML(); - $_SESSION['POPUP'][] = array('CONTENT' => "Edit account token expired, please try again $img", 'TYPE' => 'info'); + $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info'); } break; } @@ -183,7 +177,7 @@ $smarty->assign("CHANGEPASSSENT", $cp_sent); $smarty->assign("WITHDRAWSENT", $wf_sent); $smarty->assign("DETAILSSENT", $ea_sent); // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { +if ($csrfenabled) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/account/invitations.inc.php b/public/include/pages/account/invitations.inc.php index 1fada08d..ce970e56 100644 --- a/public/include/pages/account/invitations.inc.php +++ b/public/include/pages/account/invitations.inc.php 
@@ -5,13 +5,23 @@ if (!defined('SECURITY')) die('Hacking attempt'); if ($user->isAuthenticated()) { if (!$setting->getValue('disable_invitations')) { + // csrf stuff + $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; + if ($csrfenabled) { + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + } if ($invitation->getCountInvitations($_SESSION['USERDATA']['id']) >= $config['accounts']['invitations']['count']) { $_SESSION['POPUP'][] = array('CONTENT' => 'You have exceeded the allowed invitations of ' . $config['accounts']['invitations']['count'], 'TYPE' => 'errormsg'); } else if (isset($_POST['do']) && $_POST['do'] == 'sendInvitation') { - if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) { - $_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success'); + if (!$csrfenabled || $csrfenabled && $nocsrf) { + if ($invitation->sendInvitation($_SESSION['USERDATA']['id'], $_POST['data'])) { + $_SESSION['POPUP'][] = array('CONTENT' => 'Invitation sent', 'TYPE' => 'success'); + } else { + $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg'); + } } else { - $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to send invitation to recipient: ' . $invitation->getError(), 'TYPE' => 'errormsg'); + $img = $csrftoken->getDescriptionImageHTML(); + $_SESSION['POPUP'][] = array('CONTENT' => "Invitation token expired, please try again $img", 'TYPE' => 'info'); } } $aInvitations = $invitation->getInvitations($_SESSION['USERDATA']['id']); @@ -22,4 +32,9 @@ if ($user->isAuthenticated()) { } } $smarty->assign('CONTENT', 'default.tpl'); +// csrf token +if ($csrfenabled) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH'); + $smarty->assign('CTOKEN', $token); +} ?> 
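Review bot: The new check `$csrftoken->getBasic(...) == @$_POST['ctoken']` compares the token with loose `==`, so two numeric-looking strings are compared as numbers (`'0e12' == '0'` holds) and the equality is weaker than intended. Use strict comparison, `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') === @$_POST['ctoken']) ? 1 : 0;`, or `hash_equals()` where the minimum PHP version allows it. The same `==` is introduced in the new lines of notifications.inc.php, workers.inc.php, contactform.inc.php and login.inc.php, and already exists in edit.inc.php and register.inc.php.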
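Review bot: `$csrfenabled` is assigned only inside `if ($user->isAuthenticated())` / `if (!$setting->getValue('disable_invitations'))` in the first hunk, yet the footer `if ($csrfenabled)` added here runs at top level, so an unauthenticated visit or a disabled feature reads an undefined variable (a notice; it is falsy, so no token is emitted). Initialise it once before the authentication check, `$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;`, and drop the inner copy. workers.inc.php has the same shape: its `$csrfenabled` is set inside `if ($user->isAuthenticated())` in @@ -3 and read at top level in @@ -34.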
diff --git a/public/include/pages/account/notifications.inc.php b/public/include/pages/account/notifications.inc.php index 49e18496..ca53b7f2 100644 --- a/public/include/pages/account/notifications.inc.php +++ b/public/include/pages/account/notifications.inc.php @@ -7,11 +7,22 @@ if ($user->isAuthenticated()) { $_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info'); $smarty->assign('CONTENT', 'empty'); } else { + // csrf stuff + $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; + if ($csrfenabled) { + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + } + if (@$_REQUEST['do'] == 'save') { - if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) { - $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success'); + if (!$csrfenabled || $csrfenabled && $nocsrf) { + if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) { + $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings', 'TYPE' => 'success'); + } else { + $_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg'); + } } else { - $_SESSION['POPUP'][] = array('CONTENT' => $notification->getError(), 'TYPE' => 'errormsg'); + $img = $csrftoken->getDescriptionImageHTML(); + $_SESSION['POPUP'][] = array('CONTENT' => "Notification token expired, please try again $img", 'TYPE' => 'info'); } } @@ -25,6 +36,11 @@ if ($user->isAuthenticated()) { $smarty->assign('NOTIFICATIONS', $aNotifications); $smarty->assign('SETTINGS', $aSettings); $smarty->assign('CONTENT', 'default.tpl'); + // csrf token + if ($csrfenabled) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'editnotifs', 'mdyH'); + $smarty->assign('CTOKEN', $token); + } } } ?> 
diff --git a/public/include/pages/account/workers.inc.php b/public/include/pages/account/workers.inc.php index 3ccacfd3..23068959 100644 --- a/public/include/pages/account/workers.inc.php +++ b/public/include/pages/account/workers.inc.php @@ -3,6 +3,12 @@ if (!defined('SECURITY')) die('Hacking attempt'); if ($user->isAuthenticated()) { + // csrf stuff + $csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; + if ($csrfenabled) { + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; + } + switch (@$_REQUEST['do']) { case 'delete': if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) { 
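Review bot: The `delete` case directly below the new token setup still calls `deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])` with no token check, so after this commit it is the one state-changing worker action without CSRF protection, and it is driven by a GET parameter. It should be gated with the same condition as `add` and `update`; that in turn needs the delete control in the template (not in this diff) to submit `ctoken`, ideally as a POST form rather than a bare link, since the token is read from `$_POST`. The rest of the delete branch lies outside the hunk.
```php
    case 'delete':
      if (!$csrfenabled || $nocsrf) {
        // … unchanged: deleteWorker call and its success/error popups …
      } else {
        $img = $csrftoken->getDescriptionImageHTML();
        $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info');
      }
```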
@@ -12,17 +18,27 @@ if ($user->isAuthenticated()) { } break; case 'add': - if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) { - $_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success'); + if (!$csrfenabled || $csrfenabled && $nocsrf) { + if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) { + $_SESSION['POPUP'][] = array('CONTENT' => 'Worker added', 'TYPE' => 'success'); + } else { + $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); + } } else { - $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); + $img = $csrftoken->getDescriptionImageHTML(); + $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info'); } break; case 'update': - if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) { - $_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success'); + if (!$csrfenabled || $csrfenabled && $nocsrf) { + if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) { + $_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated', 'TYPE' => 'success'); + } else { + $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); + } } else { - $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg'); + $img = $csrftoken->getDescriptionImageHTML(); + $_SESSION['POPUP'][] = array('CONTENT' => "Worker token expired, please try again $img", 'TYPE' => 'info'); } break; } @@ -34,5 +50,9 @@ if ($user->isAuthenticated()) { } $smarty->assign('CONTENT', 'default.tpl'); - +// csrf token +if ($csrfenabled) { + $token = $csrftoken->getBasic($user->getCurrentIP(), 'workers', 'mdyH'); + $smarty->assign('CTOKEN', $token); +} ?> 
diff --git a/public/include/pages/contactform/contactform.inc.php b/public/include/pages/contactform/contactform.inc.php index 5fadba39..7e0a3106 100644 --- a/public/include/pages/contactform/contactform.inc.php +++ b/public/include/pages/contactform/contactform.inc.php @@ -16,8 +16,9 @@ if ($setting->getValue('recaptcha_enabled')) { } // csrf if enabled -if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == $_POST['ctoken']) ? 1 : 0; +$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +if ($csrfenabled) { + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'invitations', 'mdyH') == @$_POST['ctoken']) ? 1 : 0; } if ($setting->getValue('disable_contactform')) { @@ -29,11 +30,10 @@ if ($setting->getValue('disable_contactform')) { // Check if recaptcha is enabled, process form data if valid if ($rsp->is_valid) { // Check if csrf is enabled and fail if token is invalid - if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) { + if (!$nocsrf && $csrfenabled) { $img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info'); } else { - // csrf is valid or disabled, send $smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'))); if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) { $_SESSION['POPUP'][] = array('CONTENT' => 'Thanks for sending your message! We will get back to you shortly'); 
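Review bot: The rewritten check calls `getBasic($user->getCurrentIP(), 'invitations', 'mdyH')` where the removed line used `'contact'`, which looks like a copy-paste slip from invitations.inc.php. If the token emitted for the contact page (outside this hunk) is still minted with `'contact'`, every submission now fails with "Contact token expired"; if both sides were switched to `'invitations'`, a token issued for the invitations form would be accepted here, which defeats the per-form scoping. Restore the context: `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'contact', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;`.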
@@ -52,7 +52,7 @@ if ($setting->getValue('disable_contactform')) { // Captcha disabled } else { // Check if csrf is enabled and fail if token is invalid - if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { + if (!$nocsrf && $csrfenabled) { $img = $csrftoken->getDescriptionImageHTML(); $_SESSION['POPUP'][] = array('CONTENT' => "Contact token expired, please try again $img", 'TYPE' => 'info'); } else if ($mail->contactform($_POST['senderName'], $_POST['senderEmail'], $_POST['senderSubject'], $_POST['senderMessage'])) { diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php index 57005c7d..b7590abd 100644 --- a/public/include/pages/login.inc.php +++ b/public/include/pages/login.inc.php @@ -3,6 +3,12 @@ // Make sure we are called from index.php if (!defined('SECURITY')) die('Hacking attempt'); +// csrf if enabled +$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) ? 1 : 0; +if ($csrfenabled) { + $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0; +} + // ReCaptcha handling if enabled if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) { require_once(INCLUDE_DIR . '/lib/recaptchalib.php'); @@ -21,11 +27,6 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena } } -// csrf if enabled -if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) { - $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0; -} - if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST['username']))) { $_SESSION['POPUP'][] = array('CONTENT' => 'You are not allowed to login during maintenace.', 'TYPE' => 'info'); } else if (!empty($_POST['username']) && !empty($_POST['password'])) { 
@@ -57,12 +58,15 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST } else { $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg'); } + } else { + $img = $csrftoken->getDescriptionImageHTML(); + $_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info'); } } // Load login template $smarty->assign('CONTENT', 'default.tpl'); // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) { +if ($csrfenabled) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'login'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/register.inc.php b/public/include/pages/register.inc.php index 4ae62a6a..2be0e636 100644 --- a/public/include/pages/register.inc.php +++ b/public/include/pages/register.inc.php @@ -17,7 +17,7 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit // Load news entries for Desktop site and unauthenticated users $smarty->assign("CONTENT", "default.tpl"); // csrf token - if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) { + if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH'); $smarty->assign('CTOKEN', $token); } diff --git a/public/include/pages/register/register.inc.php b/public/include/pages/register/register.inc.php index cb262546..deca410d 100644 --- a/public/include/pages/register/register.inc.php +++ b/public/include/pages/register/register.inc.php 
@@ -18,7 +18,8 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena } // csrf if enabled -if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) { +$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0; +if ($csrfenabled) { $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0; } 
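Review bot: The kept line `$nocsrf = (... == $_POST['ctoken']) ? 1 : 0;` reads `$_POST['ctoken']` without `@` or `isset()`, unlike every other page in this commit, so a plain GET of the registration page with `sitewide` on raises an undefined-index notice on each render now that this branch is taken whenever sitewide CSRF is enabled. Bring it in line with the others, `$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;` (better still with `===`).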
@@ -28,24 +29,26 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist $_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg'); } else { // Check if csrf is enabled and fail if token is invalid - if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) { + if (!$csrfenabled || $csrfenabled && $nocsrf) { + if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) { + // Check if recaptcha is enabled, process form data if valid or disabled + isset($_POST['token']) ? $token = $_POST['token'] : $token = ''; + if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) { + ! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login'); + } else { + $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg'); + } + } + } else { $img = $csrftoken->getDescriptionImageHTML('register'); $_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info'); - } else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) { - // Check if recaptcha is enabled, process form data if valid or disabled - isset($_POST['token']) ? $token = $_POST['token'] : $token = ''; - if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) { - ! $setting->getValue('accounts_confirm_email_disabled') ? 
$_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login'); - } else { - $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg'); - } } } // We load the default registration template instead of an action specific one $smarty->assign("CONTENT", "../default.tpl"); // csrf token -if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) { +if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) { $token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH'); $smarty->assign('CTOKEN', $token); } diff --git a/public/templates/mail/notifications/success_login.tpl b/public/templates/mail/notifications/success_login.tpl index df92934b..e1a07bac 100644 --- a/public/templates/mail/notifications/success_login.tpl +++ b/public/templates/mail/notifications/success_login.tpl @@ -1,6 +1,9 @@
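Review bot: In the restructured block the inner recaptcha guard `if ($setting->getValue('recaptcha_enabled') != 1 || ... || $rsp->is_valid)` has no `else`, so a user who fails the captcha is sent back to the form with no popup at all, while a bad token gets "Register token expired". This was already true of the old `else if`, but the rewrite is the moment to add the missing branch, e.g. `} else { $_SESSION['POPUP'][] = array('CONTENT' => 'Captcha verification failed, please try again', 'TYPE' => 'errormsg'); }`. `$rsp` is set in the recaptcha block above this hunk.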

Your account has successfully logged in

+

User: {$LOGINUSER}

+

IP: {$LOGINIP}

+

Time: {$LOGINTIME}

If you initiated this login, you can ignore this message. If you did NOT, please notify an administrator.



diff --git a/public/templates/mpos/account/invitations/default.tpl b/public/templates/mpos/account/invitations/default.tpl index bea7df13..59615fff 100644 --- a/public/templates/mpos/account/invitations/default.tpl +++ b/public/templates/mpos/account/invitations/default.tpl @@ -2,6 +2,7 @@ + {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}

Invitation

diff --git a/public/templates/mpos/account/notifications/default.tpl b/public/templates/mpos/account/notifications/default.tpl index b0003f6a..8c0c56e1 100644 --- a/public/templates/mpos/account/notifications/default.tpl +++ b/public/templates/mpos/account/notifications/default.tpl @@ -2,6 +2,7 @@ + {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}

Notification Settings

diff --git a/public/templates/mpos/account/workers/default.tpl b/public/templates/mpos/account/workers/default.tpl index 31df5fa0..5682acd0 100644 --- a/public/templates/mpos/account/workers/default.tpl +++ b/public/templates/mpos/account/workers/default.tpl @@ -4,6 +4,7 @@ + {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}
@@ -29,6 +30,7 @@ + {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if} diff --git a/public/templates/mpos/register/default.tpl b/public/templates/mpos/register/default.tpl index 9a0fa15f..4c83640b 100644 --- a/public/templates/mpos/register/default.tpl +++ b/public/templates/mpos/register/default.tpl @@ -7,7 +7,7 @@ {if $smarty.request.token|default:""} {/if} -{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.register}{/if} +{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}{/if}