Merge pull request #1704 from MPOS/worker-delete-csrf

[ADDE] CSRF validation for Worker Deletion

public/include/pages/account/workers.inc.php

@@ -4,13 +4,17 @@ $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 if ($user->isAuthenticated()) {
   switch (@$_REQUEST['do']) {
   case 'delete':
-    if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
-      $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
+    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+      if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
+        $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
+      } else {
+        $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+      }
     } else {
-      $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
+      $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
     }
     break;
-    
+
   case 'add':
     if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
       if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
@@ -22,7 +26,7 @@ if ($user->isAuthenticated()) {
       $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
     }
     break;
-    
+
   case 'update':
     if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
       if ($worker->updateWorkers($_SESSION['USERDATA']['id'], @$_POST['data'])) {
@@ -43,4 +47,4 @@ if ($user->isAuthenticated()) {
 }
 $smarty->assign('CONTENT', 'default.tpl');
 
-?>
+?>

public/index.php

@@ -147,9 +147,9 @@ if (is_dir(INCLUDE_DIR . '/pages/' . $page)) {
 $action = (isset($_REQUEST['action']) && !is_array($_REQUEST['action'])) && isset($arrActions[$_REQUEST['action']]) ? $_REQUEST['action'] : "";
 
 // Check csrf token validity if necessary
-if ($config['csrf']['enabled'] && isset($_POST['ctoken']) && !empty($_POST['ctoken']) && !is_array($_POST['ctoken'])) {
-  $csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_POST['ctoken'])) ? 1 : 0;
-} else if ($config['csrf']['enabled'] && (!@$_POST['ctoken'] || empty($_POST['ctoken']))) {
+if ($config['csrf']['enabled'] && isset($_REQUEST['ctoken']) && !empty($_REQUEST['ctoken']) && !is_array($_REQUEST['ctoken'])) {
+  $csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_REQUEST['ctoken'])) ? 1 : 0;
+} else if ($config['csrf']['enabled'] && (!@$_REQUEST['ctoken'] || empty($_REQUEST['ctoken']))) {
   $csrftoken->valid = 0;
 }
 if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic($user->getCurrentIP(), $arrPages[$page]));

public/templates/mpos/account/workers/default.tpl

@@ -63,7 +63,7 @@
           {/if}
           <td align="right">{$WORKERS[worker].hashrate|number_format}</td>
           <td align="right">{$WORKERS[worker].difficulty|number_format:"2"}</td>
-          <td align="center" style="padding-right: 25px;"><a href="{$smarty.server.SCRIPT_NAME}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=delete&id={$WORKERS[worker].id|escape}" class="icn_trash"><i class="icon-trash" /></a></td>
+          <td align="center" style="padding-right: 25px;"><a href="{$smarty.server.SCRIPT_NAME}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=delete&id={$WORKERS[worker].id|escape}&ctoken={$CTOKEN}" class="icn_trash"><i class="icon-trash" /></a></td>
         </tr>
           {/section}
         {/nocache}