diff --git a/system/controllers/admin.php b/system/controllers/admin.php
index c91f495d..0599f0c7 100644
--- a/system/controllers/admin.php
+++ b/system/controllers/admin.php
@@ -5,12 +5,12 @@
* by https://t.me/ibnux
**/
- header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
- header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
- header("Pragma: no-cache");
+header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
+header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
+header("Pragma: no-cache");
-if(Admin::getID()){
- r2(U.'dashboard', "s", Lang::T("You are already logged in"));
+if (Admin::getID()) {
+ r2(U . 'dashboard', "s", Lang::T("You are already logged in"));
}
if (isset($routes['1'])) {
@@ -23,6 +23,11 @@ switch ($do) {
case 'post':
$username = _post('username');
$password = _post('password');
+ //csrf token
+ $csrf_token = _post('csrf_token');
+ if (!Csrf::check($csrf_token)) {
+ _alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin");
+ }
run_hook('admin_login'); #HOOK
if ($username != '' and $password != '') {
$d = ORM::for_table('tbl_users')->where('username', $username)->find_one();
@@ -36,26 +41,28 @@ switch ($do) {
_log($username . ' ' . Lang::T('Login Successful'), $d['user_type'], $d['id']);
if ($isApi) {
if ($token) {
- showResult(true, Lang::T('Login Successful'), ['token' => "a.".$token]);
+ showResult(true, Lang::T('Login Successful'), ['token' => "a." . $token]);
} else {
showResult(false, Lang::T('Invalid Username or Password'));
}
}
- _alert(Lang::T('Login Successful'),'success', "dashboard");
+ _alert(Lang::T('Login Successful'), 'success', "dashboard");
} else {
_log($username . ' ' . Lang::T('Failed Login'), $d['user_type']);
- _alert(Lang::T('Invalid Username or Password').".",'danger', "admin");
+ _alert(Lang::T('Invalid Username or Password') . ".", 'danger', "admin");
}
} else {
- _alert(Lang::T('Invalid Username or Password')."..",'danger', "admin");
+ _alert(Lang::T('Invalid Username or Password') . "..", 'danger', "admin");
}
} else {
- _alert(Lang::T('Invalid Username or Password')."...",'danger', "admin");
+ _alert(Lang::T('Invalid Username or Password') . "...", 'danger', "admin");
}
break;
default:
run_hook('view_login'); #HOOK
+ $csrf_token = Csrf::generateAndStoreToken();
+ $ui->assign('csrf_token', $csrf_token);
$ui->display('admin-login.tpl');
break;
}
diff --git a/ui/ui/admin-login.tpl b/ui/ui/admin-login.tpl
index 3ba9e197..76e05f06 100644
--- a/ui/ui/admin-login.tpl
+++ b/ui/ui/admin-login.tpl
@@ -24,6 +24,7 @@
{$notify}
{/if}
<form action="{$_url}admin/post" method="post">
+ <input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group has-feedback">
<input type="text" required class="form-control" name="username" placeholder="{Lang::T('Username')}">
<span class="glyphicon glyphicon-user form-control-feedback"></span>