Testing CSRF from admin login, if works well then we will make it official

2024-10-09 17:13:25 +01:00 · 2024-10-09 17:13:25 +01:00 · 99e8b20bb3
commit 99e8b20bb3
parent bd30261e84
2 changed files with 18 additions and 10 deletions
--- a/system/controllers/admin.php
+++ b/system/controllers/admin.php
@ -23,6 +23,11 @@ switch ($do) {
    case 'post':
        $username = _post('username');
        $password = _post('password');
+        //csrf token
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            _alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin");
+        }
        run_hook('admin_login'); #HOOK
        if ($username != '' and $password != '') {
            $d = ORM::for_table('tbl_users')->where('username', $username)->find_one();
@ -56,6 +61,8 @@ switch ($do) {
        break;
    default:
        run_hook('view_login'); #HOOK
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
        $ui->display('admin-login.tpl');
        break;
 }
--- a/ui/ui/admin-login.tpl
+++ b/ui/ui/admin-login.tpl
@ -24,6 +24,7 @@
                {$notify}
            {/if}
            <form action="{$_url}admin/post" method="post">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                <div class="form-group has-feedback">
                    <input type="text" required class="form-control" name="username" placeholder="{Lang::T('Username')}">
                    <span class="glyphicon glyphicon-user form-control-feedback"></span>