Checking token on adding and deleting favorites

2025-07-05 20:41:53 -07:00 · 2021-08-29 16:05:33 +02:00 · 2021-08-29 16:05:33 +02:00 · 475fe47984
commit 475fe47984
parent 5262b3f447
3 changed files with 11 additions and 6 deletions
--- a/web/add/favorite/index.php
+++ b/web/add/favorite/index.php
@ -7,10 +7,9 @@ session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

 // Check token
-//    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
-//        header('location: /login/');
-//        exit();
-//    }
+if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+    die("Wrong token");
+}

    // Protect input
    $v_section = escapeshellarg($_REQUEST['v_section']);
--- a/web/delete/favorite/index.php
+++ b/web/delete/favorite/index.php
@ -5,6 +5,11 @@

    include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+    // Check token
+    if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+        die("Wrong token");
+    }
+
    unset($_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']]);

    $v_section = escapeshellarg($_REQUEST['v_section']);
--- a/web/js/init.js
+++ b/web/js/init.js
@ -128,6 +128,7 @@ $(document).ready(function(){

              $('.l-unit .l-icon-star').click(function(){
                var l_unit = $(this).parents('.l-unit');
+                var token = $('#token').attr('token');

                if(l_unit.hasClass('l-unit--starred')){
                  // removing star
@ -135,7 +136,7 @@ $(document).ready(function(){
                  $.ajax({
                    method: "POST",
                    url: "/delete/favorite/index.php",
-                    data: { v_section: l_unit.attr('v_section'), v_unit_id: l_unit.attr('v_unit_id') }
+                    data: { v_section: l_unit.attr('v_section'), v_unit_id: l_unit.attr('v_unit_id'), token: token }
                  });

                  l_unit.attr({'sort-star': 0});
@ -145,7 +146,7 @@ $(document).ready(function(){
                  $.ajax({
                    method: "POST",
                    url: "/add/favorite/index.php",
-                    data: { v_unit_id: l_unit.attr('v_unit_id'), v_section: l_unit.attr('v_section') }
+                    data: { v_unit_id: l_unit.attr('v_unit_id'), v_section: l_unit.attr('v_section'), token: token }
                  });

                  l_unit.attr({'sort-star': 1});