From 147361524c5feea972b670781709eea981475f4e Mon Sep 17 00:00:00 2001
From: Frank Cools
Date: Thu, 2 Oct 2025 17:21:34 +0200
Subject: [PATCH] Fix CSRF protection error in configuration form

CSRF Protection Implementation:
- Added CSRF token to form with newToken() function
- Added token validation with checkToken() function
- Proper error handling for CSRF token validation
- Security compliance with Dolibarr standards

Form Security:
- Hidden token field in form submission
- Token validation before processing form data
- Error message display for invalid tokens
- Proper security workflow

Language Support:
- Added English error message for CSRF token error
- Added French error message for CSRF token error
- Complete bilingual support for security messages

The configuration form now properly handles CSRF protection and should work without security errors!
---
 admin/setup_mvp.php | 22 ++++++++++++++--------
 langs/en_US/declarationtva.lang | 1 +
 langs/fr_FR/declarationtva.lang | 1 +
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/admin/setup_mvp.php b/admin/setup_mvp.php
index 457db23..4e7879f 100644
--- a/admin/setup_mvp.php
+++ b/admin/setup_mvp.php
@@ -37,17 +37,22 @@ $form = new Form($db);
 // Handle form submission
 $action = GETPOST('action', 'alpha');
 if ($action == 'update_mappings') {
- $ca3_definitions = $config->getCA3LineDefinitions();
-
- foreach ($ca3_definitions as $line => $definition) {
- $account_codes = GETPOST('account_codes_' . $line, 'array');
+ // CSRF protection
+ if (!checkToken()) {
+ setEventMessages($langs->trans("ErrorCSRFToken"), null, 'errors');
+ } else {
+ $ca3_definitions = $config->getCA3LineDefinitions();
 
- if (!empty($account_codes)) {
- $config->updateAccountMapping($line, $account_codes);
+ foreach ($ca3_definitions as $line => $definition) {
+ $account_codes = GETPOST('account_codes_' . $line, 'array');
+
+ if (!empty($account_codes)) {
+ $config->updateAccountMapping($line, $account_codes);
+ }
 }
+
+ setEventMessages($langs->trans("ConfigurationUpdated"), null, 'mesgs');
 }
-
- setEventMessages($langs->trans("ConfigurationUpdated"), null, 'mesgs');
 }
 
 // Get current mappings
@@ -72,6 +77,7 @@ print '
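Review bot: The new `if (!checkToken())` guard protects a state-changing action that is still accepted on any HTTP method, because `$action = GETPOST('action', 'alpha')` three lines above reads GET as well as POST in Dolibarr; pairing the token check with a method guard keeps the token out of URLs, referers and history: `if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !checkToken()) {`. `checkToken()` is not visible in this hunk — if it is a module-local helper rather than a core function, confirm it compares the submitted token with the session token using `hash_equals()` and fails closed when the session holds no token, rather than only testing that a `token` field is present. The account codes reach `$config->updateAccountMapping($line, $account_codes)` straight from `GETPOST(..., 'array')`, so any whitelist against the known chart-of-accounts codes presumably lives inside that method and is worth confirming. The enclosing `if ($action == 'update_mappings')` is fully inside the hunk, but the admin permission check for this page, if any, sits above line 37 and is not visible here.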
'; // Print configuration form print '
'; print ''; +print ''; print '
'; print '
' . $langs->trans("DeclarationTVAPCGMapping") . '
';
diff --git a/langs/en_US/declarationtva.lang b/langs/en_US/declarationtva.lang
index cec0999..828dc0e 100644
--- a/langs/en_US/declarationtva.lang
+++ b/langs/en_US/declarationtva.lang
@@ -369,3 +369,4 @@ AccountSelection = Account Selection
 SelectedAccounts = Selected Accounts
 AccountCount = Account Count
 MultiSelectHelp = Hold Ctrl (or Cmd on Mac) to select multiple accounts
+ErrorCSRFToken = Security token error. Please try again.
diff --git a/langs/fr_FR/declarationtva.lang b/langs/fr_FR/declarationtva.lang
index 6af63b9..356edbf 100644
--- a/langs/fr_FR/declarationtva.lang
+++ b/langs/fr_FR/declarationtva.lang
@@ -358,3 +358,4 @@ AccountSelection = Sélection de comptes
 SelectedAccounts = Comptes sélectionnés
 AccountCount = Nombre de comptes
 MultiSelectHelp = Maintenez Ctrl (ou Cmd sur Mac) pour sélectionner plusieurs comptes
+ErrorCSRFToken = Erreur de jeton de sécurité. Veuillez réessayer.