Add CSRF tokens back for action links to fix Dolibarr protection

This commit is contained in:
Frank Cools 2025-10-02 20:05:57 +02:00
parent d45fbc2d8f
commit 3fc6d1a3f2


@ -42,6 +42,8 @@ $declaration_id = GETPOST('declaration_id', 'int');
$period_id = GETPOST('period_id', 'int');
// Process actions
$token = GETPOST('token', 'alpha');
if ($action == 'create_declaration' && $period_id > 0) {
$declaration_id = $declarationtva->createDeclaration($period_id);
if ($declaration_id > 0) {
@ -49,19 +51,19 @@ if ($action == 'create_declaration' && $period_id > 0) {
} else {
setEventMessages($langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error, null, 'errors');
}
} elseif ($action == 'validate_declaration' && $declaration_id > 0) {
} elseif ($action == 'validate_declaration' && $declaration_id > 0 && $token) {
if ($declarationtva->validateDeclaration($declaration_id)) {
setEventMessages($langs->trans("DeclarationValidated"), null, 'mesgs');
} else {
setEventMessages($langs->trans("ErrorValidatingDeclaration"), null, 'errors');
}
} elseif ($action == 'submit_declaration' && $declaration_id > 0) {
} elseif ($action == 'submit_declaration' && $declaration_id > 0 && $token) {
if ($declarationtva->submitDeclaration($declaration_id)) {
setEventMessages($langs->trans("DeclarationSubmitted"), null, 'mesgs');
} else {
setEventMessages($langs->trans("ErrorSubmittingDeclaration"), null, 'errors');
}
} elseif ($action == 'delete_declaration' && $declaration_id > 0) {
} elseif ($action == 'delete_declaration' && $declaration_id > 0 && $token) {
if ($declarationtva->deleteDeclaration($declaration_id)) {
setEventMessages($langs->trans("DeclarationDeleted"), null, 'mesgs');
} else {
@ -134,10 +136,10 @@ if (empty($declarations)) {
print '<td>';
if ($d['status'] == 'draft') {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=validate_declaration&declaration_id=' . $d['rowid'] . '" class="butAction">' . $langs->trans("Validate") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=delete_declaration&declaration_id=' . $d['rowid'] . '" class="butActionDelete" onclick="return confirm(\'' . $langs->trans("ConfirmDeleteDeclaration") . '\')">' . $langs->trans("Delete") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=validate_declaration&declaration_id=' . $d['rowid'] . '&token=' . newToken() . '" class="butAction">' . $langs->trans("Validate") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=delete_declaration&declaration_id=' . $d['rowid'] . '&token=' . newToken() . '" class="butActionDelete" onclick="return confirm(\'' . $langs->trans("ConfirmDeleteDeclaration") . '\')">' . $langs->trans("Delete") . '</a>';
} elseif ($d['status'] == 'validated') {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=submit_declaration&declaration_id=' . $d['rowid'] . '" class="butAction">' . $langs->trans("Submit") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=submit_declaration&declaration_id=' . $d['rowid'] . '&token=' . newToken() . '" class="butAction">' . $langs->trans("Submit") . '</a>';
}
print '<a href="declarationtva_view.php?id=' . $d['rowid'] . '" class="butAction">' . $langs->trans("View") . '</a>';
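Review bot: The guards added on lines 22, 29 and 36 only test that a `token` parameter is present (`&& $token`), not that its value equals the session token, so a crafted link carrying any non-empty `token=` value still satisfies the condition. Whether the value is actually compared depends on Dolibarr's central CSRF check in main.inc.php, which for GET requests is applied only to certain action names and `MAIN_SECURITY_CSRF_WITH_TOKEN` levels; as far as I can tell from this hunk, `validate_declaration` and `submit_declaration` are not guaranteed to be covered by it. The robust option is to emit the Validate/Submit/Delete actions on lines 45, 46 and 49 as small POST forms with a hidden `token` field so the central comparison always applies; if the page relies on the central check instead, say so above line 13, e.g. `// Presence check only: the token value is compared by the main.inc.php CSRF check (MAIN_SECURITY_CSRF_WITH_TOKEN).` The action-dispatch chain and the table-rendering loop both start and continue outside these hunks.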