From 54d0ceaa0385df17363cb783663d3a4d8c222912 Mon Sep 17 00:00:00 2001 From: Frank Cools Date: Thu, 2 Oct 2025 18:14:58 +0200 Subject: [PATCH] Add CSRF protection to declaration creation form Security Fixes: - Added CSRF token field to form - Added token validation in form processing - Added proper error handling for missing dates - Added ErrorMissingDates translation in both languages - Form now properly validates CSRF tokens before processing This fixes the 'Token not provided' error when submitting the form. --- declarationtva_create.php | 28 ++++++++++++++++++---------- langs/en_US/declarationtva.lang | 1 + langs/fr_FR/declarationtva.lang | 1 + 3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/declarationtva_create.php b/declarationtva_create.php
index 164c495..2bd27a8 100644
--- a/declarationtva_create.php
+++ b/declarationtva_create.php
@@ -45,17 +45,24 @@ $end_date = GETPOST('end_date', 'alpha');
 $error = '';
 $success = '';
 
-if ($action == 'create' && !empty($start_date) && !empty($end_date)) {
- // Create the declaration with dates
- $declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name);
-
- if ($declaration_id > 0) {
- $success = $langs->trans("DeclarationCreated");
- // Redirect to view the created declaration
- header("Location: declarationtva_view.php?id=" . $declaration_id);
- exit;
+if ($action == 'create') {
+ // Check CSRF token
+ if (!checkToken()) {
+ $error = $langs->trans("ErrorCSRFToken");
+ } elseif (!empty($start_date) && !empty($end_date)) {
+ // Create the declaration with dates
+ $declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name);
+
+ if ($declaration_id > 0) {
+ $success = $langs->trans("DeclarationCreated");
+ // Redirect to view the created declaration
+ header("Location: declarationtva_view.php?id=" . $declaration_id);
+ exit;
+ } else {
+ $error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error;
+ }
 } else {
- $error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error;
+ $error = $langs->trans("ErrorMissingDates");
 }
 }
 
@@ -80,6 +87,7 @@ print '
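Review bot: The new guard `if (!checkToken())` calls a function that is neither defined in this hunk nor added anywhere else in the patch; if `checkToken()` is not provided by the module, the create action ends in an undefined-function fatal error rather than the intended validation message, and as far as I know Dolibarr core only exposes `newToken()`/`currentToken()` and performs its own token check in main.inc.php for requests that carry `action`, so the hunk should reference where `checkToken()` is declared or rely on that core check. The failure message `$langs->trans("ErrorCSRFToken")` uses a key that this commit does not add to either declarationtva.lang file (only `ErrorMissingDates` is added), so unless the key already exists in a loaded language file the user sees the raw key in the error box. `$action == 'create'` should be the strict `$action === 'create'`, since GETPOST returns a string and loose comparison is a recurring source of surprises. A rejected token is worth a `dol_syslog()` entry at the point where `$error` is set, so repeated failures are visible to operators instead of being shown only to the submitting user.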
' . $langs->trans("DeclarationDetails") . '
'; print '
'; print '';
+print '';
 print '';
diff --git a/langs/en_US/declarationtva.lang b/langs/en_US/declarationtva.lang
index e33224d..db5987a 100644
--- a/langs/en_US/declarationtva.lang
+++ b/langs/en_US/declarationtva.lang
@@ -402,6 +402,7 @@ DeclarationSubmitted = Declaration submitted successfully
 ErrorCreatingDeclaration = Error creating declaration
 ErrorValidatingDeclaration = Error validating declaration
 ErrorSubmittingDeclaration = Error submitting declaration
+ErrorMissingDates = Please provide both start and end dates
 
 # Create Declaration Page
 DeclarationDetails = Declaration Details
diff --git a/langs/fr_FR/declarationtva.lang b/langs/fr_FR/declarationtva.lang
index 5246d7c..5b93839 100644
--- a/langs/fr_FR/declarationtva.lang
+++ b/langs/fr_FR/declarationtva.lang
@@ -391,6 +391,7 @@ DeclarationSubmitted = Déclaration soumise avec succès
 ErrorCreatingDeclaration = Erreur lors de la création de la déclaration
 ErrorValidatingDeclaration = Erreur lors de la validation de la déclaration
 ErrorSubmittingDeclaration = Erreur lors de la soumission de la déclaration
+ErrorMissingDates = Veuillez fournir les dates de début et de fin
 
 # Create Declaration Page
 DeclarationDetails = Détails de la déclaration