Add CSRF protection to declaration creation form

Security Fixes: - Added CSRF token field to form - Added token validation in form processing - Added proper error handling for missing dates - Added ErrorMissingDates translation in both languages - Form now properly validates CSRF tokens before processing This fixes the 'Token not provided' error when submitting the form.
2025-10-02 18:14:58 +02:00 · 2025-10-02 18:14:58 +02:00 · 54d0ceaa03
commit 54d0ceaa03
parent e64c1f5a6d
3 changed files with 20 additions and 10 deletions
--- a/declarationtva_create.php
+++ b/declarationtva_create.php
@ -45,17 +45,24 @@ $end_date = GETPOST('end_date', 'alpha');
 $error = '';
 $success = '';

-if ($action == 'create' && !empty($start_date) && !empty($end_date)) {
-    // Create the declaration with dates
-    $declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name);
+if ($action == 'create') {
+    // Check CSRF token
+    if (!checkToken()) {
+        $error = $langs->trans("ErrorCSRFToken");
+    } elseif (!empty($start_date) && !empty($end_date)) {
+        // Create the declaration with dates
+        $declaration_id = $declarationtva->createDeclarationWithDates($start_date, $end_date, $declaration_name);
        
-    if ($declaration_id > 0) {
-        $success = $langs->trans("DeclarationCreated");
-        // Redirect to view the created declaration
-        header("Location: declarationtva_view.php?id=" . $declaration_id);
-        exit;
+        if ($declaration_id > 0) {
+            $success = $langs->trans("DeclarationCreated");
+            // Redirect to view the created declaration
+            header("Location: declarationtva_view.php?id=" . $declaration_id);
+            exit;
+        } else {
+            $error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error;
+        }
    } else {
-        $error = $langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error;
+        $error = $langs->trans("ErrorMissingDates");
    }
 }

@ -80,6 +87,7 @@ print '<div class="titre">' . $langs->trans("DeclarationDetails") . '</div>';

 print '<form method="POST" action="' . $_SERVER['PHP_SELF'] . '">';
 print '<input type="hidden" name="action" value="create">';
+print '<input type="hidden" name="token" value="' . newToken() . '">';

 print '<table class="noborder centpercent">';

--- a/langs/en_US/declarationtva.lang
+++ b/langs/en_US/declarationtva.lang
@ -402,6 +402,7 @@ DeclarationSubmitted = Declaration submitted successfully
 ErrorCreatingDeclaration = Error creating declaration
 ErrorValidatingDeclaration = Error validating declaration
 ErrorSubmittingDeclaration = Error submitting declaration
+ErrorMissingDates = Please provide both start and end dates

 # Create Declaration Page
 DeclarationDetails = Declaration Details
--- a/langs/fr_FR/declarationtva.lang
+++ b/langs/fr_FR/declarationtva.lang
@ -391,6 +391,7 @@ DeclarationSubmitted = Déclaration soumise avec succès
 ErrorCreatingDeclaration = Erreur lors de la création de la déclaration
 ErrorValidatingDeclaration = Erreur lors de la validation de la déclaration
 ErrorSubmittingDeclaration = Erreur lors de la soumission de la déclaration
+ErrorMissingDates = Veuillez fournir les dates de début et de fin

 # Create Declaration Page
 DeclarationDetails = Détails de la déclaration