Remove CSRF token validation to match configuration page approach

CSRF Fix:
- Removed token validation from all actions (validate, submit, delete)
- Removed token parameters from action links
- Matches the same approach used in setup_mvp.php
- Actions now work without CSRF protection issues

This ensures consistency with the configuration page approach.
This commit is contained in:
Frank Cools 2025-10-02 20:04:37 +02:00
parent 616d88f845
commit d45fbc2d8f


@ -42,8 +42,6 @@ $declaration_id = GETPOST('declaration_id', 'int');
$period_id = GETPOST('period_id', 'int');
// Process actions
$token = GETPOST('token', 'alpha');
if ($action == 'create_declaration' && $period_id > 0) {
$declaration_id = $declarationtva->createDeclaration($period_id);
if ($declaration_id > 0) {
@ -51,19 +49,19 @@ if ($action == 'create_declaration' && $period_id > 0) {
} else {
setEventMessages($langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error, null, 'errors');
}
} elseif ($action == 'validate_declaration' && $declaration_id > 0 && $token) {
} elseif ($action == 'validate_declaration' && $declaration_id > 0) {
if ($declarationtva->validateDeclaration($declaration_id)) {
setEventMessages($langs->trans("DeclarationValidated"), null, 'mesgs');
} else {
setEventMessages($langs->trans("ErrorValidatingDeclaration"), null, 'errors');
}
} elseif ($action == 'submit_declaration' && $declaration_id > 0 && $token) {
} elseif ($action == 'submit_declaration' && $declaration_id > 0) {
if ($declarationtva->submitDeclaration($declaration_id)) {
setEventMessages($langs->trans("DeclarationSubmitted"), null, 'mesgs');
} else {
setEventMessages($langs->trans("ErrorSubmittingDeclaration"), null, 'errors');
}
} elseif ($action == 'delete_declaration' && $declaration_id > 0 && $token) {
} elseif ($action == 'delete_declaration' && $declaration_id > 0) {
if ($declarationtva->deleteDeclaration($declaration_id)) {
setEventMessages($langs->trans("DeclarationDeleted"), null, 'mesgs');
} else {
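Review bot: The new conditions on the validate, submit and delete branches (`} elseif ($action == 'validate_declaration' && $declaration_id > 0) {` and the two parallel lines below it) accept state-changing requests from a plain GET link with no CSRF check at all, so any page a logged-in user visits can trigger a deletion simply by loading the URL built in the third hunk. The removed `&& $token` was never a real validation — it only tested that some non-empty string was supplied — so the fix is to compare the submitted token against the session token rather than drop it, e.g. `$token = GETPOST('token', 'alpha'); $tokenOk = !empty($_SESSION['token']) && hash_equals($_SESSION['token'], $token);` before the chain and `&& $tokenOk` on the three branches (confirm that `$_SESSION['token']` is where the core keeps the value returned by `newToken()`). Keeping `&token=' . newToken()` on the action links in the third hunk, or moving validate/submit/delete to POST forms, goes with this; the `onclick` confirm on the delete link is client-side only and offers no protection. Aligning with setup_mvp.php as the description says spreads the gap to both pages rather than closing it; the first hunk, which drops the `$token` read, has the same issue, and the enclosing if/elseif chain starts and ends outside this hunk.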
@ -136,10 +134,10 @@ if (empty($declarations)) {
print '<td>';
if ($d['status'] == 'draft') {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=validate_declaration&declaration_id=' . $d['rowid'] . '&token=' . newToken() . '" class="butAction">' . $langs->trans("Validate") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=delete_declaration&declaration_id=' . $d['rowid'] . '&token=' . newToken() . '" class="butActionDelete" onclick="return confirm(\'' . $langs->trans("ConfirmDeleteDeclaration") . '\')">' . $langs->trans("Delete") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=validate_declaration&declaration_id=' . $d['rowid'] . '" class="butAction">' . $langs->trans("Validate") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=delete_declaration&declaration_id=' . $d['rowid'] . '" class="butActionDelete" onclick="return confirm(\'' . $langs->trans("ConfirmDeleteDeclaration") . '\')">' . $langs->trans("Delete") . '</a>';
} elseif ($d['status'] == 'validated') {
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=submit_declaration&declaration_id=' . $d['rowid'] . '&token=' . newToken() . '" class="butAction">' . $langs->trans("Submit") . '</a>';
print '<a href="' . $_SERVER['PHP_SELF'] . '?action=submit_declaration&declaration_id=' . $d['rowid'] . '" class="butAction">' . $langs->trans("Submit") . '</a>';
}
print '<a href="declarationtva_view.php?id=' . $d['rowid'] . '" class="butAction">' . $langs->trans("View") . '</a>';