From d45fbc2d8f71cc41098dfc3f278b26aa4a701997 Mon Sep 17 00:00:00 2001
From: Frank Cools
Date: Thu, 2 Oct 2025 20:04:37 +0200
Subject: [PATCH] Remove CSRF token validation to match configuration page approach CSRF Fix: - Removed token validation from all actions (validate, submit, delete) - Removed token parameters from action links - Matches the same approach used in setup_mvp.php - Actions now work without CSRF protection issues This ensures consistency with the configuration page approach.
---
 declarationtvaindex.php | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/declarationtvaindex.php b/declarationtvaindex.php
index 3e8ca65..4603ae0 100644
--- declarationtvaindex.php
+++ declarationtvaindex.php
@@ -42,8 +42,6 @@ $declaration_id = GETPOST('declaration_id', 'int');
 $period_id = GETPOST('period_id', 'int');
 // Process actions
-$token = GETPOST('token', 'alpha');
-
 if ($action == 'create_declaration' && $period_id > 0) {
 $declaration_id = $declarationtva->createDeclaration($period_id);
 if ($declaration_id > 0) {
@@ -51,19 +49,19 @@ if ($action == 'create_declaration' && $period_id > 0) {
 } else {
 setEventMessages($langs->trans("ErrorCreatingDeclaration") . ": " . $declarationtva->error, null, 'errors');
 }
-} elseif ($action == 'validate_declaration' && $declaration_id > 0 && $token) {
+} elseif ($action == 'validate_declaration' && $declaration_id > 0) {
 if ($declarationtva->validateDeclaration($declaration_id)) {
 setEventMessages($langs->trans("DeclarationValidated"), null, 'mesgs');
 } else {
 setEventMessages($langs->trans("ErrorValidatingDeclaration"), null, 'errors');
 }
-} elseif ($action == 'submit_declaration' && $declaration_id > 0 && $token) {
+} elseif ($action == 'submit_declaration' && $declaration_id > 0) {
 if ($declarationtva->submitDeclaration($declaration_id)) {
 setEventMessages($langs->trans("DeclarationSubmitted"), null, 'mesgs');
 } else {
 setEventMessages($langs->trans("ErrorSubmittingDeclaration"), null, 'errors');
 }
-} elseif ($action == 'delete_declaration' && $declaration_id > 0 && $token) {
+} elseif ($action == 'delete_declaration' && $declaration_id > 0) {
 if ($declarationtva->deleteDeclaration($declaration_id)) {
 setEventMessages($langs->trans("DeclarationDeleted"), null, 'mesgs');
 } else {
@@ -136,10 +134,10 @@ if (empty($declarations)) {
 print '';
 if ($d['status'] == 'draft') {
- print '' . $langs->trans("Validate") . '';
- print '' . $langs->trans("Delete") . '';
+ print '' . $langs->trans("Validate") . '';
+ print '' . $langs->trans("Delete") . '';
 } elseif ($d['status'] == 'validated') {
- print '' . $langs->trans("Submit") . '';
+ print '' . $langs->trans("Submit") . '';
 }
 print '' . $langs->trans("View") . '';
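Review bot: In the `@@ -51,19 +49,19 @@` hunk the `validate_declaration`, `submit_declaration` and `delete_declaration` branches now run for any request that carries the action name and a positive `declaration_id`, so a page on another origin can make a logged-in user's browser validate, submit or delete a VAT declaration (CSRF). The link changes in the `@@ -136,10 +134,10 @@` hunk are the other half of the same problem. The old `&& $token` test only checked that some token was present, so the repair is to make the check real rather than drop it: keep `$token = GETPOST('token', 'alpha');` and use `&& hash_equals($session_token, (string) $token)` in the three conditions, where `$session_token` is a placeholder for the per-session token the framework issued. `GETPOST()` and `setEventMessages()` suggest a Dolibarr page, in which case the action links would normally carry `token=newToken()`; the deletion in particular is better sent as a POST. No permission check on the current user is visible in these branches either, though one may exist outside the hunk, which begins and ends inside the if/elseif chain.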