/**
 * Verifies the CSRF name/token pair submitted with a POST request, then
 * buffers the page so csrfguard_inject can add the token at shutdown.
 *
 * Requests without POST data are not checked. A missing or invalid pair
 * raises an E_USER_ERROR through trigger_error(); that halts the script
 * unless a custom error handler intercepts it.
 */
function csrfguard_start()
{
    $hasPostData = count($_POST) > 0;
    if ($hasPostData) {
        $hasName = isset($_POST['CSRFName']);
        $hasToken = isset($_POST['CSRFToken']);
        if (!$hasName || !$hasToken) {
            trigger_error("No CSRFName found, probable invalid request.", E_USER_ERROR);
        }
        $submittedName = $_POST['CSRFName'];
        $submittedToken = $_POST['CSRFToken'];
        $pairIsValid = csrfguard_validate_token($submittedName, $submittedToken);
        if (!$pairIsValid) {
            trigger_error("Invalid CSRF token.", E_USER_ERROR);
        }
    }
    // Buffer the output so the shutdown hook can inject the token into it.
    // The callback name is quoted to avoid a "Use of undefined constant
    // csrfguard_inject" notice.
    ob_start();
    register_shutdown_function("csrfguard_inject");
}
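/**
 * Validates the CSRF name/token pair found in $_POST. When POST data is
 * present and the pair is missing, blank or invalid, the user is redirected
 * to error.php and the script exits; nothing is returned in that case.
 *
 * Requests without POST data are not checked.
 *
 * @return void
 */
function csrfguard_start()
{
    if (count($_POST)) {
        if (!isset($_POST['CSRFName'])) {
            redirect($_SESSION['basehref'] . 'error.php?message=No CSRFName found, probable invalid request.');
            exit;
        }
        // 20151107
        // A missing token is treated as blank rather than read directly, so
        // it fails the length check below without an undefined-index notice.
        // Non-string values (e.g. CSRFName[] arrays) can never be valid tokens
        // and must not reach trim(); they are treated as blank for the same reason.
        $rawName = $_POST['CSRFName'];
        $rawToken = isset($_POST['CSRFToken']) ? $_POST['CSRFToken'] : '';
        $name = is_string($rawName) ? trim($rawName) : '';
        $token = is_string($rawToken) ? trim($rawToken) : '';
        $good = strlen($name) > 0 && strlen($token) > 0;
        if (!$good || !csrfguard_validate_token($name, $token)) {
            redirect($_SESSION['basehref'] . 'error.php?message=Invalid CSRF token.');
            exit;
        }
    }
}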
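 /**
  * A constructor for a CSRF object.
  *
  * When the request carries POST data, both CSRFName and CSRFToken must be
  * present and must validate; requests without POST data are not checked.
  *
  * @throws Exception when CSRFName or CSRFToken is expected and not found
  * @throws Exception when token or name is not as stored in session
  */
 public function __construct()
 {
     if (!empty($_POST)) {
         if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken'])) {
             // `new` is required: a bare `throw Exception(...)` calls an
             // undefined function named Exception instead of throwing.
             throw new Exception('No CSRFName found, probable invalid request.');
         }
         if (!csrfguard_validate_token($_POST['CSRFName'], $_POST['CSRFToken'])) {
             throw new Exception('Invalid CSRF token');
         }
     }
 }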
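/**
 * Verifies the CSRF name/token pair submitted with a POST request, then
 * starts output buffering so csrfguard_inject can add the token at shutdown.
 *
 * Requests without POST data are not checked. A missing or invalid pair
 * raises an E_USER_ERROR; that halts the script unless a custom error
 * handler intercepts it, so the reads below are guarded against a missing
 * index as well.
 */
function csrfguard_start()
{
    if (count($_POST)) {
        // Check both halves of the pair: a request with a name but no token
        // is as invalid as one with neither.
        if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken'])) {
            trigger_error("No CSRFName found, probable invalid request.", E_USER_ERROR);
        }
        $name = isset($_POST['CSRFName']) ? $_POST['CSRFName'] : '';
        $token = isset($_POST['CSRFToken']) ? $_POST['CSRFToken'] : '';
        if (!csrfguard_validate_token($name, $token)) {
            trigger_error("Invalid CSRF token.", E_USER_ERROR);
        }
    }
    ob_start();
    register_shutdown_function('csrfguard_inject');
}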
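// Look up the role the action targets. $doDelete defaults to false so the
// delete branch further down is taken only when the role exists and is not
// assigned to anyone; without the default it is an undefined variable for
// every other action.
$role = null;
$doDelete = false;
switch ($args->doAction) {
    case 'delete':
        $role = tlRole::getByID($db, $args->roleid, tlRole::TLOBJ_O_GET_DETAIL_MINIMUM);
        if ($role) {
            // A role still held by users must not be removed.
            $affectedUsers = $role->getAllUsersWithRole($db);
            $doDelete = count($affectedUsers) == 0;
        }
        break;
    default:
        break;
}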
// Perform the deletion only after the request proves it carries a valid
// CSRF id/token pair; anything else is logged and the script is aborted.
$userFeedback = null;
if ($doDelete) {
    $hasCsrfPair = $args->csrfid !== null && $args->csrftoken !== null;
    $csrfValid = $hasCsrfPair && csrfguard_validate_token($args->csrfid, $args->csrftoken);
    if (!$csrfValid) {
        $msg = lang_get('CSRF_attack');
        tLog($msg, 'ERROR');
        die($msg);
    }
    // Only NON SYSTEM roles can be deleted.
    if ($args->roleid > TL_LAST_SYSTEM_ROLE) {
        $userFeedback = deleteRole($db, $args->roleid);
        // refresh the current user
        checkSessionValid($db);
    }
}
// Reload the role list for display and mark the roles tab as the active one.
$detailLevel = tlRole::TLOBJ_O_GET_DETAIL_MINIMUM;
$roles = tlRole::getAll($db, null, null, null, $detailLevel);
$highlight = initialize_tabsmenu();
$highlight->view_roles = 1;