Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Protect page for module management with token even for GET action

Browse Source
This commit is contained in:
Laurent Destailleur
2020-10-17 14:01:09 +02:00
parent 20b6d3828e
commit 27698ab5c7
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/admin/modules.php
View File

@@ -28,6 +28,8 @@
* \brief Page to activate/disable all modules * \brief Page to activate/disable all modules
*/ */
if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET
require '../main.inc.php'; require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@@ -701,11 +703,11 @@ if ($mode == 'common' || $mode == 'commonkanban')
if (!empty($conf->multicompany->enabled) && $user->entity) $disableSetup++; if (!empty($conf->multicompany->enabled) && $user->entity) $disableSetup++;
} else { } else {
if (!empty($objMod->warnings_unactivation[$mysoc->country_code]) && method_exists($objMod, 'alreadyUsed') && $objMod->alreadyUsed()) { if (!empty($objMod->warnings_unactivation[$mysoc->country_code]) && method_exists($objMod, 'alreadyUsed') && $objMod->alreadyUsed()) {
$codeenabledisable .= '<a class="reposition valignmiddle" href="'.$_SERVER["PHP_SELF"].'?id='.$objMod->numero.'&amp;module_position='.$module_position.'&amp;action=reset_confirm&amp;confirm_message_code='.$objMod->warnings_unactivation[$mysoc->country_code].'&amp;value='.$modName.'&amp;mode='.$mode.$param.'">'; $codeenabledisable .= '<a class="reposition valignmiddle" href="'.$_SERVER["PHP_SELF"].'?id='.$objMod->numero.'&amp;token='.newToken().'&amp;module_position='.$module_position.'&amp;action=reset_confirm&amp;confirm_message_code='.$objMod->warnings_unactivation[$mysoc->country_code].'&amp;value='.$modName.'&amp;mode='.$mode.$param.'">';
$codeenabledisable .= img_picto($langs->trans("Activated"), 'switch_on'); $codeenabledisable .= img_picto($langs->trans("Activated"), 'switch_on');
$codeenabledisable .= '</a>'; $codeenabledisable .= '</a>';
} else { } else {
$codeenabledisable .= '<a class="reposition valignmiddle" href="'.$_SERVER["PHP_SELF"].'?id='.$objMod->numero.'&amp;module_position='.$module_position.'&amp;action=reset&amp;value='.$modName.'&amp;mode='.$mode.'&amp;confirm=yes'.$param.'">'; $codeenabledisable .= '<a class="reposition valignmiddle" href="'.$_SERVER["PHP_SELF"].'?id='.$objMod->numero.'&amp;token='.newToken().'&amp;module_position='.$module_position.'&amp;action=reset&amp;value='.$modName.'&amp;mode='.$mode.'&amp;confirm=yes'.$param.'">';
$codeenabledisable .= img_picto($langs->trans("Activated"), 'switch_on'); $codeenabledisable .= img_picto($langs->trans("Activated"), 'switch_on');
$codeenabledisable .= '</a>'; $codeenabledisable .= '</a>';
} }
@@ -1151,8 +1153,6 @@ if ($mode == 'develop')
print '<tr class="oddeven" height="80">'."\n"; print '<tr class="oddeven" height="80">'."\n";
print '<td class="left">'; print '<td class="left">';
//span class="fa fa-bug"></span>
//print '<img border="0" class="imgautosize imgmaxwidth180" src="'.DOL_URL_ROOT.'/theme/dolibarr_preferred_partner.png">';
print '<div class="imgmaxheight50 logo_setup"></div>'; print '<div class="imgmaxheight50 logo_setup"></div>';
print '</td>'; print '</td>';
print '<td>'.$langs->trans("TryToUseTheModuleBuilder", $langs->transnoentitiesnoconv("ModuleBuilder")).'</td>'; print '<td>'.$langs->trans("TryToUseTheModuleBuilder", $langs->transnoentitiesnoconv("ModuleBuilder")).'</td>';