From f3062fb5d328b1a0b0a522e7cb1d6367311b3fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Sun, 17 Oct 2021 16:48:18 +0200
Subject: [PATCH 1/9] implement csrf token check for popup message

---
 .../modules/documents-files/documents_files_function.php     | 2 +-
 adm_program/system/js/common_functions.js                    | 5 +++--
 adm_program/system/popup_message.php                         | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/adm_program/modules/documents-files/documents_files_function.php b/adm_program/modules/documents-files/documents_files_function.php
index 57d432f1f..737ff9729 100644
--- a/adm_program/modules/documents-files/documents_files_function.php
+++ b/adm_program/modules/documents-files/documents_files_function.php
@@ -68,7 +68,7 @@
 }
 
 // check the CSRF token of the form against the session token
-if(in_array($getMode, array(3, 4, 7)))
+if(in_array($getMode, array(2, 3, 4, 5, 7)))
 {
     try
     {
diff --git a/adm_program/system/js/common_functions.js b/adm_program/system/js/common_functions.js
index 05191c45a..a87768bcb 100644
--- a/adm_program/system/js/common_functions.js
+++ b/adm_program/system/js/common_functions.js
@@ -32,13 +32,14 @@ function showHideBlock(elementId) {
  * the element will be hidden otherwise the data will be shown in an error block.
  * @param {string}   elementId  This is the id of a html element that should be hidden.
  * @param {string}   url        This is the url that will be called.
+ * @param {string}   csrfToken  If this is set than it will be added to the post request.
  * @param {function} [callback] A name of a function that should be called if the return was positive.
  */
-function callUrlHideElement(elementId, url, callback) {
+function callUrlHideElement(elementId, url, csrfToken, callback) {
     var entryDeleted = document.getElementById(elementId);
 
     // send RequestObject and delete entry
-    $.get(url, function(data) {
+    $.post(url, {"admidio-csrf-token": csrfToken}, function(data) {
         if (data === "done") {
             $("#admidio-modal").modal("hide");
 
diff --git a/adm_program/system/popup_message.php b/adm_program/system/popup_message.php
index 97af06bf0..71ef0e28f 100644
--- a/adm_program/system/popup_message.php
+++ b/adm_program/system/popup_message.php
@@ -159,7 +159,7 @@
     <div id="message_text" class="col-10">'.$gL10n->get($text, array($getName, '')).'</div>
 </div>
 <div class="modal-footer">
-    <button id="btn_yes" class="btn btn-primary" type="button" onclick="callUrlHideElement(\''.$getElementId.'\', \''.$url.'\''.$callbackFunction.')">
+    <button id="btn_yes" class="btn btn-primary" type="button" onclick="callUrlHideElement(\''.$getElementId.'\', \''.$url.'\', \''.$gCurrentSession->getCsrfToken().'\''.$callbackFunction.')">
         <i class="fas fa-check-circle"></i>'.$gL10n->get('SYS_YES').'&nbsp;&nbsp;
     </button>
     <button id="btn_no" class="btn btn-secondary" type="button" data-dismiss="modal">

From 844bec551bb51f8f3dd9454954c0e7cf2f3cb4e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Mon, 18 Oct 2021 09:34:22 +0200
Subject: [PATCH 2/9] add csrf token check to more delete methods

---
 .../announcements/announcements_function.php  | 19 ++++++++--
 .../modules/backup/backup_file_function.php   | 29 +++++++++------
 adm_program/modules/categories/categories.php |  6 ++--
 .../categories/categories_function.php        | 36 ++++++++++++-------
 adm_program/system/classes/TableCategory.php  | 17 +++++----
 adm_program/system/js/common_functions.js     | 23 ++++++------
 6 files changed, 85 insertions(+), 45 deletions(-)

diff --git a/adm_program/modules/announcements/announcements_function.php b/adm_program/modules/announcements/announcements_function.php
index da8036565..745904e90 100644
--- a/adm_program/modules/announcements/announcements_function.php
+++ b/adm_program/modules/announcements/announcements_function.php
@@ -55,6 +55,22 @@
 
 $_SESSION['announcements_request'] = $_POST;
 
+try
+{
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $e)
+{
+    if($getMode === 1) {
+        $e->showHtml();
+    }
+    else {
+        $e->showText();
+    }
+    // => EXIT
+}
+
 if($getMode === 1)
 {
     if(strlen($_POST['ann_headline']) === 0)
@@ -79,9 +95,6 @@
 
     try
     {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-
         // write POST parameters in announcement object
         foreach($_POST as $key => $value) // TODO possible security issue
         {
diff --git a/adm_program/modules/backup/backup_file_function.php b/adm_program/modules/backup/backup_file_function.php
index 130da1d0a..7eeac8c3c 100644
--- a/adm_program/modules/backup/backup_file_function.php
+++ b/adm_program/modules/backup/backup_file_function.php
@@ -1,7 +1,7 @@
 <?php
 /**
  ***********************************************************************************************
- * Backup
+ * Backup functions
  *
  * @copyright 2004-2021 The Admidio Team
  * @see https://www.admidio.org/
@@ -9,9 +9,9 @@
  *
  * Parameters:
  *
- * job      - get_file : die uebergebene Backupdatei wird heruntergeladen
- *          - delete   : die uebergebene Backupdatei wird geloescht
- * filename : Der Name der Datei, welche heruntergeladen werden soll
+ * job - get_file : download backup file
+ *     - delete   : delete backup file
+ * filename       : The name of the file to be used
  ***********************************************************************************************
  */
 require_once(__DIR__ . '/../../system/common.php');
@@ -30,10 +30,10 @@
 
 $backupAbsolutePath = ADMIDIO_PATH . FOLDER_DATA . '/backup/'; // make sure to include trailing slash
 
-// kompletten Pfad der Datei holen
+// get complete path of the file
 $completePath = $backupAbsolutePath.$getFilename;
 
-// pruefen ob File ueberhaupt physikalisch existiert
+// check if file exists physically at all
 if(!is_file($completePath))
 {
     $gMessage->show($gL10n->get('SYS_FILE_NOT_EXIST'));
@@ -43,11 +43,11 @@
 switch($getJob)
 {
     case 'get_file':
-        // Dateigroese ermitteln
+        // Determine file size
         $fileSize = filesize($completePath);
         $filename = FileSystemUtils::getSanitizedPathEntry($getFilename);
 
-        // Passenden Datentyp erzeugen.
+        // Create suitable data type
         header('Content-Type: application/octet-stream');
         header('Content-Length: '.$fileSize);
         header('Content-Disposition: attachment; filename="'.$filename.'"');
@@ -56,17 +56,26 @@
         header('Cache-Control: private');
         header('Pragma: public');
 
-        // Datei ausgeben.
+        // get file output
         readfile($completePath);
         break;
 
     case 'delete':
-        // Backupdatei loeschen
+        // Delete backup file
+
         try
         {
+            // check the CSRF token of the form against the session token
+            SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+
             FileSystemUtils::deleteFileIfExists($completePath);
             echo 'done';
         }
+        catch(AdmException $e)
+        {
+            $e->showText();
+            // => EXIT
+        }
         catch (\RuntimeException $exception)
         {
             $gLogger->error('Could not delete file!', array('filePath' => $completePath));
diff --git a/adm_program/modules/categories/categories.php b/adm_program/modules/categories/categories.php
index 4b8f6c38b..373988c7a 100644
--- a/adm_program/modules/categories/categories.php
+++ b/adm_program/modules/categories/categories.php
@@ -194,10 +194,12 @@
     if($category->getValue('cat_system') == 0 || $getType !== 'USF')
     {
         $htmlMoveRow = '<a class="admidio-icon-link" href="javascript:void(0)" onclick="moveTableRow(\''.TableCategory::MOVE_UP.'\', \'row_'.$categoryUuid.'\',
-                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/categories/categories_function.php', array('type' => $getType, 'mode' => 4, 'cat_uuid' => $categoryUuid, 'sequence' => TableCategory::MOVE_UP)) . '\')">'.
+                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/categories/categories_function.php', array('type' => $getType, 'mode' => 4, 'cat_uuid' => $categoryUuid, 'sequence' => TableCategory::MOVE_UP)) . '\',
+                            \''.$gCurrentSession->getCsrfToken().'\')">'.
                             '<i class="fas fa-chevron-circle-up" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_UP', array($addButtonText)) . '"></i></a>
                         <a class="admidio-icon-link" href="javascript:void(0)" onclick="moveTableRow(\''.TableCategory::MOVE_DOWN.'\', \'row_'.$categoryUuid.'\',
-                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/categories/categories_function.php', array('type' => $getType, 'mode' => 4, 'cat_uuid' => $categoryUuid, 'sequence' => TableCategory::MOVE_DOWN)) . '\')">'.
+                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/categories/categories_function.php', array('type' => $getType, 'mode' => 4, 'cat_uuid' => $categoryUuid, 'sequence' => TableCategory::MOVE_DOWN)) . '\',
+                            \''.$gCurrentSession->getCsrfToken().'\')">'.
                             '<i class="fas fa-chevron-circle-down" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_DOWN', array($addButtonText)) . '"></i></a>';
     }
 
diff --git a/adm_program/modules/categories/categories_function.php b/adm_program/modules/categories/categories_function.php
index 40235baf5..c3c09c93c 100644
--- a/adm_program/modules/categories/categories_function.php
+++ b/adm_program/modules/categories/categories_function.php
@@ -28,7 +28,6 @@
 $getCatUuid = admFuncVariableIsValid($_GET, 'cat_uuid', 'string');
 $getType    = admFuncVariableIsValid($_GET, 'type',   'string', array('requireValue' => true, 'validValues' => array('ROL', 'LNK', 'USF', 'ANN', 'DAT', 'AWA')));
 $getMode    = admFuncVariableIsValid($_GET, 'mode',   'int',    array('requireValue' => true));
-$getTitle   = admFuncVariableIsValid($_GET, 'title',  'string', array('defaultValue' => $gL10n->get('SYS_CATEGORY')));
 
 // set text strings for the different modules
 switch ($getType)
@@ -58,6 +57,22 @@
         $component = '';
 }
 
+try
+{
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception)
+{
+    if($getMode === 1) {
+        $exception->showHtml();
+    }
+    else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 // check if the current user has the right to
 if(!Component::isAdministrable($component))
 {
@@ -99,17 +114,6 @@
 
     $_SESSION['categories_request'] = $_POST;
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if((!array_key_exists('cat_name', $_POST) || $_POST['cat_name'] === '') && $category->getValue('cat_system') == 0)
     {
         $gMessage->show($gL10n->get('SYS_FIELD_EMPTY', array($gL10n->get('SYS_NAME'))));
@@ -268,6 +272,7 @@
         if($category->delete())
         {
             echo 'done';
+            exit();
         }
     }
     catch(AdmException $e)
@@ -281,6 +286,11 @@
     // Kategoriereihenfolge aktualisieren
     $getSequence = admFuncVariableIsValid($_GET, 'sequence', 'string', array('validValues' => array(TableCategory::MOVE_UP, TableCategory::MOVE_DOWN)));
 
-    $category->moveSequence($getSequence);
+    if($category->moveSequence($getSequence)) {
+        echo 'done';
+    }
+    else {
+        echo 'Sequence could not be changed.';
+    }
     exit();
 }
diff --git a/adm_program/system/classes/TableCategory.php b/adm_program/system/classes/TableCategory.php
index 5d90dbfb9..93cd8e727 100644
--- a/adm_program/system/classes/TableCategory.php
+++ b/adm_program/system/classes/TableCategory.php
@@ -277,11 +277,10 @@ public function isVisible()
     /**
      * Change the internal sequence of this category. It can be moved one place up or down
      * @param string $mode This could be **UP** or **DOWN**.
+     * @return Return true if the sequence of the category could be changed, otherwise false.
      */
     public function moveSequence($mode)
     {
-        global $gCurrentOrganization;
-
         $catType = $this->getValue('cat_type');
 
         // count all categories that are organization independent because these categories should not
@@ -300,12 +299,12 @@ public function moveSequence($mode)
         $sql = 'UPDATE '.TBL_CATEGORIES.'
                    SET cat_sequence = ? -- $catSequence
                  WHERE cat_type     = ? -- $catType
-                   AND ( cat_org_id = ? -- $gCurrentOrganization->getValue(\'org_id\')
+                   AND ( cat_org_id = ? -- $GLOBALS[\'gCurrentOrganization\']->getValue(\'org_id\')
                        OR cat_org_id IS NULL )
                    AND cat_sequence = ? -- $catSequence';
-        $queryParams = array($catSequence, $catType, (int) $gCurrentOrganization->getValue('org_id'));
+        $queryParams = array($catSequence, $catType, (int) $GLOBALS['gCurrentOrganization']->getValue('org_id'));
 
-        // die Kategorie wird um eine Nummer gesenkt und wird somit in der Liste weiter nach oben geschoben
+        // the category is lowered by one number and is thus moved up in the list
         if ($mode === self::MOVE_UP)
         {
             if ($catOrgId === 0 || $catSequence > $rowCount + 1)
@@ -315,7 +314,7 @@ public function moveSequence($mode)
                 $this->setValue('cat_sequence', $catSequence - 1);
             }
         }
-        // die Kategorie wird um eine Nummer erhoeht und wird somit in der Liste weiter nach unten geschoben
+        // the category will be increased by one number and thus will be moved further down in the list
         elseif ($mode === self::MOVE_DOWN)
         {
             if ($catOrgId > 0 || $catSequence < $rowCount)
@@ -325,8 +324,12 @@ public function moveSequence($mode)
                 $this->setValue('cat_sequence', $catSequence + 1);
             }
         }
+        else
+        {
+            return false;
+        }
 
-        $this->save();
+        return $this->save();
     }
 
     /**
diff --git a/adm_program/system/js/common_functions.js b/adm_program/system/js/common_functions.js
index a87768bcb..454070f9c 100644
--- a/adm_program/system/js/common_functions.js
+++ b/adm_program/system/js/common_functions.js
@@ -161,16 +161,19 @@ function redirectPost(url, data) {
  *                 Valid values are UP or DOWN.
  * @param {string} elementId Id of the row that should be moved
  * @param {string} updateSequenceUrl Url to update the sequence of the element in the database
+ * @param {string} csrfToken  If this is set than it will be added to the post request.
  */
-function moveTableRow(direction, elementId, updateSequenceUrl) {
-    var id = "#"+elementId;
-    $(".admidio-icon-link .fas").tooltip("hide");
-
-    if (direction === "UP") {
-        $(id).prev().before($(id));
-    } else {
-        $(id).next().after($(id));
-    }
+function moveTableRow(direction, elementId, updateSequenceUrl, csrfToken) {
+    $.post(updateSequenceUrl, {"admidio-csrf-token": csrfToken}, function(data) {
+        if (data === "done") {
+            var id = "#" + elementId;
+            $(".admidio-icon-link .fas").tooltip("hide");
 
-    $.get(updateSequenceUrl);
+            if (direction === "UP") {
+                $(id).prev().before($(id));
+            } else {
+                $(id).next().after($(id));
+            }
+        }
+    });
 }

From dcb1ccc902ae2d1cb560a750a8e167624af6b9ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Mon, 18 Oct 2021 11:28:37 +0200
Subject: [PATCH 3/9] add more csrf token checks

---
 adm_program/modules/menu/menu.php             |  6 ++--
 adm_program/modules/menu/menu_function.php    | 33 +++++++++++--------
 .../modules/profile-fields/profile_fields.php |  8 +++--
 .../profile_fields_function.php               | 20 +++++++++--
 .../profile-fields/profile_fields_new.php     |  2 +-
 adm_program/system/classes/TableCategory.php  |  2 +-
 adm_program/system/classes/TableMenu.php      |  7 ++--
 adm_program/system/classes/TableUserField.php |  6 ++--
 adm_program/system/js/common_functions.js     |  4 +++
 9 files changed, 62 insertions(+), 26 deletions(-)

diff --git a/adm_program/modules/menu/menu.php b/adm_program/modules/menu/menu.php
index 0985862b4..61fcdb246 100644
--- a/adm_program/modules/menu/menu.php
+++ b/adm_program/modules/menu/menu.php
@@ -96,10 +96,12 @@
         }
 
         $htmlMoveRow = '<a class="admidio-icon-link" href="javascript:moveTableRow(\'UP\', \'row_men_'.$menuRow['men_uuid'].'\',
-                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/menu/menu_function.php', array('mode' => 3, 'menu_uuid' => $menuRow['men_uuid'], 'sequence' => 'UP')) . '\')">'.
+                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/menu/menu_function.php', array('mode' => 3, 'menu_uuid' => $menuRow['men_uuid'], 'sequence' => 'UP')) . '\',
+                            \''.$gCurrentSession->getCsrfToken().'\')">'.
                             '<i class="fas fa-chevron-circle-up" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_UP', array($headline)) . '"></i></a>
                         <a class="admidio-icon-link" href="javascript:moveTableRow(\'DOWN\', \'row_men_'.$menuRow['men_uuid'].'\',
-                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/menu/menu_function.php', array('mode' => 3, 'menu_uuid' => $menuRow['men_uuid'], 'sequence' => 'DOWN')) . '\')">'.
+                            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/menu/menu_function.php', array('mode' => 3, 'menu_uuid' => $menuRow['men_uuid'], 'sequence' => 'DOWN')) . '\',
+                            \''.$gCurrentSession->getCsrfToken().'\')">'.
                             '<i class="fas fa-chevron-circle-down" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_DOWN', array($headline)) . '"></i></a>';
 
         $htmlStandardMenu = '&nbsp;';
diff --git a/adm_program/modules/menu/menu_function.php b/adm_program/modules/menu/menu_function.php
index 4673e1c90..e79f3a01a 100644
--- a/adm_program/modules/menu/menu_function.php
+++ b/adm_program/modules/menu/menu_function.php
@@ -41,22 +41,24 @@
     $menu->readDataByUuid($getMenuUuid);
 }
 
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception) {
+    if($getMode === 1) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 // create menu or update it
 if($getMode === 1)
 {
     $_SESSION['menu_request'] = $_POST;
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     $postIdParent = admFuncVariableIsValid($_POST, 'men_men_id_parent', 'int');
     $postComId    = admFuncVariableIsValid($_POST, 'men_com_id',        'int');
     $postName     = admFuncVariableIsValid($_POST, 'men_name',          'string', array('default' => ''));
@@ -152,10 +154,15 @@
     {
         echo 'done';
     }
+    exit();
 }
 elseif($getMode === 3)
 {
-    // Update menu order
-    $menu->moveSequence($getSequence);
+    // Update menu sequence
+    if($menu->moveSequence($getSequence)) {
+        echo 'done';
+    } else {
+        echo 'Sequence could not be changed.';
+    }
     exit();
 }
diff --git a/adm_program/modules/profile-fields/profile_fields.php b/adm_program/modules/profile-fields/profile_fields.php
index 7561c9d71..d041e4dda 100644
--- a/adm_program/modules/profile-fields/profile_fields.php
+++ b/adm_program/modules/profile-fields/profile_fields.php
@@ -12,7 +12,7 @@
 require_once(__DIR__ . '/../../system/common.php');
 require(__DIR__ . '/../../system/login_valid.php');
 
-// nur berechtigte User duerfen die Profilfelder bearbeiten
+// only authorized users can edit the profile fields
 if (!$gCurrentUser->isAdministrator())
 {
     $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
@@ -201,10 +201,12 @@
     $columnValues = array(
         '<a href="'.SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/profile-fields/profile_fields_new.php', array('usf_uuid' => $usfUuid)).'">'.$userField->getValue('usf_name').'</a>',
         '<a class="admidio-icon-link" href="javascript:void(0)" onclick="moveTableRow(\''.TableUserField::MOVE_UP.'\', \'row_usf_'.$usfUuid.'\',
-            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile-fields/profile_fields_function.php', array('mode' => 4, 'usf_uuid' => $usfUuid, 'sequence' => TableUserField::MOVE_UP)) . '\')">'.
+            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile-fields/profile_fields_function.php', array('mode' => 4, 'usf_uuid' => $usfUuid, 'sequence' => TableUserField::MOVE_UP)) . '\',
+            \''.$gCurrentSession->getCsrfToken().'\')">'.
             '<i class="fas fa-chevron-circle-up" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_UP', array('SYS_PROFILE_FIELD')) . '"></i></a>
         <a class="admidio-icon-link" href="javascript:void(0)" onclick="moveTableRow(\''.TableUserField::MOVE_DOWN.'\', \'row_usf_'.$usfUuid.'\',
-            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile-fields/profile_fields_function.php', array('mode' => 4, 'usf_uuid' => $usfUuid, 'sequence' => TableUserField::MOVE_DOWN)) . '\')">'.
+            \''.SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile-fields/profile_fields_function.php', array('mode' => 4, 'usf_uuid' => $usfUuid, 'sequence' => TableUserField::MOVE_DOWN)) . '\',
+            \''.$gCurrentSession->getCsrfToken().'\')">'.
             '<i class="fas fa-chevron-circle-down" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_DOWN', array('SYS_PROFILE_FIELD')) . '"></i></a>
         <a class="admidio-icon-link">'.
             '<i class="fas fa-arrows-alt handle" data-toggle="tooltip" title="' . $gL10n->get('SYS_MOVE_VAR', array('SYS_PROFILE_FIELD')) . '"></i></a>
diff --git a/adm_program/modules/profile-fields/profile_fields_function.php b/adm_program/modules/profile-fields/profile_fields_function.php
index 358f75e0a..e82051834 100644
--- a/adm_program/modules/profile-fields/profile_fields_function.php
+++ b/adm_program/modules/profile-fields/profile_fields_function.php
@@ -29,8 +29,20 @@
 $getSequence = admFuncVariableIsValid($_GET, 'sequence', 'string', array('validValues' => array(TableUserField::MOVE_UP, TableUserField::MOVE_DOWN)));
 $getOrder    = admFuncVariableIsValid($_GET, 'order',    'array');
 
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception) {
+    if($getMode === 1) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
 
-// nur berechtigte User duerfen die Profilfelder bearbeiten
+// only authorized users can edit the profile fields
 if (!$gCurrentUser->isAdministrator())
 {
     $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
@@ -237,7 +249,11 @@
         $userField->setSequence($getOrder);
     } else {
         // move field up/down by one
-        $userField->moveSequence($getSequence);
+        if($userField->moveSequence($getSequence)) {
+            echo 'done';
+        } else {
+            echo 'Sequence could not be changed.';
+        }
     }
     exit();
 }
diff --git a/adm_program/modules/profile-fields/profile_fields_new.php b/adm_program/modules/profile-fields/profile_fields_new.php
index ba61af139..41b8dbce7 100644
--- a/adm_program/modules/profile-fields/profile_fields_new.php
+++ b/adm_program/modules/profile-fields/profile_fields_new.php
@@ -18,7 +18,7 @@
 // Initialize and check the parameters
 $getUsfUuid = admFuncVariableIsValid($_GET, 'usf_uuid', 'string');
 
-// nur berechtigte User duerfen die Profilfelder bearbeiten
+// only authorized users can edit the profile fields
 if (!$gCurrentUser->isAdministrator())
 {
     $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
diff --git a/adm_program/system/classes/TableCategory.php b/adm_program/system/classes/TableCategory.php
index 93cd8e727..7c5b0cd79 100644
--- a/adm_program/system/classes/TableCategory.php
+++ b/adm_program/system/classes/TableCategory.php
@@ -277,7 +277,7 @@ public function isVisible()
     /**
      * Change the internal sequence of this category. It can be moved one place up or down
      * @param string $mode This could be **UP** or **DOWN**.
-     * @return Return true if the sequence of the category could be changed, otherwise false.
+     * @return bool Return true if the sequence of the category could be changed, otherwise false.
      */
     public function moveSequence($mode)
     {
diff --git a/adm_program/system/classes/TableMenu.php b/adm_program/system/classes/TableMenu.php
index 9e281abd6..889d4e3e8 100644
--- a/adm_program/system/classes/TableMenu.php
+++ b/adm_program/system/classes/TableMenu.php
@@ -116,11 +116,13 @@ public function getValue($columnName, $format = '')
     /**
      * Change the internal sequence of this category. It can be moved one place up or down
      * @param string $mode This could be **UP** or **DOWN**.
+     * @return bool Return true if the sequence of the menu could be changed, otherwise false.
      */
     public function moveSequence($mode)
     {
         $menOrder = (int) $this->getValue('men_order');
         $menIdParent = (int) $this->getValue('men_men_id_parent');
+        $returnCode = false;
 
         // die Sortierung wird um eine Nummer gesenkt und wird somit in der Liste weiter nach oben geschoben
         if($mode === self::MOVE_UP)
@@ -133,7 +135,7 @@ public function moveSequence($mode)
                            AND men_order = ? -- $menOrder - 1';
                 $this->db->queryPrepared($sql, array($menOrder, $menIdParent, $menOrder - 1));
                 $this->setValue('men_order', $menOrder - 1);
-                $this->save();
+                $returnCode = $this->save();
             }
         }
         // die Kategorie wird um eine Nummer erhoeht und wird somit in der Liste weiter nach unten geschoben
@@ -155,9 +157,10 @@ public function moveSequence($mode)
                            AND men_order = ? -- $menOrder + 1';
                 $this->db->queryPrepared($sql, array($menOrder, $menIdParent, $menOrder + 1));
                 $this->setValue('men_order', $menOrder + 1);
-                $this->save();
+                $returnCode = $this->save();
             }
         }
+        return $returnCode;
     }
 
     /**
diff --git a/adm_program/system/classes/TableUserField.php b/adm_program/system/classes/TableUserField.php
index e12be031d..60a174ea3 100644
--- a/adm_program/system/classes/TableUserField.php
+++ b/adm_program/system/classes/TableUserField.php
@@ -300,6 +300,7 @@ public function isVisible()
     /**
      * Profile field will change the sequence one step up or one step down.
      * @param string $mode mode if the profile field move up or down, values are TableUserField::MOVE_UP, TableUserField::MOVE_DOWN
+     * @return bool Return true if the sequence of the category could be changed, otherwise false.
      * @throws AdmException
      */
     public function moveSequence($mode)
@@ -326,12 +327,13 @@ public function moveSequence($mode)
         $this->db->queryPrepared($sql, array($usfSequence, $usfCatId, $newSequence));
 
         $this->setValue('usf_sequence', $newSequence);
-        $this->save();
+        return $this->save();
     }
 
    /**
      * Profile field will change the complete sequence.
      * @param array $sequence the new sequence of profile fields (field IDs)
+     * @return bool Return true if the sequence of the category could be changed, otherwise false.
      * @throws AdmException
      */
     public function setSequence($sequence)
@@ -359,7 +361,7 @@ public function setSequence($sequence)
         if ($newSequence > 0) {
             $this->setValue('usf_sequence', $newSequence);
         }
-        $this->save();
+        return $this->save();
     }
 
     /**
diff --git a/adm_program/system/js/common_functions.js b/adm_program/system/js/common_functions.js
index 454070f9c..6768bb3f6 100644
--- a/adm_program/system/js/common_functions.js
+++ b/adm_program/system/js/common_functions.js
@@ -174,6 +174,10 @@ function moveTableRow(direction, elementId, updateSequenceUrl, csrfToken) {
             } else {
                 $(id).next().after($(id));
             }
+        } else {
+            if(data.length > 0) {
+                alert(data);
+            }
         }
     });
 }

From 7a36bbbfb6f671e33f3e622b88d8c954bde2eb4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Mon, 18 Oct 2021 19:54:09 +0200
Subject: [PATCH 4/9] remove mode 5 from dates_functions

---
 adm_program/modules/dates/dates_function.php | 10 +++++-----
 adm_program/modules/dates/dates_new.php      |  5 +----
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/adm_program/modules/dates/dates_function.php b/adm_program/modules/dates/dates_function.php
index f23f82edb..8fdc18d21 100644
--- a/adm_program/modules/dates/dates_function.php
+++ b/adm_program/modules/dates/dates_function.php
@@ -10,11 +10,10 @@
  * Parameters:
  *
  * dat_id     - ID of the event that should be edited
- * mode   : 1 - Create a new event
+ * mode   : 1 - Create or edit an event
  *          2 - Delete the event
  *          3 - User attends to the event
  *          4 - User cancel the event
- *          5 - Edit an existing event
  *          6 - Export event in ical format
  *          7 - User may participate in the event
  * user_uuid : UUID of the user membership to an event should be edited
@@ -70,7 +69,7 @@
     $user->readDataByUuid($getUserUuid);
 }
 
-if (in_array($getMode, array(1, 2, 5), true))
+if (in_array($getMode, array(1, 2), true))
 {
     if ($getDateUuid !== '')
     {
@@ -92,9 +91,10 @@
     }
 }
 
-if($getMode === 1 || $getMode === 5)  // Create a new event or edit an existing event
+if($getMode === 1)  // Create a new event or edit an existing event
 {
     $_SESSION['dates_request'] = $_POST;
+    $dateIsNew = $date->isNewRecord();
 
     try
     {
@@ -446,7 +446,7 @@
         {
             $notification = new Email();
 
-            if($getMode === 1)
+            if($dateIsNew)
             {
                 $message = $gL10n->get('DAT_EMAIL_NOTIFICATION_MESSAGE_PART1', array($gCurrentOrganization->getValue('org_longname'), $_POST['dat_headline'], $date->getDateTimePeriod(), $calendar))
                           .$gL10n->get('DAT_EMAIL_NOTIFICATION_MESSAGE_PART2', array($ort, $raum, $participants, $gCurrentUser->getValue('FIRST_NAME').' '.$gCurrentUser->getValue('LAST_NAME')))
diff --git a/adm_program/modules/dates/dates_new.php b/adm_program/modules/dates/dates_new.php
index 1b42ce226..9a5f7a41f 100644
--- a/adm_program/modules/dates/dates_new.php
+++ b/adm_program/modules/dates/dates_new.php
@@ -40,17 +40,14 @@
 if($getCopy)
 {
     $headline = $gL10n->get('SYS_COPY_VAR', array($getHeadline));
-    $mode = 5;
 }
 elseif($getDateUuid !== '')
 {
     $headline = $gL10n->get('SYS_EDIT_VAR', array($getHeadline));
-    $mode = 5;
 }
 else
 {
     $headline = $gL10n->get('SYS_CREATE_VAR', array($getHeadline));
-    $mode = 1;
 }
 
 $gNavigation->addUrl(CURRENT_URL, $headline);
@@ -250,7 +247,7 @@ function setLocationCountry() {
 );
 
 // show form
-$form = new HtmlForm('dates_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/dates/dates_function.php', array('dat_uuid' => $getDateUuid, 'mode' => $mode, 'copy' => $getCopy)), $page);
+$form = new HtmlForm('dates_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/dates/dates_function.php', array('dat_uuid' => $getDateUuid, 'mode' => 1, 'copy' => $getCopy)), $page);
 
 $form->openGroupBox('gb_title_location', $gL10n->get('SYS_TITLE').' & '.$gL10n->get('DAT_LOCATION'));
 $form->addInput(

From ac1cde567caadcfbe4ab56f0a23f071a6e9195a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Mon, 18 Oct 2021 20:04:58 +0200
Subject: [PATCH 5/9] add csrf token check to guestbook

---
 adm_program/modules/dates/dates_function.php  |  9 +++++
 .../documents_files_function.php              | 15 ++++----
 .../modules/guestbook/guestbook_function.php  | 37 ++++++++-----------
 3 files changed, 32 insertions(+), 29 deletions(-)

diff --git a/adm_program/modules/dates/dates_function.php b/adm_program/modules/dates/dates_function.php
index 8fdc18d21..0dfac4bc1 100644
--- a/adm_program/modules/dates/dates_function.php
+++ b/adm_program/modules/dates/dates_function.php
@@ -583,6 +583,15 @@
 }
 elseif($getMode === 2)
 {
+    try {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    }
+    catch(AdmException $exception) {
+        $exception->showText();
+        // => EXIT
+    }
+
     // delete current announcements, right checks were done before
     $date->delete();
 
diff --git a/adm_program/modules/documents-files/documents_files_function.php b/adm_program/modules/documents-files/documents_files_function.php
index 737ff9729..3253bec3c 100644
--- a/adm_program/modules/documents-files/documents_files_function.php
+++ b/adm_program/modules/documents-files/documents_files_function.php
@@ -68,15 +68,16 @@
 }
 
 // check the CSRF token of the form against the session token
-if(in_array($getMode, array(2, 3, 4, 5, 7)))
-{
-    try
-    {
+if(in_array($getMode, array(2, 3, 4, 5, 7))) {
+    try {
         SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
     }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
+    catch(AdmException $exception) {
+        if($getMode === 2 || $getMode === 5) {
+            $exception->showText();
+        } else {
+            $exception->showHtml();
+        }
         // => EXIT
     }
 }
diff --git a/adm_program/modules/guestbook/guestbook_function.php b/adm_program/modules/guestbook/guestbook_function.php
index 9a1a75965..50f95494e 100644
--- a/adm_program/modules/guestbook/guestbook_function.php
+++ b/adm_program/modules/guestbook/guestbook_function.php
@@ -43,6 +43,21 @@
     require(__DIR__ . '/../../system/login_valid.php');
 }
 
+// check the CSRF token of the form against the session token
+if(in_array($getMode, array(1, 2, 3, 4, 5, 8))) {
+    try {
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    }
+    catch(AdmException $exception) {
+        if($getMode === 2 || $getMode === 5) {
+            $exception->showText();
+        } else {
+            $exception->showHtml();
+        }
+        // => EXIT
+    }
+}
+
 // Erst einmal pruefen ob die noetigen Berechtigungen vorhanden sind
 if ($getMode === 4)
 {
@@ -114,17 +129,6 @@
 {
     $_SESSION['guestbook_entry_request'] = $_POST;
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if ($getMode === 1)
     {
         // if login and new entry then fill name with login user
@@ -316,17 +320,6 @@
 {
     $_SESSION['guestbook_comment_request'] = $_POST;
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if ($getMode === 4)
     {
         // if login then fill name with login user

From b54a5e95fc6c3b8c1ac29a69d250be734c7af2a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Mon, 18 Oct 2021 20:15:35 +0200
Subject: [PATCH 6/9] remove mode 3 from links_function

---
 adm_program/modules/links/links_function.php | 21 ++++++++++----------
 adm_program/modules/links/links_new.php      | 17 +++-------------
 2 files changed, 14 insertions(+), 24 deletions(-)

diff --git a/adm_program/modules/links/links_function.php b/adm_program/modules/links/links_function.php
index 518fb877a..45208b77c 100644
--- a/adm_program/modules/links/links_function.php
+++ b/adm_program/modules/links/links_function.php
@@ -54,10 +54,11 @@
     }
 }
 
-$_SESSION['links_request'] = $_POST;
-
-if ($getMode === 1 || ($getMode === 3 && $getLinkUuid !== ''))
+if ($getMode === 1)
 {
+    $_SESSION['links_request'] = $_POST;
+    $weblinkIsNew = $link->isNewRecord();
+
     try
     {
         // check the CSRF token of the form against the session token
@@ -96,7 +97,7 @@
 
     try
     {
-        // POST Variablen in das Ankuendigungs-Objekt schreiben
+        // POST variables to the announcements object
         foreach($_POST as $key => $value) // TODO possible security issue
         {
             if(str_starts_with($key, 'lnk_'))
@@ -110,13 +111,13 @@
         $e->showHtml();
     }
 
-    // Link-Counter auf 0 setzen
-    if ($getMode === 1)
+    // Set link counter to 0
+    if ($weblinkIsNew)
     {
         $link->setValue('lnk_counter', 0);
     }
 
-    // Daten in Datenbank schreiben
+    // save weblink data to database
     $returnCode = $link->save();
 
     if($returnCode === false)
@@ -125,9 +126,9 @@
         // => EXIT
     }
 
-    if($returnCode === true && $getMode === 1)
+    if($returnCode === true && $weblinkIsNew)
     {
-        // Benachrichtigungs-Email für neue Einträge
+        // Notification email for new entries
         $message = $gL10n->get('SYS_LINK_EMAIL_NOTIFICATION_MESSAGE', array($gCurrentOrganization->getValue('org_longname'), $_POST['lnk_url']. ' ('.$_POST['lnk_name'].')', $gCurrentUser->getValue('FIRST_NAME').' '.$gCurrentUser->getValue('LAST_NAME'), date($gSettingsManager->getString('system_date'))));
         try
         {
@@ -146,7 +147,7 @@
     admRedirect($gNavigation->getUrl());
     // => EXIT
 }
-elseif ($getMode === 2 && $getLinkUuid !== '')
+elseif ($getMode === 2)
 {
     // delete current announcements, right checks were done before
     $link->delete();
diff --git a/adm_program/modules/links/links_new.php b/adm_program/modules/links/links_new.php
index 9f750a7f3..0b4ba1e44 100644
--- a/adm_program/modules/links/links_new.php
+++ b/adm_program/modules/links/links_new.php
@@ -55,13 +55,12 @@
 
 if(isset($_SESSION['links_request']))
 {
-    // durch fehlerhafte Eingabe ist der User zu diesem Formular zurueckgekehrt
-    // nun die vorher eingegebenen Inhalte ins Objekt schreiben
+    // due to incorrect input the user has returned to this form
+    // now write the previously entered contents into the object
     $link->setArray($_SESSION['links_request']);
     unset($_SESSION['links_request']);
 }
 
-// Html-Kopf ausgeben
 if($getLinkUuid !== '')
 {
     $headline = $gL10n->get('SYS_EDIT_VAR', array($getHeadline));
@@ -77,18 +76,8 @@
 // create html page object
 $page = new HtmlPage('admidio-weblinks-edit', $headline);
 
-// Html des Modules ausgeben
-if($getLinkUuid !== '')
-{
-    $modeEditOrCreate = '3';
-}
-else
-{
-    $modeEditOrCreate = '1';
-}
-
 // show form
-$form = new HtmlForm('weblinks_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/links/links_function.php', array('link_uuid' => $getLinkUuid, 'headline' => $getHeadline, 'mode' => $modeEditOrCreate)), $page);
+$form = new HtmlForm('weblinks_edit_form', SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/links/links_function.php', array('link_uuid' => $getLinkUuid, 'headline' => $getHeadline, 'mode' => 1)), $page);
 $form->addInput(
     'lnk_name', $gL10n->get('SYS_LINK_NAME'), SecurityUtils::encodeHTML($link->getValue('lnk_name')),
     array('maxLength' => 250, 'property' => HtmlForm::FIELD_REQUIRED)

From d959232988d7bb0b7f33522a1868ae3beff70085 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Mon, 18 Oct 2021 20:26:36 +0200
Subject: [PATCH 7/9] add csrf token to delete function in links and messages
 module

---
 adm_program/modules/links/links_function.php  | 27 ++++++++++---------
 adm_program/modules/messages/messages.php     | 19 ++++++++-----
 .../registration/registration_function.php    |  3 +++
 3 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/adm_program/modules/links/links_function.php b/adm_program/modules/links/links_function.php
index 45208b77c..0aeebc5e8 100644
--- a/adm_program/modules/links/links_function.php
+++ b/adm_program/modules/links/links_function.php
@@ -10,9 +10,8 @@
  * Parameters:
  *
  * link_uuid - UUID of the weblink that should be edited
- * mode      - 1 : Create new link
+ * mode      - 1 : Create or edit a weblink
  *             2 : Delete link
- *             3 : Edit link
  ***********************************************************************************************
  */
 require_once(__DIR__ . '/../../system/common.php');
@@ -22,6 +21,19 @@
 $getLinkUuid = admFuncVariableIsValid($_GET, 'link_uuid','string');
 $getMode     = admFuncVariableIsValid($_GET, 'mode',     'int', array('requireValue' => true));
 
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+}
+catch(AdmException $exception) {
+    if($getMode === 1) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 // check if the module is enabled for use
 if ((int) $gSettingsManager->get('enable_weblinks_module') === 0)
 {
@@ -59,17 +71,6 @@
     $_SESSION['links_request'] = $_POST;
     $weblinkIsNew = $link->isNewRecord();
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if(strlen(StringUtils::strStripTags($_POST['lnk_name'])) === 0)
     {
         $gMessage->show($gL10n->get('SYS_FIELD_EMPTY', array($gL10n->get('SYS_LINK_NAME'))));
diff --git a/adm_program/modules/messages/messages.php b/adm_program/modules/messages/messages.php
index 802ce9614..17f017902 100644
--- a/adm_program/modules/messages/messages.php
+++ b/adm_program/modules/messages/messages.php
@@ -30,17 +30,24 @@
 
 if ($getMsgUuid !== '')
 {
+    try {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    }
+    catch(AdmException $exception) {
+        $exception->showText();
+        // => EXIT
+    }
+
     $delMessage = new TableMessage($gDb);
     $delMessage->readDataByUuid($getMsgUuid);
 
     // Function to delete message
-    $delete = $delMessage->delete();
-    if ($delete)
-    {
+    $returnCode = $delMessage->delete();
+
+    if ($returnCode) {
         echo 'done';
-    }
-    else
-    {
+    } else {
         echo 'delete not OK';
     }
     exit();
diff --git a/adm_program/modules/registration/registration_function.php b/adm_program/modules/registration/registration_function.php
index 6917c893c..9478b43c7 100644
--- a/adm_program/modules/registration/registration_function.php
+++ b/adm_program/modules/registration/registration_function.php
@@ -128,6 +128,9 @@
 {
     try
     {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+
         // delete registration
         $registrationUser->delete();
     }

From 3225d937f38d24606d6a42a9fa134d16c9bcc655 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Tue, 19 Oct 2021 07:42:19 +0200
Subject: [PATCH 8/9] add csrf token check to more delete functions

---
 .../groups-roles/groups_roles_function.php    | 66 +++++++------------
 .../modules/photos/photo_album_function.php   | 17 +++--
 adm_program/modules/photos/photo_function.php | 35 +++++-----
 .../modules/profile/profile_function.php      | 10 +++
 .../modules/profile/profile_photo_edit.php    | 14 ++++
 adm_program/modules/rooms/rooms_function.php  | 24 +++----
 .../userrelations/relationtypes_function.php  | 23 +++----
 .../userrelations/userrelations_function.php  | 23 +++----
 8 files changed, 113 insertions(+), 99 deletions(-)

diff --git a/adm_program/modules/groups-roles/groups_roles_function.php b/adm_program/modules/groups-roles/groups_roles_function.php
index 02638e20a..015cca721 100644
--- a/adm_program/modules/groups-roles/groups_roles_function.php
+++ b/adm_program/modules/groups-roles/groups_roles_function.php
@@ -17,7 +17,6 @@
  *         3 - set role inaktive
  *         4 - delete role
  *         5 - set role active
- *         9 - return if role has former members ? Return: 1 und 0
  *
  *****************************************************************************/
 
@@ -30,20 +29,31 @@
 
 // only members who are allowed to create and edit roles should have access to
 // most of these functions
-if($getMode !== 9 && !$gCurrentUser->manageRoles())
+if(!$gCurrentUser->manageRoles())
 {
     $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
     // => EXIT
 }
 
-// Rollenobjekt anlegen
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+} catch (AdmException $exception) {
+    if ($getMode === 2) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 $role = new TableRoles($gDb);
 
 if($getRoleUuid !== '')
 {
     $role->readDataByUuid($getRoleUuid);
 
-    // Pruefung, ob die Rolle zur aktuellen Organisation gehoert
+    // Check if the role belongs to the current organization
     if((int) $role->getValue('cat_org_id') !== (int) $gCurrentOrganization->getValue('org_id') && $role->getValue('cat_org_id') > 0)
     {
         $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
@@ -58,17 +68,6 @@
 {
     // create or edit role
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if(!array_key_exists('rol_name', $_POST) || $_POST['rol_name'] === '')
     {
         // not all fields are filled
@@ -333,12 +332,9 @@
     // event roles should not set inactive
     // all other roles could now set inactive
     if($role->getValue('cat_name_intern') !== 'EVENTS'
-    && $role->setInactive())
-    {
+    && $role->setInactive()) {
         echo 'done';
-    }
-    else
-    {
+    } else {
         echo $gL10n->get('SYS_NO_RIGHTS');
     }
     exit();
@@ -346,16 +342,13 @@
 elseif($getMode === 4)
 {
     // delete role from database
-    try
-    {
-        if($role->delete())
-        {
+    try {
+        if($role->delete()) {
             echo 'done';
         }
     }
-    catch(AdmException $e)
-    {
-        $e->showHtml();
+    catch(AdmException $e) {
+        $e->showText();
         // => EXIT
     }
     exit();
@@ -365,25 +358,10 @@
     // event roles should not set active
     // all other roles could now set active
     if($role->getValue('cat_name_intern') !== 'EVENTS'
-    && $role->setActive())
-    {
+    && $role->setActive()) {
         echo 'done';
-    }
-    else
-    {
+    } else {
         $gL10n->get('SYS_NO_RIGHTS');
     }
     exit();
 }
-elseif($getMode === 9)
-{
-    if($role->hasFormerMembers())
-    {
-        echo '1';
-    }
-    else
-    {
-        echo '0';
-    }
-    exit();
-}
diff --git a/adm_program/modules/photos/photo_album_function.php b/adm_program/modules/photos/photo_album_function.php
index e90865aa3..5d8c18081 100644
--- a/adm_program/modules/photos/photo_album_function.php
+++ b/adm_program/modules/photos/photo_album_function.php
@@ -37,7 +37,7 @@
 // create photo album object
 $photoAlbum = new TablePhotos($gDb);
 
-if ($getMode !== 'new' && $getPhotoUuid !== '')
+if ($getPhotoUuid !== '')
 {
     $photoAlbum->readDataByUuid($getPhotoUuid);
 }
@@ -55,13 +55,11 @@
 /********************Aenderungen oder Neueintraege kontrollieren***********************************/
 if ($getMode === 'new' || $getMode === 'change')
 {
-    try
-    {
+    try {
         // check the CSRF token of the form against the session token
         SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
     }
-    catch(AdmException $exception)
-    {
+    catch(AdmException $exception) {
         $exception->showHtml();
         // => EXIT
     }
@@ -213,6 +211,15 @@
 // delete photo album
 elseif ($getMode === 'delete')
 {
+    try {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    }
+    catch(AdmException $exception) {
+        $exception->showText();
+        // => EXIT
+    }
+
     if ($photoAlbum->delete())
     {
         echo 'done';
diff --git a/adm_program/modules/photos/photo_function.php b/adm_program/modules/photos/photo_function.php
index 81867bcf5..0bd499dec 100644
--- a/adm_program/modules/photos/photo_function.php
+++ b/adm_program/modules/photos/photo_function.php
@@ -47,8 +47,6 @@
  */
 function deleteThumbnail(TablePhotos $photoAlbum, $picNr)
 {
-    global $gLogger;
-
     // Ordnerpfad zusammensetzen
     $photoPath = ADMIDIO_PATH . FOLDER_DATA . '/photos/'.$photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id') . '/thumbnails/' . $picNr . '.jpg';
     try
@@ -57,7 +55,7 @@ function deleteThumbnail(TablePhotos $photoAlbum, $picNr)
     }
     catch (\RuntimeException $exception)
     {
-        $gLogger->error('Could not delete file!', array('filePath' => $photoPath));
+        $GLOBALS['gLogger']->error('Could not delete file!', array('filePath' => $photoPath));
         // TODO
     }
 }
@@ -69,9 +67,7 @@ function deleteThumbnail(TablePhotos $photoAlbum, $picNr)
  */
 function deletePhoto(TablePhotos $photoAlbum, $picNr)
 {
-    global $gLogger;
-
-    // Speicherort
+    // get album folder path
     $albumPath = ADMIDIO_PATH . FOLDER_DATA . '/photos/' . $photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id');
 
     // delete photos
@@ -83,7 +79,7 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
     }
     catch (\RuntimeException $exception)
     {
-        $gLogger->error(
+        $GLOBALS['gLogger']->error(
             'Could not delete file!',
             array('filePaths' => array(
                 $albumPath.'/'.$picNr.'.jpg',
@@ -94,7 +90,7 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
         // TODO
     }
 
-    // Umbenennen der Restbilder und Thumbnails loeschen
+    // Rename the remaining images and delete thumbnails
     $newPicNr = $picNr;
     $thumbnailDelete = false;
 
@@ -112,7 +108,7 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
                 }
                 catch (\RuntimeException $exception)
                 {
-                    $gLogger->error(
+                    $GLOBALS['gLogger']->error(
                         'Could not move file!',
                         array(
                             'from' => array(
@@ -139,12 +135,12 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
 
         if ($thumbnailDelete)
         {
-            // Alle Thumbnails ab dem geloeschten Bild loeschen
+            // Delete all thumbnails starting from the deleted image
             deleteThumbnail($photoAlbum, $actPicNr);
         }
     }//for
 
-    // Aendern der Datenbankeintaege
+    // change quantity of images within the album
     $photoAlbum->setValue('pho_quantity', (int) $photoAlbum->getValue('pho_quantity') - 1);
     $photoAlbum->save();
 }
@@ -163,16 +159,14 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
 // Rotate the photo by 90°
 if ($getJob === 'rotate')
 {
-    // nur bei gueltigen Uebergaben weiterarbeiten
     if ($getDirection !== '')
     {
-        // Thumbnail loeschen
         deleteThumbnail($photoAlbum, $getPhotoNr);
 
-        // Ordnerpfad zusammensetzen
+        // get album folder path with image file name
         $photoPath = ADMIDIO_PATH . FOLDER_DATA . '/photos/' . $photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id') . '/' . $getPhotoNr . '.jpg';
 
-        // Bild drehen
+        // rotate image
         $image = new Image($photoPath);
         $image->rotate($getDirection);
         $image->delete();
@@ -181,10 +175,19 @@ function deletePhoto(TablePhotos $photoAlbum, $picNr)
 // delete photo from filesystem and update photo album
 elseif ($getJob === 'delete')
 {
+    try {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    }
+    catch(AdmException $exception) {
+        $exception->showText();
+        // => EXIT
+    }
+
     deletePhoto($photoAlbum, $getPhotoNr);
 
     $_SESSION['photo_album'] = $photoAlbum;
 
-    // Loeschen erfolgreich -> Rueckgabe fuer XMLHttpRequest
+    // Delete successful -> return for XMLHttpRequest
     echo 'done';
 }
diff --git a/adm_program/modules/profile/profile_function.php b/adm_program/modules/profile/profile_function.php
index 312edb8d0..8f57f0968 100644
--- a/adm_program/modules/profile/profile_function.php
+++ b/adm_program/modules/profile/profile_function.php
@@ -38,6 +38,16 @@
     $gMessage->showHtmlTextOnly(true);
 }
 
+if(in_array($getMode, array(2, 3))) {
+    try {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    } catch (AdmException $exception) {
+        $exception->showText();
+        // => EXIT
+    }
+}
+
 // create user object
 $user = new User($gDb, $gProfileFields);
 $user->readDataByUuid($getUserUuid);
diff --git a/adm_program/modules/profile/profile_photo_edit.php b/adm_program/modules/profile/profile_photo_edit.php
index 9e0c651bc..04585c241 100644
--- a/adm_program/modules/profile/profile_photo_edit.php
+++ b/adm_program/modules/profile/profile_photo_edit.php
@@ -30,6 +30,20 @@
     $gMessage->showHtmlTextOnly(true);
 }
 
+if(in_array($getMode, array('delete', 'save', 'upload'))) {
+    try {
+        // check the CSRF token of the form against the session token
+        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+    } catch (AdmException $exception) {
+        if ($getMode === 'delete') {
+            $exception->showText();
+        } else {
+            $exception->showHtml();
+        }
+        // => EXIT
+    }
+}
+
 // checks if the server settings for file_upload are set to ON
 if (!PhpIniUtils::isFileUploadEnabled())
 {
diff --git a/adm_program/modules/rooms/rooms_function.php b/adm_program/modules/rooms/rooms_function.php
index 82c124fcc..172fac4d1 100644
--- a/adm_program/modules/rooms/rooms_function.php
+++ b/adm_program/modules/rooms/rooms_function.php
@@ -27,7 +27,18 @@
     // => EXIT
 }
 
-// Raumobjekt anlegen
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+} catch (AdmException $exception) {
+    if ($getMode === 1) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 $room = new TableRooms($gDb);
 
 if ($getRoomUuid !== '')
@@ -39,17 +50,6 @@
 {
     $_SESSION['rooms_request'] = $_POST;
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if (!array_key_exists('room_name', $_POST) || $_POST['room_name'] === '')
     {
         $gMessage->show($gL10n->get('SYS_FIELD_EMPTY', array($gL10n->get('SYS_ROOM'))));
diff --git a/adm_program/modules/userrelations/relationtypes_function.php b/adm_program/modules/userrelations/relationtypes_function.php
index 55a56715b..faafd9b99 100644
--- a/adm_program/modules/userrelations/relationtypes_function.php
+++ b/adm_program/modules/userrelations/relationtypes_function.php
@@ -37,6 +37,18 @@
     // => EXIT
 }
 
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+} catch (AdmException $exception) {
+    if ($getMode === 1) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 $relationType = new TableUserRelationType($gDb);
 
 if($getUrtUuid !== '')
@@ -48,17 +60,6 @@
 {
     // create or edit relationtype
 
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     if(!isset($_POST['urt_edit_user']))
     {
         $_POST['urt_edit_user'] = 0;
diff --git a/adm_program/modules/userrelations/userrelations_function.php b/adm_program/modules/userrelations/userrelations_function.php
index 7dab70429..6c7fdb3d2 100644
--- a/adm_program/modules/userrelations/userrelations_function.php
+++ b/adm_program/modules/userrelations/userrelations_function.php
@@ -39,6 +39,18 @@
     // => EXIT
 }
 
+try {
+    // check the CSRF token of the form against the session token
+    SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
+} catch (AdmException $exception) {
+    if ($getMode === 1) {
+        $exception->showHtml();
+    } else {
+        $exception->showText();
+    }
+    // => EXIT
+}
+
 $relation = new TableUserRelation($gDb);
 $user1 = new User($gDb, $gProfileFields);
 $user2 = new User($gDb, $gProfileFields);
@@ -57,17 +69,6 @@
 
 if($getMode === 1)
 {
-    try
-    {
-        // check the CSRF token of the form against the session token
-        SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
-    }
-    catch(AdmException $exception)
-    {
-        $exception->showHtml();
-        // => EXIT
-    }
-
     $getUserUuid = admFuncVariableIsValid($_GET, 'user_uuid', 'string');
     $user1->readDataByUuid($getUserUuid);
 

From 87f304f5668b8dd957193441b58fa2e60886f4ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Fa=C3=9Fbender?= <markus.fassbender@gmail.com>
Date: Tue, 19 Oct 2021 23:24:41 +0200
Subject: [PATCH 9/9] add mem_uuid and csrf token check for membership change

---
 adm_program/installation/db_scripts/db.sql    |  2 +
 .../installation/db_scripts/update_4_1.xml    |  3 ++
 adm_program/modules/profile/profile.js        | 14 +++---
 adm_program/modules/profile/profile.php       | 36 +++++++-------
 .../modules/profile/profile_function.php      | 48 ++++++++++---------
 .../modules/profile/roles_functions.php       | 33 +++++++------
 .../system/classes/ChangeNotification.php     |  4 +-
 .../system/classes/ComponentUpdateSteps.php   |  9 ++--
 adm_program/system/classes/HtmlForm.php       | 29 ++++++-----
 adm_program/system/popup_message.php          |  6 +--
 10 files changed, 100 insertions(+), 84 deletions(-)

diff --git a/adm_program/installation/db_scripts/db.sql b/adm_program/installation/db_scripts/db.sql
index 47a69505f..b1e0a68cc 100644
--- a/adm_program/installation/db_scripts/db.sql
+++ b/adm_program/installation/db_scripts/db.sql
@@ -348,6 +348,7 @@ CREATE TABLE %PREFIX%_members
     mem_id                      integer unsigned    NOT NULL    AUTO_INCREMENT,
     mem_rol_id                  integer unsigned    NOT NULL,
     mem_usr_id                  integer unsigned    NOT NULL,
+    mem_uuid                    varchar(36)         NOT NULL,
     mem_begin                   date                NOT NULL,
     mem_end                     date                NOT NULL    DEFAULT '9999-12-31',
     mem_leader                  boolean             NOT NULL    DEFAULT '0',
@@ -365,6 +366,7 @@ DEFAULT character SET = utf8
 COLLATE = utf8_unicode_ci;
 
 CREATE INDEX %PREFIX%_idx_mem_rol_usr_id ON %PREFIX%_members (mem_rol_id, mem_usr_id);
+CREATE UNIQUE INDEX %PREFIX%_idx_mem_uuid ON %PREFIX%_members (mem_uuid);
 
 /*==============================================================*/
 /* Table: adm_menu                                             */
diff --git a/adm_program/installation/db_scripts/update_4_1.xml b/adm_program/installation/db_scripts/update_4_1.xml
index 8ee47d728..975601d45 100644
--- a/adm_program/installation/db_scripts/update_4_1.xml
+++ b/adm_program/installation/db_scripts/update_4_1.xml
@@ -70,6 +70,7 @@
     <step id="335">ALTER TABLE %PREFIX%_rooms ADD COLUMN room_uuid varchar(36)</step>
     <step id="340">ALTER TABLE %PREFIX%_user_fields ADD COLUMN usf_uuid varchar(36)</step>
     <step id="350">ALTER TABLE %PREFIX%_user_relation_types ADD COLUMN urt_uuid varchar(36)</step>
+    <step id="360">ALTER TABLE %PREFIX%_members ADD COLUMN mem_uuid varchar(36)</step>
     <step id="400">ComponentUpdateSteps::updateStep41AddUuid</step>
     <step id="410" database="mysql">ALTER TABLE %PREFIX%_users MODIFY COLUMN usr_uuid varchar(36) NOT NULL</step>
     <step id="420">CREATE UNIQUE INDEX %PREFIX%_idx_usr_uuid ON %PREFIX%_users (usr_uuid)</step>
@@ -109,5 +110,7 @@
     <step id="760">CREATE UNIQUE INDEX %PREFIX%_idx_urt_uuid ON %PREFIX%_user_relation_types (urt_uuid)</step>
     <step id="770" database="mysql">ALTER TABLE %PREFIX%_roles MODIFY COLUMN rol_name varchar(100)</step>
     <step id="780" database="pgsql">ALTER TABLE %PREFIX%_roles ALTER COLUMN rol_name TYPE varchar(100)</step>
+    <step id="790" database="mysql">ALTER TABLE %PREFIX%_members MODIFY COLUMN mem_uuid varchar(36) NOT NULL</step>
+    <step id="800">CREATE UNIQUE INDEX %PREFIX%_idx_mem_uuid ON %PREFIX%_members (mem_uuid)</step>
     <step>stop</step>
 </update>
diff --git a/adm_program/modules/profile/profile.js b/adm_program/modules/profile/profile.js
index 115f6f66c..cfb4c10ca 100644
--- a/adm_program/modules/profile/profile.js
+++ b/adm_program/modules/profile/profile.js
@@ -26,7 +26,7 @@ function ProfileJS(gRootPath) {
                 $(".admMemberInfo").click(function() {
                     showHideMembershipInformation($(this));
                 });
-                formSubmitEvent();
+                formSubmitEvent('#profile_roles_box_body');
             }
         });
     };
@@ -37,7 +37,7 @@ function ProfileJS(gRootPath) {
                 dataType: "html",
                 success: function(responseText) {
                     $("#profile_former_roles_box_body").html(responseText);
-                    formSubmitEvent();
+                    formSubmitEvent('#profile_former_roles_box_body');
                 }
             }
         );
@@ -49,7 +49,7 @@ function ProfileJS(gRootPath) {
                 dataType: "html",
                 success: function(responseText) {
                     $("#profile_future_roles_box_body").html(responseText);
-                    formSubmitEvent();
+                    formSubmitEvent('#profile_future_roles_box_body');
                 }
             }
         );
@@ -74,11 +74,11 @@ function ProfileJS(gRootPath) {
         return "leader-" + number;
     }
 
-    this.toggleDetailsOn = function (memberId) {
-        $("#membership_period_" + memberId).css({"visibility": "visible", "display": "block"});
+    this.toggleDetailsOn = function (memberUuid) {
+        $("#membership_period_" + memberUuid).css({"visibility": "visible", "display": "block"});
     };
 
-    this.toggleDetailsOff = function (memberId) {
-        $("#membership_period_" + memberId).css({"visibility": "hidden", "display": "none"});
+    this.toggleDetailsOff = function (memberUuid) {
+        $("#membership_period_" + memberUuid).css({"visibility": "hidden", "display": "none"});
     };
 }
diff --git a/adm_program/modules/profile/profile.php b/adm_program/modules/profile/profile.php
index 0a01e114a..cce224fb5 100644
--- a/adm_program/modules/profile/profile.php
+++ b/adm_program/modules/profile/profile.php
@@ -149,40 +149,42 @@ function callbackFutureRoles() {
         }
     }
 
-    function formSubmitEvent() {
-        $(".button-membership-period-form").click(function(event) {
-            var memberId  = $(this).attr("data-admidio");
-            var dateStart = $("#membership_start_date_" + memberId).val();
-            var dateEnd   = $("#membership_end_date_" + memberId).val();
-            var action    = $("#membership_period_form_" + memberId).attr("action") + "&membership_start_date_" + memberId + "=" + dateStart + "&membership_end_date_" + memberId + "=" + dateEnd;
-
-            var formAlert = $("#membership_period_form_" + memberId + " .form-alert");
+    function formSubmitEvent(rolesAreaId = "") {
+        $(rolesAreaId + " .admidio-form-membership-period").submit(function(event) {
+            var memberUuid = $(this).attr("data-admidio");
+            var formAlert  = $("#membership_period_form_" + memberUuid + " .form-alert");
+
+            event.preventDefault(); // avoid to execute the actual submit of the form.
             formAlert.hide();
 
-            $.get({
-                url: action,
-                success: function(data) {
+            $.post({
+                url: $(this).attr("action"),
+                data: $(this).serialize(),
+                success: function(data)
+                {
                     if (data === "success") {
                         formAlert.attr("class", "alert alert-success form-alert");
                         formAlert.html("<i class=\"fas fa-check\"></i><strong>'.$gL10n->get('SYS_SAVE_DATA').'</strong>");
                         formAlert.fadeIn("slow");
-                        formAlert.animate({opacity: 1.0}, 2500);
+                        formAlert.animate({opacity: 1.0}, 5000);
                         formAlert.fadeOut("slow");
 
-                        var membershipPeriod = $("#membership_period_" + memberId);
-                        membershipPeriod.animate({opacity: 1.0}, 2500);
+                        var membershipPeriod = $("#membership_period_" + memberUuid);
+                        membershipPeriod.animate({opacity: 1.0}, 5000);
                         membershipPeriod.fadeOut("slow");
 
                         profileJS.reloadRoleMemberships();
                         profileJS.reloadFormerRoleMemberships();
                         profileJS.reloadFutureRoleMemberships();
+                        formSubmitEvent();
                     } else {
                         formAlert.attr("class", "alert alert-danger form-alert");
                         formAlert.fadeIn();
                         formAlert.html("<i class=\"fas fa-exclamation-circle\"></i>" + data);
                     }
                 }
-            });
+             });
+            return false;
         });
     }
 ');
@@ -201,6 +203,7 @@ function formSubmitEvent() {
         todayHighlight: true,
         autoclose: true
     });
+
     formSubmitEvent();',
     true
 );
@@ -709,11 +712,10 @@ function formSubmitEvent() {
     // Roles block
     // *******************************************************************************
 
-    // Alle Rollen auflisten, die dem Mitglied zugeordnet sind
+    // List all roles assigned to the member
     $roleStatement  = getRolesFromDatabase($userId);
     $countRole      = $roleStatement->rowCount();
 
-    // Ausgabe
     $page->addHtml('
     <div class="card admidio-field-group" id="profile_roles_box">
         <div class="card-header">'.$gL10n->get('SYS_ROLE_MEMBERSHIPS'));
diff --git a/adm_program/modules/profile/profile_function.php b/adm_program/modules/profile/profile_function.php
index 8f57f0968..3380bc125 100644
--- a/adm_program/modules/profile/profile_function.php
+++ b/adm_program/modules/profile/profile_function.php
@@ -17,9 +17,9 @@
  *           6 - reload future role memberships
  *           7 - save membership data
  *           8 - Export vCard of role
- * user_uuid : UUID of the user to be edited
- * mem_id    : Id of role membership to should be edited
- * role_uuid : UUID of role from which the user vcards should be exported
+ * user_uuid   : UUID of the user to be edited
+ * member_uuid : UUID of role membership that should be edited
+ * role_uuid   : UUID of role from which the user vcards should be exported
  ***********************************************************************************************
  */
 require_once(__DIR__ . '/../../system/common.php');
@@ -27,19 +27,16 @@
 require(__DIR__ . '/../../system/login_valid.php');
 
 // Initialize and check the parameters
-$getUserUuid = admFuncVariableIsValid($_GET, 'user_uuid', 'string');
-$getRoleUuid = admFuncVariableIsValid($_GET, 'role_uuid', 'string');
-$getMemberId = admFuncVariableIsValid($_GET, 'mem_id',  'int');
-$getMode     = admFuncVariableIsValid($_GET, 'mode',    'int');
+$getUserUuid   = admFuncVariableIsValid($_GET, 'user_uuid',  'string');
+$getRoleUuid   = admFuncVariableIsValid($_GET, 'role_uuid',  'string');
+$getMemberUuid = admFuncVariableIsValid($_GET, 'member_uuid','string');
+$getMode       = admFuncVariableIsValid($_GET, 'mode',       'int');
 
-// in ajax mode only return simple text on error
-if($getMode === 7)
-{
-    $gMessage->showHtmlTextOnly(true);
-}
-
-if(in_array($getMode, array(2, 3))) {
+if(in_array($getMode, array(2, 3, 7))) {
     try {
+        // in ajax mode only return simple text on error
+        $gMessage->showHtmlTextOnly(true);
+
         // check the CSRF token of the form against the session token
         SecurityUtils::validateCsrfToken($_POST['admidio-csrf-token']);
     } catch (AdmException $exception) {
@@ -73,7 +70,8 @@
 elseif($getMode === 2)
 {
     // Cancel membership of role
-    $member = new TableMembers($gDb, $getMemberId);
+    $member = new TableMembers($gDb);
+    $member->readDataByUuid($getMemberUuid);
     $role   = new TableRoles($gDb, (int) $member->getValue('mem_rol_id'));
 
     // if user has the right then cancel membership
@@ -102,7 +100,8 @@
     // Remove former membership of role
     if($gCurrentUser->isAdministrator())
     {
-        $member = new TableMembers($gDb, $getMemberId);
+        $member = new TableMembers($gDb);
+        $member->readDataByUuid($getMemberUuid);
         $member->delete();
 
         // Entfernen erfolgreich -> Rueckgabe fuer XMLHttpRequest
@@ -150,11 +149,14 @@
 }
 elseif($getMode === 7)
 {
+    $gLogger->error('::test::');
+    $gLogger->error(print_r($_POST, true));
     // save membership date changes
-    $getMembershipStart = admFuncVariableIsValid($_GET, 'membership_start_date_'.$getMemberId, 'date', array('requireValue' => true));
-    $getMembershipEnd   = admFuncVariableIsValid($_GET, 'membership_end_date_'.$getMemberId,   'date', array('requireValue' => true));
+    $postMembershipStart = admFuncVariableIsValid($_POST, 'membership_start_date_'.$getMemberUuid, 'date', array('requireValue' => true));
+    $postMembershipEnd   = admFuncVariableIsValid($_POST, 'membership_end_date_'.$getMemberUuid,   'date', array('requireValue' => true));
 
-    $member = new TableMembers($gDb, $getMemberId);
+    $member = new TableMembers($gDb);
+    $member->readDataByUuid($getMemberUuid);
     $role   = new TableRoles($gDb, (int) $member->getValue('mem_rol_id'));
 
     // check if user has the right to edit this membership
@@ -167,7 +169,7 @@
     $formatedEndDate   = '';
 
     // Check das Beginn Datum
-    $startDate = \DateTime::createFromFormat($gSettingsManager->getString('system_date'), $getMembershipStart);
+    $startDate = \DateTime::createFromFormat($gSettingsManager->getString('system_date'), $postMembershipStart);
     if($startDate === false)
     {
         exit($gL10n->get('SYS_DATE_INVALID', array($gL10n->get('SYS_START'), $gSettingsManager->getString('system_date'))));
@@ -179,9 +181,9 @@
     }
 
     // Falls gesetzt wird das Enddatum gecheckt
-    if($getMembershipEnd !== '')
+    if($postMembershipEnd !== '')
     {
-        $endDate = \DateTime::createFromFormat($gSettingsManager->getString('system_date'), $getMembershipEnd);
+        $endDate = \DateTime::createFromFormat($gSettingsManager->getString('system_date'), $postMembershipEnd);
         if($endDate === false)
         {
             exit($gL10n->get('SYS_DATE_INVALID', array($gL10n->get('SYS_END'), $gSettingsManager->getString('system_date'))));
@@ -204,7 +206,7 @@
     }
 
     // save role membership
-    $user->editRoleMembership($getMemberId, $formatedStartDate, $formatedEndDate);
+    $user->editRoleMembership($member->getValue('mem_id'), $formatedStartDate, $formatedEndDate);
 
     echo 'success';
 }
diff --git a/adm_program/modules/profile/roles_functions.php b/adm_program/modules/profile/roles_functions.php
index e987208b9..d0fdfdc3e 100644
--- a/adm_program/modules/profile/roles_functions.php
+++ b/adm_program/modules/profile/roles_functions.php
@@ -138,7 +138,7 @@ function getRoleMemberships($htmlListId, User $user, \PDOStatement $roleStatemen
                 $deleteMode = 'pro_future';
             }
 
-            $memberId = (int) $member->getValue('mem_id');
+            $memberUuid = $member->getValue('mem_uuid');
 
             // create list entry for one role
             $roleMemHTML .= '
@@ -163,7 +163,8 @@ function getRoleMemberships($htmlListId, User $user, \PDOStatement $roleStatemen
 
                             $roleMemHTML .= '&nbsp;
                         </span>
-                        <span class="float-right text-right">';
+                        <span class="float-right text-right">
+                            <span class="mr-2">';
                             if($showRoleEndDate)
                             {
                                 $roleMemHTML .= $gL10n->get('SYS_SINCE_TO', array($member->getValue('mem_begin', $gSettingsManager->getString('system_date')), $member->getValue('mem_end', $gSettingsManager->getString('system_date'))));
@@ -176,18 +177,19 @@ function getRoleMemberships($htmlListId, User $user, \PDOStatement $roleStatemen
                             {
                                 $roleMemHTML .= $gL10n->get('SYS_SINCE', array($member->getValue('mem_begin', $gSettingsManager->getString('system_date'))));
                             }
+                            $roleMemHTML .= '</span>';
 
                             if($role->allowedToAssignMembers($gCurrentUser))
                             {
                                 // do not edit administrator role
                                 if ($row['rol_administrator'] == 0)
                                 {
-                                    $roleMemHTML .= '<a class="admidio-icon-link" style="cursor:pointer;" href="javascript:profileJS.toggleDetailsOn('.$memberId.')"><i
+                                    $roleMemHTML .= '<a class="admidio-icon-link" style="cursor:pointer;" href="javascript:profileJS.toggleDetailsOn(\''.$memberUuid.'\')"><i
                                         class="fas fa-edit" data-toggle="tooltip" title="'.$gL10n->get('PRO_CHANGE_DATE').'"></i></a>';
                                 }
                                 else
                                 {
-                                    $roleMemHTML .= '<i class="fas fa-trash invisible"></i>';
+                                    $roleMemHTML .= '<a><i class="fas fa-edit invisible"></i></a>';
                                 }
 
                                 // You are not allowed to delete your own administrator membership, other roles could be deleted
@@ -195,40 +197,41 @@ class="fas fa-edit" data-toggle="tooltip" title="'.$gL10n->get('PRO_CHANGE_DATE'
                                 || ($role->getValue('rol_administrator') == 0))
                                 {
                                     $roleMemHTML .= '<a class="admidio-icon-link openPopup" href="javascript:void(0);"
-                                        data-href="'.SecurityUtils::encodeUrl(ADMIDIO_URL.'/adm_program/system/popup_message.php', array('type' => $deleteMode, 'element_id' => 'role_'.(int) $role->getValue('rol_id'), 'database_id' => $memberId, 'name' => $role->getValue('rol_name'))).'"><i
+                                        data-href="'.SecurityUtils::encodeUrl(ADMIDIO_URL.'/adm_program/system/popup_message.php', array('type' => $deleteMode, 'element_id' => 'role_'.(int) $role->getValue('rol_id'), 'database_id' => $memberUuid, 'name' => $role->getValue('rol_name'))).'"><i
                                         class="fas fa-trash-alt" data-toggle="tooltip" title="'.$gL10n->get('PRO_CANCEL_MEMBERSHIP').'"></i></a>';
                                 }
                                 else
                                 {
-                                    $roleMemHTML .= '<i class="fas fa-trash invisible"></i>';
+                                    $roleMemHTML .= '<a><i class="fas fa-trash-alt invisible"></i></a>';
                                 }
                             }
 
                             // only show info if system setting is activated
                             if((int) $gSettingsManager->get('system_show_create_edit') > 0)
                             {
-                                $roleMemHTML .= '<a class="admidio-icon-link admMemberInfo" id="member_info_'.$memberId.'" href="javascript:void(0)"><i
+                                $roleMemHTML .= '<a class="admidio-icon-link admMemberInfo" id="member_info_'.$memberUuid.'" href="javascript:void(0)"><i
                                     class="fas fa-info-circle" data-toggle="tooltip" title="'.$gL10n->get('SYS_INFORMATIONS').'"></i></a>';
                             }
                         $roleMemHTML .= '</span>
                     </li>
-                    <li class="list-group-item" id="membership_period_'.$memberId.'" style="visibility: hidden; display: none;">';
-                        $form = new HtmlForm('membership_period_form_'.$memberId, SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/profile/profile_function.php', array('mode' => '7', 'user_uuid' => $user->getValue('usr_uuid'), 'mem_id' => $row['mem_id'])), null, array('type' => 'navbar', 'setFocus' => false, 'class' => 'admidio-form-membership-period'));
+                    <li class="list-group-item" id="membership_period_'.$memberUuid.'" style="visibility: hidden; display: none;">';
+                        $form = new HtmlForm('membership_period_form_'.$memberUuid, SecurityUtils::encodeUrl(ADMIDIO_URL.FOLDER_MODULES.'/profile/profile_function.php', array('mode' => '7', 'user_uuid' => $user->getValue('usr_uuid'), 'member_uuid' => $row['mem_uuid'])),
+                            null, array('type' => 'navbar', 'method' => 'post', 'setFocus' => false, 'class' => 'admidio-form-membership-period'));
                         $form->addInput(
-                            'membership_start_date_'.$memberId, $gL10n->get('SYS_START'), $member->getValue('mem_begin', $gSettingsManager->getString('system_date')),
+                            'membership_start_date_'.$memberUuid, $gL10n->get('SYS_START'), $member->getValue('mem_begin', $gSettingsManager->getString('system_date')),
                             array('type' => 'date', 'maxLength' => 10)
                         );
                         $form->addInput(
-                            'membership_end_date_'.$memberId, $gL10n->get('SYS_END'), $member->getValue('mem_end', $gSettingsManager->getString('system_date')),
+                            'membership_end_date_'.$memberUuid, $gL10n->get('SYS_END'), $member->getValue('mem_end', $gSettingsManager->getString('system_date')),
                             array('type' => 'date', 'maxLength' => 10)
                         );
-                        $form->addButton(
-                            'btn_send_'.$memberId, $gL10n->get('SYS_OK'),
-                            array('class' => 'btn btn-primary button-membership-period-form', 'data-admidio' => $memberId)
+                        $form->addSubmitButton(
+                            'btn_send_'.$memberUuid, $gL10n->get('SYS_OK'),
+                            array('class' => 'btn btn-primary button-membership-period-form', 'data-admidio' => $memberUuid)
                         );
                         $roleMemHTML .= $form->show();
                     $roleMemHTML .= '</li>
-                    <li class="list-group-item" id="member_info_'.$memberId.'_Content" style="display: none;">';
+                    <li class="list-group-item" id="member_info_'.$memberUuid.'_Content" style="display: none;">';
                         // show information about user who creates the recordset and changed it
                         $roleMemHTML .= admFuncShowCreateChangeInfoById(
                             (int) $member->getValue('mem_usr_id_create'), $member->getValue('mem_timestamp_create'),
diff --git a/adm_program/system/classes/ChangeNotification.php b/adm_program/system/classes/ChangeNotification.php
index 524e8ed85..f63049a90 100644
--- a/adm_program/system/classes/ChangeNotification.php
+++ b/adm_program/system/classes/ChangeNotification.php
@@ -379,7 +379,9 @@ public function sendNotifications($userId = null)
     {
         global $gSettingsManager, $gL10n, $gCurrentUser;
 
-        if($gSettingsManager->getBool('enable_email_changenotification') && is_object($gCurrentUser))
+        if($gSettingsManager->has('enable_email_changenotification')
+            && $gSettingsManager->getBool('enable_email_changenotification')
+            && is_object($gCurrentUser))
         {
             $currfullname = $gCurrentUser->getValue('FIRST_NAME') . ' ' . $gCurrentUser->getValue('LAST_NAME');
             $currname = $currfullname . ' (login: ' . $gCurrentUser->getValue('usr_login_name') . ')';
diff --git a/adm_program/system/classes/ComponentUpdateSteps.php b/adm_program/system/classes/ComponentUpdateSteps.php
index 6c7a96003..eaa6b2c21 100644
--- a/adm_program/system/classes/ComponentUpdateSteps.php
+++ b/adm_program/system/classes/ComponentUpdateSteps.php
@@ -31,8 +31,6 @@ public static function setDatabase(Database $database)
 	public static function updateStep41AddUuid()
 	{
 	    $updateTablesUuid = array(
-	        array('table' => TBL_USERS, 'column_id' => 'usr_id', 'column_uuid' => 'usr_uuid'),
-            array('table' => TBL_ROLES, 'column_id' => 'rol_id', 'column_uuid' => 'rol_uuid'),
             array('table' => TBL_ANNOUNCEMENTS, 'column_id' => 'ann_id', 'column_uuid' => 'ann_uuid'),
             array('table' => TBL_CATEGORIES, 'column_id' => 'cat_id', 'column_uuid' => 'cat_uuid'),
             array('table' => TBL_DATES, 'column_id' => 'dat_id', 'column_uuid' => 'dat_uuid'),
@@ -44,16 +42,21 @@ public static function updateStep41AddUuid()
             array('table' => TBL_PHOTOS, 'column_id' => 'pho_id', 'column_uuid' => 'pho_uuid'),
             array('table' => TBL_LISTS, 'column_id' => 'lst_id', 'column_uuid' => 'lst_uuid'),
             array('table' => TBL_MENU, 'column_id' => 'men_id', 'column_uuid' => 'men_uuid'),
+            array('table' => TBL_MEMBERS, 'column_id' => 'mem_id', 'column_uuid' => 'mem_uuid'),
             array('table' => TBL_MESSAGES, 'column_id' => 'msg_id', 'column_uuid' => 'msg_uuid'),
             array('table' => TBL_ORGANIZATIONS, 'column_id' => 'org_id', 'column_uuid' => 'org_uuid'),
+            array('table' => TBL_ROLES, 'column_id' => 'rol_id', 'column_uuid' => 'rol_uuid'),
             array('table' => TBL_ROOMS, 'column_id' => 'room_id', 'column_uuid' => 'room_uuid'),
+            array('table' => TBL_USERS, 'column_id' => 'usr_id', 'column_uuid' => 'usr_uuid'),
             array('table' => TBL_USER_FIELDS, 'column_id' => 'usf_id', 'column_uuid' => 'usf_uuid'),
             array('table' => TBL_USER_RELATION_TYPES, 'column_id' => 'urt_id', 'column_uuid' => 'urt_uuid'),
         );
 
 	    foreach($updateTablesUuid as $tableUuid)
         {
-            $sql = 'SELECT ' . $tableUuid['column_id'] . ' FROM ' . $tableUuid['table'];
+            $sql = 'SELECT ' . $tableUuid['column_id'] . '
+                      FROM ' . $tableUuid['table'] . '
+                     WHERE ' . $tableUuid['column_uuid'] . ' IS NULL ';
             $statement = self::$db->queryPrepared($sql);
 
             while($row = $statement->fetch())
diff --git a/adm_program/system/classes/HtmlForm.php b/adm_program/system/classes/HtmlForm.php
index b788e4713..6a33d55c4 100644
--- a/adm_program/system/classes/HtmlForm.php
+++ b/adm_program/system/classes/HtmlForm.php
@@ -88,7 +88,7 @@ class HtmlForm extends HtmlFormBasic
      *                             + **navbar**   : A form that should be used in a navbar. The form content will
      *                               be send with the 'GET' method and this form should not get a default focus.
      *                           - **method** : Method how the values of the form are submitted.
-     *                             Possible values are **get** (default) and **post**.
+     *                             Possible values are **get** and **post** (default).
      *                           - **enableFileUpload** : Set specific parameters that are necessary for file upload with a form
      *                           - **showRequiredFields** : If this is set to **true** (default) then every required field got a special
      *                             css class and also the form got a **div** that explains the required layout.
@@ -100,7 +100,6 @@ class HtmlForm extends HtmlFormBasic
      */
     public function __construct($id, $action = null, HtmlPage $htmlPage = null, array $options = array())
     {
-        global $gCurrentSession;
         // create array with all options
         $optionsDefault = array(
             'type'               => 'default',
@@ -110,14 +109,14 @@ public function __construct($id, $action = null, HtmlPage $htmlPage = null, arra
             'class'              => '',
             'method'             => 'post'
         );
-        $optionsAll = array_replace($optionsDefault, $options);
 
-        // navbar forms should send the data as GET
-        if ($optionsAll['type'] === 'navbar')
-        {
-            $optionsAll['method'] = 'get';
+        // navbar forms should send the data as GET if it's not explicit set
+        if (isset($options['type']) && $options['type'] === 'navbar' && !isset($options['method'])) {
+            $options['method'] = 'get';
         }
 
+        $optionsAll = array_replace($optionsDefault, $options);
+
         parent::__construct($action, $id, $optionsAll['method']);
 
         $this->showRequiredFields = $optionsAll['showRequiredFields'];
@@ -151,12 +150,9 @@ public function __construct($id, $action = null, HtmlPage $htmlPage = null, arra
             $this->addAttribute('enctype', 'multipart/form-data');
         }
 
-        if ($optionsAll['type'] !== 'navbar')
-        {
-            // add a hidden field with the csrf token to each form
-            $this->addInput('admidio-csrf-token', 'csrf-token', $gCurrentSession->getCsrfToken(),
-                array('property' => self::FIELD_HIDDEN));
-        }
+        // add a hidden field with the csrf token to each form
+        $this->addInput('admidio-csrf-token', 'csrf-token', $GLOBALS['gCurrentSession']->getCsrfToken(),
+            array('property' => self::FIELD_HIDDEN));
 
         if ($htmlPage instanceof HtmlPage)
         {
@@ -1860,8 +1856,11 @@ public function addSubmitButton($id, $text, array $options = array())
         $optionsDefault = array('icon' => '', 'link' => '', 'class' => '', 'type' => 'submit');
         $optionsAll     = array_replace($optionsDefault, $options);
 
-        // add default css class
-        $optionsAll['class'] .= ' btn-primary admidio-margin-bottom';
+        // add default css classes
+        $optionsAll['class'] .= ' btn-primary';
+        if($this->type !== 'navbar') {
+            $optionsAll['class'] .= '  admidio-margin-bottom';
+        }
 
         // now add button to form
         $this->addButton($id, $text, $optionsAll);
diff --git a/adm_program/system/popup_message.php b/adm_program/system/popup_message.php
index 71ef0e28f..be76b07da 100644
--- a/adm_program/system/popup_message.php
+++ b/adm_program/system/popup_message.php
@@ -92,17 +92,17 @@
         $callbackFunction = 'callbackProfilePhoto';
         break;
     case 'pro_role':
-        $url  = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile/profile_function.php', array('mode' => 2, 'mem_id' => $getDatabaseId));
+        $url  = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile/profile_function.php', array('mode' => 2, 'member_uuid' => $getDatabaseId));
         $text = 'SYS_MEMBERSHIP_DELETE';
         $callbackFunction = 'callbackRoles';
         break;
     case 'pro_future':
-        $url  = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile/profile_function.php', array('mode' => 3, 'mem_id' => $getDatabaseId));
+        $url  = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile/profile_function.php', array('mode' => 3, 'member_uuid' => $getDatabaseId));
         $text = 'SYS_LINK_MEMBERSHIP_DELETE';
         $callbackFunction = 'callbackFutureRoles';
         break;
     case 'pro_former':
-        $url  = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile/profile_function.php', array('mode' => 3, 'mem_id' => $getDatabaseId));
+        $url  = SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/profile/profile_function.php', array('mode' => 3, 'member_uuid' => $getDatabaseId));
         $text = 'SYS_LINK_MEMBERSHIP_DELETE';
         $callbackFunction = 'callbackFormerRoles';
         break;