Skip to content

Commit

Permalink
Add confirm_validate and confirm_close as sensitive actions
Browse files Browse the repository at this point in the history
  • Loading branch information
@eldy
eldy committed Sep 18, 2021
1 parent f054743 commit 858a5ab
Show file tree
Hide file tree
Showing 3 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions htdocs/main.inc.php
View file
Expand Up @@ -465,6 +465,7 @@ function analyseVarsForSqlAndScriptsInjection(&$var, $type)
$arrayofactiontoforcetokencheck = array(
'activate', 'add', 'addrights', 'addtimespent',
'confirm_create_user', 'confirm_create_thirdparty', 'confirm_delete', 'confirm_deletedir', 'confirm_deletefile', 'confirm_purge', 'confirm_reject_check',
'confirm_validate', 'confirm_close',
'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'delrights',
'disable',
'doprev', 'donext', 'dvprev', 'dvnext',
Expand Down
2 changes: 1 addition & 1 deletion htdocs/recruitment/recruitmentcandidature_card.php
View file
Expand Up @@ -567,7 +567,7 @@
if ($object->status == $object::STATUS_DRAFT) {
if ($permissiontoadd) {
if (empty($object->table_element_line) || (is_array($object->lines) && count($object->lines) > 0)) {
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=confirm_validate&confirm=yes">'.$langs->trans("Validate").'</a>';
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=confirm_validate&token='.newToken().'&confirm=yes">'.$langs->trans("Validate").'</a>';
} else {
$langs->load("errors");
print '<a class="butActionRefused" href="" title="'.$langs->trans("ErrorAddAtLeastOneLineFirst").'">'.$langs->trans("Validate").'</a>';
Expand Down
2 changes: 1 addition & 1 deletion htdocs/recruitment/recruitmentjobposition_card.php
View file
Expand Up @@ -466,7 +466,7 @@
if ($object->status == $object::STATUS_DRAFT) {
if ($permissiontoadd) {
if (empty($object->table_element_line) || (is_array($object->lines) && count($object->lines) > 0)) {
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=confirm_validate&confirm=yes">'.$langs->trans("Validate").'</a>';
print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&action=confirm_validate&token='.newToken().'&confirm=yes">'.$langs->trans("Validate").'</a>';
} else {
$langs->load("errors");
print '<a class="butActionRefused" href="" title="'.$langs->trans("ErrorAddAtLeastOneLineFirst").'">'.$langs->trans("Validate").'</a>';
Expand Down

0 comments on commit 858a5ab

Please sign in to comment.