diff --git a/.gitignore b/.gitignore
index 64d15ac..a33d44e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ app/images
*.cache
*.zip
test*.php
+app/admin/backups
diff --git a/app/common.js b/app/common.js
index 4dccf21..29a402d 100644
--- a/app/common.js
+++ b/app/common.js
@@ -643,7 +643,7 @@ function mass_delete(t, ids) {
if(!continue_delete) return;
jQuery.ajax(t + '_view.php', {
type: 'POST',
- data: { delete_x: 1, SelectedID: ids[itrn] },
+ data: { delete_x: 1, SelectedID: ids[itrn], csrf_token: $j('#csrf_token').val() },
success: function(resp) {
if(resp != 'OK') {
jQuery('
' + resp + '').appendTo('.well.details_list ol');
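Review bot: The added line reads the token through `$j('#csrf_token').val()` while the rest of mass_delete uses the `jQuery` global (`jQuery.ajax`, `jQuery(...)`); unless `$j` is an alias defined elsewhere in the file, this throws a ReferenceError before the request is sent, and even if it is defined, `jQuery('#csrf_token').val()` keeps the function consistent. If no `#csrf_token` element is on the page, `.val()` yields undefined, the server-side guard rejects the delete, and the existing `resp != 'OK'` branch surfaces the message, so that case is handled. mass_delete begins outside the hunk.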
diff --git a/app/datalist.php b/app/datalist.php
index feb1fcb..7497ea7 100644
--- a/app/datalist.php
+++ b/app/datalist.php
@@ -240,6 +240,9 @@ function Render() {
}
elseif($insert_x != '') {
+ // insert only if either a csrf or jwt token is provided
+ if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
+
$error_message = '';
$SelectedID = call_user_func_array(
$this->TableName . '_insert',
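Review bot: Accepting `jwt_check_login()` as an alternative to the CSRF token (here and in the identical guards in the delete and update hunks below) is only a CSRF mitigation if the JWT is read from a request header rather than a cookie; a cookie-borne token is attached by the browser to cross-site requests too, so the OR branch would then bypass the check entirely. The hunk does not show how jwt_check_login() obtains the token, so the assumption is worth stating at the guard, e.g. `// jwt_check_login() must read the token from a header, not a cookie, or it is not a CSRF defence`. Since the same guard is repeated three times, a small method such as `function requireWriteToken() { if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']); }` would keep the three branches in step. die() also answers with a 200 status; an `http_response_code(403);` before it lets non-AJAX callers and logs distinguish the rejection. Render() begins outside the hunk.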
@@ -290,6 +293,9 @@ function Render() {
}
elseif($delete_x != '') {
+ // delete only if either a csrf or jwt token is provided
+ if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
+
$delete_res = call_user_func_array($this->TableName.'_delete', array($SelectedID, $this->AllowDeleteOfParents, $SkipChecks));
// handle ajax delete requests
if(is_ajax()) {
@@ -314,6 +320,9 @@ function Render() {
}
elseif($update_x != '') {
+ // update only if either a csrf or jwt token is provided
+ if(!csrf_token(true) && !jwt_check_login()) die($this->translation['csrf token expired or invalid']);
+
$error_message = '';
$updated = call_user_func_array(
$this->TableName . '_update',