Checking token on adding and deleting favorites

myvesta · Aug 29, 2021 · 475fe47 · 475fe47
1 parent 5262b3f
commit 475fe47
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/web/add/favorite/index.php b/web/add/favorite/index.php
@@ -7,10 +7,9 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 // Check token
-//    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
-//        header('location: /login/');
-//        exit();
-//    }
+if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+    die("Wrong token");
+}
 
     // Protect input
     $v_section = escapeshellarg($_REQUEST['v_section']);

diff --git a/web/delete/favorite/index.php b/web/delete/favorite/index.php
@@ -5,6 +5,11 @@
 
     include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+    // Check token
+    if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) {
+        die("Wrong token");
+    }
+
     unset($_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']]);
 
     $v_section = escapeshellarg($_REQUEST['v_section']);

diff --git a/web/js/init.js b/web/js/init.js
@@ -128,14 +128,15 @@ $(document).ready(function(){
 
               $('.l-unit .l-icon-star').click(function(){
                 var l_unit = $(this).parents('.l-unit');
+                var token = $('#token').attr('token');
 
                 if(l_unit.hasClass('l-unit--starred')){
                   // removing star
 
                   $.ajax({
                     method: "POST",
                     url: "/delete/favorite/index.php",
-                    data: { v_section: l_unit.attr('v_section'), v_unit_id: l_unit.attr('v_unit_id') }
+                    data: { v_section: l_unit.attr('v_section'), v_unit_id: l_unit.attr('v_unit_id'), token: token }
                   });
 
                   l_unit.attr({'sort-star': 0});
@@ -145,7 +146,7 @@ $(document).ready(function(){
                   $.ajax({
                     method: "POST",
                     url: "/add/favorite/index.php",
-                    data: { v_unit_id: l_unit.attr('v_unit_id'), v_section: l_unit.attr('v_section') }
+                    data: { v_unit_id: l_unit.attr('v_unit_id'), v_section: l_unit.attr('v_section'), token: token }
                   });
 
                   l_unit.attr({'sort-star': 1});