From 475fe47984df6209cebc741fba02ee65f84e0a4d Mon Sep 17 00:00:00 2001 From: myvesta <38690722+myvesta@users.noreply.github.com> Date: Sun, 29 Aug 2021 16:05:33 +0200 Subject: [PATCH] Checking token on adding and deleting favorites --- web/add/favorite/index.php | 7 +++---- web/delete/favorite/index.php | 5 +++++ web/js/init.js | 5 +++-- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/web/add/favorite/index.php b/web/add/favorite/index.php index e9f2e828de..a3054d9990 100644 --- a/web/add/favorite/index.php +++ b/web/add/favorite/index.php @@ -7,10 +7,9 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); // Check token -// if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { -// header('location: /login/'); -// exit(); -// } +if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) { + die("Wrong token"); +} // Protect input $v_section = escapeshellarg($_REQUEST['v_section']); diff --git a/web/delete/favorite/index.php b/web/delete/favorite/index.php index 9f471b9bda..093566f9a2 100644 --- a/web/delete/favorite/index.php +++ b/web/delete/favorite/index.php @@ -5,6 +5,11 @@ include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); + // Check token + if ((!isset($_REQUEST['token'])) || ($_SESSION['token'] != $_REQUEST['token'])) { + die("Wrong token"); + } + unset($_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']]); $v_section = escapeshellarg($_REQUEST['v_section']); diff --git a/web/js/init.js b/web/js/init.js index 3ac6175e3e..6c60ff85dc 100644 --- a/web/js/init.js +++ b/web/js/init.js @@ -128,6 +128,7 @@ $(document).ready(function(){ $('.l-unit .l-icon-star').click(function(){ var l_unit = $(this).parents('.l-unit'); + var token = $('#token').attr('token'); if(l_unit.hasClass('l-unit--starred')){ // removing star 
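Review bot: The new check in web/add/favorite/index.php compares the tokens with loose `!=` and reads the token from `$_REQUEST`, so a token can be supplied in the query string as well as the POST body, and numeric-looking strings are compared as numbers rather than byte for byte; a missing `$_SESSION['token']` is also not caught, because only the request side is `isset`-checked. Since web/js/init.js in this same patch sends the token by POST, `$_POST` is sufficient here. I would write `if (!isset($_SESSION['token'], $_POST['token']) || !hash_equals($_SESSION['token'], (string) $_POST['token'])) {` and put `http_response_code(403);` before `die("Wrong token");` so the client can tell a rejection apart from success, which `die()` alone (status 200) does not allow. The same applies to the identical check added in web/delete/favorite/index.php.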
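Review bot: The block added to web/delete/favorite/index.php is indented by one space (` // Check token`, ` if ((!isset(...`) while the surrounding code, including the `include(...)` and `unset(...)` context lines, sits at column 0; align the four new lines flush left so they match the add/favorite file, where the same check was added at column 0. The comparison and `$_REQUEST` concerns for this check are the ones raised on the add/favorite hunk.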
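Review bot: `var token = $('#token').attr('token');` yields undefined when no element with id `token` is on the page or it lacks that attribute, and jQuery then serializes the field as an empty `token=` that the server-side check rejects; nothing in this hunk shows where `#token` is rendered, so I assume the page template emits it and that is worth confirming. A one-line comment would spare the next reader that search: `// session token emitted by the page; /add/favorite and /delete/favorite reject requests whose token does not match`. The click handler continues past the end of the hunk.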
@@ -135,7 +136,7 @@ $(document).ready(function(){ $.ajax({ method: "POST", url: "/delete/favorite/index.php", - data: { v_section: l_unit.attr('v_section'), v_unit_id: l_unit.attr('v_unit_id') } + data: { v_section: l_unit.attr('v_section'), v_unit_id: l_unit.attr('v_unit_id'), token: token } }); l_unit.attr({'sort-star': 0}); @@ -145,7 +146,7 @@ $(document).ready(function(){ $.ajax({ method: "POST", url: "/add/favorite/index.php", - data: { v_unit_id: l_unit.attr('v_unit_id'), v_section: l_unit.attr('v_section') } + data: { v_unit_id: l_unit.attr('v_unit_id'), v_section: l_unit.attr('v_section'), token: token } }); l_unit.attr({'sort-star': 1});
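Review bot: The `$.ajax` call's outcome is ignored, so when the server now answers "Wrong token" the star is still toggled client-side by the `l_unit.attr({'sort-star': 0});` that follows, and the page and the session disagree until reload. Moving the attribute update into a `success` handler (e.g. `success: function(){ l_unit.attr({'sort-star': 0}); }`) or adding a `.fail` handler that reverts it keeps the two in step; note that the PHP side in this patch rejects with `die()` and status 200, so the handler would have to inspect the response body unless the server also sets an error status. The hunk at -145 for the add case has the same shape. The enclosing click handler begins and ends outside the hunk.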