csrf on settings / theme
@@ -1,44 +1,34 @@
|
||||
<?php
|
||||
|
||||
require_once '../../includes/connect_endpoint.php';
|
||||
require_once '../../includes/validate_endpoint.php';
|
||||
|
||||
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
|
||||
// Valiudate input, should be a color from the allowed list
|
||||
$allowedColors = ['blue', 'red', 'green', 'yellow', 'purple'];
|
||||
if (!isset($data['color']) || !in_array($data['color'], $allowedColors)) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate('session_expired', $i18n)
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
$color = $data['color'];
|
||||
|
||||
// Valiudate input, should be a color from the allowed list
|
||||
$allowedColors = ['blue', 'red', 'green', 'yellow', 'purple'];
|
||||
if (!isset($data['color']) || !in_array($data['color'], $allowedColors)) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
$stmt = $db->prepare('UPDATE settings SET color_theme = :color WHERE user_id = :userId');
|
||||
$stmt->bindParam(':color', $color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
$color = $data['color'];
|
||||
|
||||
$stmt = $db->prepare('UPDATE settings SET color_theme = :color WHERE user_id = :userId');
|
||||
$stmt->bindParam(':color', $color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
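Review bot: The allow-list check on the new side uses `in_array($data['color'], $allowedColors)` without the strict flag, so a JSON body of `{"color": true}` passes (`true == 'blue'` is true under loose comparison) and `bindParam(':color', $color, SQLITE3_TEXT)` then stores "1" in color_theme. Change the guard to `if (!isset($data['color']) || !in_array($data['color'], $allowedColors, true)) {`, which also rejects non-string values such as nested arrays. The old `REQUEST_METHOD === "POST"` wrapper is dropped in favour of validate_endpoint.php, which presumably carries the CSRF check the commit title refers to; if it does not also reject non-POST requests, that check should be kept here. The comment `// Valiudate input` should read `// Validate input`.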
|
||||
@@ -1,37 +1,29 @@
|
||||
<?php
|
||||
|
||||
require_once '../../includes/connect_endpoint.php';
|
||||
require_once '../../includes/validate_endpoint.php';
|
||||
|
||||
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
|
||||
$customCss = $data['customCss'];
|
||||
|
||||
$stmt = $db->prepare('DELETE FROM custom_css_style WHERE user_id = :userId');
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
$stmt->execute();
|
||||
|
||||
$stmt = $db->prepare('INSERT INTO custom_css_style (css, user_id) VALUES (:customCss, :userId)');
|
||||
$stmt->bindParam(':customCss', $customCss, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate('session_expired', $i18n)
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
|
||||
$customCss = $data['customCss'];
|
||||
|
||||
$stmt = $db->prepare('DELETE FROM custom_css_style WHERE user_id = :userId');
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
$stmt->execute();
|
||||
|
||||
$stmt = $db->prepare('INSERT INTO custom_css_style (css, user_id) VALUES (:customCss, :userId)');
|
||||
$stmt->bindParam(':customCss', $customCss, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
}
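Review bot: `$customCss = $data['customCss'];` is used with no validation at all, unlike the colour endpoints in this commit: a body with the key missing or non-JSON (`$data` is null) yields a warning and a null bind, and an array or object value reaches `bindParam(':customCss', $customCss, SQLITE3_TEXT)` as a non-string. Read it as `$customCss = $data['customCss'] ?? null;` and follow with `if (!is_string($customCss)) { die(json_encode(["success" => false, "message" => translate("error", $i18n)])); }` before touching the database. Separately, the DELETE followed by INSERT is not wrapped in a transaction, so a failed insert leaves the user's previous CSS already deleted while the client is told the save failed; an `exec('BEGIN')`/`exec('COMMIT')` pair around both statements (with rollback on failure) would make the replacement atomic.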
|
||||
|
||||
@@ -1,58 +1,48 @@
|
||||
<?php
|
||||
|
||||
require_once '../../includes/connect_endpoint.php';
|
||||
require_once '../../includes/validate_endpoint.php';
|
||||
|
||||
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
|
||||
$main_color = $data['mainColor'];
|
||||
$accent_color = $data['accentColor'];
|
||||
$hover_color = $data['hoverColor'];
|
||||
|
||||
// Validate input, should be a color in #RRGGBB format
|
||||
if (!preg_match('/^#[0-9A-Fa-f]{6}$/', $main_color) || !preg_match('/^#[0-9A-Fa-f]{6}$/', $accent_color) || !preg_match('/^#[0-9A-Fa-f]{6}$/', $hover_color)) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate('session_expired', $i18n)
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
|
||||
$main_color = $data['mainColor'];
|
||||
$accent_color = $data['accentColor'];
|
||||
$hover_color = $data['hoverColor'];
|
||||
|
||||
// Validate input, should be a color in #RRGGBB format
|
||||
if (!preg_match('/^#[0-9A-Fa-f]{6}$/', $main_color) || !preg_match('/^#[0-9A-Fa-f]{6}$/', $accent_color) || !preg_match('/^#[0-9A-Fa-f]{6}$/', $hover_color)) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
if ($main_color == $accent_color) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("main_accent_color_error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
$stmt = $db->prepare('DELETE FROM custom_colors WHERE user_id = :userId');
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
$stmt->execute();
|
||||
|
||||
$stmt = $db->prepare('INSERT INTO custom_colors (main_color, accent_color, hover_color, user_id) VALUES (:main_color, :accent_color, :hover_color, :userId)');
|
||||
$stmt->bindParam(':main_color', $main_color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':accent_color', $accent_color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':hover_color', $hover_color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
if ($main_color == $accent_color) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("main_accent_color_error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
?>
|
||||
$stmt = $db->prepare('DELETE FROM custom_colors WHERE user_id = :userId');
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
$stmt->execute();
|
||||
|
||||
$stmt = $db->prepare('INSERT INTO custom_colors (main_color, accent_color, hover_color, user_id) VALUES (:main_color, :accent_color, :hover_color, :userId)');
|
||||
$stmt->bindParam(':main_color', $main_color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':accent_color', $accent_color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':hover_color', $hover_color, SQLITE3_TEXT);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
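Review bot: On the new side `$main_color`, `$accent_color` and `$hover_color` are taken straight from the decoded JSON and passed to `preg_match()`; in PHP 8 a non-string such as `{"mainColor": []}` makes `preg_match()` throw a TypeError, which is not caught here and so surfaces as a 500 instead of the JSON error response the rest of the file returns. Read each value with `$main_color = $data['mainColor'] ?? '';` (and likewise for the other two) and add `if (!is_string($main_color) || !is_string($accent_color) || !is_string($hover_color)) { die(json_encode(["success" => false, "message" => translate("error", $i18n)])); }` ahead of the regex check. The `$main_color == $accent_color` comparison is a loose one; after the regex both are plain strings so it is safe, but `===` states the intent. The DELETE/INSERT pair into custom_colors has the same non-atomic replacement as the custom CSS hunk and would benefit from the same transaction.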
|
||||
@@ -1,29 +1,19 @@
|
||||
<?php
|
||||
|
||||
require_once '../../includes/connect_endpoint.php';
|
||||
require_once '../../includes/validate_endpoint.php';
|
||||
|
||||
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
|
||||
$stmt = $db->prepare('DELETE FROM custom_colors WHERE user_id = :userId');
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate('session_expired', $i18n)
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
if ($_SERVER["REQUEST_METHOD"] === "DELETE") {
|
||||
$stmt = $db->prepare('DELETE FROM custom_colors WHERE user_id = :userId');
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
}
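Review bot: The new side removes the `REQUEST_METHOD === "DELETE"` guard and replaces it with nothing, so the `DELETE FROM custom_colors` runs on any request that gets past validate_endpoint.php, and the `action=reset` parameter the updated JavaScript now posts is never read server-side. Since this is a destructive, unconditional action, the endpoint should require the method and action it was designed for: `if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['action'] ?? '') !== 'reset') { die(json_encode(["success" => false, "message" => translate("error", $i18n)])); }`. Whether validate_endpoint.php itself enforces POST for the CSRF check cannot be seen from this hunk; if it does, the method half of the guard is redundant but harmless.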
|
||||
@@ -1,42 +1,32 @@
|
||||
<?php
|
||||
require_once '../../includes/connect_endpoint.php';
|
||||
require_once '../../includes/validate_endpoint.php';
|
||||
|
||||
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
|
||||
$theme = (int) $data['theme'];
|
||||
|
||||
// Validate input, should be an integer (0, 1 or 2)
|
||||
if (!isset($theme) || !is_int($theme) || $theme < 0 || $theme > 2) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate('session_expired', $i18n)
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
if ($_SERVER["REQUEST_METHOD"] === "POST") {
|
||||
$postData = file_get_contents("php://input");
|
||||
$data = json_decode($postData, true);
|
||||
$stmt = $db->prepare('UPDATE settings SET dark_theme = :theme WHERE user_id = :userId');
|
||||
$stmt->bindParam(':theme', $theme, SQLITE3_INTEGER);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
$theme = (int)$data['theme'];
|
||||
|
||||
// Validate input, should be an integer (0, 1 or 2)
|
||||
if (!isset($theme) || !is_int($theme) || $theme < 0 || $theme > 2) {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
|
||||
$stmt = $db->prepare('UPDATE settings SET dark_theme = :theme WHERE user_id = :userId');
|
||||
$stmt->bindParam(':theme', $theme, SQLITE3_INTEGER);
|
||||
$stmt->bindParam(':userId', $userId, SQLITE3_INTEGER);
|
||||
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
if ($stmt->execute()) {
|
||||
die(json_encode([
|
||||
"success" => true,
|
||||
"message" => translate("success", $i18n)
|
||||
]));
|
||||
} else {
|
||||
die(json_encode([
|
||||
"success" => false,
|
||||
"message" => translate("error", $i18n)
|
||||
]));
|
||||
}
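Review bot: After `$theme = (int)$data['theme'];` the conditions `!isset($theme) || !is_int($theme)` on the next line are always false, so the only live check is the 0–2 range, and the cast silently turns invalid input into a valid value: a missing key, a non-numeric string or `[]` all become 0 and set the light theme with a success response. Validate before casting, for example `$raw = $data['theme'] ?? null;`, `if (!is_int($raw) && !is_bool($raw)) { die(json_encode(["success" => false, "message" => translate("error", $i18n)])); }`, `$theme = (int)$raw;` — booleans are accepted because the switchTheme caller in this commit sends `theme: themeChoice === 'dark'`. The `// Validate input, should be an integer (0, 1 or 2)` comment then describes what the code actually does.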
|
||||
+33
-16
@@ -13,7 +13,8 @@ function switchTheme() {
|
||||
fetch('endpoints/settings/theme.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({ theme: themeChoice === 'dark' })
|
||||
})
|
||||
@@ -46,7 +47,8 @@ function setDarkTheme(theme) {
|
||||
fetch('endpoints/settings/theme.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({ theme: theme })
|
||||
})
|
||||
@@ -134,7 +136,8 @@ function setTheme(themeColor) {
|
||||
fetch('endpoints/settings/colortheme.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({ color: themeColor })
|
||||
})
|
||||
@@ -156,34 +159,46 @@ function resetCustomColors() {
|
||||
const button = document.getElementById("reset-colors");
|
||||
button.disabled = true;
|
||||
|
||||
fetch('endpoints/settings/resettheme.php', {
|
||||
method: 'DELETE',
|
||||
fetch("endpoints/settings/resettheme.php", {
|
||||
method: "POST",
|
||||
headers: {
|
||||
"X-CSRF-Token": window.csrfToken,
|
||||
},
|
||||
body: new URLSearchParams({
|
||||
action: "reset",
|
||||
}),
|
||||
})
|
||||
.then(response => response.json())
|
||||
.then(data => {
|
||||
if (data.success) {
|
||||
showSuccessMessage(data.message);
|
||||
const custom_theme_colors = document.getElementById('custom_theme_colors');
|
||||
if (custom_theme_colors) {
|
||||
custom_theme_colors.remove();
|
||||
|
||||
const customThemeColors = document.getElementById("custom_theme_colors");
|
||||
if (customThemeColors) {
|
||||
customThemeColors.remove();
|
||||
}
|
||||
document.documentElement.style.removeProperty('--main-color');
|
||||
document.documentElement.style.removeProperty('--accent-color');
|
||||
document.documentElement.style.removeProperty('--hover-color');
|
||||
|
||||
document.documentElement.style.removeProperty("--main-color");
|
||||
document.documentElement.style.removeProperty("--accent-color");
|
||||
document.documentElement.style.removeProperty("--hover-color");
|
||||
|
||||
document.getElementById("mainColor").value = "#FFFFFF";
|
||||
document.getElementById("accentColor").value = "#FFFFFF";
|
||||
document.getElementById("hoverColor").value = "#FFFFFF";
|
||||
} else {
|
||||
showErrorMessage(data.message);
|
||||
showErrorMessage(data.message || translate("failed_reset_colors"));
|
||||
}
|
||||
button.disabled = false;
|
||||
})
|
||||
.catch(error => {
|
||||
showErrorMessage(translate('unknown_error'));
|
||||
console.error(error);
|
||||
showErrorMessage(translate("unknown_error"));
|
||||
})
|
||||
.finally(() => {
|
||||
button.disabled = false;
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
function saveCustomColors() {
|
||||
const button = document.getElementById("save-colors");
|
||||
button.disabled = true;
|
||||
@@ -195,7 +210,8 @@ function saveCustomColors() {
|
||||
fetch('endpoints/settings/customtheme.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({ mainColor: mainColor, accentColor: accentColor, hoverColor: hoverColor })
|
||||
})
|
||||
@@ -227,7 +243,8 @@ function saveCustomCss() {
|
||||
fetch('endpoints/settings/customcss.php', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json'
|
||||
'Content-Type': 'application/json',
|
||||
'X-CSRF-Token': window.csrfToken,
|
||||
},
|
||||
body: JSON.stringify({ customCss: customCss })
|
||||
})
|
||||
|
||||