From 7e05dc02e4236d42c5e5262cdabb6f77b521b4d9 Mon Sep 17 00:00:00 2001
From: Miguel Ribeiro
Date: Sat, 18 Oct 2025 14:33:12 +0200
Subject: [PATCH] csrf on settings / budget

---
 endpoints/user/budget.php | 53 ++++++++++++++++-----------------------
 scripts/settings.js | 11 +++++---
 2 files changed, 30 insertions(+), 34 deletions(-)

diff --git a/endpoints/user/budget.php b/endpoints/user/budget.php
index a129882..4fc57b2 100644
--- a/endpoints/user/budget.php
+++ b/endpoints/user/budget.php
@@ -3,38 +3,29 @@
 require_once '../../includes/connect_endpoint.php';
 require_once '../../includes/inputvalidation.php';
-if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
- die(json_encode([
+$postData = file_get_contents("php://input");
+$data = json_decode($postData, true);
+
+$budget = $data["budget"];
+
+$sql = "UPDATE user SET budget = :budget WHERE id = :userId";
+$stmt = $db->prepare($sql);
+$stmt->bindValue(':budget', $budget, SQLITE3_TEXT);
+$stmt->bindValue(':userId', $userId, SQLITE3_TEXT);
+$result = $stmt->execute();
+
+if ($result) {
+ $response = [
+ "success" => true,
+ "message" => translate('user_details_saved', $i18n)
+ ];
+ echo json_encode($response);
+} else {
+ $response = [
 "success" => false,
- "message" => translate('session_expired', $i18n)
- ]));
-}
-
-if ($_SERVER["REQUEST_METHOD"] === "POST") {
- $postData = file_get_contents("php://input");
- $data = json_decode($postData, true);
-
- $budget = $data["budget"];
-
- $sql = "UPDATE user SET budget = :budget WHERE id = :userId";
- $stmt = $db->prepare($sql);
- $stmt->bindValue(':budget', $budget, SQLITE3_TEXT);
- $stmt->bindValue(':userId', $userId, SQLITE3_TEXT);
- $result = $stmt->execute();
-
- if ($result) {
- $response = [
- "success" => true,
- "message" => translate('user_details_saved', $i18n)
- ];
- echo json_encode($response);
- } else {
- $response = [
- "success" => false,
- "message" => translate('error_updating_user_data', $i18n)
- ];
- echo json_encode($response);
- }
+ "message" => translate('error_updating_user_data', $i18n)
+ ];
+ echo json_encode($response);
 }
diff --git a/scripts/settings.js b/scripts/settings.js
index 0928c69..ba84b91 100644
--- a/scripts/settings.js
+++ b/scripts/settings.js
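Review bot: The new top-level code runs the UPDATE for any request method and never reads the `csrf_token` the client now sends; the removed `REQUEST_METHOD === "POST"` guard and `$_SESSION['loggedin']` check are not replaced by anything visible in this hunk. If those checks (and the CSRF verification the commit title refers to) now live in connect_endpoint.php, a one-line comment after the `require_once` lines, `// connect_endpoint.php enforces login, POST method and the CSRF token before this runs`, would stop the next reader from assuming they were simply dropped; if they did not move there, this endpoint is now reachable by GET without a token. Separately, `$budget = $data["budget"]` is used without checking that `json_decode` returned an array containing that key, so a malformed or empty body writes a null budget; a guard such as `if (!is_array($data) || !isset($data['budget']) || !is_numeric($data['budget'])) { die(json_encode(['success' => false, 'message' => translate('error_updating_user_data', $i18n)])); }` before the prepare would cover it, since inputvalidation.php is required on the line above but nothing in the hunk calls into it.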
@@ -29,7 +29,10 @@ function saveBudget() {
 headers: {
 'Content-Type': 'application/json'
 },
- body: JSON.stringify({ budget: budget })
+ body: JSON.stringify({
+ budget: budget,
+ csrf_token: window.csrfToken,
+ }),
 })
 .then(response => response.json())
 .then(data => {
@@ -38,15 +41,17 @@ function saveBudget() {
 } else {
 showErrorMessage(data.message);
 }
- button.disabled = false;
 })
 .catch(error => {
+ console.error(error);
 showErrorMessage(translate('unknown_error'));
+ })
+ .finally(() => {
 button.disabled = false;
 });
- }
+
 function addMemberButton(memberId) {
 document.getElementById("addMember").disabled = true;
 const url = 'endpoints/household/household.php?action=add';
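Review bot: `csrf_token: window.csrfToken` silently drops the key when `window.csrfToken` is undefined, because JSON.stringify omits undefined properties, so a page that failed to set the token sends a request with no token and the user only sees the server's generic error. Resolving the token before the fetch and failing fast avoids that: `const csrfToken = window.csrfToken; if (!csrfToken) { showErrorMessage(translate('unknown_error')); button.disabled = false; return; }`. The server-side check is not shown in this commit's budget.php hunk, so confirm it reads the token from the decoded JSON body rather than from `$_POST`, which stays empty for an application/json request. The enclosing saveBudget starts before this hunk.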
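Review bot: The second hunk removes a `}` line after `});` and adds a blank line in its place; if that brace closed `saveBudget`, the rewritten function no longer has a closing brace, whereas if it was a stray brace the change is correct — the lines outside the hunk decide which, so a quick `node --check scripts/settings.js` before merging is worth it. Moving `button.disabled = false;` into `.finally()` is the right shape, since it re-enables the button on both the success and the rejection path with a single line.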