Token fix.

2025-08-02 20:57:26 +02:00 · 2018-07-16 12:39:32 -07:00
parent 1ad363881a
commit bac96528fc
2 changed files with 8 additions and 3 deletions
--- a/e107_admin/users.php
+++ b/e107_admin/users.php
@@ -10,6 +10,11 @@
 *
 */
 if(!empty($_POST) && !isset($_POST['e-token']))
 {
 	$_POST['e-token'] = ''; // make sure e-token hasn't been deliberately removed.
 }
 if (!defined('e107_INIT'))
 {
 	require_once("../class2.php");
@@ -149,7 +154,7 @@ JS;
 				case 'deluser':
 					if($_POST['userid'])
 					{
-						$id = $_POST['userid'];
+						$id = (int) $_POST['userid'];
 						$_POST['etrigger_delete'] = array($id => $id);
 						$user = e107::getDb()->retrieve('user', 'user_email, user_name', 'user_id='.$id);
 						$rplc_from = array('[x]', '[y]', '[z]');
@@ -960,7 +965,7 @@ class users_admin_ui extends e_admin_ui
 		$response->appendBody($frm->open('adminperms'))
 			->appendBody($prm->renderPermTable('grouped', $sysuser->getValue('perms')))
 			->appendBody($prm->renderCheckAllButtons())
-			->appendBody($prm->renderSubmitButtons())
+			->appendBody($prm->renderSubmitButtons().$frm->token())
 			->appendBody($frm->close());
 		$this->addTitle(str_replace(array('[x]', '[y]'), array($sysuser->getName(), $sysuser->getValue('email')), USRLAN_230));
--- a/e107_handlers/admin_ui.php
+++ b/e107_handlers/admin_ui.php
@@ -6682,7 +6682,7 @@ class e_admin_form_ui extends e_form
 			'table_rows' => '', // rows array (<td> tags)
 			'table_body' => '', // string body - used only if rows empty
 			'pre_triggers' => '',
-			'triggers' => array('hidden' => $this->hidden('etrigger_delete['.$ids.']', $ids), 'delete_confirm' => array(LAN_CONFDELETE, 'confirm', $ids), 'cancel' => array(LAN_CANCEL, 'cancel')),
+			'triggers' => array('hidden' => $this->hidden('etrigger_delete['.$ids.']', $ids) . $this->token(), 'delete_confirm' => array(LAN_CONFDELETE, 'confirm', $ids), 'cancel' => array(LAN_CANCEL, 'cancel')),
 		);
 		if($delcount > 1)
 		{