diff --git a/Web/Presenters/AdminPresenter.php b/Web/Presenters/AdminPresenter.php
index 4dea28d1..02e4086e 100644
--- a/Web/Presenters/AdminPresenter.php
+++ b/Web/Presenters/AdminPresenter.php
@@ -87,6 +87,8 @@ final class AdminPresenter extends OpenVKPresenter
     function renderQuickBan(int $id): void
     {
+        $this->assertNoCSRF();
+
         $user = $this->users->get($id);
         if(!$user)
             exit(json_encode([ "error" => "User does not exist" ]));
@@ -97,6 +99,8 @@ final class AdminPresenter extends OpenVKPresenter
     function renderQuickWarn(int $id): void
     {
+        $this->assertNoCSRF();
+
         $user = $this->users->get($id);
         if(!$user)
             exit(json_encode([ "error" => "User does not exist" ]));
diff --git a/Web/Presenters/templates/User/View.xml b/Web/Presenters/templates/User/View.xml
index f9f46276..096f7934 100644
--- a/Web/Presenters/templates/User/View.xml
+++ b/Web/Presenters/templates/User/View.xml
@@ -465,7 +465,7 @@
                 (function() {
                     res = document.querySelector("#uBanMsgInput").value;
                     xhr = new XMLHttpRequest();
-                    xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res, true);
+                    xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
                     xhr.onload = (function() {
                         if(xhr.responseText.indexOf("reason") === -1)
                             MessageBox("Ошибка", "Не удалось забанить пользователя...", ["OK"], [Function.noop]);
@@ -487,7 +487,7 @@
                 (function() {
                     res = document.querySelector("#uWarnMsgInput").value;
                     xhr = new XMLHttpRequest();
-                    xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res, true);
+                    xhr.open("GET", "/admin/warn.pl/" + {$user->getId()} + "?message=" + res + "&hash=" + {rawurlencode($csrfToken)}, true);
                     xhr.onload = (function() {
                         if(xhr.responseText.indexOf("message") === -1)
                             MessageBox("Ошибка", "Не удалось отправить предупреждение...", ["OK"], [Function.noop]);
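Review bot: The `$this->assertNoCSRF()` call added at the top of renderQuickBan() closes the CSRF hole, but both endpoints remain state-changing handlers reached over GET, with the token travelling in the query string (`hash=`, as the template hunks show), so the token lands in server access logs, proxy logs, browser history and any Referer header sent from the JSON response page. The same applies to the renderQuickWarn() hunk. Consider also requiring POST in these two handlers, e.g. `if($_SERVER["REQUEST_METHOD"] !== "POST") exit(json_encode([ "error" => "Method not allowed" ]));` right after the CSRF assertion, and moving the token into the request body on the client side. What assertNoCSRF() checks and whether an admin-permission check follows are not visible here, since the bodies of both methods continue past the hunk; a short comment such as `// CSRF check must precede any side effect on $user` above the call would make the ordering requirement explicit for the next edit.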
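Review bot: On the new xhr.open line, `res` (the raw value of `#uBanMsgInput`) is still concatenated into the URL without encoding, while the token appended right after it is rawurlencode()'d; a reason containing `#` truncates the query string and silently drops the new `hash` parameter, and `&` or `+` in the text splits or mangles the reason on the server. The second template hunk (`#uWarnMsgInput` / `warn.pl`) has the same gap. Encode the user-supplied part as well: `xhr.open("GET", "/admin/ban.pl/" + {$user->getId()} + "?reason=" + encodeURIComponent(res) + "&hash=" + {rawurlencode($csrfToken)}, true);` and likewise `encodeURIComponent(res)` for `message=` in the warn handler. Whether the template engine quotes `{rawurlencode($csrfToken)}` as a JS string literal in this `<script>` context is not visible in the hunk; if it does not, the expression would need explicit quoting.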