Better http message on not allowed access

Laurent Destailleur 2023-04-24 13:20:23 +02:00
parent ec3fcd852a
commit 6b942aed6f
2 changed files with 7 additions and 3 deletions


@ -47,7 +47,7 @@ require '../../main.inc.php';
$action = GETPOST('action'); $action = GETPOST('action');
// Security check // Security check
// None. This is public component with no effect on data. // None. This is public component with no access and effect on data.
/* /*
@ -66,4 +66,8 @@ if ($action) {
$generic = GETPOST('generic') ? true : false; $generic = GETPOST('generic') ? true : false;
echo getRandomPassword($generic); echo getRandomPassword($generic);
} }
} else {
if (GETPOST('errorcode') == 'InvalidToken') {
http_response_code(401);
}
} }
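Review bot: `http_response_code(401);` in the new `else` branch announces a missing or invalid authentication credential (a 401 is expected to come with a `WWW-Authenticate` challenge), whereas a rejected CSRF token on a component the comment itself calls public with no access is a refused request that no credential can repair — `http_response_code(403);` states that more accurately. The test on the line above uses loose `==`; `if (GETPOST('errorcode') === 'InvalidToken') {` avoids type juggling should GETPOST return something other than a string here. Because GETPOST reads request input, this branch can presumably be reached by any caller that sends `errorcode=InvalidToken`; that is harmless while it only selects a status code, but it means the branch is not evidence that the CSRF check actually fired. The `if ($action) {` that this `else` belongs to is visible only in the hunk header, so its body begins outside the hunk.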


@ -603,8 +603,6 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$savid = ((int) $_POST['id']); $savid = ((int) $_POST['id']);
} }
unset($_POST); unset($_POST);
//unset($_POST['action']); unset($_POST['massaction']);
//unset($_POST['confirm']); unset($_POST['confirmmassaction']);
unset($_GET['confirm']); unset($_GET['confirm']);
unset($_GET['action']); unset($_GET['action']);
unset($_GET['confirmmassaction']); unset($_GET['confirmmassaction']);
@ -613,6 +611,8 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
if (isset($savid)) { if (isset($savid)) {
$_POST['id'] = ((int) $savid); $_POST['id'] = ((int) $savid);
} }
// So rest of code can know something was wrong here
$_GET['errorcode'] = 'InvalidToken';
} }
// Note: There is another CSRF protection into the filefunc.inc.php // Note: There is another CSRF protection into the filefunc.inc.php
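Review bot: The marker written at `$_GET['errorcode'] = 'InvalidToken';` is stored in the same superglobal the client populates, so code reading it later (such as the status-code branch added in the other file of this commit) cannot distinguish a genuine CSRF rejection from a request that simply arrived carrying `errorcode=InvalidToken`; for choosing a response code that is cosmetic, but anything that later branches on security-relevant behaviour from this value would be trusting client input. A server-side signal the request cannot supply — for example `define('CSRF_CHECK_FAILED', true);` (name illustrative) — carries the same information tamper-proof, and the comment above it could say so explicitly: `// Flag the CSRF failure for the rest of the request; $_GET is client-writable, so do not treat this as a trusted signal`. The enclosing `if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) ...` block starts before both hunks, and the two commented-out `unset` lines dropped in the first hunk are a harmless cleanup.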