csfr token in List

server/list.php

@@ -1,4 +1,7 @@
 <?php
 require_once 'ui.php';
-loadtemplate('list.html', ['title' => t("Availability List",false)]);
-bdump($_SESSION);
+if(!isset($_GET["_tracy_bar"])){
+    $_SESSION["token_list"] = bin2hex(random_bytes(64));
+}
+loadtemplate('list.html', ['title' => t("Availability List",false), 'token_list' => $_SESSION['token_list']]);
+bdump($_SESSION);

server/risorse/ajax/ajax_aggiornadispo.php

@@ -2,10 +2,10 @@
 include_once '../../core.php';
 init_class();
 $user->requirelogin();
-if(isset($_POST["change_id"]) && $_POST["dispo"] == 1){
+if(isset($_POST["change_id"]) && $_POST["dispo"] == 1 && $_POST["token_list"] == $_SESSION['token_list']){
      $risultato = $database->exec("UPDATE `%PREFIX%_profiles` SET `available` = '1' WHERE `%PREFIX%_profiles`.`id` = :id;", false, [":id" => $_POST["change_id"]]);
      $user->log("Attivazione disponibilita'", $_POST["change_id"], $user->auth->getUserId(), date("d/m/Y"), date("H:i.s"));
-} else if(isset($_POST["change_id"]) && $_POST["dispo"] == 0){
+} else if(isset($_POST["change_id"]) && $_POST["dispo"] == 0 && $_POST["token_list"] == $_SESSION['token_list']){
      $risultato = $database->exec("UPDATE `%PREFIX%_profiles` SET `available` = '0' WHERE `%PREFIX%_profiles`.`id` = :id;", false, [":id" => $_POST["change_id"]]);
      $user->log("Rimozione disponibilita'", $_POST["change_id"], $user->auth->getUserId(), date("d/m/Y"), date("H:i.s"));
 }

server/templates/edit_service.html

@@ -303,9 +303,6 @@ $( ".tipi" ).val('{{ values.tipo }}');
 $('#note').val('{{ values.note }}');
 //{% endif %}
 $('form').submit(function () {
-    if(!$('#token').val().endsWith("dJN299u49")){
-      $('#token').val($('#token').val() + "");
-    }
     var progressivo_valido = /^[0-9/]{3,6}$/
     var progressivo = $('#progressivo').val();
     if(!progressivo_valido.test(progressivo)){

server/templates/edit_training.html

@@ -276,12 +276,6 @@ $.each('{{ values.personale|striptags|e("js") }}'.split(','), function( index, v
 });
 $('#note').val('{{ values.note|e("js") }}');
 //{% endif %}
-$('form').submit(function () {
-    if(!$('#token').val().endsWith("dJN299u49")){
-      $('#token').val($('#token').val() + "");
-    }
-    return true;
-});
 </script>
 {% endif %}
 {% if training.modalità == "delete" %}

server/templates/edit_user.html

@@ -250,14 +250,6 @@ textarea {
     <button type="submit">{{ 'Submit'|t }}</button>
   </div>
 </form>
-<script>
-$('form').submit(function () {
-    if(!$('#token').val().endsWith("dJN299u49")){
-      $('#token').val($('#token').val() + "");
-    }
-    return true;
-});
-</script>
 {% endif %}
 {% if modalità == "delete" %}
 <style>

server/templates/list.html

@@ -15,7 +15,8 @@
           method: "POST",
           data: {
             change_id: id,
-            dispo: 1
+            dispo: 1,
+            token_list: "{{ token_list }}"
           },
           success: function(data) {
             alert("{{ 'Thanks, %s, you have given your availability in case of alert.'|t|format(user.name) }}");
@@ -30,7 +31,8 @@
           method: "POST",
           data: {
             change_id: id,
-            dispo: 0
+            dispo: 0,
+            token_list: "{{ token_list }}"
           },
           success: function(data) {
             alert("{{ 'Thanks, %s, you have removed your availability in case of alert.'|t|format(user.name) }}");