Implement CSRF

2026-05-28 13:22:44 +02:00
parent 8092846d6f
commit fdd0ada815
14 changed files with 129 additions and 106 deletions


@@ -9,33 +9,36 @@ ob_start();
$oLoader = require __DIR__.'/../vendor/autoload.php';
use Franzz\Objects\ToolBox;
use Franzz\Objects\Main;
use Franzz\Spot\Spot;
use Franzz\Spot\User;
ToolBox::fixGlobalVars($argv ?? array());
//Available variables
$sAction = $_REQUEST['a'] ?? '';
$sTimezone = $_REQUEST['t'] ?? '';
$sName = $_GET['name'] ?? '';
$sContent = $_GET['content'] ?? '';
$iProjectId = $_REQUEST['id_project'] ?? 0 ;
$sField = $_REQUEST['field'] ?? '';
$oValue = $_REQUEST['value'] ?? '';
$iId = $_REQUEST['id'] ?? 0 ;
$sType = $_REQUEST['type'] ?? '';
$sEmail = $_REQUEST['email'] ?? '';
$sLat = $_REQUEST['latitude'] ?? '';
$sLng = $_REQUEST['longitude'] ?? '';
$iTimestamp = $_REQUEST['timestamp'] ?? 0;
$sAction = $_REQUEST['a'] ?? '';
$sTimezone = $_REQUEST['t'] ?? '';
$sName = $_REQUEST['name'] ?? '';
$sContent = $_REQUEST['content'] ?? '';
$iProjectId = Spot::validatePositiveInt($_REQUEST['id_project'] ?? 0);
$sRefId = $_REQUEST['id'] ?? 0;
$iEntityId = Spot::validatePositiveInt($_REQUEST['id'] ?? 0);
$sField = $_REQUEST['field'] ?? '';
$oValue = $_REQUEST['value'] ?? '';
$sType = $_REQUEST['type'] ?? '';
$sEmail = $_REQUEST['email'] ?? '';
$sLat = $_REQUEST['latitude'] ?? '';
$sLng = $_REQUEST['longitude'] ?? '';
$iTimestamp = Spot::validatePositiveInt($_REQUEST['timestamp'] ?? 0);
$sCsrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_POST['csrf_token'] ?? '');
//Initiate class
$oSpot = new Spot(__FILE__, $sTimezone);
$oSpot->setProjectId($iProjectId);
$sResult = '';
if($sAction!='')
$bValidRequest = $oSpot->validateMutationRequest($sAction, $sCsrfToken);
if(!$bValidRequest) $sResult = Spot::getJsonResult(false, Spot::UNAUTHORIZED);
elseif($sAction == '') $sResult = $oSpot->getAppMainPage();
else
{
switch($sAction)
{
@@ -49,10 +52,10 @@ if($sAction!='')
$sResult = $oSpot->getProjectGeoJson();
break;
case 'next_feed':
$sResult = $oSpot->getNextFeed($iId);
$sResult = $oSpot->getNextFeed($sRefId);
break;
case 'new_feed':
$sResult = $oSpot->getNewFeed($iId);
$sResult = $oSpot->getNewFeed($sRefId);
break;
case 'add_post':
$sResult = $oSpot->addPost($sName, $sContent);
@@ -64,7 +67,7 @@ if($sAction!='')
$sResult = $oSpot->unsubscribe();
break;
case 'unsubscribe_email':
$sResult = $oSpot->unsubscribeFromEmail($iId);
$sResult = $oSpot->unsubscribeFromEmail($iEntityId);
break;
case 'update_project':
$sResult = $oSpot->updateProject();
@@ -78,7 +81,7 @@ if($sAction!='')
$sResult = $oSpot->upload();
break;
case 'add_comment':
$sResult = $oSpot->addComment($iId, $sContent);
$sResult = $oSpot->addComment($iEntityId, $sContent);
break;
case 'add_position':
$sResult = $oSpot->addPosition($sLat, $sLng, $iTimestamp);
@@ -87,16 +90,13 @@ if($sAction!='')
$sResult = $oSpot->getAdminSettings();
break;
case 'admin_set':
$sResult = $oSpot->setAdminSettings($sType, $iId, $sField, $oValue);
$sResult = $oSpot->setAdminSettings($sType, $iEntityId, $sField, $oValue);
break;
case 'admin_create':
$sResult = $oSpot->createAdminSettings($sType);
break;
case 'admin_delete':
$sResult = $oSpot->deleteAdminSettings($sType, $iId);
break;
case 'generate_cron':
$sResult = $oSpot->genCronFile();
$sResult = $oSpot->deleteAdminSettings($sType, $iEntityId);
break;
case 'sql':
$sResult = $oSpot->getDbBuildScript();
@@ -105,13 +105,12 @@ if($sAction!='')
$sResult = $oSpot->buildGeoJSON($sName);
break;
default:
$sResult = Main::getJsonResult(false, Main::NOT_FOUND);
$sResult = Spot::getJsonResult(false, Spot::NOT_FOUND);
}
}
else $sResult = Main::getJsonResult(false, Main::NOT_FOUND);
else $sResult = Spot::getJsonResult(false, Spot::NOT_FOUND);
}
}
else $sResult = $oSpot->getAppMainPage();
$sDebug = ob_get_clean();
if(Settings::DEBUG && $sDebug!='') $oSpot->addUncaughtError($sDebug);
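Review bot: If the `if($sAction!='')` line that precedes the new `$bValidRequest = $oSpot->validateMutationRequest($sAction, $sCsrfToken);` survives on the new side (the rendered diff carries no marker for it), the assignment is that `if`'s only statement, so a request with no action leaves `$bValidRequest` unset, `if(!$bValidRequest)` fires before the `elseif($sAction == '')` branch is reached, and the main page is never served; the guard should be dropped so the assignment runs unconditionally, `$bValidRequest = $oSpot->validateMutationRequest($sAction, $sCsrfToken);`. Separately, `$sRefId = $_REQUEST['id'] ?? 0;` is kept raw while the neighbouring `id`, `id_project` and `timestamp` values now go through `Spot::validatePositiveInt`, and the raw value reaches `getNextFeed`/`getNewFeed` in the second hunk; if those expect a numeric id it should be validated the same way, otherwise a comment such as `// raw feed reference: validated inside getNextFeed/getNewFeed` would record why it is exempt. Every other parameter, including the action itself, is still read from `$_REQUEST`, so the token check is the only thing separating a cross-site request from a legitimate one and is adequate only if `validateMutationRequest` requires the token for every state-changing action and compares it with `hash_equals()` — both live outside this file and cannot be confirmed here. The `if`/`else` ladder opened in the first hunk closes only in the last one, so its structure is not fully visible in any single hunk.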