diff --git a/bureau/admin/menu.php b/bureau/admin/menu.php index 03ddf696..1c0a4026 100644 --- a/bureau/admin/menu.php +++ b/bureau/admin/menu.php @@ -76,7 +76,8 @@ foreach ($obj_menu as $k => $m ) { echo " \n"; if (!empty($m['links'])) { - echo ""; - if (! $m['visibility']) echo "\n"; } diff --git a/bureau/admin/tempovars.php b/bureau/admin/tempovars.php index 76fc97eb..5df5e578 100644 --- a/bureau/admin/tempovars.php +++ b/bureau/admin/tempovars.php @@ -1,12 +1,12 @@ voir commentaire en bas de la classe m_mem - +define("NOCSRF","1"); // no csrf for js-posted data require_once("../class/config.php"); -// Don't uset getfields because we could have serialised object - +// but (csrf) we check POST, not REQUEST! if ( empty($_POST['key']) || empty($_POST['val']) ) { die('1'); } diff --git a/bureau/class/config.php b/bureau/class/config.php index 27cc6508..75a0227f 100755 --- a/bureau/class/config.php +++ b/bureau/class/config.php @@ -180,15 +180,16 @@ if ((variable_get('force_https', '0', "This variable is set to 0 (default) if us // CHECK CSRF for ALL POSTS : // you MUST add csrf_get(); after ALL
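Review bot: `define("NOCSRF","1")` at the top of tempovars.php switches the new config.php exemption on for an endpoint that accepts POSTed key/val pairs, and the added comment `// but (csrf) we check POST, not REQUEST!` does not compensate for that: a cross-site form or XHR can submit a POST just as easily as a GET, so reading only `$_POST` is not a CSRF control. What a forged request can achieve depends on how the stored key/val is consumed later, which is outside this hunk, but with the exemption the browser's same-origin rules become the only barrier. Rather than exempting the endpoint, the JS caller could include the token that `csrf_get()` emits in its POST body so the normal `csrf_check()` path still applies. If the exemption has to stay, the comment should state what the stored values are later used for and why a forged write is harmless, instead of the POST/REQUEST distinction.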
in AlternC !
-if (count($_POST)) {
+
+$fatalcsrf=false;
+if (count($_POST) && !defined("NOCSRF")) {
 if (csrf_check()<=0) {
 $error=$err->errstr();
- require_once("main.php");
- exit();
+ // We will trigger the error LATER in the code => need initialization of classes
+ $fatalcsrf=true;
 }
 }
-
 /* Check the User identity (if required) */
 if (!defined('NOCHECK')) {
 if (!$mem->checkid()) {
@@ -238,3 +239,9 @@ if ((variable_get('sql_max_username_length', NULL)==NULL)||(variable_get('sql_ma
 }
 }
+
+if ($fatalcsrf) {
+ require_once("main.php");
+ exit();
+}
+
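Review bot: Between `$fatalcsrf=true;` and the deferred `require_once("main.php"); exit();` added at the end of the file (second hunk of config.php), the whole remainder of config.php now runs for a request whose CSRF token was rejected, including the `$mem->checkid()` block below, whereas previously the request stopped on the spot. Anything in that stretch that reads `$_POST` therefore acts on an unverified request; the line that flips the flag would be safer as `$fatalcsrf=true; $_POST=array();` so the submitted fields cannot be consumed before the error page is shown. The `NOCSRF` escape hatch is also undocumented where it is honoured; the comment block above (`// CHECK CSRF for ALL POSTS :`) should gain a line such as `// An endpoint may define NOCSRF before including config.php to skip this check; only do so when a forged POST cannot change state.` The `if (!defined('NOCHECK'))` block continues outside the hunk.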