diff --git a/core/user_settings/user_setting_edit.php b/core/user_settings/user_setting_edit.php index b5fbd529cf..7efb2b050e 100644 --- a/core/user_settings/user_setting_edit.php +++ b/core/user_settings/user_setting_edit.php @@ -17,7 +17,7 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2015 + Portions created by the Initial Developer are Copyright (C) 2008-2019 the Initial Developer. All Rights Reserved. Contributor(s): @@ -93,6 +93,14 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) { $user_setting_uuid = $_POST["user_setting_uuid"]; } + //validate the token + $token = new token; + if (!$token->validate($_SERVER['PHP_SELF'])) { + message::add($text['message-invalid_token'],'negative'); + header('Location: ../users/user_edit.php?id='.$user_uuid); + exit; + } + //check for all required/authorized data if (strlen($user_setting_category) == 0 || (is_array($allowed_categories) && sizeof($allowed_categories) > 0 && !in_array(strtolower($user_setting_category), $allowed_categories))) { $msg .= $text['message-required'].$text['label-category']."
\n"; } if (strlen($user_setting_subcategory) == 0) { $msg .= $text['message-required'].$text['label-subcategory']."
\n"; } @@ -330,6 +338,10 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) { unset($sql, $parameters, $row); } +//create token + $object = new token; + $token = $object->create($_SERVER['PHP_SELF']); + //show the header require_once "resources/header.php"; if ($action == "update") { @@ -700,6 +712,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) { if ($action == "update") { echo " \n"; } + echo " \n"; echo "
"; echo " \n"; echo " \n";