From bd438e4f3962668f62738c8d56eb07f9d371f0f3 Mon Sep 17 00:00:00 2001
From: Nate
Date: Thu, 19 Sep 2019 08:04:04 -0600
Subject: [PATCH] Groups: Token integration.

---
 core/groups/groupmemberadd.php | 8 ++++++++
 core/groups/groupmembers.php | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/core/groups/groupmemberadd.php b/core/groups/groupmemberadd.php
index a8294a9001..6da2c01620 100644
--- a/core/groups/groupmemberadd.php
+++ b/core/groups/groupmemberadd.php
@@ -50,6 +50,14 @@
 $group_name = $_POST["group_name"];
 $user_uuid = $_POST["user_uuid"];

+//validate the token
+ $token = new token;
+ if (!$token->validate('/core/groups/groupmembers.php')) {
+ message::add($text['message-invalid_token'],'negative');
+ header('Location: groups.php');
+ exit;
+ }
+
 //add the user to the group
 if (is_uuid($user_uuid) && is_uuid($group_uuid) && strlen($group_name) > 0) {
 $array['user_groups'][0]['user_group_uuid'] = uuid();
diff --git a/core/groups/groupmembers.php b/core/groups/groupmembers.php
index ce1ceeda43..3e37511b7d 100644
--- a/core/groups/groupmembers.php
+++ b/core/groups/groupmembers.php
@@ -109,6 +109,10 @@
 $result = $database->select($sql, $parameters, 'all');
 unset($sql, $parameters);

+//create token
+ $object = new token;
+ $token = $object->create('/core/groups/groupmembers.php');
+
 //include the header
 require_once "resources/header.php";
 $document['title'] = $text['title-group_members'];
@@ -141,6 +145,7 @@
 echo " ";
 echo " ";
 echo " ";
+ echo " \n";
 echo " ";
 echo " ";
 echo " \n";
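Review bot: A rejected token on the add-member path leaves no audit record, because the failure branch added in groupmemberadd.php only queues a user-facing message and redirects to `groups.php`. Adding a user to a group changes privileges, so a failed validation here is worth recording for detection, for example `error_log('groupmemberadd.php: invalid token from '.$_SERVER['REMOTE_ADDR']);` before the `header()` call, or the project's own logging helper if it has one. The log line should not include `$user_uuid` or `$group_name`, since at this point they are raw `$_POST` values and the `is_uuid()` check only runs further down. The script continues above and below this hunk, so where the token check sits relative to any permission check is not visible here.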
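Review bot: The key `'/core/groups/groupmembers.php'` is written as a string literal both in this `create()` call and in the `validate()` call added to groupmemberadd.php, and nothing ties the two together; if either string drifts, add-member submissions would presumably all be rejected. A comment on the create line such as `//key must match the token->validate() call in groupmemberadd.php` makes the coupling explicit. According to the diffstat this patch touches only these two files, so any other state-changing request issued from the members page (member removal, if it is offered there) is not covered and should be checked separately. The markup inside the added `echo` in the last hunk is not visible in this rendering, so how the token is emitted into the form could not be reviewed.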