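<?php
require_once "../env.inc.php";
require_once "../conf.inc.php";
require_once DIR_PHP_LAYOUTS . "header.php";
secureSession::start();
require_once "../access.inc.php";
require_once DIR_PHP_LAYOUTS . "cms.session.php";

header('Content-Type: application/json');

// CSRF validation for JSON POST requests.
//
// Only the action names listed in $csrfProtectedActions are checked; any other
// action name falls straight through to get::jsonData() below. Because this is
// an allowlist of protected actions rather than a default-deny, every new
// state-changing action must be added to the list explicitly or it ships
// without CSRF protection.
//
// NOTE(review): the check only runs when REQUEST_METHOD is POST. If
// get::jsonData() also dispatches these actions for GET requests, the token
// check can be bypassed by switching the method — confirm against get::jsonData().
if ($_SERVER['REQUEST_METHOD'] === 'POST' && core::ifGet("jsonData")) {
    $jsonData = core::getGet("jsonData");

    // Sensitive actions that must carry a valid CSRF token.
    $csrfProtectedActions = [
        'user-delete',
        'document-delete',
        'event-delete',
        'salarie-delete',
        'client-update',
        'tag-update',
    ];

    // strict: true — the action name comes from the query string, so only an
    // exact string match may select a protected action.
    if (in_array($jsonData, $csrfProtectedActions, true)) {
        if (!csrf::validateHeader('cms-ajax', 'X-CSRF-Token')) {
            // $jsonData is one of the allowlisted literals at this point, so
            // logging it verbatim cannot inject attacker-controlled text.
            error_log("CSRF validation failed for JSON action: $jsonData from IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            http_response_code(403);
            // Static payload: JSON_THROW_ON_ERROR documents that a failure here
            // is a programming error, not a condition to silently ignore.
            echo json_encode([
                'success' => false,
                'error' => 'csrf_failed',
                'message' => 'Token de sécurité invalide. Veuillez recharger la page.',
            ], JSON_THROW_ON_ERROR);
            exit();
        }
    }
}

get::json();
get::jsonData();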