remove splattered, duplicated csrf validation code

since we do that always and early, now.
2025-03-01 10:31:47 +00:00 · 2019-07-30 17:05:41 +02:00
parent f989b8060b
commit 87fe8948b8
9 changed files with 104 additions and 136 deletions
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -6,34 +6,30 @@ function DisplayAuthConfig($username, $password)
 {
    $status = new StatusMessages();
    if (isset($_POST['UpdateAdminPassword'])) {
-        if (CSRFValidate()) {
-            if (password_verify($_POST['oldpass'], $password)) {
-                $new_username=trim($_POST['username']);
-                if ($_POST['newpass'] !== $_POST['newpassagain']) {
-                    $status->addMessage('New passwords do not match', 'danger');
-                } elseif ($new_username == '') {
-                    $status->addMessage('Username must not be empty', 'danger');
-                } else {
-                    if (!file_exists(RASPI_ADMIN_DETAILS)) {
-                        $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
-                        fclose($tmpauth);
-                    }
-
-                    if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
-                        fwrite($auth_file, $new_username.PHP_EOL);
-                        fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
-                        fclose($auth_file);
-                        $username = $new_username;
-                        $status->addMessage('Admin password updated');
-                    } else {
-                        $status->addMessage('Failed to update admin password', 'danger');
-                    }
-                }
+        if (password_verify($_POST['oldpass'], $password)) {
+            $new_username=trim($_POST['username']);
+            if ($_POST['newpass'] !== $_POST['newpassagain']) {
+                $status->addMessage('New passwords do not match', 'danger');
+            } elseif ($new_username == '') {
+                $status->addMessage('Username must not be empty', 'danger');
            } else {
-                $status->addMessage('Old password does not match', 'danger');
+                if (!file_exists(RASPI_ADMIN_DETAILS)) {
+                    $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
+                    fclose($tmpauth);
+                }
+
+                if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
+                    fwrite($auth_file, $new_username.PHP_EOL);
+                    fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
+                    fclose($auth_file);
+                    $username = $new_username;
+                    $status->addMessage('Admin password updated');
+                } else {
+                    $status->addMessage('Failed to update admin password', 'danger');
+                }
            }
        } else {
-            error_log('CSRF violation');
+            $status->addMessage('Old password does not match', 'danger');
        }
    }
 ?>