Add CORS and CSRF checks to ensure unauthorized access to the backend is not possible.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2025-12-24 12:48:29 +00:00 · 2019-12-13 17:39:45 +00:00
parent 3b7e50713f
commit aa764ad22d
5 changed files with 63 additions and 48 deletions
--- a/scripts/pi-hole/js/groups-adlists.js
+++ b/scripts/pi-hole/js/groups-adlists.js
@@ -1,4 +1,6 @@
-var table, groups;
+var table;
+var groups = [];
+const token = $("#token").html();

 function showAlert(type, message)
 {
@@ -23,7 +25,7 @@ function showAlert(type, message)

 function get_groups()
 {
-    $.get("scripts/pi-hole/php/groups.php", { 'action': 'get_groups' },
+    $.post("scripts/pi-hole/php/groups.php", { 'action': 'get_groups', "token":token },
    function(data) {
        groups = data.data;
    }, "json");
@@ -52,7 +54,11 @@ $(document).ready(function() {
      });

    table = $("#adlistsTable").DataTable( {
-        "ajax": "scripts/pi-hole/php/groups.php?action=get_adlists",
+        "ajax": {
+            "url": "scripts/pi-hole/php/groups.php",
+            "data": {"action": "get_adlists", "token": token},
+            "type": "POST"
+        },
        order: [[ 1, 'asc' ]],
        columns: [
            { data: "address" },
@@ -135,7 +141,7 @@ function addAdlist()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "add_adlist", "address": address, "comment": comment},
+        data: {"action": "add_adlist", "address": address, "comment": comment, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
@@ -166,7 +172,7 @@ function editAdlist()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "edit_adlist", "id": id, "comment": comment, "status": status, "groups": groups},
+        data: {"action": "edit_adlist", "id": id, "comment": comment, "status": status, "groups": groups, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
@@ -191,7 +197,7 @@ function deleteAdlist()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "delete_adlist", "id": id},
+        data: {"action": "delete_adlist", "id": id, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
--- a/scripts/pi-hole/js/groups-clients.js
+++ b/scripts/pi-hole/js/groups-clients.js
@@ -1,4 +1,6 @@
-var table, groups;
+var table;
+var groups = [];
+const token = $("#token").html();

 function showAlert(type, message)
 {
@@ -23,7 +25,7 @@ function showAlert(type, message)

 function reload_client_suggestions()
 {
-    $.get("scripts/pi-hole/php/groups.php", { 'action': 'get_unconfigured_clients' },
+    $.post("scripts/pi-hole/php/groups.php", { 'action': 'get_unconfigured_clients', "token":token },
    function(data) {
        var sel = $("#select");
        sel.empty();
@@ -36,7 +38,7 @@ function reload_client_suggestions()

 function get_groups()
 {
-    $.get("scripts/pi-hole/php/groups.php", { 'action': 'get_groups' },
+    $.post("scripts/pi-hole/php/groups.php", { 'action': 'get_groups', "token":token },
    function(data) {
        groups = data.data;
    }, "json");
@@ -61,7 +63,11 @@ $(document).ready(function() {
      });

    table = $("#clientsTable").DataTable( {
-        "ajax": "scripts/pi-hole/php/groups.php?action=get_clients",
+        "ajax": {
+            "url": "scripts/pi-hole/php/groups.php",
+            "data": {"action": "get_clients", "token": token},
+            "type": "POST"
+        },
        order: [[ 1, 'asc' ]],
        columns: [
            { data: "ip" },
@@ -137,7 +143,7 @@ function addClient()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "add_client", "ip": ip},
+        data: {"action": "add_client", "ip": ip, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
@@ -165,7 +171,7 @@ function editClient()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "edit_client", "id": id, "groups": groups},
+        data: {"action": "edit_client", "id": id, "groups": groups, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
@@ -190,7 +196,7 @@ function deleteClient()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "delete_client", "id": id},
+        data: {"action": "delete_client", "id": id, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
--- a/scripts/pi-hole/js/groups-domains.js
+++ b/scripts/pi-hole/js/groups-domains.js
@@ -1,4 +1,6 @@
-var table, groups;
+var table;
+var groups = [];
+const token = $("#token").html();

 function showAlert(type, message)
 {
@@ -53,7 +55,11 @@ $(document).ready(function() {
      });

    table = $("#domainsTable").DataTable( {
-        "ajax": "scripts/pi-hole/php/groups.php?action=get_domains",
+        "ajax": {
+            "url": "scripts/pi-hole/php/groups.php",
+            "data": {"action": "get_domains", "token": token},
+            "type": "POST"
+        },
        order: [[ 1, 'asc' ]],
        columns: [
            { data: "domain" },
@@ -145,7 +151,7 @@ function addDomain()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "add_domain", "domain": domain, "type": type, "comment": comment},
+        data: {"action": "add_domain", "domain": domain, "type": type, "comment": comment, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
@@ -177,7 +183,7 @@ function editDomain()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "edit_domain", "id": id, "type": type, "comment": comment, "status": status, "groups": groups},
+        data: {"action": "edit_domain", "id": id, "type": type, "comment": comment, "status": status, "groups": groups, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
@@ -202,7 +208,7 @@ function deleteDomain()
        url: "scripts/pi-hole/php/groups.php",
        method: "post",
        dataType: 'json',
-        data: {"action": "delete_domain", "id": id},
+        data: {"action": "delete_domain", "id": id, "token":token},
        success: function(response) {
            if (response.success) {
                showAlert('success');
--- a/scripts/pi-hole/js/groups.js
+++ b/scripts/pi-hole/js/groups.js
@@ -1,4 +1,5 @@
 var table;
+const token = $("#token").html();

 function showAlert(type, message)
 {
@@ -26,7 +27,11 @@ $(document).ready(function() {
    $('#btnAdd').on('click', addGroup);

    table = $("#groupsTable").DataTable( {
-        "ajax": "scripts/pi-hole/php/groups.php?action=get_groups",
+        "ajax": {
+            "url": "scripts/pi-hole/php/groups.php",
+            "data": {"action": "get_groups", "token": token},
+            "type": "POST"
+        },
        order: [[ 1, 'asc' ]],
        columns: [
            { data: "id", width: "60px" },