use the same csrf token for all the user become forms (#494)

simonLeary42 · web-flow · commit f51eef21609a · 2026-01-05T15:15:14.000-05:00
diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php
@@ -4,6 +4,7 @@
 
 use UnityWebPortal\lib\UnityHTTPD;
 use UnityWebPortal\lib\UserFlag;
+use UnityWebPortal\lib\CSRFToken;
 
 if (!$USER->getFlag(UserFlag::ADMIN)) {
     UnityHTTPD::forbidden("not an admin", "You are not an admin.");
@@ -54,6 +55,7 @@ class="filterSearch"
             "mail" => ["(not found)"]
         ]
     );
+    $csrf_token = htmlspecialchars(CSRFToken::generate());
     usort($user_attributes, fn ($a, $b) => strcmp($a["uid"][0], $b["uid"][0]));
     foreach ($user_attributes as $attributes) {
         $uid = $attributes["uid"][0];
@@ -80,10 +82,9 @@ class="filterSearch"
         }
         echo "</td>";
         echo "<td>";
-        $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
         echo "<form class='viewAsUserForm' action='' method='POST'
         onsubmit='return confirm(\"Are you sure you want to switch to the user $uid?\");'>
-        $CSRFTokenHiddenFormInput
+        <input type='hidden' name='csrf_token' value='$csrf_token'>
         <input type='hidden' name='form_type' value='viewAsUser'>
         <input type='hidden' name='uid' value='$uid'>
         <input type='submit' name='action' value='Access'>
