Build shared-hosting news site with ad flow and themes#29
💡 Codex Review
Here are some automated review suggestions for this pull request.
admin/logout.php:

```php
<?php
require_once __DIR__ . '/../app/lib/auth.php';
admin_logout();
header('Location: ' . BASE_URL . '/admin/login.php');
```
Start session before destroying on logout
The logout handler calls admin_logout() (which only runs session_destroy()) without ever starting the session. Without session_start(), PHP ignores the destroy request and leaves the existing admin_id session cookie intact, so hitting /admin/logout.php does not actually log the user out—subsequent admin pages still see the old session. Start the session (and ideally clear session data) before destroying it to ensure logout works.
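The fix the comment above asks for, written out as an added example rather than the PR's own code: resume the session before touching it, clear the data, expire the browser's session cookie, and only then destroy the server-side record. The `BASE_URL` fallback and the helper name `admin_logout_hardened()` are assumptions for the sake of a self-contained file; the project's `auth.php` is not shown on this page.

```php
<?php
// Added example (not from the PR): a logout handler that actually invalidates the admin session.
// BASE_URL normally comes from the project's auth.php; defined here only so the file runs alone.
declare(strict_types=1);

if (!defined('BASE_URL')) {
    define('BASE_URL', ''); // assumption: the project sets this in app/lib/auth.php
}

/**
 * Destroy the current session completely.
 *
 * session_destroy() only acts on an *active* session; calling it before session_start()
 * emits a warning, returns false and leaves the client's session cookie (and the admin_id
 * stored under it) usable. So: start, wipe, expire the cookie, then destroy.
 */
function admin_logout_hardened(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop all server-side session data (admin_id, CSRF token, ...).
    $_SESSION = [];

    // Expire the session cookie in the browser so the old ID cannot be replayed.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    session_destroy();
}

admin_logout_hardened();

// 303 forces the browser to follow with a GET, regardless of how logout was requested.
header('Location: ' . BASE_URL . '/admin/login.php', true, 303);
exit;
```

The array form of `setcookie()` used here needs PHP 7.3 or newer; on older interpreters pass the individual arguments instead. A quick check that the fix works is to log in, hit `/admin/logout.php`, then request any admin page with the old cookie still set: it must redirect to the login form.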
post_delete.php:

```php
$id = (int)($_GET['id'] ?? 0);
if ($id) {
    $stmt = db()->prepare('DELETE FROM articles WHERE id=:id');
    $stmt->execute([':id'=>$id]);
}
```
Protect delete endpoint with CSRF
post_delete.php performs destructive deletion on a GET request with no CSRF validation. A logged-in admin who follows a crafted link can trigger an article delete without confirmation, bypassing the CSRF protections used elsewhere. This should be converted to a POST action guarded by csrf_verify() (and ideally removed from GET links) to prevent cross-site deletion.
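An added example, not the PR's code, of what the comment above asks for: the delete handler only honours POST, verifies a per-session CSRF token with a constant-time compare, and reads the id from the request body. The `csrf_token()` / `csrf_verify()` bodies here are illustrative stand-ins for the project's helpers, which are not shown on this page; `db()` is assumed to return a PDO connection as the original snippet implies, and the `/admin/posts.php` redirect target is a guess.

```php
<?php
// Added example (not from the PR): post_delete.php as a POST-only, CSRF-verified action.
// Assumes the project's auth check (require_once auth.php + admin login) has already run,
// and that db() returns a PDO instance. BASE_URL is defined here only for stand-alone use.
declare(strict_types=1);

if (!defined('BASE_URL')) {
    define('BASE_URL', ''); // assumption: normally set by app/lib/auth.php
}

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/** Return (creating on first use) the per-session CSRF token. Illustrative implementation. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time check of a submitted token against the session token. Illustrative. */
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

/** Markup for the list page: a form, not a link, so the browser cannot be tricked into a GET. */
function delete_form_html(int $articleId): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . BASE_URL . '/admin/post_delete.php"'
        . ' onsubmit="return confirm(\'Delete this article?\');">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="hidden" name="id" value="' . $articleId . '">'
        . '<button type="submit">Delete</button>'
        . '</form>';
}

// 1. Refuse anything but POST: <a href>, <img src> and plain navigation all become harmless.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit('Method Not Allowed');
}

// 2. Reject requests that do not carry the session's token (cross-site forms cannot read it).
if (!csrf_verify($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 3. Only then perform the destructive action, still via a prepared statement.
$id = (int)($_POST['id'] ?? 0);
if ($id > 0) {
    $stmt = db()->prepare('DELETE FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
}

header('Location: ' . BASE_URL . '/admin/posts.php', true, 303);
exit;
```

With this in place, any remaining `<a href="post_delete.php?id=...">` links in the admin templates should be replaced by `delete_form_html($id)` (or the project's equivalent); a GET to the endpoint now returns 405 instead of deleting, which is also an easy thing to assert in a smoke test.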