update

autoload/admin/App.php

@@ -43,6 +43,15 @@ class App
     $sa = \Shared\Helpers\Helpers::get( 's-action' );
     if ( !$sa ) return;
 
+    if ( $_SERVER['REQUEST_METHOD'] === 'POST' ) {
+      $csrfToken = isset( $_POST['_csrf_token'] ) ? (string) $_POST['_csrf_token'] : '';
+      if ( !\Shared\Security\CsrfToken::validate( $csrfToken ) ) {
+        \Shared\Helpers\Helpers::alert( 'Nieprawidłowy token bezpieczeństwa. Spróbuj ponownie.' );
+        header( 'Location: /admin/' );
+        exit;
+      }
+    }
+
     $domain      = preg_replace( '/^www\./', '', $_SERVER['SERVER_NAME'] );
     $cookie_name = 'admin_remember_' . str_replace( '.', '-', $domain );
     $users       = new \Domain\User\UserRepository( $mdb );
@@ -84,6 +93,7 @@ class App
             exit;
           }
 
+          \Shared\Security\CsrfToken::regenerate();
           self::finalize_admin_login( $user, $domain, $cookie_name, (bool) \Shared\Helpers\Helpers::get( 'remember' ) );
           header( 'Location: /admin/articles/list/' );
           exit;
@@ -127,6 +137,7 @@ class App
           header( 'Location: /admin/' );
           exit;
         }
+        \Shared\Security\CsrfToken::regenerate();
         self::finalize_admin_login( $user, $domain, $cookie_name, !empty( $pending['remember'] ) );
         header( 'Location: /admin/articles/list/' );
         exit;

autoload/admin/Controllers/ShopPaymentMethodController.php

@@ -184,6 +184,7 @@ class ShopPaymentMethodController
             'apilo_payment_type_id' => $paymentMethod['apilo_payment_type_id'] ?? '',
             'min_order_amount' => $paymentMethod['min_order_amount'] ?? '',
             'max_order_amount' => $paymentMethod['max_order_amount'] ?? '',
+            'is_cod' => (int)($paymentMethod['is_cod'] ?? 0),
         ];
 
         $fields = [
@@ -220,6 +221,10 @@ class ShopPaymentMethodController
                 'tab' => 'settings',
                 'options' => $apiloOptions,
             ]),
+            FormField::switch('is_cod', [
+                'label' => 'Platnosc przy odbiorze',
+                'tab' => 'settings',
+            ]),
             FormField::switch('status', [
                 'label' => 'Aktywny',
                 'tab' => 'settings',

autoload/admin/Support/Forms/FormRequestHandler.php

@@ -32,6 +32,13 @@ class FormRequestHandler
             'data' => []
         ];
 
+        // Walidacja CSRF
+        $csrfToken = isset($postData['_csrf_token']) ? (string) $postData['_csrf_token'] : '';
+        if (!\Shared\Security\CsrfToken::validate($csrfToken)) {
+            $result['errors'] = ['csrf' => 'Nieprawidłowy token bezpieczeństwa. Odśwież stronę i spróbuj ponownie.'];
+            return $result;
+        }
+
         // Walidacja
         $errors = $this->validator->validate($postData, $formViewModel->fields, $formViewModel->languages);