ajax.php ACE security patch

public/ajax.php

@@ -6,6 +6,29 @@ loggedinorreturn();
 $action = $_POST['action'] ?? 'noAction';
 $params = $_POST['params'] ?? [];
 
+const ALLOWED_ACTION = [
+    'toggleUserMedalStatus',
+    'attendanceRetroactive',
+    'getPtGen',
+    'addClaim',
+    'removeClaim',
+    'removeUserLeechWarn',
+    'getOffer',
+    'approvalModal',
+    'approval',
+    'addSeedBoxRecord',
+    'removeSeedBoxRecord',
+    'removeHitAndRun',
+    'consumeBenefit',
+    'clearShoutBox',
+    'buyMedal',
+    'giftMedal',
+    'saveUserMedal',
+];
+if(!in_array($action,ALLOWED_ACTION)){
+    do_log('hack attempt '.print_r($CURUSER,true),'error');
+    $action = 'noAction';
+}
 function noAction()
 {
     throw new \RuntimeException("no Action");
@@ -13,6 +36,7 @@ function noAction()
 
 
 try {
+    if(!isset($CURUSER))throw new \RuntimeException('Permission Denied');
     $result = call_user_func($action, $params);
     exit(json_encode(success($result)));
 } catch (\Throwable $exception) {