Security: Social: Add sec_token when denying a friend request

Fix GHSA-33gm-vrgh-m239

main/inc/ajax/social.ajax.php

@@ -43,20 +43,22 @@
             echo '';
             break;
         }
-        $relation_type = USER_RELATION_TYPE_UNKNOWN; //Contact unknown
-        if (isset($_GET['is_my_friend'])) {
-            $relation_type = USER_RELATION_TYPE_FRIEND; //my friend
-        }
-        if (isset($_GET['denied_friend_id'])) {
-            SocialManager::invitation_denied($_GET['denied_friend_id'], $current_user_id);
-            Display::addFlash(
-                Display::return_message(get_lang('InvitationDenied'), 'success')
-            );
 
-            header('Location: '.api_get_path(WEB_CODE_PATH).'social/invitations.php');
-            exit;
+        if (Security::check_token('get', null, 'invitation')) {
+            $relation_type = USER_RELATION_TYPE_UNKNOWN; //Contact unknown
+            if (isset($_GET['is_my_friend'])) {
+                $relation_type = USER_RELATION_TYPE_FRIEND; //my friend
+            }
+            if (isset($_GET['denied_friend_id'])) {
+                SocialManager::invitation_denied($_GET['denied_friend_id'], $current_user_id);
+                Display::addFlash(
+                    Display::return_message(get_lang('InvitationDenied'), 'success')
+                );
+            }
         }
-        break;
+
+        header('Location: '.api_get_path(WEB_CODE_PATH).'social/invitations.php');
+        exit;
     case 'delete_friend':
         if (api_is_anonymous()) {
             echo '';

main/social/invitations.php

@@ -145,6 +145,7 @@
             api_get_path(WEB_AJAX_PATH).'social.ajax.php?'.http_build_query([
                 'a' => 'deny_friend',
                 'denied_friend_id' => $sender_user_id,
+                'invitation_sec_token' => Security::get_token('invitation'),
             ]),
             'times',
             'danger',