From e8bb99752ffed6d5955de7168193c66b2ca30fa3 Mon Sep 17 00:00:00 2001
From: onli
Date: Tue, 8 Jun 2021 23:42:59 +0200
Subject: [PATCH] Fix: Deleting a user throw a token not found error message

Setting POST['serendipity']['user'] triggers the login routine. When that happens a new session is generated, and afterwards the token check fails.
---
 include/admin/users.inc.php | 6 +++---
 templates/2k11/admin/users.inc.tpl | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/admin/users.inc.php b/include/admin/users.inc.php
index ea216972..e3271620 100644
--- a/include/admin/users.inc.php
+++ b/include/admin/users.inc.php
@@ -17,7 +17,7 @@ $data = array();
 /* Delete a user */
 if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
 $data['delete_yes'] = true;
- $user = serendipity_fetchUsers($serendipity['POST']['user']);
+ $user = serendipity_fetchUsers($serendipity['POST']['userid']);
 if (($serendipity['serendipityUserlevel'] < USERLEVEL_ADMIN && $user[0]['userlevel'] >= $serendipity['serendipityUserlevel']) || !serendipity_checkPermission('adminUsersDelete')) {
 $data['no_delete_permission'] = true;
 $data['no_delete_permission_userlevel'] = false;
@@ -32,7 +32,7 @@ if (isset($_POST['DELETE_YES']) && serendipity_checkFormToken()) {
 $data['delete_permission'] = true;
 serendipity_deleteAuthor($user[0]['authorid']);
 serendipity_plugin_api::hook_event('backend_users_delete', $user[0]);
- $data['user'] = $serendipity['POST']['user'] ?? null;
+ $data['user'] = $serendipity['POST']['userid'] ?? null;
 $data['realname'] = $user[0]['realname'] ?? null;
 }
 }
@@ -77,7 +77,7 @@ if (isset($_POST['SAVE_NEW']) && serendipity_checkFormToken()) {
 continue;
 }

- if (count($_POST[$item['var']]) < 1) {
+ if (count($_POST[$item['var']] ?? []) < 1) {
 $data['no_group_selected'] = true;
 } else {
 serendipity_updateGroups($_POST[$item['var']], $serendipity['POST']['user'], false);
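Review bot: `$serendipity['POST']['userid']` goes into `serendipity_fetchUsers()` unchecked in the first hunk, and `$user[0]` then drives both the permission comparison and `serendipity_deleteAuthor()` (second hunk) without confirming that the requested account is the one that came back. The second hunk already treats the key as optional (`?? null`), so a request with a valid token but no `userid` is a case this code has to handle; how `serendipity_fetchUsers()` behaves on an empty argument is not visible here, and if it means "no filter", `$user[0]` would be an unrelated account. I would normalise and verify before the permission check: `$userid = (int)($serendipity['POST']['userid'] ?? 0);` followed by an early exit when `$userid < 1 || empty($user[0]) || (int)$user[0]['authorid'] !== $userid`. The `if` block opens in this hunk and continues past it.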
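Review bot: The `?? []` added to `count($_POST[$item['var']] ?? [])` in the third hunk only covers a missing key; a scalar submitted under that field name still reaches `count()`, which raises a `TypeError` on PHP 8, and the `else` branch hands the same raw value to `serendipity_updateGroups()`. Reading the field once and type-checking it keeps both branches consistent: `$groups = $_POST[$item['var']] ?? [];`, then `if (!is_array($groups) || count($groups) < 1) {`, and pass `$groups` to `serendipity_updateGroups()`. The enclosing loop and the `SAVE_NEW` branch begin outside the hunk.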
diff --git a/templates/2k11/admin/users.inc.tpl b/templates/2k11/admin/users.inc.tpl
index f592e82c..84d613b0 100644
--- a/templates/2k11/admin/users.inc.tpl
+++ b/templates/2k11/admin/users.inc.tpl
@@ -75,9 +75,9 @@ {else} {if $delete} - 
+ {$formToken} - +

{$CONST.MANAGE_USERS}