csrf-proofing for extensions
This commit is contained in:
Shish
parent
6cd53fed8a
commit
18403a3fa6
@ -52,7 +52,7 @@ class AdminPage implements Extension {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(($event instanceof PageRequestEvent) && $event->page_matches("admin_utils")) {
|
if(($event instanceof PageRequestEvent) && $event->page_matches("admin_utils")) {
|
||||||
if($user->is_admin()) {
|
if($user->is_admin() && $user->check_auth_token()) {
|
||||||
log_info("admin", "Util: {$_POST['action']}");
|
log_info("admin", "Util: {$_POST['action']}");
|
||||||
set_time_limit(0);
|
set_time_limit(0);
|
||||||
$redirect = false;
|
$redirect = false;
|
||||||
|
|||||||
@ -17,8 +17,11 @@ class AdminPageTheme extends Themelet {
|
|||||||
* 'purge unused tags'
|
* 'purge unused tags'
|
||||||
*/
|
*/
|
||||||
public function display_form(Page $page) {
|
public function display_form(Page $page) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
$html = "
|
$html = "
|
||||||
<p><form action='".make_link("admin_utils")."' method='POST'>
|
<p><form action='".make_link("admin_utils")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<select name='action'>
|
<select name='action'>
|
||||||
<option value='lowercase all tags'>All tags to lowercase</option>
|
<option value='lowercase all tags'>All tags to lowercase</option>
|
||||||
<option value='recount tag use'>Recount tag use</option>
|
<option value='recount tag use'>Recount tag use</option>
|
||||||
|
|||||||
@ -58,13 +58,13 @@ class Blotter extends SimpleExtension {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
public function onPageRequest(Event $event) {
|
public function onPageRequest(Event $event) {
|
||||||
|
global $page, $database, $user;
|
||||||
if($event->page_matches("blotter")) {
|
if($event->page_matches("blotter")) {
|
||||||
switch($event->get_arg(0)) {
|
switch($event->get_arg(0)) {
|
||||||
case "editor":
|
case "editor":
|
||||||
/**
|
/**
|
||||||
* Displays the blotter editor.
|
* Displays the blotter editor.
|
||||||
*/
|
*/
|
||||||
global $page, $database, $user;
|
|
||||||
if(!$user->is_admin()) {
|
if(!$user->is_admin()) {
|
||||||
$this->theme->display_permission_denied($page);
|
$this->theme->display_permission_denied($page);
|
||||||
} else {
|
} else {
|
||||||
@ -76,8 +76,7 @@ class Blotter extends SimpleExtension {
|
|||||||
/**
|
/**
|
||||||
* Adds an entry
|
* Adds an entry
|
||||||
*/
|
*/
|
||||||
global $page, $database, $user;
|
if(!$user->is_admin() || !$user->check_auth_token()) {
|
||||||
if(!$user->is_admin()) {
|
|
||||||
$this->theme->display_permission_denied($page);
|
$this->theme->display_permission_denied($page);
|
||||||
} else {
|
} else {
|
||||||
$entry_text = $_POST['entry_text'];
|
$entry_text = $_POST['entry_text'];
|
||||||
@ -95,8 +94,7 @@ class Blotter extends SimpleExtension {
|
|||||||
/**
|
/**
|
||||||
* Removes an entry
|
* Removes an entry
|
||||||
*/
|
*/
|
||||||
global $page, $database, $user;
|
if(!$user->is_admin() || !$user->check_auth_token()) {
|
||||||
if(!$user->is_admin()) {
|
|
||||||
$this->theme->display_permission_denied($page);
|
$this->theme->display_permission_denied($page);
|
||||||
} else {
|
} else {
|
||||||
$id = int_escape($_POST['id']);
|
$id = int_escape($_POST['id']);
|
||||||
@ -111,7 +109,6 @@ class Blotter extends SimpleExtension {
|
|||||||
/**
|
/**
|
||||||
* Displays all blotter entries
|
* Displays all blotter entries
|
||||||
*/
|
*/
|
||||||
global $database, $user;
|
|
||||||
$entries = $database->get_all("SELECT * FROM blotter ORDER BY id DESC");
|
$entries = $database->get_all("SELECT * FROM blotter ORDER BY id DESC");
|
||||||
$this->theme->display_blotter_page($entries);
|
$this->theme->display_blotter_page($entries);
|
||||||
break;
|
break;
|
||||||
|
|||||||
@ -28,6 +28,8 @@ class BlotterTheme extends Themelet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private function get_html_for_blotter_editor($entries) {
|
private function get_html_for_blotter_editor($entries) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Long function name, but at least I won't confuse it with something else ^_^
|
* Long function name, but at least I won't confuse it with something else ^_^
|
||||||
*/
|
*/
|
||||||
@ -44,6 +46,7 @@ class BlotterTheme extends Themelet {
|
|||||||
$add_new = "
|
$add_new = "
|
||||||
<tr class='even'>
|
<tr class='even'>
|
||||||
<form action='".make_link("blotter/add")."' method='POST'>
|
<form action='".make_link("blotter/add")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<td colspan='2'><textarea style='text-align:left;' name='entry_text' rows='2' /></textarea></td>
|
<td colspan='2'><textarea style='text-align:left;' name='entry_text' rows='2' /></textarea></td>
|
||||||
<td><input type='checkbox' name='important' /></td>
|
<td><input type='checkbox' name='important' /></td>
|
||||||
<td><input type='submit' value='Add'></td>
|
<td><input type='submit' value='Add'></td>
|
||||||
@ -72,6 +75,7 @@ class BlotterTheme extends Themelet {
|
|||||||
<td>$entry_text</td>
|
<td>$entry_text</td>
|
||||||
<td>$important</td>
|
<td>$important</td>
|
||||||
<td><form name='remove$id' method='post' action='".make_link("blotter/remove")."'>
|
<td><form name='remove$id' method='post' action='".make_link("blotter/remove")."'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='hidden' name='id' value='$id' />
|
<input type='hidden' name='id' value='$id' />
|
||||||
<input type='submit' style='width: 100%;' value='Remove' />
|
<input type='submit' style='width: 100%;' value='Remove' />
|
||||||
</form>
|
</form>
|
||||||
|
|||||||
@ -18,9 +18,8 @@ class BulkAdd extends SimpleExtension {
|
|||||||
public function onPageRequest($event) {
|
public function onPageRequest($event) {
|
||||||
global $page, $user;
|
global $page, $user;
|
||||||
if($event->page_matches("bulk_add")) {
|
if($event->page_matches("bulk_add")) {
|
||||||
if($user->is_admin() && isset($_POST['dir'])) {
|
if($user->is_admin() && $user->check_auth_token() && isset($_POST['dir'])) {
|
||||||
set_time_limit(0);
|
set_time_limit(0);
|
||||||
|
|
||||||
$this->add_dir($_POST['dir']);
|
$this->add_dir($_POST['dir']);
|
||||||
$this->theme->display_upload_results($page);
|
$this->theme->display_upload_results($page);
|
||||||
}
|
}
|
||||||
@ -28,8 +27,7 @@ class BulkAdd extends SimpleExtension {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public function onAdminBuilding($event) {
|
public function onAdminBuilding($event) {
|
||||||
global $page;
|
$this->theme->display_admin_block();
|
||||||
$this->theme->display_admin_block($page);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -20,7 +20,8 @@ class BulkAddTheme extends Themelet {
|
|||||||
* links to bulk_add with POST[dir] set to the name of a server-side
|
* links to bulk_add with POST[dir] set to the name of a server-side
|
||||||
* directory full of images
|
* directory full of images
|
||||||
*/
|
*/
|
||||||
public function display_admin_block(Page $page) {
|
public function display_admin_block() {
|
||||||
|
global $page, $user;
|
||||||
$html = "
|
$html = "
|
||||||
Add a folder full of images; any subfolders will have their names
|
Add a folder full of images; any subfolders will have their names
|
||||||
used as tags for the images within.
|
used as tags for the images within.
|
||||||
@ -28,6 +29,7 @@ class BulkAddTheme extends Themelet {
|
|||||||
upload via FTP or something first.
|
upload via FTP or something first.
|
||||||
|
|
||||||
<p><form action='".make_link("bulk_add")."' method='POST'>
|
<p><form action='".make_link("bulk_add")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
Directory to add: <input type='text' name='dir' size='40'>
|
Directory to add: <input type='text' name='dir' size='40'>
|
||||||
<input type='submit' value='Add'>
|
<input type='submit' value='Add'>
|
||||||
</form>
|
</form>
|
||||||
|
|||||||
@ -57,7 +57,7 @@ class Favorites extends SimpleExtension {
|
|||||||
|
|
||||||
public function onPageRequest($event) {
|
public function onPageRequest($event) {
|
||||||
global $page, $user;
|
global $page, $user;
|
||||||
if($event->page_matches("change_favorite") && !$user->is_anonymous()) {
|
if($event->page_matches("change_favorite") && !$user->is_anonymous() && $user->check_auth_token()) {
|
||||||
$image_id = int_escape($_POST['image_id']);
|
$image_id = int_escape($_POST['image_id']);
|
||||||
if((($_POST['favorite_action'] == "set") || ($_POST['favorite_action'] == "unset")) && ($image_id > 0)) {
|
if((($_POST['favorite_action'] == "set") || ($_POST['favorite_action'] == "unset")) && ($image_id > 0)) {
|
||||||
send_event(new FavoriteSetEvent($image_id, $user, ($_POST['favorite_action'] == "set")));
|
send_event(new FavoriteSetEvent($image_id, $user, ($_POST['favorite_action'] == "set")));
|
||||||
|
|||||||
@ -5,22 +5,15 @@ class FavoritesTheme extends Themelet {
|
|||||||
global $page, $user;
|
global $page, $user;
|
||||||
|
|
||||||
$i_image_id = int_escape($image->id);
|
$i_image_id = int_escape($image->id);
|
||||||
if(!$is_favorited) {
|
$name = $is_favorited ? "unset" : "set";
|
||||||
$html = "<form action='".make_link("change_favorite")."' method='POST'>
|
$label = $is_favorited ? "Un-Favorite" : "Favorite";
|
||||||
<input type='hidden' name='image_id' value='$i_image_id'>
|
$html = "<form action='".make_link("change_favorite")."' method='POST'>
|
||||||
<input type='hidden' name='favorite_action' value='set'>
|
".$user->get_auth_html()."
|
||||||
<input type='submit' value='Favorite'>
|
<input type='hidden' name='image_id' value='$i_image_id'>
|
||||||
</form>
|
<input type='hidden' name='favorite_action' value='$name'>
|
||||||
";
|
<input type='submit' value='$label'>
|
||||||
}
|
</form>
|
||||||
else {
|
";
|
||||||
$html = "<form action='".make_link("change_favorite")."' method='POST'>
|
|
||||||
<input type='hidden' name='image_id' value='$i_image_id'>
|
|
||||||
<input type='hidden' name='favorite_action' value='unset'>
|
|
||||||
<input type='submit' value='Un-Favorite'>
|
|
||||||
</form>
|
|
||||||
";
|
|
||||||
}
|
|
||||||
|
|
||||||
return $html;
|
return $html;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -27,7 +27,7 @@ class Featured extends SimpleExtension {
|
|||||||
public function onPageRequest($event) {
|
public function onPageRequest($event) {
|
||||||
global $config, $page, $user;
|
global $config, $page, $user;
|
||||||
if($event->page_matches("featured_image")) {
|
if($event->page_matches("featured_image")) {
|
||||||
if($event->get_arg(0) == "set") {
|
if($event->get_arg(0) == "set" && $user->check_auth_token()) {
|
||||||
if($user->is_admin() && isset($_POST['image_id'])) {
|
if($user->is_admin() && isset($_POST['image_id'])) {
|
||||||
$id = int_escape($_POST['image_id']);
|
$id = int_escape($_POST['image_id']);
|
||||||
if($id > 0) {
|
if($id > 0) {
|
||||||
|
|||||||
@ -9,8 +9,10 @@ class FeaturedTheme extends Themelet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public function get_buttons_html($image_id) {
|
public function get_buttons_html($image_id) {
|
||||||
|
global $user;
|
||||||
return "
|
return "
|
||||||
<form action='".make_link("featured_image/set")."' method='POST'>
|
<form action='".make_link("featured_image/set")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='hidden' name='image_id' value='$image_id'>
|
<input type='hidden' name='image_id' value='$image_id'>
|
||||||
<input type='submit' value='Feature This'>
|
<input type='submit' value='Feature This'>
|
||||||
</form>
|
</form>
|
||||||
|
|||||||
@ -51,7 +51,7 @@ class IPBan implements Extension {
|
|||||||
|
|
||||||
if(($event instanceof PageRequestEvent) && $event->page_matches("ip_ban")) {
|
if(($event instanceof PageRequestEvent) && $event->page_matches("ip_ban")) {
|
||||||
if($user->is_admin()) {
|
if($user->is_admin()) {
|
||||||
if($event->get_arg(0) == "add") {
|
if($event->get_arg(0) == "add" && $user->check_auth_token()) {
|
||||||
if(isset($_POST['ip']) && isset($_POST['reason']) && isset($_POST['end'])) {
|
if(isset($_POST['ip']) && isset($_POST['reason']) && isset($_POST['end'])) {
|
||||||
if(empty($_POST['end'])) $end = null;
|
if(empty($_POST['end'])) $end = null;
|
||||||
else $end = $_POST['end'];
|
else $end = $_POST['end'];
|
||||||
@ -61,7 +61,7 @@ class IPBan implements Extension {
|
|||||||
$page->set_redirect(make_link("ip_ban/list"));
|
$page->set_redirect(make_link("ip_ban/list"));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if($event->get_arg(0) == "remove") {
|
else if($event->get_arg(0) == "remove" && $user->check_auth_token()) {
|
||||||
if(isset($_POST['id'])) {
|
if(isset($_POST['id'])) {
|
||||||
send_event(new RemoveIPBanEvent($_POST['id']));
|
send_event(new RemoveIPBanEvent($_POST['id']));
|
||||||
$page->set_mode("redirect");
|
$page->set_mode("redirect");
|
||||||
|
|||||||
@ -28,6 +28,7 @@ class IPBanTheme extends Themelet {
|
|||||||
<td width='15%'>{$end_human}</td>
|
<td width='15%'>{$end_human}</td>
|
||||||
<td width='10%'>
|
<td width='10%'>
|
||||||
<form action='".make_link("ip_ban/remove")."' method='POST'>
|
<form action='".make_link("ip_ban/remove")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='hidden' name='id' value='{$ban[$prefix.'id']}'>
|
<input type='hidden' name='id' value='{$ban[$prefix.'id']}'>
|
||||||
<input type='submit' value='Remove'>
|
<input type='submit' value='Remove'>
|
||||||
</form>
|
</form>
|
||||||
@ -47,6 +48,7 @@ class IPBanTheme extends Themelet {
|
|||||||
$h_bans
|
$h_bans
|
||||||
<tfoot><tr>
|
<tfoot><tr>
|
||||||
<form action='".make_link("ip_ban/add")."' method='POST'>
|
<form action='".make_link("ip_ban/add")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<td><input type='text' name='ip'></td>
|
<td><input type='text' name='ip'></td>
|
||||||
<td><input type='text' name='reason'></td>
|
<td><input type='text' name='reason'></td>
|
||||||
<td>{$user->name}</td>
|
<td>{$user->name}</td>
|
||||||
|
|||||||
@ -39,7 +39,7 @@ class NumericScore implements Extension {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(($event instanceof PageRequestEvent) && $event->page_matches("numeric_score_vote")) {
|
if(($event instanceof PageRequestEvent) && $event->page_matches("numeric_score_vote") && $user->check_auth_token()) {
|
||||||
if(!$user->is_anonymous()) {
|
if(!$user->is_anonymous()) {
|
||||||
$image_id = int_escape($_POST['image_id']);
|
$image_id = int_escape($_POST['image_id']);
|
||||||
$char = $_POST['vote'];
|
$char = $_POST['vote'];
|
||||||
|
|||||||
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
class NumericScoreTheme extends Themelet {
|
class NumericScoreTheme extends Themelet {
|
||||||
public function get_voter_html(Image $image) {
|
public function get_voter_html(Image $image) {
|
||||||
|
global $user;
|
||||||
$i_image_id = int_escape($image->id);
|
$i_image_id = int_escape($image->id);
|
||||||
$i_score = int_escape($image->numeric_score);
|
$i_score = int_escape($image->numeric_score);
|
||||||
|
|
||||||
@ -9,18 +10,21 @@ class NumericScoreTheme extends Themelet {
|
|||||||
Current Score: $i_score
|
Current Score: $i_score
|
||||||
|
|
||||||
<p><form action='".make_link("numeric_score_vote")."' method='POST'>
|
<p><form action='".make_link("numeric_score_vote")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='hidden' name='image_id' value='$i_image_id'>
|
<input type='hidden' name='image_id' value='$i_image_id'>
|
||||||
<input type='hidden' name='vote' value='up'>
|
<input type='hidden' name='vote' value='up'>
|
||||||
<input type='submit' value='Vote Up'>
|
<input type='submit' value='Vote Up'>
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
<form action='".make_link("numeric_score_vote")."' method='POST'>
|
<form action='".make_link("numeric_score_vote")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='hidden' name='image_id' value='$i_image_id'>
|
<input type='hidden' name='image_id' value='$i_image_id'>
|
||||||
<input type='hidden' name='vote' value='null'>
|
<input type='hidden' name='vote' value='null'>
|
||||||
<input type='submit' value='Remove Vote'>
|
<input type='submit' value='Remove Vote'>
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
<form action='".make_link("numeric_score_vote")."' method='POST'>
|
<form action='".make_link("numeric_score_vote")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='hidden' name='image_id' value='$i_image_id'>
|
<input type='hidden' name='image_id' value='$i_image_id'>
|
||||||
<input type='hidden' name='vote' value='down'>
|
<input type='hidden' name='vote' value='down'>
|
||||||
<input type='submit' value='Vote Down'>
|
<input type='submit' value='Vote Down'>
|
||||||
|
|||||||
@ -107,29 +107,30 @@ class PrivMsg extends SimpleExtension {
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case "delete":
|
case "delete":
|
||||||
$pm_id = int_escape($event->get_arg(1));
|
if($user->check_auth_token()) {
|
||||||
$pm = $database->get_row("SELECT * FROM private_message WHERE id = ?", array($pm_id));
|
$pm_id = int_escape($_POST["pm_id"]);
|
||||||
if(is_null($pm)) {
|
$pm = $database->get_row("SELECT * FROM private_message WHERE id = ?", array($pm_id));
|
||||||
$this->theme->display_error($page, "No such PM", "There is no PM #$pm_id");
|
if(is_null($pm)) {
|
||||||
}
|
$this->theme->display_error($page, "No such PM", "There is no PM #$pm_id");
|
||||||
else if(($pm["to_id"] == $user->id) || $user->is_admin()) {
|
}
|
||||||
$database->execute("DELETE FROM private_message WHERE id = ?", array($pm_id));
|
else if(($pm["to_id"] == $user->id) || $user->is_admin()) {
|
||||||
log_info("pm", "Deleted PM #$pm_id");
|
$database->execute("DELETE FROM private_message WHERE id = ?", array($pm_id));
|
||||||
$page->set_mode("redirect");
|
log_info("pm", "Deleted PM #$pm_id");
|
||||||
$page->set_redirect($_SERVER["HTTP_REFERER"]);
|
$page->set_mode("redirect");
|
||||||
}
|
$page->set_redirect($_SERVER["HTTP_REFERER"]);
|
||||||
else {
|
}
|
||||||
// permission denied
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case "send":
|
case "send":
|
||||||
$to_id = int_escape($_POST["to_id"]);
|
if($user->check_auth_token()) {
|
||||||
$from_id = $user->id;
|
$to_id = int_escape($_POST["to_id"]);
|
||||||
$subject = $_POST["subject"];
|
$from_id = $user->id;
|
||||||
$message = $_POST["message"];
|
$subject = $_POST["subject"];
|
||||||
send_event(new SendPMEvent(new PM($from_id, $_SERVER["REMOTE_ADDR"], $to_id, $subject, $message)));
|
$message = $_POST["message"];
|
||||||
$page->set_mode("redirect");
|
send_event(new SendPMEvent(new PM($from_id, $_SERVER["REMOTE_ADDR"], $to_id, $subject, $message)));
|
||||||
$page->set_redirect($_SERVER["HTTP_REFERER"]);
|
$page->set_mode("redirect");
|
||||||
|
$page->set_redirect($_SERVER["HTTP_REFERER"]);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
$this->theme->display_error($page, "Invalid action", "That's not something you can do with a PM");
|
$this->theme->display_error($page, "Invalid action", "That's not something you can do with a PM");
|
||||||
|
|||||||
@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
class PrivMsgTheme extends Themelet {
|
class PrivMsgTheme extends Themelet {
|
||||||
public function display_pms(Page $page, $pms) {
|
public function display_pms(Page $page, $pms) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
$html = "
|
$html = "
|
||||||
<script>
|
<script>
|
||||||
$(document).ready(function() {
|
$(document).ready(function() {
|
||||||
@ -20,13 +22,14 @@ class PrivMsgTheme extends Themelet {
|
|||||||
$h_from = html_escape($from_name);
|
$h_from = html_escape($from_name);
|
||||||
$from_url = make_link("user/".url_escape($from_name));
|
$from_url = make_link("user/".url_escape($from_name));
|
||||||
$pm_url = make_link("pm/read/".$pm->id);
|
$pm_url = make_link("pm/read/".$pm->id);
|
||||||
$del_url = make_link("pm/delete/".$pm->id);
|
$del_url = make_link("pm/delete");
|
||||||
$h_date = html_escape($pm->sent_date);
|
$h_date = html_escape($pm->sent_date);
|
||||||
if($pm->is_read) $h_subject = "<b>$h_subject</b>";
|
if($pm->is_read) $h_subject = "<b>$h_subject</b>";
|
||||||
$html .= "<tr class='$oe'><td><a href='$pm_url'>$h_subject</a></td>
|
$html .= "<tr class='$oe'><td><a href='$pm_url'>$h_subject</a></td>
|
||||||
<td><a href='$from_url'>$h_from</a></td><td>$h_date</td>
|
<td><a href='$from_url'>$h_from</a></td><td>$h_date</td>
|
||||||
<td><form action='$del_url'>
|
<td><form action='$del_url' method='POST'>
|
||||||
<input type='hidden' name='q' value='/pm/delete/{$pm->id}'>
|
<input type='hidden' name='pm_id' value='{$pm->id}'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='submit' value='Delete'>
|
<input type='submit' value='Delete'>
|
||||||
</form></td></tr>";
|
</form></td></tr>";
|
||||||
}
|
}
|
||||||
@ -41,8 +44,10 @@ class PrivMsgTheme extends Themelet {
|
|||||||
$post_url = make_link("pm/send");
|
$post_url = make_link("pm/send");
|
||||||
$h_subject = html_escape($subject);
|
$h_subject = html_escape($subject);
|
||||||
$to_id = $to->id;
|
$to_id = $to->id;
|
||||||
|
$auth = $user->get_auth_html();
|
||||||
$html = <<<EOD
|
$html = <<<EOD
|
||||||
<form action="$post_url" method="POST">
|
<form action="$post_url" method="POST">
|
||||||
|
$auth
|
||||||
<input type="hidden" name="to_id" value="$to_id">
|
<input type="hidden" name="to_id" value="$to_id">
|
||||||
<table style="width: 400px;">
|
<table style="width: 400px;">
|
||||||
<tr><td>Subject:</td><td><input type="text" name="subject" value="$h_subject"></td></tr>
|
<tr><td>Subject:</td><td><input type="text" name="subject" value="$h_subject"></td></tr>
|
||||||
|
|||||||
@ -36,52 +36,33 @@ class Tips extends SimpleExtension {
|
|||||||
|
|
||||||
$this->getTip();
|
$this->getTip();
|
||||||
|
|
||||||
if($event->page_matches("tips")) {
|
if($event->page_matches("tips") && $user->is_admin()) {
|
||||||
switch($event->get_arg(0)) {
|
switch($event->get_arg(0)) {
|
||||||
case "list":
|
case "list":
|
||||||
{
|
$this->manageTips();
|
||||||
if($user->is_admin()) {
|
$this->getAll();
|
||||||
$this->manageTips();
|
|
||||||
$this->getAll();
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
case "new":
|
|
||||||
{
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
case "save":
|
case "save":
|
||||||
{
|
if($user->check_auth_token()) {
|
||||||
if($user->is_admin()) {
|
|
||||||
$this->saveTip();
|
$this->saveTip();
|
||||||
|
|
||||||
$page->set_mode("redirect");
|
$page->set_mode("redirect");
|
||||||
$page->set_redirect(make_link("tips/list"));
|
$page->set_redirect(make_link("tips/list"));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
case "status":
|
case "status":
|
||||||
{
|
// FIXME: HTTP GET CSRF
|
||||||
if($user->is_admin()) {
|
$tipID = int_escape($event->get_arg(1));
|
||||||
$tipID = int_escape($event->get_arg(1));
|
$this->setStatus($tipID);
|
||||||
$this->setStatus($tipID);
|
$page->set_mode("redirect");
|
||||||
|
$page->set_redirect(make_link("tips/list"));
|
||||||
$page->set_mode("redirect");
|
|
||||||
$page->set_redirect(make_link("tips/list"));
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
case "delete":
|
case "delete":
|
||||||
{
|
// FIXME: HTTP GET CSRF
|
||||||
if($user->is_admin()) {
|
$tipID = int_escape($event->get_arg(1));
|
||||||
$tipID = int_escape($event->get_arg(1));
|
$this->deleteTip($tipID);
|
||||||
$this->deleteTip($tipID);
|
$page->set_mode("redirect");
|
||||||
|
$page->set_redirect(make_link("tips/list"));
|
||||||
$page->set_mode("redirect");
|
|
||||||
$page->set_redirect(make_link("tips/list"));
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
class TipsTheme extends Themelet {
|
class TipsTheme extends Themelet {
|
||||||
public function manageTips($url, $images) {
|
public function manageTips($url, $images) {
|
||||||
global $page;
|
global $page, $user;
|
||||||
$select = "<select name='image'><option value=''>- Select Image -</option>";
|
$select = "<select name='image'><option value=''>- Select Image -</option>";
|
||||||
|
|
||||||
foreach($images as $image){
|
foreach($images as $image){
|
||||||
@ -12,6 +12,7 @@ class TipsTheme extends Themelet {
|
|||||||
|
|
||||||
$html = "
|
$html = "
|
||||||
<form action='".make_link("tips/save")."' method='POST'>
|
<form action='".make_link("tips/save")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<td>Enable:</td>
|
<td>Enable:</td>
|
||||||
|
|||||||
@ -91,7 +91,7 @@ class ExtManager extends SimpleExtension {
|
|||||||
global $page, $user;
|
global $page, $user;
|
||||||
if($event->page_matches("ext_manager")) {
|
if($event->page_matches("ext_manager")) {
|
||||||
if($user->is_admin()) {
|
if($user->is_admin()) {
|
||||||
if($event->get_arg(0) == "set") {
|
if($event->get_arg(0) == "set" && $user->check_auth_token()) {
|
||||||
if(is_writable("ext")) {
|
if(is_writable("ext")) {
|
||||||
$this->set_things($_POST);
|
$this->set_things($_POST);
|
||||||
$page->set_mode("redirect");
|
$page->set_mode("redirect");
|
||||||
|
|||||||
@ -2,9 +2,11 @@
|
|||||||
|
|
||||||
class ExtManagerTheme extends Themelet {
|
class ExtManagerTheme extends Themelet {
|
||||||
public function display_table(Page $page, $extensions, $editable) {
|
public function display_table(Page $page, $extensions, $editable) {
|
||||||
|
global $user;
|
||||||
$en = $editable ? "<th>Enabled</th>" : "";
|
$en = $editable ? "<th>Enabled</th>" : "";
|
||||||
$html = "
|
$html = "
|
||||||
<form action='".make_link("ext_manager/set")."' method='POST'>
|
<form action='".make_link("ext_manager/set")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<script>
|
<script>
|
||||||
$(document).ready(function() {
|
$(document).ready(function() {
|
||||||
$(\"#extensions\").tablesorter();
|
$(\"#extensions\").tablesorter();
|
||||||
@ -53,6 +55,7 @@ class ExtManagerTheme extends Themelet {
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
public function display_blocks(Page $page, $extensions) {
|
public function display_blocks(Page $page, $extensions) {
|
||||||
|
global $user;
|
||||||
$n = 0;
|
$n = 0;
|
||||||
$col_1 = "";
|
$col_1 = "";
|
||||||
$col_2 = "";
|
$col_2 = "";
|
||||||
@ -94,6 +97,7 @@ class ExtManagerTheme extends Themelet {
|
|||||||
}
|
}
|
||||||
$html = "
|
$html = "
|
||||||
<form action='".make_link("ext_manager/set")."' method='POST'>
|
<form action='".make_link("ext_manager/set")."' method='POST'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<table border='0'>
|
<table border='0'>
|
||||||
<tr><td width='50%'>$col_1</td><td>$col_2</td></tr>
|
<tr><td width='50%'>$col_1</td><td>$col_2</td></tr>
|
||||||
<tr><td colspan='2'><input type='submit' value='Set Extensions'></td></tr>
|
<tr><td colspan='2'><input type='submit' value='Set Extensions'></td></tr>
|
||||||
|
|||||||
@ -119,7 +119,7 @@ class ImageIO extends SimpleExtension {
|
|||||||
}
|
}
|
||||||
if($event->page_matches("image_admin/delete")) {
|
if($event->page_matches("image_admin/delete")) {
|
||||||
global $page, $user;
|
global $page, $user;
|
||||||
if($user->is_admin() && isset($_POST['image_id'])) {
|
if($user->is_admin() && isset($_POST['image_id']) && $user->check_auth_token()) {
|
||||||
$image = Image::by_id($_POST['image_id']);
|
$image = Image::by_id($_POST['image_id']);
|
||||||
if($image) {
|
if($image) {
|
||||||
send_event(new ImageDeletionEvent($image));
|
send_event(new ImageDeletionEvent($image));
|
||||||
|
|||||||
@ -6,10 +6,13 @@ class ImageIOTheme {
|
|||||||
* $image_id = the image to delete
|
* $image_id = the image to delete
|
||||||
*/
|
*/
|
||||||
public function get_deleter_html($image_id) {
|
public function get_deleter_html($image_id) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
$i_image_id = int_escape($image_id);
|
$i_image_id = int_escape($image_id);
|
||||||
$html = "
|
$html = "
|
||||||
<form action='".make_link("image_admin/delete")."' method='POST'>
|
<form action='".make_link("image_admin/delete")."' method='POST'>
|
||||||
<input type='hidden' name='image_id' value='$i_image_id'>
|
<input type='hidden' name='image_id' value='$i_image_id'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<input type='submit' value='Delete'>
|
<input type='submit' value='Delete'>
|
||||||
</form>
|
</form>
|
||||||
";
|
";
|
||||||
|
|||||||
@ -188,7 +188,7 @@ class Setup extends SimpleExtension {
|
|||||||
$this->theme->display_permission_denied($page);
|
$this->theme->display_permission_denied($page);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if($event->get_arg(0) == "save") {
|
if($event->get_arg(0) == "save" && $user->check_auth_token()) {
|
||||||
send_event(new ConfigSaveEvent($config));
|
send_event(new ConfigSaveEvent($config));
|
||||||
$config->save();
|
$config->save();
|
||||||
|
|
||||||
|
|||||||
@ -13,6 +13,8 @@ class SetupTheme extends Themelet {
|
|||||||
* The page should wrap all the options in a form which links to setup_save
|
* The page should wrap all the options in a form which links to setup_save
|
||||||
*/
|
*/
|
||||||
public function display_page(Page $page, SetupPanel $panel) {
|
public function display_page(Page $page, SetupPanel $panel) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
$setupblock_html1 = "";
|
$setupblock_html1 = "";
|
||||||
$setupblock_html2 = "";
|
$setupblock_html2 = "";
|
||||||
|
|
||||||
@ -41,6 +43,7 @@ class SetupTheme extends Themelet {
|
|||||||
|
|
||||||
$table = "
|
$table = "
|
||||||
<form action='".make_link("setup/save")."' method='POST'><table>
|
<form action='".make_link("setup/save")."' method='POST'><table>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<tr><td>$setupblock_html1</td><td>$setupblock_html2</td></tr>
|
<tr><td>$setupblock_html1</td><td>$setupblock_html2</td></tr>
|
||||||
<tr><td colspan='2'><input type='submit' value='Save Settings'></td></tr>
|
<tr><td colspan='2'><input type='submit' value='Save Settings'></td></tr>
|
||||||
</table></form>
|
</table></form>
|
||||||
@ -53,6 +56,8 @@ class SetupTheme extends Themelet {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public function display_advanced(Page $page, $options) {
|
public function display_advanced(Page $page, $options) {
|
||||||
|
global $user;
|
||||||
|
|
||||||
$rows = "";
|
$rows = "";
|
||||||
$n = 0;
|
$n = 0;
|
||||||
ksort($options);
|
ksort($options);
|
||||||
@ -79,6 +84,7 @@ class SetupTheme extends Themelet {
|
|||||||
});
|
});
|
||||||
</script>
|
</script>
|
||||||
<form action='".make_link("setup/save")."' method='POST'><table id='settings' class='zebra'>
|
<form action='".make_link("setup/save")."' method='POST'><table id='settings' class='zebra'>
|
||||||
|
".$user->get_auth_html()."
|
||||||
<thead><tr><th width='25%'>Name</th><th>Value</th></tr></thead>
|
<thead><tr><th width='25%'>Name</th><th>Value</th></tr></thead>
|
||||||
<tbody>$rows</tbody>
|
<tbody>$rows</tbody>
|
||||||
<tfoot><tr><td colspan='2'><input type='submit' value='Save Settings'></td></tr></tfoot>
|
<tfoot><tr><td colspan='2'><input type='submit' value='Save Settings'></td></tr></tfoot>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user