authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-21 01:30:09 +0000
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-21 01:30:09 +0000
commit0c5b4c242b0805c55ca3b1a887eb222844a66400 (patch)
treef3455e9dcac50226d33ab3048a691f90ee82d5c5
parent3d9fb93c8c91e45b88dfeb816960049e0cb33231 (diff)
Fixes #750: All actions require __elgg_ts and __elgg_token.
git-svn-id: http://code.elgg.org/elgg/trunk@3821 36083f99-b078-4883-b0ff-0f9b5a30f544
-rw-r--r--engine/lib/actions.php33
-rw-r--r--views/default/account/forms/forgotten_password.php10
-rw-r--r--views/default/basic_elements/welcome.php3
-rw-r--r--views/default/canvas/layouts/widgets.php10
-rw-r--r--views/default/css.php4
-rw-r--r--views/default/object/default.php8
-rw-r--r--views/default/page_elements/elgg_topbar.php6
-rw-r--r--views/default/page_elements/spotlight.php6
-rw-r--r--views/default/welcome/logged_in.php5
9 files changed, 53 insertions, 32 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index ac4d70555..ad5f0c208 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -21,6 +21,15 @@
function action($action, $forwarder = "") {
global $CONFIG;
+ // All actions require a token.
+ if (!action_gatekeeper()) {
+ $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
+
+ error_log($message);
+ register_error($message);
+ forward();
+ }
+
// if there are any query parameters, make them available from get_input
if (strpos($_SERVER['REQUEST_URI'], '?') !== FALSE) {
$query = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1);
@@ -34,7 +43,7 @@ function action($action, $forwarder = "") {
}
}
}
-
+
$forwarder = str_replace($CONFIG->url, "", $forwarder);
$forwarder = str_replace("http://", "", $forwarder);
$forwarder = str_replace("@", "", $forwarder);
@@ -56,18 +65,6 @@ function action($action, $forwarder = "") {
// since i assume this will be handled in the hook itself.
// TODO make this better!
if ($event_result) {
- /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */
- if (!validate_action_token(false)) {
- // Display a temporary warning message -
- // in future versions this will be a hard fail via an action gatekeeper.
- $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'.";
-
- //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning))
- // register_error($message);
-
- error_log($message);
- }
-
if (!include($CONFIG->actions[$action]['file'])) {
register_error(sprintf(elgg_echo('actionundefined'),$action));
}
@@ -138,7 +135,7 @@ function validate_action_token($visibleerrors = true) {
$generated_token = generate_action_token($ts);
// Validate token
- if (strcmp($token, $generated_token)==0) {
+ if ($token == $generated_token) {
$hour = 60*60;
$now = time();
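Review bot: Replacing strcmp() with `==` on the line `if ($token == $generated_token) {` weakens the token check: PHP's loose comparison treats two numeric-looking strings numerically, so hex digests of the form `0e` followed only by digits compare equal to each other even when their bytes differ, and a submitted value of a different type is coerced rather than rejected. The byte-wise strcmp() the hunk removes had the right semantics; the minimal fix is strict comparison, `if ($token === $generated_token) {`, and once the project's PHP floor reaches 5.6 the constant-time hash_equals() is the natural replacement. validate_action_token() begins and ends outside this hunk. Separately, the new gatekeeper block in the first hunk (just after `global $CONFIG;`) relies on forward() never returning; if forward() can return, for example when headers have already been sent, execution falls through into the rest of action() and the untokened action still runs, so a `return;` immediately after that forward() call would make the rejection explicit.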
@@ -169,7 +166,7 @@ function validate_action_token($visibleerrors = true) {
register_error(elgg_echo('actiongatekeeper:missingfields'));
}
- return false;
+ return FALSE;
}
/**
@@ -181,7 +178,7 @@ function validate_action_token($visibleerrors = true) {
*/
function action_gatekeeper() {
if (validate_action_token()) {
- return true;
+ return TRUE;
}
forward();
@@ -210,7 +207,7 @@ function generate_action_token($timestamp) {
return md5($site_secret.$timestamp.$session_id.$ua.$st);
}
- return false;
+ return FALSE;
}
/**
@@ -223,7 +220,7 @@ function init_site_secret() {
return $secret;
}
- return false;
+ return FALSE;
}
/**
diff --git a/views/default/account/forms/forgotten_password.php b/views/default/account/forms/forgotten_password.php
index 5e760cef3..5ffb1be1a 100644
--- a/views/default/account/forms/forgotten_password.php
+++ b/views/default/account/forms/forgotten_password.php
@@ -9,11 +9,17 @@
*/
$form_body = "<p>" . elgg_echo('user:password:text') . "</p>";
-$form_body .= "<p><label>". elgg_echo('username') . " " . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>";
+$form_body .= "<p><label>". elgg_echo('username') . " "
+ . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>";
$form_body .= elgg_view('input/captcha');
$form_body .= "<p>" . elgg_view('input/submit', array('value' => elgg_echo('request'))) . "</p>";
?>
<div class="contentWrapper">
-<?php echo elgg_view('input/form', array('action' => "{$vars['url']}action/user/requestnewpassword", 'body' => $form_body)); ?>
+<?php
+echo elgg_view('input/form', array(
+ 'action' => "{$vars['url']}action/user/requestnewpassword",
+ 'body' => $form_body)
+);
+?>
</div>
\ No newline at end of file
diff --git a/views/default/basic_elements/welcome.php b/views/default/basic_elements/welcome.php
index 297daa830..979f32b4f 100644
--- a/views/default/basic_elements/welcome.php
+++ b/views/default/basic_elements/welcome.php
@@ -13,4 +13,5 @@ $user = $vars['name'];
?>
<p><?php echo sprintf(elgg_echo('welcome:user'), $user); ?></p>
-<p><a href="<?php echo $vars['url']; ?>action/logout">[logout]</a></p>
\ No newline at end of file
+<p><?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?></p>
+
diff --git a/views/default/canvas/layouts/widgets.php b/views/default/canvas/layouts/widgets.php
index f6c9dec79..6b89d5435 100644
--- a/views/default/canvas/layouts/widgets.php
+++ b/views/default/canvas/layouts/widgets.php
@@ -235,6 +235,14 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE
<input type="hidden" name="context" value="<?php echo get_context(); ?>" />
<input type="hidden" name="owner" value="<?php echo page_owner(); ?>" />
+
+<?php
+$ts = time();
+$token = generate_action_token($ts);
+?>
+<input type="hidden" name="__elgg_ts" value="<?php echo $ts; ?>" />
+<input type="hidden" name="__elgg_token" value="<?php echo $token; ?>" />
+
<input type="submit" value="<?php echo elgg_echo('save'); ?>" class="submit_button" onclick="$('a.toggle_customise_edit_panel').click();" />
<input type="button" value="<?php echo elgg_echo('cancel'); ?>" class="cancel_button" onclick="$('a.toggle_customise_edit_panel').click();" />
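Review bot: The token pair is built by hand here with `$token = generate_action_token($ts);`, but the actions.php hunk shows generate_action_token() returning FALSE on its failure path, and that case is not checked; `echo $token` then prints an empty value, the form submits a blank token and the save is rejected with the generic missing-token error instead of a clear failure at render time. A guard such as `if ($token === FALSE) { error_log('widgets layout: no action token available'); }` before the hidden inputs would surface the misconfiguration where it happens. If a shared view that emits the `__elgg_ts`/`__elgg_token` fields exists or is planned alongside this change, using it here keeps the field names and the generation logic in one place. The enclosing form element opens before this hunk.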
@@ -315,4 +323,4 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE
</td>
</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/views/default/css.php b/views/default/css.php
index d70e18ee6..75b20b141 100644
--- a/views/default/css.php
+++ b/views/default/css.php
@@ -2524,3 +2524,7 @@ div.ajax_loader {
float: left;
padding-right: 1em;
}
+
+.draggable {
+ cursor: move;
+}
\ No newline at end of file
diff --git a/views/default/object/default.php b/views/default/object/default.php
index 3ace73d7f..b6fe8a518 100644
--- a/views/default/object/default.php
+++ b/views/default/object/default.php
@@ -30,7 +30,11 @@ if ($vars['full']) {
$controls = "";
if ($vars['entity']->canEdit()) {
- $controls .= " (<a href=\"{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}\">" . elgg_echo('delete') . "</a>)";
+ $delete = elgg_view('output/confirm_link', array(
+ 'href' = "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",
+ 'text' => elgg_echo('delete')
+ );
+ $controls .= " ($delete)";
}
$info = "<div><p><b><a href=\"" . $vars['entity']->getUrl() . "\">" . $title . "</a></b> $controls </p></div>";
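Review bot: The new elgg_view() call does not parse: the line `'href' = "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",` uses `=` where `=>` is required, and the closing `);` two lines later closes only one of the two parentheses opened by `elgg_view('output/confirm_link', array(`, so this view would fatal on every entity listing. The fix is `'href' => "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",` and `));` as the closing line. Note also that the comment removed from actions.php in this same commit refers to the view as 'output/confirmlink' while this hunk uses 'output/confirm_link'; confirm which name actually exists, since rendering a missing view would most likely leave the delete control blank rather than raise an error. The enclosing `if ($vars['full'])` block starts before this hunk.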
@@ -56,4 +60,4 @@ if ($vars['full']) {
$icon = "<span title=\"" . elgg_echo('entity:default:missingsupport:popup') . "\">$icon</span>";
echo elgg_view_listing($icon, $info);
-}
\ No newline at end of file
+}
diff --git a/views/default/page_elements/elgg_topbar.php b/views/default/page_elements/elgg_topbar.php
index 00240f35e..d871d622e 100644
--- a/views/default/page_elements/elgg_topbar.php
+++ b/views/default/page_elements/elgg_topbar.php
@@ -62,7 +62,9 @@
<div id="elgg_topbar_container_right">
- <a href="<?php echo $vars['url']; ?>action/logout"><small><?php echo elgg_echo('logout'); ?></small></a>
+ <small>
+ <?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?>
+ </small>
</div>
<div id="elgg_topbar_container_search">
@@ -74,4 +76,4 @@
<div class="clearfloat"></div>
<?php
- }
\ No newline at end of file
+ }
diff --git a/views/default/page_elements/spotlight.php b/views/default/page_elements/spotlight.php
index 670e0e4c5..1c32f9b1d 100644
--- a/views/default/page_elements/spotlight.php
+++ b/views/default/page_elements/spotlight.php
@@ -28,11 +28,11 @@
}
if ($closed) {
?>
- <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=false')">+</a>
+ <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=false"); ?>')">+</a>
<?php
} else {
?>
- <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=true')">-</a>
+ <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=true"); ?>')">-</a>
<?php
}
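Review bot: Both changed lines call elgg_validate_action_url(), which this commit does not define and which differs from the output/action_link view the other views in this commit switch to; if that function is not already defined elsewhere, both branches fail at render time, and if it is, a short comment naming where it lives would help the next reader. The returned URL is also echoed unescaped into a JavaScript string literal inside an onClick attribute, so it is safe only as long as the site URL and the appended token parameters contain no quote, backslash or `</` sequences; the hex token and integer timestamp are harmless, but the site URL comes from configuration, so either escape at this call site or state the assumption with a comment such as `<?php /* URL is config-sourced and must contain no quotes: emitted into a JS string inside an HTML attribute */ ?>`.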
@@ -54,4 +54,4 @@
</div><!-- /.collapsable_box -->
</div><!-- /#wrapper_spotlight -->
-</div><!-- /#layout_spotlight -->
\ No newline at end of file
+</div><!-- /#layout_spotlight -->
diff --git a/views/default/welcome/logged_in.php b/views/default/welcome/logged_in.php
index 8f70d3005..180746f22 100644
--- a/views/default/welcome/logged_in.php
+++ b/views/default/welcome/logged_in.php
@@ -11,11 +11,10 @@
//add various views to area1
$area1 = "<h2>" . sprintf(elgg_echo("welcome:user"),$vars['user']->name) . "</h2>";
$area1 .= "<p>" . elgg_echo("welcome_message") . "</p><br />";
-$url = $vars['url'] . "action/logout";
-$area1 .= "<a href=" . $url . ">" . elgg_echo('logout') . "</a>";
+$area1 .= elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout')));
//send area one to the appropriate canvas layout
$body = elgg_view_layout("one_column", $area1);
//draw to screen
-echo $body;
\ No newline at end of file
+echo $body;