author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-21 01:30:09 +0000 |
---|---|---|
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-21 01:30:09 +0000 |
commit | 0c5b4c242b0805c55ca3b1a887eb222844a66400 (patch) | |
tree | f3455e9dcac50226d33ab3048a691f90ee82d5c5 | |
parent | 3d9fb93c8c91e45b88dfeb816960049e0cb33231 (diff) | |
Fixes #750: All actions require __elgg_ts and __elgg_token.
git-svn-id: http://code.elgg.org/elgg/trunk@3821 36083f99-b078-4883-b0ff-0f9b5a30f544
-rw-r--r-- | engine/lib/actions.php | 33 | ||||
-rw-r--r-- | views/default/account/forms/forgotten_password.php | 10 | ||||
-rw-r--r-- | views/default/basic_elements/welcome.php | 3 | ||||
-rw-r--r-- | views/default/canvas/layouts/widgets.php | 10 | ||||
-rw-r--r-- | views/default/css.php | 4 | ||||
-rw-r--r-- | views/default/object/default.php | 8 | ||||
-rw-r--r-- | views/default/page_elements/elgg_topbar.php | 6 | ||||
-rw-r--r-- | views/default/page_elements/spotlight.php | 6 | ||||
-rw-r--r-- | views/default/welcome/logged_in.php | 5 |
9 files changed, 53 insertions, 32 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php index ac4d70555..ad5f0c208 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -21,6 +21,15 @@ function action($action, $forwarder = "") { global $CONFIG; + // All actions require a token. + if (!action_gatekeeper()) { + $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins."; + + error_log($message); + register_error($message); + forward(); + } + // if there are any query parameters, make them available from get_input if (strpos($_SERVER['REQUEST_URI'], '?') !== FALSE) { $query = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1); @@ -34,7 +43,7 @@ function action($action, $forwarder = "") { } } } - + $forwarder = str_replace($CONFIG->url, "", $forwarder); $forwarder = str_replace("http://", "", $forwarder); $forwarder = str_replace("@", "", $forwarder); @@ -56,18 +65,6 @@ function action($action, $forwarder = "") { // since i assume this will be handled in the hook itself. // TODO make this better! if ($event_result) { - /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */ - if (!validate_action_token(false)) { - // Display a temporary warning message - - // in future versions this will be a hard fail via an action gatekeeper. - $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'."; - - //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning)) - // register_error($message); - - error_log($message); - } - if (!include($CONFIG->actions[$action]['file'])) { register_error(sprintf(elgg_echo('actionundefined'),$action)); } 
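Review bot: The body of the new `if (!action_gatekeeper())` branch at the top of action() looks unreachable: the hunk further down shows action_gatekeeper() returning TRUE on a valid token and otherwise calling forward() itself, and forward() presumably terminates the request, so the error_log()/register_error() lines with the "outdated 3rd party plugins" hint never run. If the intent is to log and forward with that message, call the validator directly, `if (!validate_action_token()) {`, and keep the explicit forward() in this branch; if the intent is to rely on the gatekeeper, the branch body can be dropped. Either way the hard-fail now happens before the query-string block below that exposes `?`-parameters through get_input(), so tokens passed only in the URL query string must already be visible to the validator at that point — worth a comment confirming which request source it reads. The rest of action() continues outside this hunk.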
@@ -138,7 +135,7 @@ function validate_action_token($visibleerrors = true) { $generated_token = generate_action_token($ts); // Validate token - if (strcmp($token, $generated_token)==0) { + if ($token == $generated_token) { $hour = 60*60; $now = time(); @@ -169,7 +166,7 @@ function validate_action_token($visibleerrors = true) { register_error(elgg_echo('actiongatekeeper:missingfields')); } - return false; + return FALSE; } /** @@ -181,7 +178,7 @@ function validate_action_token($visibleerrors = true) { */ function action_gatekeeper() { if (validate_action_token()) { - return true; + return TRUE; } forward(); @@ -210,7 +207,7 @@ function generate_action_token($timestamp) { return md5($site_secret.$timestamp.$session_id.$ua.$st); } - return false; + return FALSE; } /** @@ -223,7 +220,7 @@ function init_site_secret() { return $secret; } - return false; + return FALSE; } /** diff --git a/views/default/account/forms/forgotten_password.php b/views/default/account/forms/forgotten_password.php index 5e760cef3..5ffb1be1a 100644 --- a/views/default/account/forms/forgotten_password.php +++ b/views/default/account/forms/forgotten_password.php @@ -9,11 +9,17 @@ */ $form_body = "<p>" . elgg_echo('user:password:text') . "</p>"; -$form_body .= "<p><label>". elgg_echo('username') . " " . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>"; +$form_body .= "<p><label>". elgg_echo('username') . " " + . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>"; $form_body .= elgg_view('input/captcha'); $form_body .= "<p>" . elgg_view('input/submit', array('value' => elgg_echo('request'))) . "</p>"; ?> <div class="contentWrapper"> -<?php echo elgg_view('input/form', array('action' => "{$vars['url']}action/user/requestnewpassword", 'body' => $form_body)); ?> +<?php +echo elgg_view('input/form', array( + 'action' => "{$vars['url']}action/user/requestnewpassword", + 'body' => $form_body) +); +?> </div>
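Review bot: Replacing `strcmp($token, $generated_token)==0` with `$token == $generated_token` in validate_action_token() weakens the token check: PHP's loose comparison treats two numeric-looking strings numerically, so an md5 hex digest of the form `0e` followed only by digits compares equal to any other such string (e.g. a submitted token of `0e1`), and the submitted `$token` is attacker-controlled. Use a strict comparison instead, `if ($token === $generated_token) {`, or keep the original `strcmp(...) === 0`. A constant-time comparison would be better still, but PHP of this era has no hash_equals(), so the strict comparison is the minimum fix. validate_action_token() starts before this hunk and continues after it.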
\ No newline at end of file diff --git a/views/default/basic_elements/welcome.php b/views/default/basic_elements/welcome.php index 297daa830..979f32b4f 100644 --- a/views/default/basic_elements/welcome.php +++ b/views/default/basic_elements/welcome.php @@ -13,4 +13,5 @@ $user = $vars['name']; ?> <p><?php echo sprintf(elgg_echo('welcome:user'), $user); ?></p> -<p><a href="<?php echo $vars['url']; ?>action/logout">[logout]</a></p>
\ No newline at end of file +<p><?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?></p> + diff --git a/views/default/canvas/layouts/widgets.php b/views/default/canvas/layouts/widgets.php index f6c9dec79..6b89d5435 100644 --- a/views/default/canvas/layouts/widgets.php +++ b/views/default/canvas/layouts/widgets.php @@ -235,6 +235,14 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE <input type="hidden" name="context" value="<?php echo get_context(); ?>" /> <input type="hidden" name="owner" value="<?php echo page_owner(); ?>" /> + +<?php +$ts = time(); +$token = generate_action_token($ts); +?> +<input type="hidden" name="__elgg_ts" value="<?php echo $ts; ?>" /> +<input type="hidden" name="__elgg_token" value="<?php echo $token; ?>" /> + <input type="submit" value="<?php echo elgg_echo('save'); ?>" class="submit_button" onclick="$('a.toggle_customise_edit_panel').click();" /> <input type="button" value="<?php echo elgg_echo('cancel'); ?>" class="cancel_button" onclick="$('a.toggle_customise_edit_panel').click();" /> @@ -315,4 +323,4 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE </td> </tr> -</table>
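Review bot: The logout link in welcome.php (and the parallel changes in elgg_topbar.php and welcome/logged_in.php) now renders through an `output/action_link` view that this commit does not add, while the removed warning text in actions.php referred to `output/confirmlink`/`output/url` with `is_action=true`. If no `output/action_link` view exists in the tree, elgg_view() presumably returns an empty string and the logout link silently disappears once the gatekeeper becomes mandatory. Either add the view in this commit or point these call sites at the existing helper, e.g. `elgg_view('output/url', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'), 'is_action' => true))`, whichever name the views directory actually provides.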
\ No newline at end of file +</table> diff --git a/views/default/css.php b/views/default/css.php index d70e18ee6..75b20b141 100644 --- a/views/default/css.php +++ b/views/default/css.php @@ -2524,3 +2524,7 @@ div.ajax_loader { float: left; padding-right: 1em; } + +.draggable { + cursor: move; +}
\ No newline at end of file diff --git a/views/default/object/default.php b/views/default/object/default.php index 3ace73d7f..b6fe8a518 100644 --- a/views/default/object/default.php +++ b/views/default/object/default.php @@ -30,7 +30,11 @@ if ($vars['full']) { $controls = ""; if ($vars['entity']->canEdit()) { - $controls .= " (<a href=\"{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}\">" . elgg_echo('delete') . "</a>)"; + $delete = elgg_view('output/confirm_link', array( + 'href' = "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}", + 'text' => elgg_echo('delete') + ); + $controls .= " ($delete)"; } $info = "<div><p><b><a href=\"" . $vars['entity']->getUrl() . "\">" . $title . "</a></b> $controls </p></div>"; @@ -56,4 +60,4 @@ if ($vars['full']) { $icon = "<span title=\"" . elgg_echo('entity:default:missingsupport:popup') . "\">$icon</span>"; echo elgg_view_listing($icon, $info); -}
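Review bot: The new delete control in views/default/object/default.php does not parse: the array literal uses `'href' = "…"` instead of `'href' => "…"`, and the `elgg_view(` call opened before `array(` is never closed, since the lone `);` only closes the array. Any page rendering this view will fail with a parse error rather than a missing token. Change the three lines to `'href' => "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",` / `'text' => elgg_echo('delete')` / `));`. The remainder of the view continues outside this hunk.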
\ No newline at end of file +} diff --git a/views/default/page_elements/elgg_topbar.php b/views/default/page_elements/elgg_topbar.php index 00240f35e..d871d622e 100644 --- a/views/default/page_elements/elgg_topbar.php +++ b/views/default/page_elements/elgg_topbar.php @@ -62,7 +62,9 @@ <div id="elgg_topbar_container_right"> - <a href="<?php echo $vars['url']; ?>action/logout"><small><?php echo elgg_echo('logout'); ?></small></a> + <small> + <?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?> + </small> </div> <div id="elgg_topbar_container_search"> @@ -74,4 +76,4 @@ <div class="clearfloat"></div> <?php - }
\ No newline at end of file + } diff --git a/views/default/page_elements/spotlight.php b/views/default/page_elements/spotlight.php index 670e0e4c5..1c32f9b1d 100644 --- a/views/default/page_elements/spotlight.php +++ b/views/default/page_elements/spotlight.php @@ -28,11 +28,11 @@ } if ($closed) { ?> - <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=false')">+</a> + <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=false"); ?>')">+</a> <?php } else { ?> - <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=true')">-</a> + <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=true"); ?>')">-</a> <?php } @@ -54,4 +54,4 @@ </div><!-- /.collapsable_box --> </div><!-- /#wrapper_spotlight --> -</div><!-- /#layout_spotlight -->
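Review bot: In spotlight.php the return value of `elgg_validate_action_url()` is echoed straight into a JavaScript string literal inside an onClick attribute with no escaping, and the function itself is not defined in this commit. If, as its name suggests, it appends `&__elgg_ts=…&__elgg_token=…` to a URL that already carries `?closed=…`, the bare `&` characters land unescaped inside an HTML attribute; browsers tolerate that, but wrapping the echo as `htmlspecialchars(elgg_validate_action_url(...), ENT_QUOTES)` keeps the attribute well-formed and guards the quote characters that delimit the JS string. The values themselves are server-generated here, so this is about markup validity rather than injection from user input.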
\ No newline at end of file +</div><!-- /#layout_spotlight --> diff --git a/views/default/welcome/logged_in.php b/views/default/welcome/logged_in.php index 8f70d3005..180746f22 100644 --- a/views/default/welcome/logged_in.php +++ b/views/default/welcome/logged_in.php @@ -11,11 +11,10 @@ //add various views to area1 $area1 = "<h2>" . sprintf(elgg_echo("welcome:user"),$vars['user']->name) . "</h2>"; $area1 .= "<p>" . elgg_echo("welcome_message") . "</p><br />"; -$url = $vars['url'] . "action/logout"; -$area1 .= "<a href=" . $url . ">" . elgg_echo('logout') . "</a>"; +$area1 .= elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); //send area one to the appropriate canvas layout $body = elgg_view_layout("one_column", $area1); //draw to screen -echo $body;
\ No newline at end of file +echo $body; |