aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authornickw <nickw@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-11 23:51:26 +0000
committernickw <nickw@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-11 23:51:26 +0000
commit36b73bf25407fbc0591d33d3b0d39059bdce7005 (patch)
treeecccfe1d62e9ad7c2ab68fe40caee60b0ace176e
parentbff71b273807307eb8c726db04a6b641d4a91669 (diff)
downloadelgg-36b73bf25407fbc0591d33d3b0d39059bdce7005.tar.gz
elgg-36b73bf25407fbc0591d33d3b0d39059bdce7005.tar.bz2
Always generating action tokens with output/confirmlink.
Includes a check for actions already defining the tokens. git-svn-id: http://code.elgg.org/elgg/trunk@3799 36083f99-b078-4883-b0ff-0f9b5a30f544
-rw-r--r--engine/lib/elgglib.php34
-rw-r--r--views/default/output/confirmlink.php12
2 files changed, 36 insertions, 10 deletions
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index d5d0828b6..c0d19743a 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -2413,6 +2413,40 @@ interface Friendable {
public function countObjects($subtype = "");
}
+/**
+ * Rebuilds the parsed URL
+ *
+ * @param array $parts Associative array of URL components like parse_url() returns
+ * @return str Full URL
+ * @since 1.7
+ */
+function elgg_http_build_url(array $parts) {
+ return "{$parts['scheme']}://{$parts['host']}{$parts['path']}?{$parts['query']}";
+}
+
+/**
+ * Ensures action tokens are present in the given link
+ *
+ * @param str $link Full action URL
+ * @return str Validated URL
+ * @since 1.7
+ */
+function elgg_validate_action_url($link) {
+ $url = parse_url($link);
+ parse_str($url['query'], $query);
+ if (array_key_exists('__elgg_token', $query)) {
+ return $link;
+ }
+
+ // apend action tokens to the existing query
+ $query['__elgg_ts'] = time();
+ $query['__elgg_token'] = generate_action_token($query['__elgg_ts']);
+ $url['query'] = http_build_query($query);
+
+ // rebuild the full url
+ return elgg_http_build_url($url);
+}
+
/**
* Server javascript pages.
diff --git a/views/default/output/confirmlink.php b/views/default/output/confirmlink.php
index e95dd5f31..9377426ad 100644
--- a/views/default/output/confirmlink.php
+++ b/views/default/output/confirmlink.php
@@ -19,16 +19,8 @@ if (!$confirm) {
$confirm = elgg_echo('question:areyousure');
}
-$link = $vars['href'];
-
-if (isset($vars['is_action']) && $vars['is_action']) {
- $ts = time();
- $token = generate_action_token($ts);
-
- $sep = "?";
- if (strpos($link, '?')>0) $sep = "&";
- $link = "$link{$sep}__elgg_token=$token&__elgg_ts=$ts";
-}
+// always generate missing action tokens
+$link = elgg_validate_action_url($vars['href']);
if (isset($vars['class']) && $vars['class']) {
$class = 'class="' . $vars['class'] . '"';