diff options
| author | nickw <nickw@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-11 23:51:26 +0000 |
|---|---|---|
| committer | nickw <nickw@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-11 23:51:26 +0000 |
| commit | 36b73bf25407fbc0591d33d3b0d39059bdce7005 (patch) | |
| tree | ecccfe1d62e9ad7c2ab68fe40caee60b0ace176e | |
| parent | bff71b273807307eb8c726db04a6b641d4a91669 (diff) | |
| download | elgg-36b73bf25407fbc0591d33d3b0d39059bdce7005.tar.gz elgg-36b73bf25407fbc0591d33d3b0d39059bdce7005.tar.bz2 | |
Always generating action tokens with output/confirmlink.
Includes a check for actions already defining the tokens.
git-svn-id: http://code.elgg.org/elgg/trunk@3799 36083f99-b078-4883-b0ff-0f9b5a30f544
| -rw-r--r-- | engine/lib/elgglib.php | 34 | ||||
| -rw-r--r-- | views/default/output/confirmlink.php | 12 |
2 files changed, 36 insertions, 10 deletions
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php index d5d0828b6..c0d19743a 100644 --- a/engine/lib/elgglib.php +++ b/engine/lib/elgglib.php @@ -2413,6 +2413,40 @@ interface Friendable { public function countObjects($subtype = ""); } +/** + * Rebuilds the parsed URL + * + * @param array $parts Associative array of URL components like parse_url() returns + * @return str Full URL + * @since 1.7 + */ +function elgg_http_build_url(array $parts) { + return "{$parts['scheme']}://{$parts['host']}{$parts['path']}?{$parts['query']}"; +} + +/** + * Ensures action tokens are present in the given link + * + * @param str $link Full action URL + * @return str Validated URL + * @since 1.7 + */ +function elgg_validate_action_url($link) { + $url = parse_url($link); + parse_str($url['query'], $query); + if (array_key_exists('__elgg_token', $query)) { + return $link; + } + + // apend action tokens to the existing query + $query['__elgg_ts'] = time(); + $query['__elgg_token'] = generate_action_token($query['__elgg_ts']); + $url['query'] = http_build_query($query); + + // rebuild the full url + return elgg_http_build_url($url); +} + /** * Server javascript pages. diff --git a/views/default/output/confirmlink.php b/views/default/output/confirmlink.php index e95dd5f31..9377426ad 100644 --- a/views/default/output/confirmlink.php +++ b/views/default/output/confirmlink.php @@ -19,16 +19,8 @@ if (!$confirm) { $confirm = elgg_echo('question:areyousure'); } -$link = $vars['href']; - -if (isset($vars['is_action']) && $vars['is_action']) { - $ts = time(); - $token = generate_action_token($ts); - - $sep = "?"; - if (strpos($link, '?')>0) $sep = "&"; - $link = "$link{$sep}__elgg_token=$token&__elgg_ts=$ts"; -} +// always generate missing action tokens +$link = elgg_validate_action_url($vars['href']); if (isset($vars['class']) && $vars['class']) { $class = 'class="' . $vars['class'] . '"'; |