author | Cash Costello <cash.costello@gmail.com> | 2009-10-05 23:20:10 +0000 |
---|---|---|
committer | Cash Costello <cash.costello@gmail.com> | 2009-10-05 23:20:10 +0000 |
commit | 39060653573bf4dd51e891aecdb571c78a866675 (patch) | |
tree | f1fc85cba89454a2eeb588a1f85f7dc49f200c5a | |
parent | 9b3cba566de0bc5740e48f3f50eb8b09ffad49dc (diff) | |
download | elgg-39060653573bf4dd51e891aecdb571c78a866675.tar.gz elgg-39060653573bf4dd51e891aecdb571c78a866675.tar.bz2 |
not using action token validation for image download
-rw-r--r-- | start.php | 18 | ||||
-rw-r--r-- | views/default/object/image.php | 6 | ||||
-rw-r--r-- | views/default/tidypics/image_menu.php | 5 | ||||
-rw-r--r-- | views/default/tidypics/tagging.php | 1 |
4 files changed, 22 insertions, 8 deletions
@@ -73,6 +73,9 @@ // slideshow plugin hook
register_plugin_hook('tp_slideshow', 'album', 'tidypics_slideshow');
+
+ // no checking security token for download
+ register_plugin_hook('action', 'tidypics/download', 'tidypics_download_override');
}
/**
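Review bot: The comment above the new `register_plugin_hook('action', 'tidypics/download', ...)` line understates what the override skips: a handler on the `action` hook runs before the dispatcher does its own checks, so (inferred from Elgg 1.x's action() — confirm against the core version in use) it bypasses not only validate_action_token() but also the logged-in/public gate, leaving the download action file as the only place where access to the requested entity is decided. Suggest making that explicit, e.g. `// bypass action() dispatch (token and login checks) for downloads; the action file must enforce entity access itself`. The enclosing tidypics_init() begins outside this hunk.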
@@ -417,6 +420,21 @@ }
+ /**
+ * Called before validating the security token on a download link
+ * We don't need security as this is not a true action (it doesn't change any data)
+ *
+ * @return false (shouldn't return though since the action exits
+ */
+ function tidypics_download_override($hook, $action)
+ {
+ global $CONFIG;
+
+ include $CONFIG->actions[$action]['file'];
+
+ return false;
+ }
+
// Make sure tidypics_init is called on initialisation
register_elgg_event_handler('init','system','tidypics_init');
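Review bot: `include $CONFIG->actions[$action]['file'];` in tidypics_download_override() has no guard for the case where the action is not registered, and the docblock above it is malformed (unclosed parenthesis in the `@return` line, no `@param` tags). A guard such as `if (!isset($CONFIG->actions[$action]['file'])) { return true; }` would let the normal dispatcher handle that case instead of including a null path (true meaning "continue normal processing" is inferred from Elgg's hook convention — confirm). The docblock should document `$hook` and `$action`, and state that the included action runs with token and login validation skipped and so must perform its own read-access check on the entity it serves, since that is the only remaining gate.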
diff --git a/views/default/object/image.php b/views/default/object/image.php
index 01beb25f6..dd52f872e 100644
--- a/views/default/object/image.php
+++ b/views/default/object/image.php
@@ -149,10 +149,8 @@ // this code controls whether the photo is a hyperlink or not and what it links to
$image_link = false;
if (get_plugin_setting('download_link', 'tidypics') != "disabled") {
- // admin allows downloads so default to download link
- $ts = time();
- $token = generate_action_token($ts);
- $image_link = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid . "&view=inline&__elgg_token={$token}&__elgg_ts={$ts}";
+ // admin allows downloads so default to inline download link
+ $image_link = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid . "&view=inline";
}
// does any plugin want to override the link
$image_link = trigger_plugin_hook('tp_image_link', 'image', $image, $image_link);
diff --git a/views/default/tidypics/image_menu.php b/views/default/tidypics/image_menu.php
index cb004395e..299f4b026 100644
--- a/views/default/tidypics/image_menu.php
+++ b/views/default/tidypics/image_menu.php
@@ -43,10 +43,7 @@ }
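Review bot: With the token and timestamp dropped, `$image_link` is now a stable GET URL to the download action, so any authorization for `file_guid` must live in the action file rather than in the link; the same applies to `$download_url` in the views/default/tidypics/image_menu.php hunk. Because the URL no longer varies per request, browsers and shared proxies can cache the response, which matters if the image's access level is restricted — the action should send explicit Cache-Control headers accordingly (to be confirmed in the action file, which is outside this diff). `$image_guid` is still concatenated raw into the query string; if it is the numeric entity GUID it presumably is, `(int) $image_guid` before concatenation keeps the URL well-formed regardless of the value's origin.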
if (get_plugin_setting('download_link', 'tidypics') != "disabled") {
- $ts = time();
- $token = generate_action_token($ts);
-
- $download_url = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid . "&__elgg_token={$token}&__elgg_ts={$ts}";
+ $download_url = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid;
?>
<li id="download_image"><a href="<?php echo $download_url; ?>"><?php echo elgg_echo("image:download"); ?></a></li>
<?php
diff --git a/views/default/tidypics/tagging.php b/views/default/tidypics/tagging.php
index ebaf0dc94..9ebec7c1e 100644
--- a/views/default/tidypics/tagging.php
+++ b/views/default/tidypics/tagging.php
@@ -63,6 +63,7 @@ }
?>
+<div class="clearfloat"></div>
</div>
<div id="tidypics_delete_tag_menu" class="tidypics_popup">
<div class='tidypics_popup_header'><h3><?php echo elgg_echo('tidypics:deltag_title'); ?></h3></div>