aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCash Costello <cash.costello@gmail.com>2009-10-05 23:20:10 +0000
committerCash Costello <cash.costello@gmail.com>2009-10-05 23:20:10 +0000
commit39060653573bf4dd51e891aecdb571c78a866675 (patch)
treef1fc85cba89454a2eeb588a1f85f7dc49f200c5a
parent9b3cba566de0bc5740e48f3f50eb8b09ffad49dc (diff)
downloadelgg-39060653573bf4dd51e891aecdb571c78a866675.tar.gz
elgg-39060653573bf4dd51e891aecdb571c78a866675.tar.bz2
not using action token validation for image download
-rw-r--r--start.php18
-rw-r--r--views/default/object/image.php6
-rw-r--r--views/default/tidypics/image_menu.php5
-rw-r--r--views/default/tidypics/tagging.php1
4 files changed, 22 insertions, 8 deletions
diff --git a/start.php b/start.php
index a15215118..c777331c6 100644
--- a/start.php
+++ b/start.php
@@ -73,6 +73,9 @@
// slideshow plugin hook
register_plugin_hook('tp_slideshow', 'album', 'tidypics_slideshow');
+
+ // no checking security token for download
+ register_plugin_hook('action', 'tidypics/download', 'tidypics_download_override');
}
/**
@@ -417,6 +420,21 @@
}
+ /**
+ * Called before validating the security token on a download link
+ * We don't need security as this is not a true action (it doesn't change any data)
+ *
+ * @return false (shouldn't return though since the action exits
+ */
+ function tidypics_download_override($hook, $action)
+ {
+ global $CONFIG;
+
+ include $CONFIG->actions[$action]['file'];
+
+ return false;
+ }
+
// Make sure tidypics_init is called on initialisation
register_elgg_event_handler('init','system','tidypics_init');
diff --git a/views/default/object/image.php b/views/default/object/image.php
index 01beb25f6..dd52f872e 100644
--- a/views/default/object/image.php
+++ b/views/default/object/image.php
@@ -149,10 +149,8 @@
// this code controls whether the photo is a hyperlink or not and what it links to
$image_link = false;
if (get_plugin_setting('download_link', 'tidypics') != "disabled") {
- // admin allows downloads so default to download link
- $ts = time();
- $token = generate_action_token($ts);
- $image_link = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid . "&amp;view=inline&amp;__elgg_token={$token}&__elgg_ts={$ts}";
+ // admin allows downloads so default to inline download link
+ $image_link = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid . "&amp;view=inline";
}
// does any plugin want to override the link
$image_link = trigger_plugin_hook('tp_image_link', 'image', $image, $image_link);
diff --git a/views/default/tidypics/image_menu.php b/views/default/tidypics/image_menu.php
index cb004395e..299f4b026 100644
--- a/views/default/tidypics/image_menu.php
+++ b/views/default/tidypics/image_menu.php
@@ -43,10 +43,7 @@
}
if (get_plugin_setting('download_link', 'tidypics') != "disabled") {
- $ts = time();
- $token = generate_action_token($ts);
-
- $download_url = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid . "&amp;__elgg_token={$token}&__elgg_ts={$ts}";
+ $download_url = $vars['url'] . "action/tidypics/download?file_guid=" . $image_guid;
?>
<li id="download_image"><a href="<?php echo $download_url; ?>"><?php echo elgg_echo("image:download"); ?></a></li>
<?php
diff --git a/views/default/tidypics/tagging.php b/views/default/tidypics/tagging.php
index ebaf0dc94..9ebec7c1e 100644
--- a/views/default/tidypics/tagging.php
+++ b/views/default/tidypics/tagging.php
@@ -63,6 +63,7 @@
}
?>
+<div class="clearfloat"></div>
</div>
<div id="tidypics_delete_tag_menu" class="tidypics_popup">
<div class='tidypics_popup_header'><h3><?php echo elgg_echo('tidypics:deltag_title'); ?></h3></div>