authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-24 18:47:42 +0000
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2010-01-24 18:47:42 +0000
commit675761494bfd082f4b41c6f80ea2a7aae75f9344 (patch)
tree9b1137924bc2f63efc1b050ab40d23d187a0209b /engine/lib/actions.php
parent728ac2daaeaa95098aa189c03dd908eaa674a3c7 (diff)
Fixes #1460, Fixes #1459: Tokens are not required to disable a plugin or install. This allows users to disable plugins that overwrite admin pages without tokens.
git-svn-id: http://code.elgg.org/elgg/trunk@3836 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib/actions.php')
-rw-r--r--engine/lib/actions.php24
1 files changed, 17 insertions, 7 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index ad5f0c208..eafb42155 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -21,13 +21,23 @@
function action($action, $forwarder = "") {
global $CONFIG;
- // All actions require a token.
- if (!action_gatekeeper()) {
- $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
-
- error_log($message);
- register_error($message);
- forward();
+ // @todo REMOVE THESE EXCEPTIONS IN 1.8.
+ // These are only to provide a way to disable plugins that overwrite core
+ // UI without tokens. (And for installation because of session_id problems)
+ $exceptions = array(
+ 'systemsettings/install',
+ 'admin/plugins/disable'
+ );
+
+ if (!in_array($action, $exceptions)) {
+ // All actions require a token.
+ if (!action_gatekeeper()) {
+ $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
+
+ error_log($message);
+ register_error($message);
+ forward();
+ }
}
// if there are any query parameters, make them available from get_input
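Review bot: The two actions listed in `$exceptions` now skip `action_gatekeeper()` for every caller, so `admin/plugins/disable` and `systemsettings/install` lose their request-forgery protection entirely and rely on whatever checks their own handlers perform, which this hunk does not show. The install exemption would be safer if it applied only while the site is not yet installed, and the disable exemption only within an authenticated admin session; at minimum the array deserves a comment such as `// SECURITY: exempt actions get no token check; their handlers must enforce admin access themselves`. The membership test should also be strict, `if (!in_array($action, $exceptions, true)) {`, so that a non-string `$action`, should one ever reach this point, cannot match an exception through loose comparison. The body of `action()` continues past the end of the hunk.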