author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2011-02-20 19:13:32 +0000 |
---|---|---|
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2011-02-20 19:13:32 +0000 |
commit | 428cf8e4d0012a01247fc8365d25a3a83cf45ccc (patch) | |
tree | 52ec98a98b4238cc158e9be34fa3e8e1341553e1 /engine/lib/actions.php | |
parent | 542a961fc5a956ad9ef753fb2276c5ca7bb619ec (diff) | |
download | elgg-428cf8e4d0012a01247fc8365d25a3a83cf45ccc.tar.gz elgg-428cf8e4d0012a01247fc8365d25a3a83cf45ccc.tar.bz2 |
Refs #2833, #2956. Merged 1.7's action timeout changes to 1.8.
git-svn-id: http://code.elgg.org/elgg/trunk@8366 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib/actions.php')
-rw-r--r-- | engine/lib/actions.php | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26611e2d8..1a26018ab 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -201,6 +201,8 @@ function elgg_register_action($action, $filename = "", $access = 'logged_in') {
  * @link http://docs.elgg.org/Actions/Tokens
  */
 function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
+	global $CONFIG;
+
 	if (!$token) {
 		$token = get_input('__elgg_token');
 	}
@@ -209,6 +211,13 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 		$ts = get_input('__elgg_ts');
 	}
 
+	if (!isset($CONFIG->action_token_timeout)) {
+		// default to 2 hours
+		$timeout = 2;
+	} else {
+		$timeout = $CONFIG->action_token_timeout;
+	}
+
 	$session_id = session_id();
 
 	if (($token) && ($ts) && ($session_id)) {
@@ -218,10 +227,11 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 		// Validate token
 		if ($token == $generated_token) {
 			$hour = 60 * 60;
+			$timeout = $timeout * $hour;
 			$now = time();
 
 			// Validate time to ensure its not crazy
-			if (($ts > $now - $hour) && ($ts < $now + $hour)) {
+			if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) {
 				// We have already got this far, so unless anything
 				// else says something to the contry we assume we're ok
 				$returnval = true;
@@ -266,8 +276,7 @@ function action_gatekeeper() {
 		return TRUE;
 	}
 
-	forward('', 'csrf');
-	exit;
+	forward(REFERER, 'csrf');
 }
 
 /**
|
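Review bot: The rewritten `if` in the third hunk makes `action_token_timeout = 0` skip the timestamp window altogether, so a captured token remains accepted for as long as the session lives; that is presumably an intentional escape hatch, but neither the hunk nor the function docblock says so. Add `// a timeout of 0 disables the window: the token is then bound to the session only` above the condition, and make the precedence explicit, `if ($timeout == 0 || (($ts > $now - $timeout) && ($ts < $now + $timeout))) {`, since the logic relies on `&&` binding tighter than `||`. `$timeout` is taken from `$CONFIG` untyped in the second hunk, so a non-numeric setting would silently become 0 (or error on newer PHP) at `$timeout = $timeout * $hour` and thereby disable the check; reading it as `(int) $CONFIG->action_token_timeout` makes that explicit. validate_action_token begins and ends outside these hunks.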
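Review bot: Dropping `exit;` after `forward(REFERER, 'csrf')` in the last hunk makes action_gatekeeper depend on forward() never returning; if forward() can return in some branch (for instance when output has already started and no Location header can be sent), control falls out of the function and the caller continues as though the token had validated. Unless forward() is guaranteed to terminate in every case, keep a defensive `exit;` or `return FALSE;` after the call so the gatekeeper cannot fail open. action_gatekeeper begins outside this hunk.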