Refs #2833, #2956. Merged 1.7's action timeout changes to 1.8.

git-svn-id: http://code.elgg.org/elgg/trunk@8366 36083f99-b078-4883-b0ff-0f9b5a30f544

1 files changed, 12 insertions, 3 deletions

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26611e2d8..1a26018ab 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -201,6 +201,8 @@ function elgg_register_action($action, $filename = "", $access = 'logged_in') {
  * @link http://docs.elgg.org/Actions/Tokens
  */
 function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
+	global $CONFIG;
+
 	if (!$token) {
 		$token = get_input('__elgg_token');
 	}
@@ -209,6 +211,13 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 		$ts = get_input('__elgg_ts');
 	}
 
+	if (!isset($CONFIG->action_token_timeout)) {
+		// default to 2 hours
+		$timeout = 2;
+	} else {
+		$timeout = $CONFIG->action_token_timeout;
+	}
+
 	$session_id = session_id();
 
 	if (($token) && ($ts) && ($session_id)) {
@@ -218,10 +227,11 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 		// Validate token
 		if ($token == $generated_token) {
 			$hour = 60 * 60;
+			$timeout = $timeout * $hour;
 			$now = time();
 
 			// Validate time to ensure its not crazy
-			if (($ts > $now - $hour) && ($ts < $now + $hour)) {
+			if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) {
 				// We have already got this far, so unless anything
 				// else says something to the contry we assume we're ok
 				$returnval = true;
@@ -266,8 +276,7 @@ function action_gatekeeper() {
 		return TRUE;
 	}
 
-	forward('', 'csrf');
-	exit;
+	forward(REFERER, 'csrf');
 }
 
 /**