diff options
author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-24 18:47:42 +0000 |
---|---|---|
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2010-01-24 18:47:42 +0000 |
commit | 675761494bfd082f4b41c6f80ea2a7aae75f9344 (patch) | |
tree | 9b1137924bc2f63efc1b050ab40d23d187a0209b /engine/lib | |
parent | 728ac2daaeaa95098aa189c03dd908eaa674a3c7 (diff) | |
download | elgg-675761494bfd082f4b41c6f80ea2a7aae75f9344.tar.gz elgg-675761494bfd082f4b41c6f80ea2a7aae75f9344.tar.bz2 |
Fixes #1460, Fixes #1459: Tokens are not required to disable a plugin or install. This allows users to disable plugins that overwrite admin pages without tokens.
git-svn-id: http://code.elgg.org/elgg/trunk@3836 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine/lib')
-rw-r--r-- | engine/lib/actions.php | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php index ad5f0c208..eafb42155 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -21,13 +21,23 @@ function action($action, $forwarder = "") { global $CONFIG; - // All actions require a token. - if (!action_gatekeeper()) { - $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins."; - - error_log($message); - register_error($message); - forward(); + // @todo REMOVE THESE EXCEPTIONS IN 1.8. + // These are only to provide a way to disable plugins that overwrite core + // UI without tokens. (And for installation because of session_id problems) + $exceptions = array( + 'systemsettings/install', + 'admin/plugins/disable' + ); + + if (!in_array($action, $exceptions)) { + // All actions require a token. + if (!action_gatekeeper()) { + $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins."; + + error_log($message); + register_error($message); + forward(); + } } // if there are any query parameters, make them available from get_input |