authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2011-02-20 19:13:32 +0000
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>2011-02-20 19:13:32 +0000
commit428cf8e4d0012a01247fc8365d25a3a83cf45ccc (patch)
tree52ec98a98b4238cc158e9be34fa3e8e1341553e1 /engine
parent542a961fc5a956ad9ef753fb2276c5ca7bb619ec (diff)
downloadelgg-428cf8e4d0012a01247fc8365d25a3a83cf45ccc.tar.gz
elgg-428cf8e4d0012a01247fc8365d25a3a83cf45ccc.tar.bz2
Refs #2833, #2956. Merged 1.7's action timeout changes to 1.8.
git-svn-id: http://code.elgg.org/elgg/trunk@8366 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r--engine/lib/actions.php15
1 files changed, 12 insertions, 3 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 26611e2d8..1a26018ab 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -201,6 +201,8 @@ function elgg_register_action($action, $filename = "", $access = 'logged_in') {
* @link http://docs.elgg.org/Actions/Tokens
*/
function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
+ global $CONFIG;
+
if (!$token) {
$token = get_input('__elgg_token');
}
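Review bot: The docblock ending just above `validate_action_token()` is not updated to mention that the token's validity window is now taken from `$CONFIG->action_token_timeout`, so the only place the setting is discoverable is the body of the function. I would add a line to the docblock such as ` * The accepted timestamp window is $CONFIG->action_token_timeout hours (default 2); a value of 0 disables the window check.` The rest of the docblock and the function body continue outside this hunk.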
@@ -209,6 +211,13 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
$ts = get_input('__elgg_ts');
}
+ if (!isset($CONFIG->action_token_timeout)) {
+ // default to 2 hours
+ $timeout = 2;
+ } else {
+ $timeout = $CONFIG->action_token_timeout;
+ }
+
$session_id = session_id();
if (($token) && ($ts) && ($session_id)) {
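Review bot: `$timeout = $CONFIG->action_token_timeout;` takes the configured value as-is, so a string or non-integer setting (e.g. one that came from a form or a settings table) flows straight into the arithmetic and the loose `== 0` comparison further down, where a non-numeric string would be treated as "no timeout" on PHP versions before 8. Normalising at the point of reading keeps the later check honest: `$timeout = (int) $CONFIG->action_token_timeout;`. The `isset()` default of 2 hours is fine; a brief comment that 0 means "never expire" would help the next reader, since that meaning is only visible in the later hunk.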
@@ -218,10 +227,11 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
// Validate token
if ($token == $generated_token) {
$hour = 60 * 60;
+ $timeout = $timeout * $hour;
$now = time();
// Validate time to ensure its not crazy
- if (($ts > $now - $hour) && ($ts < $now + $hour)) {
+ if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) {
// We have already got this far, so unless anything
// else says something to the contry we assume we're ok
$returnval = true;
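Review bot: The new condition `$timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)` relies on loose equality and on operator precedence; with `==`, a non-numeric `$timeout` compares equal to 0 on older PHP and silently disables timestamp validation, turning a misconfiguration into tokens that never expire. I would write it strictly and with explicit grouping: `$timeout = (int) $timeout * $hour;` and `if ($timeout === 0 || (($ts > $now - $timeout) && ($ts < $now + $timeout))) {`. Since 0 now means "no expiry", that behaviour deserves a comment next to the check so it is not mistaken for a bug. The `$token == $generated_token` line is pre-existing context, not part of this change, but note it is also a loose comparison.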
@@ -266,8 +276,7 @@ function action_gatekeeper() {
return TRUE;
}
- forward('', 'csrf');
- exit;
+ forward(REFERER, 'csrf');
}
/**
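Review bot: The explicit `exit;` after the redirect is dropped, so `action_gatekeeper()` now depends entirely on `forward(REFERER, 'csrf')` never returning; if `forward()` can return in some path (for instance when a plugin hook replaces the redirect target with an empty or false value — cannot be confirmed from this hunk), the failed token check no longer stops the action and execution continues into the caller. Unless `forward()` is documented as `never` returning, keeping a terminator after it is the safer shape: `forward(REFERER, 'csrf');` followed by `exit;`. The start of `action_gatekeeper()` is outside this hunk.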