diff options
author | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-09-06 22:39:07 +0000 |
---|---|---|
committer | marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2008-09-06 22:39:07 +0000 |
commit | 4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9 (patch) | |
tree | a3c668c9c6bc883bb0699632e4d2ab75a698a7a1 /views/default | |
parent | f918ca09cec807801521059bac987793b3685139 (diff) | |
download | elgg-4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9.tar.gz elgg-4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9.tar.bz2 |
Closes #327: Thanks for the pointer. In the end I modified the fix from the patch you sent, it still uses get but the generated token should make a CSRF attack much harder.
git-svn-id: https://code.elgg.org/elgg/trunk@2057 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'views/default')
-rw-r--r-- | views/default/admin/plugins_opt/plugin.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/views/default/admin/plugins_opt/plugin.php b/views/default/admin/plugins_opt/plugin.php index 8db41d30a..21032b33d 100644 --- a/views/default/admin/plugins_opt/plugin.php +++ b/views/default/admin/plugins_opt/plugin.php @@ -19,13 +19,16 @@ $active = $details['active']; $manifest = $details['manifest']; + + $ts = time(); + $token = generate_action_token($ts); ?> <div class="plugin_details <?php if ($active) echo "active"; else echo "not-active" ?>"> <div class="admin_plugin_enable_disable"> <?php if ($active) { ?> - <a href="<?php echo $vars['url']; ?>actions/admin/plugins/disable?plugin=<?php echo $plugin; ?>"><?php echo elgg_echo("disable"); ?></a> + <a href="<?php echo $vars['url']; ?>actions/admin/plugins/disable?plugin=<?php echo $plugin; ?>&__elgg_token=<?php echo $token; ?>&__elgg_ts=<?php echo $ts; ?>"><?php echo elgg_echo("disable"); ?></a> <?php } else { ?> - <a href="<?php echo $vars['url']; ?>actions/admin/plugins/enable?plugin=<?php echo $plugin; ?>"><?php echo elgg_echo("enable"); ?></a> + <a href="<?php echo $vars['url']; ?>actions/admin/plugins/enable?plugin=<?php echo $plugin; ?>&__elgg_token=<?php echo $token; ?>&__elgg_ts=<?php echo $ts; ?>"><?php echo elgg_echo("enable"); ?></a> <?php } ?> </div> |