Diffstat (limited to 'actions')
-rw-r--r-- | actions/admin/site/regenerate_secret.php | 11 | ||||
-rw-r--r-- | actions/admin/site/update_advanced.php | 6 | ||||
-rw-r--r-- | actions/admin/site/update_basic.php | 2 | ||||
-rw-r--r-- | actions/avatar/remove.php | 52 | ||||
-rw-r--r-- | actions/comments/delete.php | 5 | ||||
-rw-r--r-- | actions/friends/collections/add.php | 2 | ||||
-rw-r--r-- | actions/login.php | 5 | ||||
-rw-r--r-- | actions/profile/edit.php | 9 | ||||
-rw-r--r-- | actions/register.php | 2 |
9 files changed, 57 insertions, 37 deletions
diff --git a/actions/admin/site/regenerate_secret.php b/actions/admin/site/regenerate_secret.php
new file mode 100644
index 000000000..3112fb5f3
--- /dev/null
+++ b/actions/admin/site/regenerate_secret.php
@@ -0,0 +1,11 @@
+<?php
+/**
+ * Generate a new site secret
+ */
+
+init_site_secret();
+elgg_reset_system_cache();
+
+system_message(elgg_echo('admin:site:secret_regenerated'));
+
+forward(REFERER);
diff --git a/actions/admin/site/update_advanced.php b/actions/admin/site/update_advanced.php
index 0fd8d1f35..4888b0a8d 100644
--- a/actions/admin/site/update_advanced.php
+++ b/actions/admin/site/update_advanced.php
@@ -14,10 +14,10 @@ if ($site = elgg_get_site_entity()) {
 throw new InstallationException(elgg_echo('InvalidParameterException:NonElggSite'));
 }
 
- $site->url = get_input('wwwroot');
+ $site->url = rtrim(get_input('wwwroot', '', false), '/') . '/';
 
- datalist_set('path', sanitise_filepath(get_input('path')));
- $dataroot = sanitise_filepath(get_input('dataroot'));
+ datalist_set('path', sanitise_filepath(get_input('path', '', false)));
+ $dataroot = sanitise_filepath(get_input('dataroot', '', false));
 
 // check for relative paths
 if (stripos(PHP_OS, 'win') === 0) {
diff --git a/actions/admin/site/update_basic.php b/actions/admin/site/update_basic.php
index 97d258b65..9765182cc 100644
--- a/actions/admin/site/update_basic.php
+++ b/actions/admin/site/update_basic.php
@@ -16,7 +16,7 @@ if ($site = elgg_get_site_entity()) {
 }
 
 $site->description = get_input('sitedescription');
- $site->name = get_input('sitename');
+ $site->name = strip_tags(get_input('sitename'));
 $site->email = get_input('siteemail');
 $site->save();
diff --git a/actions/avatar/remove.php b/actions/avatar/remove.php
index cd38e456a..9cb40a760 100644
--- a/actions/avatar/remove.php
+++ b/actions/avatar/remove.php
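Review bot: Nothing in the new action verifies that the caller is an administrator before `init_site_secret()` rotates the site secret and `elgg_reset_system_cache()` flushes the cache. If the protection is that this file is registered as an admin action elsewhere, that is invisible from the file itself and is worth stating in the header docblock, e.g. ` * Must be registered as an admin-only action; this file performs no permission check of its own.` Rotating the secret presumably invalidates anything derived from it (tokens, signed values), so the success message might also mention that open forms or sessions may need to be re-submitted — I cannot see the consumers of the secret from here.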
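Review bot: `rtrim(get_input('wwwroot', '', false), '/') . '/'` turns an empty or missing wwwroot into `/`, so a blank field saves `$site->url = '/'` and breaks every absolute URL the site generates, whereas the old line at least stored the empty string. The third argument `false` also disables Elgg's input filtering, so the value is stored raw; for an admin-supplied URL that is defensible, but it should then be validated as an absolute http(s) URL before assignment, e.g. `$wwwroot = rtrim(get_input('wwwroot', '', false), '/'); if (!filter_var($wwwroot, FILTER_VALIDATE_URL)) { register_error(elgg_echo('<message-key>')); forward(REFERER); }` followed by `$site->url = $wwwroot . '/';`. The same unfiltered values feed `sanitise_filepath()` for path and dataroot; if that helper only normalises separators and does not check the directory exists, a comment here saying which checks are (not) done would help. The enclosing `if ($site = elgg_get_site_entity())` block starts before this hunk.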
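Review bot: `strip_tags()` deletes rather than escapes, so a site name such as `A < B` loses everything from the `<` onward, and it is applied only to sitename while the adjacent `sitedescription` and `siteemail` lines go through `get_input()` alone, which leaves the inconsistency unexplained. If the intent is to keep markup out of the stored name because it is rendered somewhere without escaping, a comment naming that context would help, e.g. `// strip markup: the site name is emitted unescaped in <context to confirm>`; otherwise the usual approach is to store the value and escape at output. `siteemail` is still stored without `filter_var(..., FILTER_VALIDATE_EMAIL)`; that is pre-existing, but this is the natural place to add it.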
@@ -3,32 +3,34 @@
  * Avatar remove action
  */
 
-$guid = get_input('guid');
-$user = get_entity($guid);
-if ($user) {
- // Delete all icons from diskspace
- $icon_sizes = elgg_get_config('icon_sizes');
- foreach ($icon_sizes as $name => $size_info) {
- $file = new ElggFile();
- $file->owner_guid = $guid;
- $file->setFilename("profile/{$guid}{$name}.jpg");
- $filepath = $file->getFilenameOnFilestore();
- if (!$file->delete()) {
- elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
- }
- }
-
- // Remove crop coords
- unset($user->x1);
- unset($user->x2);
- unset($user->y1);
- unset($user->y2);
-
- // Remove icon
- unset($user->icontime);
- system_message(elgg_echo('avatar:remove:success'));
-} else {
+$user_guid = get_input('guid');
+$user = get_user($user_guid);
+
+if (!$user || !$user->canEdit()) {
 register_error(elgg_echo('avatar:remove:fail'));
+ forward(REFERER);
 }
 
+// Delete all icons from diskspace
+$icon_sizes = elgg_get_config('icon_sizes');
+foreach ($icon_sizes as $name => $size_info) {
+ $file = new ElggFile();
+ $file->owner_guid = $user_guid;
+ $file->setFilename("profile/{$user_guid}{$name}.jpg");
+ $filepath = $file->getFilenameOnFilestore();
+ if (!$file->delete()) {
+ elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
+ }
+}
+
+// Remove crop coords
+unset($user->x1);
+unset($user->x2);
+unset($user->y1);
+unset($user->y2);
+
+// Remove icon
+unset($user->icontime);
+
+system_message(elgg_echo('avatar:remove:success'));
 forward(REFERER);
diff --git a/actions/comments/delete.php b/actions/comments/delete.php
index f2c058ff4..c6b481da4 100644
--- a/actions/comments/delete.php
+++ b/actions/comments/delete.php
@@ -5,11 +5,6 @@
  * @package Elgg
  */
 
-// Ensure we're logged in
-if (!elgg_is_logged_in()) {
- forward();
-}
-
 // Make sure we can get the comment in question
 $annotation_id = (int) get_input('annotation_id');
 $comment = elgg_get_annotation_from_id($annotation_id);
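Review bot: The file owner and filename are built from the raw request value `$user_guid` rather than from the entity that was just validated: `$file->owner_guid = $user_guid;` and `setFilename("profile/{$user_guid}{$name}.jpg")`. If `get_user()` coerces its argument to an integer, an input such as `12abc` resolves to user 12 but yields a filename that matches none of that user's icon files, so every delete fails and is merely logged. Using the resolved entity, `$file->owner_guid = $user->guid;` and `$file->setFilename("profile/{$user->guid}{$name}.jpg");`, ties the deletion to the user the `canEdit()` check was made against. The guard also depends on `forward(REFERER)` ending the request; if that is the project convention it is fine, but a reader unfamiliar with it would otherwise expect an `exit` or `return` after it.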
diff --git a/actions/friends/collections/add.php b/actions/friends/collections/add.php
index 9dc17b37e..e63a149f7 100644
--- a/actions/friends/collections/add.php
+++ b/actions/friends/collections/add.php
@@ -6,7 +6,7 @@
  * @subpackage Friends.Collections
  */
 
-$collection_name = get_input('collection_name');
+$collection_name = htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES, 'UTF-8');
 $friends = get_input('friends_collection');
 
 if (!$collection_name) {
diff --git a/actions/login.php b/actions/login.php
index 1e5e92ede..bd7f91299 100644
--- a/actions/login.php
+++ b/actions/login.php
@@ -9,7 +9,6 @@
 // set forward url
 if (!empty($_SESSION['last_forward_from'])) {
 $forward_url = $_SESSION['last_forward_from'];
- unset($_SESSION['last_forward_from']);
 } elseif (get_input('returntoreferer')) {
 $forward_url = REFERER;
 } else {
@@ -62,5 +61,9 @@ if ($user->language) {
 $message = elgg_echo('loginok');
 }
 
+if (isset($_SESSION['last_forward_from'])) {
+ unset($_SESSION['last_forward_from']);
+}
+
 system_message($message);
 forward($forward_url);
diff --git a/actions/profile/edit.php b/actions/profile/edit.php
index 89bf2bc0b..e1f066e82 100644
--- a/actions/profile/edit.php
+++ b/actions/profile/edit.php
@@ -4,6 +4,8 @@
  *
  */
 
+elgg_make_sticky_form('profile:edit');
+
 $guid = get_input('guid');
 $owner = get_entity($guid);
 
@@ -48,6 +50,10 @@ foreach ($profile_fields as $shortname => $valuetype) {
 forward(REFERER);
 }
 
+ if ($value && $valuetype == 'url' && !preg_match('~^https?\://~i', $value)) {
+ $value = "http://$value";
+ }
+
 if ($valuetype == 'tags') {
 $value = string_to_tag_array($value);
 }
@@ -76,7 +82,7 @@ if (sizeof($input) > 0) {
 );
 elgg_delete_metadata($options);
- if(!is_null($value) && ($value !== '')){
+ if (!is_null($value) && ($value !== '')) {
 // only create metadata for non empty values (0 is allowed) to prevent metadata records with empty string values #4858
 if (isset($accesslevel[$shortname])) {
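Review bot: Encoding at input time with `htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES, 'UTF-8')` stores an HTML-escaped name, so any view that escapes on output — the usual place — will double-encode it and show `&amp;` for `&`. Without `ENT_SUBSTITUTE`, `htmlspecialchars()` returns `''` for invalid UTF-8, so such a name silently drops into the `if (!$collection_name)` branch with a misleading "name missing" failure. The third argument `false` appears to switch off Elgg's default input filter, so this line replaces filtering with encoding rather than adding to it. If input-side encoding is deliberate, a comment should name the unescaped render context it protects; otherwise store the raw (or filtered) value and escape in the view.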
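Review bot: The `isset()` guard around `unset($_SESSION['last_forward_from'])` is redundant — `unset()` on a missing key is a no-op — so `unset($_SESSION['last_forward_from']);` alone would do. The more significant effect is that the unset moved from the forward-url selection at the top of the action (the first hunk of this file) to after a successful login, so a failed attempt, which presumably forwards out earlier, now leaves `last_forward_from` in the session for the next attempt. If keeping the stored destination across failed attempts is the intent, a comment such as `// keep last_forward_from across failed attempts; clear it only once login succeeds` would record that, since nothing in the code says so.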
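Review bot: The url normalisation prefixes `http://` to every value not matching `~^https?\://~i`, so a field holding another scheme (`ftp://…`, `mailto:…`) is stored as `http://ftp://…`, and because the branch is gated on the truthiness of `$value` a field holding `0` is skipped rather than normalised. The comparison `$valuetype == 'url'` is loose where the rest of this hunk uses `!==`; `$valuetype === 'url'` and the unescaped form `preg_match('~^https?://~i', $value)` (the `\:` is unnecessary) would be the usual style. After prefixing, nothing checks that the result is actually a URL; `filter_var($value, FILTER_VALIDATE_URL)` at that point would catch the mangled cases before they reach metadata. The enclosing `foreach` over `$profile_fields` starts before this hunk.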
@@ -103,6 +109,7 @@ if (sizeof($input) > 0) {
 
 // Notify of profile update
 elgg_trigger_event('profileupdate', $owner->type, $owner);
+ elgg_clear_sticky_form('profile:edit');
 
 system_message(elgg_echo("profile:saved"));
 }
diff --git a/actions/register.php b/actions/register.php
index 810ceaf27..73926232c 100644
--- a/actions/register.php
+++ b/actions/register.php
@@ -45,7 +45,9 @@ if (elgg_get_config('allow_registration')) {
 
 // @todo should registration be allowed no matter what the plugins return?
 if (!elgg_trigger_plugin_hook('register', 'user', $params, TRUE)) {
+ $ia = elgg_set_ignore_access(true);
 $new_user->delete();
+ elgg_set_ignore_access($ia);
 // @todo this is a generic messages. We could have plugins
 // throw a RegistrationException, but that is very odd
 // for the plugin hooks system. |
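Review bot: `elgg_clear_sticky_form('profile:edit')` sits inside the `if (sizeof($input) > 0)` block, which starts before this hunk, so a submission with no field values never clears the sticky data set by `elgg_make_sticky_form('profile:edit')` at the top of the action and that data presumably repopulates the next edit form. If the clear is meant to pair unconditionally with the make call, move it after the closing `}` of that block; if clearing only on a successful save is deliberate, a comment such as `// sticky form is cleared only on a successful save` would make that explicit.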
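Review bot: `elgg_set_ignore_access(true)` is restored only on the straight-line path; if `$new_user->delete()` throws, the request continues with access checks disabled, which is a worse state than the failed cleanup it was meant to fix. Make the restore unconditional: `try { $new_user->delete(); } finally { elgg_set_ignore_access($ia); }` on PHP 5.5+, or catch, restore and rethrow on older targets. The enclosing `if (!elgg_trigger_plugin_hook(...))` block ends outside this hunk, so any `throw` that follows would currently run with access ignored.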