| -rw-r--r-- | engine/lib/actions.php | 52 | 
1 files changed, 40 insertions, 12 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 8935a324a..88dfde97c 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -23,7 +23,8 @@
         function action($action, $forwarder = "") {
 -            global $CONFIG;
+            global $CONFIG;
+            
  	        $query = parse_url($_SERVER['REQUEST_URI']);
  			if (isset($query['query'])) {
@@ -61,7 +62,19 @@
 	                	// Include action
 	                	if ($event_result) // Event_result being false doesn't produce an error - since i assume this will be handled in the hook itself. TODO make this better!
-	                	{
+	                	{
+				            /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */
+				            if (!validate_action_token())
+				            {
+				            	// Display a temporary warning message - in future versions this will be a hard fail via an action gatekeeper.
+				            	$message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'.";
+				            	
+				            	//if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning))
+				            	//	register_error($message);
+				            		
+				            	error_log($message);
+				            }
+				            
  			                if (@include($CONFIG->actions[$action]['file'])) {
  			                } else {
  			                    register_error(sprintf(elgg_echo('actionundefined'),$action));
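Review bot: The warning text built in the new `$message` line misdescribes the failure: `validate_action_token()` returns false not only when the token is absent but also when a supplied token or timestamp fails its checks (only the `actiongatekeeper:missingfields` branch is visible in the later hunk; the other branches lie outside this diff), and "It is stongly recommended that you consider doing this" both misspells "strongly" and says the opposite of what is meant. I would change the literal to `"WARNING: Action $action was called without a valid action token. It is strongly recommended that you add one: plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'."`. Because the action file is still included after the failed check, this block is diagnostic only and the anti-CSRF protection still rests on each action calling action_gatekeeper() itself; saying so in the `Refs #749` comment would stop the next reader from assuming the action is now protected. If `$action` is derived from the request, consider sanitising it (for example stripping newlines) before it goes into error_log(), so a crafted action name cannot inject extra lines into the log. The enclosing action() function starts and ends outside this hunk.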
@@ -73,7 +86,9 @@
             	}
              } else {
              	register_error(sprintf(elgg_echo('actionundefined'),$action));
 -            }
+            }
+            
+            
              forward($CONFIG->url . $forwarder);
          }
@@ -117,15 +132,13 @@
         	register_action("error");
          	return true;
         }
-
-       	/**
-       	 * Action gatekeeper.
-       	 * This function verifies form input for security features (like a generated token), and forwards
-       	 * the page if they are invalid.
-       	 * 
-       	 * Place at the head of actions.
-       	 */
-        function action_gatekeeper()
+        
+        /**
+         * Validate an action token, returning true if valid and false if not
+         *
+         * @return unknown
+         */
+        function validate_action_token()
         {
         	$token = get_input('__elgg_token');
         	$ts = get_input('__elgg_ts');
@@ -166,6 +179,21 @@
         	else
         		register_error(elgg_echo('actiongatekeeper:missingfields'));
+        	return false;
+        }
+
+       	/**
+       	 * Action gatekeeper.
+       	 * This function verifies form input for security features (like a generated token), and forwards
+       	 * the page if they are invalid.
+       	 * 
+       	 * Place at the head of actions.
+       	 */
+        function action_gatekeeper()
+        {
+        	if (validate_action_token())
+        		return true;
+        		
         	forward();
         	exit;
         }
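Review bot: The new docblock on `validate_action_token()` declares `@return unknown`, but the function returns true on success and false after registering an error (the `return false;` added in the following hunk), so the tag should say so: `@return bool true when the token and timestamp validate, false otherwise`. The description should also mention that the false path calls register_error(), since action() now invokes this function as a warning-only check and whatever it registers reaches the user. The body of validate_action_token() between this hunk and the next is outside the diff, so I could not confirm which other failure paths exist.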
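Review bot: `validate_action_token()` still reports every failure through register_error() before the new `return false;`, so the warning-only caller added in action() surfaces the `actiongatekeeper:missingfields` error to the user while its own register_error() call is left commented out; either the reporting belongs in action_gatekeeper(), the caller that actually blocks the request, or the comment in action() should say that the user-visible error is intended. The new action_gatekeeper() keeps `exit;` after `forward();`, which is the right defensive shape if forward() can ever return; a comment such as `// forward() is expected to end the request; exit guards against it returning` would make that intent explicit rather than looking like dead code. The earlier validation branches of validate_action_token() are outside this hunk, so which failures register which message could not be verified here.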
