From 0c5b4c242b0805c55ca3b1a887eb222844a66400 Mon Sep 17 00:00:00 2001 From: brettp Date: Thu, 21 Jan 2010 01:30:09 +0000 Subject: Fixes #750: All actions require __elgg_ts and __elgg_token. git-svn-id: http://code.elgg.org/elgg/trunk@3821 36083f99-b078-4883-b0ff-0f9b5a30f544 --- engine/lib/actions.php | 33 ++++++++++------------ views/default/account/forms/forgotten_password.php | 10 +++++-- views/default/basic_elements/welcome.php | 3 +- views/default/canvas/layouts/widgets.php | 10 ++++++- views/default/css.php | 4 +++ views/default/object/default.php | 8 ++++-- views/default/page_elements/elgg_topbar.php | 6 ++-- views/default/page_elements/spotlight.php | 6 ++-- views/default/welcome/logged_in.php | 5 ++-- 9 files changed, 53 insertions(+), 32 deletions(-) diff --git a/engine/lib/actions.php b/engine/lib/actions.php index ac4d70555..ad5f0c208 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -21,6 +21,15 @@ function action($action, $forwarder = "") { global $CONFIG; + // All actions require a token. + if (!action_gatekeeper()) { + $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins."; + + error_log($message); + register_error($message); + forward(); + } + // if there are any query parameters, make them available from get_input if (strpos($_SERVER['REQUEST_URI'], '?') !== FALSE) { $query = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1); @@ -34,7 +43,7 @@ function action($action, $forwarder = "") { } } } - + $forwarder = str_replace($CONFIG->url, "", $forwarder); $forwarder = str_replace("http://", "", $forwarder); $forwarder = str_replace("@", "", $forwarder); 
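Review bot: The new `if (!action_gatekeeper())` branch at the top of action() is unlikely to ever run, because action_gatekeeper() already calls forward() itself when validate_action_token() fails (see the `@@ -181` hunk below), so the ERROR line is logged and the user-facing message registered only if forward() returns instead of exiting. If the intent is to log and tell the user why the action was dropped, call `validate_action_token()` directly here and forward afterwards, or move the error_log()/register_error() pair into action_gatekeeper() so the two paths agree. The message also interpolates `$action`, which comes from the request; whether register_error() output is escaped when rendered is not visible in this hunk, so confirm that before echoing it back. The body of action() continues past the hunk.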
@@ -56,18 +65,6 @@ function action($action, $forwarder = "") { // since i assume this will be handled in the hook itself. // TODO make this better! if ($event_result) { - /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */ - if (!validate_action_token(false)) { - // Display a temporary warning message - - // in future versions this will be a hard fail via an action gatekeeper. - $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'."; - - //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning)) - // register_error($message); - - error_log($message); - } - if (!include($CONFIG->actions[$action]['file'])) { register_error(sprintf(elgg_echo('actionundefined'),$action)); } @@ -138,7 +135,7 @@ function validate_action_token($visibleerrors = true) { $generated_token = generate_action_token($ts); // Validate token - if (strcmp($token, $generated_token)==0) { + if ($token == $generated_token) { $hour = 60*60; $now = time(); @@ -169,7 +166,7 @@ function validate_action_token($visibleerrors = true) { register_error(elgg_echo('actiongatekeeper:missingfields')); } - return false; + return FALSE; } /** @@ -181,7 +178,7 @@ function validate_action_token($visibleerrors = true) { */ function action_gatekeeper() { if (validate_action_token()) { - return true; + return TRUE; } forward(); @@ -210,7 +207,7 @@ function generate_action_token($timestamp) { return md5($site_secret.$timestamp.$session_id.$ua.$st); } - return false; + return FALSE; } /** @@ -223,7 +220,7 @@ function init_site_secret() { return $secret; } - return false; + return FALSE; } /** 
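Review bot: Replacing `strcmp($token, $generated_token)==0` with `$token == $generated_token` in the `@@ -138` hunk weakens the token check: PHP's loose comparison treats two numeric-looking strings as numbers, so an md5 digest that happens to begin with `0e` followed only by digits compares equal to any other such string, and `$token` is caller-supplied. Use a strict comparison, `if ($token === $generated_token) {`, or where the runtime provides it `hash_equals($generated_token, $token)`, which also avoids the early-exit timing difference of a plain compare. The `false` to `FALSE` changes in the remaining hunks are cosmetic and unaffected. validate_action_token() starts and ends outside this hunk.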
diff --git a/views/default/account/forms/forgotten_password.php b/views/default/account/forms/forgotten_password.php index 5e760cef3..5ffb1be1a 100644 --- a/views/default/account/forms/forgotten_password.php +++ b/views/default/account/forms/forgotten_password.php @@ -9,11 +9,17 @@ */ $form_body = "

" . elgg_echo('user:password:text') . "

"; -$form_body .= "

"; +$form_body .= "

"; $form_body .= elgg_view('input/captcha'); $form_body .= "

" . elgg_view('input/submit', array('value' => elgg_echo('request'))) . "

"; ?>
- "{$vars['url']}action/user/requestnewpassword", 'body' => $form_body)); ?> + "{$vars['url']}action/user/requestnewpassword", + 'body' => $form_body) +); +?>
\ No newline at end of file diff --git a/views/default/basic_elements/welcome.php b/views/default/basic_elements/welcome.php index 297daa830..979f32b4f 100644 --- a/views/default/basic_elements/welcome.php +++ b/views/default/basic_elements/welcome.php @@ -13,4 +13,5 @@ $user = $vars['name']; ?>

-

[logout]

\ No newline at end of file +

"{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?>

+ diff --git a/views/default/canvas/layouts/widgets.php b/views/default/canvas/layouts/widgets.php index f6c9dec79..6b89d5435 100644 --- a/views/default/canvas/layouts/widgets.php +++ b/views/default/canvas/layouts/widgets.php @@ -235,6 +235,14 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE + + + + + @@ -315,4 +323,4 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE - \ No newline at end of file + diff --git a/views/default/css.php b/views/default/css.php index d70e18ee6..75b20b141 100644 --- a/views/default/css.php +++ b/views/default/css.php @@ -2524,3 +2524,7 @@ div.ajax_loader { float: left; padding-right: 1em; } + +.draggable { + cursor: move; +} \ No newline at end of file diff --git a/views/default/object/default.php b/views/default/object/default.php index 3ace73d7f..b6fe8a518 100644 --- a/views/default/object/default.php +++ b/views/default/object/default.php @@ -30,7 +30,11 @@ if ($vars['full']) { $controls = ""; if ($vars['entity']->canEdit()) { - $controls .= " (guid}\">" . elgg_echo('delete') . ")"; + $delete = elgg_view('output/confirm_link', array( + 'href' = "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}", + 'text' => elgg_echo('delete') + ); + $controls .= " ($delete)"; } $info = "
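Review bot: The logout link is now rendered through `elgg_view('output/action_link', ...)`, a view that is not among the nine files this commit touches, so if it does not already exist in trunk the view presumably renders nothing and the logout link silently disappears; the same applies to the page_elements/elgg_topbar.php and welcome/logged_in.php hunks. Worth confirming the view exists and that it appends the `__elgg_ts`/`__elgg_token` pair that action() now requires, otherwise every converted link is rejected by the new gatekeeper rather than fixed by this change.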

getUrl() . "\">" . $title . " $controls

"; @@ -56,4 +60,4 @@ if ($vars['full']) { $icon = "$icon"; echo elgg_view_listing($icon, $info); -} \ No newline at end of file +} diff --git a/views/default/page_elements/elgg_topbar.php b/views/default/page_elements/elgg_topbar.php index 00240f35e..d871d622e 100644 --- a/views/default/page_elements/elgg_topbar.php +++ b/views/default/page_elements/elgg_topbar.php @@ -62,7 +62,9 @@
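Review bot: The new `$delete = elgg_view('output/confirm_link', array(...))` block as shown does not parse: the first array element is written `'href' = "..."` instead of `'href' => "..."`, and the `array(` is closed by a single `);`, which leaves the elgg_view( call unterminated, so this view will fail on load. The corrected lines are `'href' => "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",` and `));`. The view name `output/confirm_link` also differs from `output/confirmlink`, the name the removed warning text in actions.php points plugin authors to, so confirm the view exists under the name used here. The enclosing `if ($vars['full'])` block starts outside the hunk.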
- + + "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?> +
- \ No newline at end of file + diff --git a/views/default/welcome/logged_in.php b/views/default/welcome/logged_in.php index 8f70d3005..180746f22 100644 --- a/views/default/welcome/logged_in.php +++ b/views/default/welcome/logged_in.php @@ -11,11 +11,10 @@ //add various views to area1 $area1 = "

" . sprintf(elgg_echo("welcome:user"),$vars['user']->name) . "

"; $area1 .= "

" . elgg_echo("welcome_message") . "


"; -$url = $vars['url'] . "action/logout"; -$area1 .= "" . elgg_echo('logout') . ""; +$area1 .= elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); //send area one to the appropriate canvas layout $body = elgg_view_layout("one_column", $area1); //draw to screen -echo $body; \ No newline at end of file +echo $body; -- cgit v1.2.3