From 4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9 Mon Sep 17 00:00:00 2001
From: marcus
Date: Sat, 6 Sep 2008 22:39:07 +0000
Subject: Closes #327: Thanks for the pointer. In the end I modified the fix from the patch you sent, it still uses get but the generated token should make a CSRF attack much harder.

git-svn-id: https://code.elgg.org/elgg/trunk@2057 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 actions/admin/plugins/disable.php | 3 +++
 actions/admin/plugins/enable.php | 3 +++
 views/default/admin/plugins_opt/plugin.php | 7 +++++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/actions/admin/plugins/disable.php b/actions/admin/plugins/disable.php
index 355fd2b52..b41a7603e 100644
--- a/actions/admin/plugins/disable.php
+++ b/actions/admin/plugins/disable.php
@@ -15,6 +15,9 @@
 // block non-admin users
 admin_gatekeeper();
+// Validate the action
+action_gatekeeper();
+
 // Get the user
 $plugin = get_input('plugin');
diff --git a/actions/admin/plugins/enable.php b/actions/admin/plugins/enable.php
index b13755327..537079112 100644
--- a/actions/admin/plugins/enable.php
+++ b/actions/admin/plugins/enable.php
@@ -15,6 +15,9 @@
 // block non-admin users
 admin_gatekeeper();
+// Validate the action
+action_gatekeeper();
+
 // Get the user
 $plugin = get_input('plugin');
diff --git a/views/default/admin/plugins_opt/plugin.php b/views/default/admin/plugins_opt/plugin.php
index 8db41d30a..21032b33d 100644
--- a/views/default/admin/plugins_opt/plugin.php
+++ b/views/default/admin/plugins_opt/plugin.php
@@ -19,13 +19,16 @@
 $active = $details['active'];
 $manifest = $details['manifest'];
+
+$ts = time();
+$token = generate_action_token($ts);
 ?>
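Review bot: The new comment `// Validate the action` above `action_gatekeeper();` does not say what is validated, and the context comment `// Get the user` right below it describes the wrong thing for `$plugin = get_input('plugin');`; since the commit message explains this is a CSRF token check, make it explicit, e.g. `// CSRF guard: reject requests that do not carry a valid action token (generated in views/default/admin/plugins_opt/plugin.php)`. The identical hunk in actions/admin/plugins/enable.php needs the same change. The commit message also notes the actions are still reached via GET, so the token travels in the URL and can end up in browser history, proxy logs and Referer headers; rendering the enable/disable controls as small POST forms would keep it out of those places, and whether action_gatekeeper() bounds the token's validity by the timestamp is not visible in this hunk. Calling it after admin_gatekeeper() is the right order, so non-admins are rejected before any token handling.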
">
- + - +
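Review bot: The two replaced lines that embed `$ts` and `$token` into the enable/disable links have had their markup stripped in this listing, so the embedding itself could not be reviewed; the reviewer applying this should confirm the query-string values pass through `urlencode()` and the attribute through `htmlspecialchars()`, even though an integer timestamp and a generated token are unlikely to need it. This view reads `$details` and so appears to be rendered once per plugin, meaning `time()` and `generate_action_token($ts)` run per row and rows rendered across a second boundary get different timestamps; if a parent view drives that loop, generating the pair there once per page would be tidier, though the per-row form is harmless.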