From 2d365ba900e40494abeb306e3a881c91e2099ba6 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Thu, 17 Jan 2013 11:05:16 -0500 Subject: Allow friend collection names to store arbitrary plain text --- actions/friends/collections/add.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actions') diff --git a/actions/friends/collections/add.php b/actions/friends/collections/add.php index 9dc17b37e..e63a149f7 100644 --- a/actions/friends/collections/add.php +++ b/actions/friends/collections/add.php @@ -6,7 +6,7 @@ * @subpackage Friends.Collections */ -$collection_name = get_input('collection_name'); +$collection_name = htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES, 'UTF-8'); $friends = get_input('friends_collection'); if (!$collection_name) { -- cgit v1.2.3 From db59f4448e66fbed3fbfe2ace074cf75548f1a7e Mon Sep 17 00:00:00 2001 From: hellekin Date: Mon, 4 Mar 2013 06:59:41 -0300 Subject: Actually delete user when registration fails --- actions/register.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'actions') diff --git a/actions/register.php b/actions/register.php index 810ceaf27..73926232c 100644 --- a/actions/register.php +++ b/actions/register.php @@ -45,7 +45,9 @@ if (elgg_get_config('allow_registration')) { // @todo should registration be allowed no matter what the plugins return? if (!elgg_trigger_plugin_hook('register', 'user', $params, TRUE)) { + $ia = elgg_set_ignore_access(true); $new_user->delete(); + elgg_set_ignore_access($ia); // @todo this is a generic messages. We could have plugins // throw a RegistrationException, but that is very odd // for the plugin hooks system. -- cgit v1.2.3 From ed7210a35f3367bf6325ec805fcc7cad01f94c4c Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Tue, 19 Feb 2013 22:06:25 -0500 Subject: Auto-prepend "http://" to URL profile fields without it --- actions/profile/edit.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'actions') 
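Review bot: `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` on the new line returns an empty string when the submitted name is not valid UTF-8, so such input drops into the `if (!$collection_name)` branch that follows and is reported as a missing name rather than a bad one; adding `ENT_SUBSTITUTE` (PHP 5.4+), `htmlspecialchars(get_input('collection_name', '', false), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, keeps the check meaningful, and the same truthiness test also rejects the name `'0'`, which predates this change. Escaping at input time means the stored name already carries entities, so any view that escapes it again will double-encode; a comment such as `// stored HTML-escaped with get_input filtering off; views must not escape this value a second time` would record that contract for maintainers.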
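Review bot: The return value of `$new_user->delete()` between the two added lines is still discarded, so if the deletion fails the account survives while the action goes on to report registration as failed; `if (!$new_user->delete()) { elgg_log('Could not delete user after the register hook rejected it', 'WARNING'); }` would at least leave a trace, assuming `delete()` reports failure with `false`. Restoring `elgg_set_ignore_access($ia)` on the same straight-line path is fine as far as the hunk shows, but it would leave the flag set if `delete()` threw, which cannot be ruled out from here. The enclosing `if (elgg_get_config('allow_registration'))` block starts outside the hunk.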
diff --git a/actions/profile/edit.php b/actions/profile/edit.php index 89bf2bc0b..63fb31600 100644 --- a/actions/profile/edit.php +++ b/actions/profile/edit.php @@ -48,6 +48,10 @@ foreach ($profile_fields as $shortname => $valuetype) { forward(REFERER); } + if ($valuetype == 'url' && !preg_match('~^https?\://~i', $value)) { + $value = "http://$value"; + } + if ($valuetype == 'tags') { $value = string_to_tag_array($value); } -- cgit v1.2.3 From 4da579033674ecdb134bc921f3f0666072419e6c Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Wed, 20 Mar 2013 21:00:41 -0400 Subject: Fixes #5232 handling empty profile url field --- actions/profile/edit.php | 2 +- mod/profile/views/default/profile/details.php | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'actions') diff --git a/actions/profile/edit.php b/actions/profile/edit.php index 63fb31600..b817463ac 100644 --- a/actions/profile/edit.php +++ b/actions/profile/edit.php @@ -48,7 +48,7 @@ foreach ($profile_fields as $shortname => $valuetype) { forward(REFERER); } - if ($valuetype == 'url' && !preg_match('~^https?\://~i', $value)) { + if ($value && $valuetype == 'url' && !preg_match('~^https?\://~i', $value)) { $value = "http://$value"; } diff --git a/mod/profile/views/default/profile/details.php b/mod/profile/views/default/profile/details.php index 167f995ae..15df6c2fd 100644 --- a/mod/profile/views/default/profile/details.php +++ b/mod/profile/views/default/profile/details.php @@ -22,13 +22,13 @@ if (is_array($profile_fields) && sizeof($profile_fields) > 0) { } $value = $user->$shortname; - // validate urls - if ($valtype == 'url' && !preg_match('~^https?\://~i', $value)) { - $value = "http://$value"; - } - if (!empty($value)) { - //This function controls the alternating class + // validate urls + if ($valtype == 'url' && !preg_match('~^https?\://~i', $value)) { + $value = "http://$value"; + } + + // this controls the alternating class $even_odd = ( 'odd' != $even_odd ) ? 'odd' : 'even'; ?>
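Review bot: `$value &&` in the changed condition uses PHP truthiness, so a URL field submitted as `'0'` skips the prefix step and is stored as the bare string; `$value !== null && $value !== '' && $valuetype == 'url' && !preg_match('~^https?\://~i', $value)` matches the `!is_null($value) && ($value !== '')` test this action appears to apply later in the same loop (visible in a later hunk on this page) and avoids the inconsistency. The `foreach ($profile_fields as $shortname => $valuetype)` loop enclosing these lines starts outside the hunk. The same normalisation is duplicated in `mod/profile/views/default/profile/details.php` in this commit; a comment on each copy pointing at the other would keep them from drifting apart.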
-- cgit v1.2.3 From e579d5b32ea0f12450520a6d45183018e0851757 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 30 Mar 2013 13:29:51 -0400 Subject: Fixes #2682 strips tags from site name --- actions/admin/site/update_basic.php | 2 +- install/ElggInstaller.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'actions') diff --git a/actions/admin/site/update_basic.php b/actions/admin/site/update_basic.php index 97d258b65..9765182cc 100644 --- a/actions/admin/site/update_basic.php +++ b/actions/admin/site/update_basic.php @@ -16,7 +16,7 @@ if ($site = elgg_get_site_entity()) { } $site->description = get_input('sitedescription'); - $site->name = get_input('sitename'); + $site->name = strip_tags(get_input('sitename')); $site->email = get_input('siteemail'); $site->save(); diff --git a/install/ElggInstaller.php b/install/ElggInstaller.php index 93716f7cd..78cdde90f 100644 --- a/install/ElggInstaller.php +++ b/install/ElggInstaller.php @@ -1414,7 +1414,7 @@ class ElggInstaller { $submissionVars['wwwroot'] = sanitise_filepath($submissionVars['wwwroot']); $site = new ElggSite(); - $site->name = $submissionVars['sitename']; + $site->name = strip_tags($submissionVars['sitename']); $site->url = $submissionVars['wwwroot']; $site->access_id = ACCESS_PUBLIC; $site->email = $submissionVars['siteemail']; -- cgit v1.2.3 From 7b002adf2fd383e6a0e7e4b93890720d99750282 Mon Sep 17 00:00:00 2001 From: Jeff Tilson Date: Tue, 9 Apr 2013 11:19:49 -0400 Subject: Removing redundant logged in user check from pages annotation delete action (also from the comments delete core action) --- actions/comments/delete.php | 5 ----- mod/pages/actions/annotations/page/delete.php | 5 ----- 2 files changed, 10 deletions(-) (limited to 'actions') diff --git a/actions/comments/delete.php b/actions/comments/delete.php index f2c058ff4..c6b481da4 100644 --- a/actions/comments/delete.php +++ b/actions/comments/delete.php 
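Review bot: `strip_tags()` on the new `$site->name` line removes `<...>` sequences but leaves `&`, quotes and entity-like text untouched, so the site name is not output-safe after this assignment and still needs `htmlspecialchars()` wherever it is rendered; it also truncates a legitimate name at an unmatched `<`, dropping everything after it. A comment at both call sites, here and in the `ElggInstaller` hunk of the same commit, such as `// strip_tags() only drops markup; the value must still be escaped on output`, would stop a later reader from treating this as sanitisation. The method enclosing the installer's lines starts outside its hunk.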
@@ -5,11 +5,6 @@
 * @package Elgg
 */
-// Ensure we're logged in
-if (!elgg_is_logged_in()) {
- forward();
-}
-
 // Make sure we can get the comment in question
 $annotation_id = (int) get_input('annotation_id');
 $comment = elgg_get_annotation_from_id($annotation_id);
diff --git a/mod/pages/actions/annotations/page/delete.php b/mod/pages/actions/annotations/page/delete.php
index 792b7c0bc..156b516d2 100644
--- a/mod/pages/actions/annotations/page/delete.php
+++ b/mod/pages/actions/annotations/page/delete.php
@@ -5,11 +5,6 @@
 * @package ElggPages
 */
-// Ensure we're logged in
-if (!elgg_is_logged_in()) {
- forward();
-}
-
 // Make sure we can get the annotations and entity in question
 $annotation_id = (int) get_input('annotation_id');
 $annotation = elgg_get_annotation_from_id($annotation_id);
-- cgit v1.2.3 From 6c7ec418fc0a5b35489614325c807d6f523844df Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Mon, 15 Apr 2013 21:03:00 -0400 Subject: Fixes #5363: Append trailing slash to site URL if missing --- actions/admin/site/update_advanced.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'actions')
diff --git a/actions/admin/site/update_advanced.php b/actions/admin/site/update_advanced.php
index 0fd8d1f35..4888b0a8d 100644
--- a/actions/admin/site/update_advanced.php
+++ b/actions/admin/site/update_advanced.php
@@ -14,10 +14,10 @@ if ($site = elgg_get_site_entity()) {
 throw new InstallationException(elgg_echo('InvalidParameterException:NonElggSite'));
 }
- $site->url = get_input('wwwroot');
+ $site->url = rtrim(get_input('wwwroot', '', false), '/') . '/';
- datalist_set('path', sanitise_filepath(get_input('path')));
- $dataroot = sanitise_filepath(get_input('dataroot'));
+ datalist_set('path', sanitise_filepath(get_input('path', '', false)));
+ $dataroot = sanitise_filepath(get_input('dataroot', '', false));
 // check for relative paths
 if (stripos(PHP_OS, 'win') === 0) {
-- cgit v1.2.3 
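Review bot: `rtrim(get_input('wwwroot', '', false), '/') . '/'` turns an empty or absent `wwwroot` into `'/'` and assigns it unconditionally, so a blank submission overwrites the site URL with a bare slash and no scheme or host is checked before the save; reading the value first with `$wwwroot = get_input('wwwroot', '', false);`, rejecting it via `register_error()` and `forward(REFERER)` when `filter_var($wwwroot, FILTER_VALIDATE_URL) === false`, and only then assigning `$site->url = rtrim($wwwroot, '/') . '/';` keeps a malformed value out of the site entity. Turning off `get_input()` filtering for all three values is understandable for a URL and two file paths, but it now rests entirely on the `'admin'` access this action is registered with and on `sanitise_filepath()`, whose behaviour is not visible here. The enclosing `if ($site = elgg_get_site_entity())` block starts outside the hunk.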
From dd9df95001f5293e7a3a93a365c64842fe3650e4 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Wed, 29 May 2013 13:13:16 -0400 Subject: Fix avatar edit permissions (by Jerôme Bakker) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- actions/avatar/remove.php | 52 ++++++++++++++++++++++++----------------------- languages/en.php | 1 + pages/avatar/edit.php | 5 +++++ 3 files changed, 33 insertions(+), 25 deletions(-) (limited to 'actions') diff --git a/actions/avatar/remove.php b/actions/avatar/remove.php index cd38e456a..9cb40a760 100644 --- a/actions/avatar/remove.php +++ b/actions/avatar/remove.php 
@@ -3,32 +3,34 @@ * Avatar remove action */ -$guid = get_input('guid'); -$user = get_entity($guid); -if ($user) { - // Delete all icons from diskspace - $icon_sizes = elgg_get_config('icon_sizes'); - foreach ($icon_sizes as $name => $size_info) { - $file = new ElggFile(); - $file->owner_guid = $guid; - $file->setFilename("profile/{$guid}{$name}.jpg"); - $filepath = $file->getFilenameOnFilestore(); - if (!$file->delete()) { - elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING'); - } - } - - // Remove crop coords - unset($user->x1); - unset($user->x2); - unset($user->y1); - unset($user->y2); - - // Remove icon - unset($user->icontime); - system_message(elgg_echo('avatar:remove:success')); -} else { +$user_guid = get_input('guid'); +$user = get_user($user_guid); + +if (!$user || !$user->canEdit()) { register_error(elgg_echo('avatar:remove:fail')); + forward(REFERER); } +// Delete all icons from diskspace +$icon_sizes = elgg_get_config('icon_sizes'); +foreach ($icon_sizes as $name => $size_info) { + $file = new ElggFile(); + $file->owner_guid = $user_guid; + $file->setFilename("profile/{$user_guid}{$name}.jpg"); + $filepath = $file->getFilenameOnFilestore(); + if (!$file->delete()) { + elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING'); + } +} + +// Remove crop coords +unset($user->x1); +unset($user->x2); +unset($user->y1); +unset($user->y2); + +// Remove icon +unset($user->icontime); + +system_message(elgg_echo('avatar:remove:success')); forward(REFERER); diff --git a/languages/en.php b/languages/en.php index be86e12e6..49e366484 100644 --- a/languages/en.php +++ b/languages/en.php @@ -359,6 +359,7 @@ $english = array( 'friendspicker:chararray' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'avatar' => 'Avatar', + 'avatar:noaccess' => "You're not allowed to edit this user's avatar", 'avatar:create' => 'Create your avatar', 'avatar:edit' => 'Edit avatar', 'avatar:preview' => 'Preview', 
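Review bot: `$user_guid = get_input('guid')` on the new side is never cast, yet it is assigned to `$file->owner_guid` and interpolated into the filestore name `"profile/{$user_guid}{$name}.jpg"`; whether a non-numeric value can get past `get_user()` is not visible here, so `$user_guid = (int) get_input('guid');`, matching the `(int) get_input('annotation_id')` used by the delete actions earlier on this page, removes the question. The `!$user || !$user->canEdit()` guard followed by `forward(REFERER)` is the right shape for the permission fix, provided `forward()` ends the request as it appears to elsewhere in these actions. Separately, a failed `$file->delete()` is only logged and the action still ends with `system_message(elgg_echo('avatar:remove:success'))`, so the user is told the avatar is gone while a file may remain; recording the failure in a flag and reporting it instead of the success message would be more accurate.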
diff --git a/pages/avatar/edit.php b/pages/avatar/edit.php
index c71633b8b..56aede887 100644
--- a/pages/avatar/edit.php
+++ b/pages/avatar/edit.php
@@ -11,6 +11,11 @@ elgg_set_context('profile_edit');
 $title = elgg_echo('avatar:edit');
 $entity = elgg_get_page_owner_entity();
+if (!elgg_instanceof($entity, 'user') || !$entity->canEdit()) {
+ register_error(elgg_echo('avatar:noaccess'));
+ forward(REFERER);
+}
+
 $content = elgg_view('core/avatar/upload', array('entity' => $entity));
 // only offer the crop view if an avatar has been uploaded
-- cgit v1.2.3 From f4fef67a3833138b5f87227a0297cd66fcf4a207 Mon Sep 17 00:00:00 2001 From: cash Date: Thu, 30 May 2013 18:52:08 -0400 Subject: Fixes #5559 not clearing last_forward_from in session if login fails --- actions/login.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'actions')
diff --git a/actions/login.php b/actions/login.php
index 1e5e92ede..bd7f91299 100644
--- a/actions/login.php
+++ b/actions/login.php
@@ -9,7 +9,6 @@
 // set forward url
 if (!empty($_SESSION['last_forward_from'])) {
 $forward_url = $_SESSION['last_forward_from'];
- unset($_SESSION['last_forward_from']);
 } elseif (get_input('returntoreferer')) {
 $forward_url = REFERER;
 } else {
@@ -62,5 +61,9 @@ if ($user->language) {
 $message = elgg_echo('loginok');
 }
+if (isset($_SESSION['last_forward_from'])) {
+ unset($_SESSION['last_forward_from']);
+}
+
 system_message($message);
 forward($forward_url);
-- cgit v1.2.3 From 50ca9866486b27defa3b327f0b501ee316a5efeb Mon Sep 17 00:00:00 2001 From: Paweł Sroka Date: Fri, 7 Jun 2013 02:37:06 +0200 Subject: Fixes #5587 - Makes profile edit form sticky --- actions/profile/edit.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'actions')
diff --git a/actions/profile/edit.php b/actions/profile/edit.php
index b817463ac..c2a124309 100644
--- a/actions/profile/edit.php
+++ b/actions/profile/edit.php
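Review bot: The `isset()` check wrapped around `unset($_SESSION['last_forward_from'])` in the second login.php hunk is redundant, since `unset()` on a missing array key is a silent no-op; `unset($_SESSION['last_forward_from']);` on its own reads cleaner. The relocation also means the key is consumed only after `$message = elgg_echo('loginok')`, which is the point of the fix but is easy to misread later; a comment such as `// consumed only once login has succeeded, so a failed attempt keeps the redirect target` would make it explicit. The code between the two hunks, where the credentials are checked, is not in view.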
@@ -4,6 +4,8 @@ * */ +elgg_make_sticky_form('profile:edit'); + $guid = get_input('guid'); $owner = get_entity($guid); @@ -107,6 +109,7 @@ if (sizeof($input) > 0) { // Notify of profile update elgg_trigger_event('profileupdate', $owner->type, $owner); + elgg_clear_sticky_form('profile:edit'); system_message(elgg_echo("profile:saved")); } -- cgit v1.2.3 From 666b214e94b80b713797710d04d06d3f11271ff0 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Fri, 7 Jun 2013 18:26:18 -0400 Subject: clearing sticky form after it is used on edit form --- actions/profile/edit.php | 2 +- views/default/forms/profile/edit.php | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) (limited to 'actions') diff --git a/actions/profile/edit.php b/actions/profile/edit.php index c2a124309..e1f066e82 100644 --- a/actions/profile/edit.php +++ b/actions/profile/edit.php @@ -82,7 +82,7 @@ if (sizeof($input) > 0) { ); elgg_delete_metadata($options); - if(!is_null($value) && ($value !== '')){ + if (!is_null($value) && ($value !== '')) { // only create metadata for non empty values (0 is allowed) to prevent metadata records with empty string values #4858 if (isset($accesslevel[$shortname])) { diff --git a/views/default/forms/profile/edit.php b/views/default/forms/profile/edit.php index aef180f36..cb0a37ca4 100644 --- a/views/default/forms/profile/edit.php +++ b/views/default/forms/profile/edit.php @@ -13,7 +13,7 @@
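Review bot: `elgg_clear_sticky_form('profile:edit')` is added inside the `if (sizeof($input) > 0)` block, whose start lies outside the second hunk, so a submission that yields no `$input` leaves the sticky values behind and they will presumably repopulate the form on the next visit; if that is not intended, clear the form on the empty-input path as well, or move the clear ahead of the `if`. `elgg_make_sticky_form('profile:edit')` at the top of the action captures the posted values before any validation, which is what lets the later `forward(REFERER)` on a rejected value return the user to a filled form; a comment saying so, `// keep the submitted values so the form can be repopulated after a validation error`, would record the pairing with the clear call at the end.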
0) { @@ -42,12 +42,12 @@ if (is_array($profile_fields) && count($profile_fields) > 0) { $access_id = ACCESS_DEFAULT; } - //sticky form values take precedence over saved ones - if (isset($stickyValues[$shortname])) { - $value = $stickyValues[$shortname]; + // sticky form values take precedence over saved ones + if (isset($sticky_values[$shortname])) { + $value = $sticky_values[$shortname]; } - if (isset($stickyValues['accesslevel'][$shortname])) { - $access_id = $stickyValues['accesslevel'][$shortname]; + if (isset($sticky_values['accesslevel'][$shortname])) { + $access_id = $sticky_values['accesslevel'][$shortname]; } ?> @@ -69,6 +69,9 @@ if (is_array($profile_fields) && count($profile_fields) > 0) {
Date: Mon, 10 Jun 2013 23:16:45 -0400 Subject: Allow regenerating site secret --- actions/admin/site/regenerate_secret.php | 11 ++ engine/classes/ElggCrypto.php | 134 +++++++++++++++++++++ engine/lib/actions.php | 27 ++++- engine/lib/admin.php | 2 + ...3060900-1.8.15-site_secret-404fc165cf9e0ac9.php | 13 ++ languages/en.php | 18 ++- .../admin/settings/advanced/site_secret.php | 11 ++ views/default/css/admin.php | 20 +++ .../default/forms/admin/site/regenerate_secret.php | 24 ++++ 9 files changed, 257 insertions(+), 3 deletions(-) create mode 100644 actions/admin/site/regenerate_secret.php create mode 100644 engine/classes/ElggCrypto.php create mode 100644 engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php create mode 100644 views/default/admin/settings/advanced/site_secret.php create mode 100644 views/default/forms/admin/site/regenerate_secret.php (limited to 'actions') diff --git a/actions/admin/site/regenerate_secret.php b/actions/admin/site/regenerate_secret.php new file mode 100644 index 000000000..3112fb5f3 --- /dev/null +++ b/actions/admin/site/regenerate_secret.php 
@@ -0,0 +1,11 @@ +='); + } + // /dev/urandom is available on many *nix systems and is considered the + // best commonly available pseudo-random source. + if ($fh = @fopen('/dev/urandom', 'rb')) { + // PHP only performs buffered reads, so in reality it will always read + // at least 4096 bytes. Thus, it costs nothing extra to read and store + // that much so as to speed any additional invocations. + $bytes .= fread($fh, max(4096, $count)); + fclose($fh); + } elseif ($php_compatible && function_exists('openssl_random_pseudo_bytes')) { + // openssl_random_pseudo_bytes() will find entropy in a system-dependent + // way. + $bytes .= openssl_random_pseudo_bytes($count - strlen($bytes)); + } + // If /dev/urandom is not available or returns no bytes, this loop will + // generate a good set of pseudo-random bytes on any system. + // Note that it may be important that our $random_state is passed + // through hash() prior to being rolled into $output, that the two hash() + // invocations are different, and that the extra input into the first one - + // the microtime() - is prepended rather than appended. This is to avoid + // directly leaking $random_state via the $output stream, which could + // allow for trivial prediction of further "random" numbers. + while (strlen($bytes) < $count) { + $random_state = hash('sha256', microtime() . mt_rand() . $random_state); + $bytes .= hash('sha256', mt_rand() . $random_state, true); + } + } + $output = substr($bytes, 0, $count); + $bytes = substr($bytes, $count); + return $output; + } + + /** + * Generate a random string of specified length. + * + * Uses supplied character list for generating the new string. + * If no character list provided - uses Base64 URL character set. + * + * @param int $length Desired length of the string + * @param string|null $chars Characters to be chosen from randomly. If not given, the Base64 URL + * charset will be used. 
+ *
+ * @return string The random string
+ *
+ * @throws InvalidArgumentException
+ *
+ * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license http://framework.zend.com/license/new-bsd New BSD License
+ *
+ * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179
+ */
+ public static function getRandomString($length, $chars = null)
+ {
+ if ($length < 1) {
+ throw new InvalidArgumentException('Length should be >= 1');
+ }
+
+ if (empty($chars)) {
+ $numBytes = ceil($length * 0.75);
+ $bytes = self::getRandomBytes($numBytes);
+ $string = substr(rtrim(base64_encode($bytes), '='), 0, $length);
+
+ // Base64 URL
+ return strtr($string, '+/', '-_');
+ }
+
+ $listLen = strlen($chars);
+
+ if ($listLen == 1) {
+ return str_repeat($chars, $length);
+ }
+
+ $bytes = self::getRandomBytes($length);
+ $pos = 0;
+ $result = '';
+ for ($i = 0; $i < $length; $i++) {
+ $pos = ($pos + ord($bytes[$i])) % $listLen;
+ $result .= $chars[$pos];
+ }
+
+ return $result;
+ }
+}
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
 }
 /**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
 *
 * Used during installation and saves as a datalist.
 *
+ * Note: Old secrets were hex encoded.
+ *
 * @return mixed The site secret hash or false
 * @access private
 * @todo Move to better file.
 */
 function init_site_secret() {
- $secret = md5(rand() . microtime());
+ $secret = 'z' . ElggCrypto::getRandomString(31);
+
 if (datalist_set('__site_secret__', $secret)) {
 return $secret;
 }
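Review bot: The docblock on `init_site_secret()` still reads `@return mixed The site secret hash or false`, but the value this hunk stores is no longer a hash; `@return string|false The 32-character site secret, or false if it could not be saved` matches the new summary line. The `'z'` prefix plus 31 Base64-URL characters gives the 186 bits the summary claims (31 × 6), so the header is consistent with the code; a short note that `ElggCrypto::getRandomString()` throws only for a length below 1, as far as its visible body shows, and so cannot throw here, would save the next reader a lookup. `get_site_secret()` and the callers that read the secret are outside this hunk, so whether anything still assumes the old hex shape cannot be checked from here.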
@@ -399,6 +402,26 @@ function get_site_secret() { return $secret; } +/** + * Get the strength of the site secret + * + * @return string "strong", "moderate", or "weak" + * @access private + */ +function _elgg_get_site_secret_strength() { + $secret = get_site_secret(); + if ($secret[0] !== 'z') { + $rand_max = getrandmax(); + if ($rand_max < pow(2, 16)) { + return 'weak'; + } + if ($rand_max < pow(2, 32)) { + return 'moderate'; + } + } + return 'strong'; +} + /** * Check if an action is registered and its script exists. * diff --git a/engine/lib/admin.php b/engine/lib/admin.php index 7f82108c0..f36f29668 100644 --- a/engine/lib/admin.php +++ b/engine/lib/admin.php @@ -236,6 +236,7 @@ function admin_init() { elgg_register_action('admin/site/update_advanced', '', 'admin'); elgg_register_action('admin/site/flush_cache', '', 'admin'); elgg_register_action('admin/site/unlock_upgrade', '', 'admin'); + elgg_register_action('admin/site/regenerate_secret', '', 'admin'); elgg_register_action('admin/menu/save', '', 'admin'); @@ -291,6 +292,7 @@ function admin_init() { elgg_register_admin_menu_item('configure', 'settings', null, 100); elgg_register_admin_menu_item('configure', 'basic', 'settings', 10); elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20); + elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25); elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30); elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40); // default widgets is added via an event handler elgg_default_widgets_init() in widgets.php diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php new file mode 100644 index 000000000..b5b614762 --- /dev/null +++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php 
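Review bot: `$secret[0]` in `_elgg_get_site_secret_strength()` is read without checking that `get_site_secret()` returned a non-empty string, which raises a PHP notice or warning on an empty value and then rates it by `getrandmax()` as though it were a legacy secret; `if (!is_string($secret) || $secret === '' || $secret[0] !== 'z') {` keeps the legacy branch for anything not in the new format. The rating of a legacy secret is also derived from the current `getrandmax()`, while the secret was produced by the previous `md5(rand() . microtime())` (visible in the preceding hunk), possibly on a different host or PHP build, and even a full 32-bit `rand()` plus microtime is far short of the 186 bits the new format provides, so letting a legacy secret fall through to `'strong'` seems generous; consider capping that branch with `return getrandmax() < pow(2, 16) ? 'weak' : 'moderate';`. `get_site_secret()` ends just above this hunk, its `return $secret; }` lines being the leading context.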
@@ -0,0 +1,13 @@ + 'Settings', 'admin:settings:basic' => 'Basic Settings', 'admin:settings:advanced' => 'Advanced Settings', + 'admin:settings:advanced/site_secret' => 'Site Secret', 'admin:site:description' => "This admin panel allows you to control global settings for your site. Choose an option below to get started.", + 'admin:settings:advanced:site_secret' => 'Site Secret', 'admin:site:opt:linktext' => "Configure site...", 'admin:site:access:warning' => "Changing the access setting only affects the permissions on content created in the future.", + 'admin:site:secret:intro' => 'Elgg uses a key to create security tokens for various purposes.', + 'admin:site:secret_regenerated' => "Your site secret has been regenerated.", + 'admin:site:secret:regenerate' => "Regenerate site secret", + 'admin:site:secret:regenerate:help' => "Note: This may inconvenience some users by invalidating tokens used in \"remember me\" cookies, e-mail validation requests, invitation codes, etc.", + 'site_secret:current_strength' => 'Key Strength', + 'site_secret:strength:weak' => "Weak", + 'site_secret:strength_msg:weak' => "We strongly recommend that you regenerate your site secret.", + 'site_secret:strength:moderate' => "Moderate", + 'site_secret:strength_msg:moderate' => "We recommend you regenerate your site secret for the best site security.", + 'site_secret:strength:strong' => "Strong", + 'site_secret:strength_msg:strong' => "✓ Your site secret is sufficiently strong.", + 'admin:dashboard' => 'Dashboard', 'admin:widget:online_users' => 'Online users', 'admin:widget:online_users:help' => 'Lists the users currently on the site', 
@@ -1064,7 +1078,7 @@ Once you have logged in, we highly recommend that you change your password. 'upgrade:unlock' => 'Unlock upgrade', 'upgrade:unlock:confirm' => "The database is locked for another upgrade. Running concurrent upgrades is dangerous. You should only continue if you know there is not another upgrade running. Unlock?", 'upgrade:locked' => "Cannot upgrade. Another upgrade is running. To clear the upgrade lock, visit the Admin section.", - 'upgrade:unlock:success' => "Upgrade unlocked suscessfully.", + 'upgrade:unlock:success' => "Upgrade unlocked successfully.", 'upgrade:unable_to_upgrade' => 'Unable to upgrade.', 'upgrade:unable_to_upgrade_info' => 'This installation cannot be upgraded because legacy views @@ -1079,6 +1093,8 @@ Once you have logged in, we highly recommend that you change your password. 'update:twitter_api:deactivated' => 'Twitter API (previously Twitter Service) was deactivated during the upgrade. Please activate it manually if required.', 'update:oauth_api:deactivated' => 'OAuth API (previously OAuth Lib) was deactivated during the upgrade. Please activate it manually if required.', + 'upgrade:site_secret_warning:moderate' => "You are encouraged to regenerate your site key to improve system security. See Configure > Site Secret", + 'upgrade:site_secret_warning:weak' => "You are strongly encouraged to regenerate your site key to improve system security. See Configure > Site Secret", 'deprecated:function' => '%s() was deprecated by %s()', diff --git a/views/default/admin/settings/advanced/site_secret.php b/views/default/admin/settings/advanced/site_secret.php new file mode 100644 index 000000000..e70ac7ab6 --- /dev/null +++ b/views/default/admin/settings/advanced/site_secret.php @@ -0,0 +1,11 @@ + _elgg_get_site_secret_strength(), +)); diff --git a/views/default/css/admin.php b/views/default/css/admin.php index 3896ded5d..c435621b2 100644 --- a/views/default/css/admin.php +++ b/views/default/css/admin.php 
@@ -1543,6 +1543,26 @@ table.mceLayout { margin: 0 0 1em 2em; } +/* *************************************** + SITE SECRET +*************************************** */ +.elgg-form-admin-site-regenerate-secret table { + width: 60%; + margin: 1em auto; +} +td.elgg-strength-strong, +td.elgg-strength-strong h4 { + background: #DFF0D8; color: #468847; +} +td.elgg-strength-moderate, +td.elgg-strength-moderate h4 { + background: #FCF8E3; color: #C09853; +} +td.elgg-strength-weak, +td.elgg-strength-weak h4 { + background: #F2DEDE; color: #B94A48; +} + /* *************************************** HELPERS *************************************** */ diff --git a/views/default/forms/admin/site/regenerate_secret.php b/views/default/forms/admin/site/regenerate_secret.php new file mode 100644 index 000000000..af269b801 --- /dev/null +++ b/views/default/forms/admin/site/regenerate_secret.php @@ -0,0 +1,24 @@ + +

+ + + + + + +
+

+
+
+ +
+ elgg_echo('admin:site:secret:regenerate'), + 'class' => 'elgg-requires-confirmation elgg-button elgg-button-submit', + )); ?> +

+
-- cgit v1.2.3