From 58254f21da64258d2025b15615d7848ef9257e8c Mon Sep 17 00:00:00 2001
From: marcus
Date: Tue, 12 May 2009 10:04:23 +0000
Subject: Closes #749: Warning message on missing token.
git-svn-id: https://code.elgg.org/elgg/trunk@3281 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/actions.php | 52 ++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 12 deletions(-)
(limited to 'engine/lib/actions.php')
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 8935a324a..88dfde97c 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -23,7 +23,8 @@
 function action($action, $forwarder = "") {
- global $CONFIG;
+ global $CONFIG;
+ $query = parse_url($_SERVER['REQUEST_URI']);
 if (isset($query['query'])) {
@@ -61,7 +62,19 @@
 // Include action
 if ($event_result) // Event_result being false doesn't produce an error - since i assume this will be handled in the hook itself. TODO make this better!
- {
+ {
+ /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */
+ if (!validate_action_token())
+ {
+ // Display a temporary warning message - in future versions this will be a hard fail via an action gatekeeper.
+ $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'.";
+ //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning))
+ // register_error($message);
+ error_log($message);
+ }
+ if (@include($CONFIG->actions[$action]['file'])) {
 } else {
 register_error(sprintf(elgg_echo('actionundefined'),$action));
@@ -73,7 +86,9 @@
 }
 } else {
 register_error(sprintf(elgg_echo('actionundefined'),$action));
- }
+ }
+
+ forward($CONFIG->url . $forwarder);
 }
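Review bot: The new pre-check in `action()` calls `validate_action_token()`, whose failure path (visible as context in the `@@ -166` hunk) calls `register_error(elgg_echo('actiongatekeeper:missingfields'))` before returning false, so every token-less action now surfaces a user-visible gatekeeper error on top of the `error_log()` line even though the `register_error($message)` call in this hunk was deliberately left commented out. If the warning is meant to be log-only during the transition, the validation routine should not report on its own: a boolean-only check, with the `register_error` calls moved into `action_gatekeeper()`, would serve both callers. The logged string also interpolates `$action` unchanged — if it originates from request input, strip line breaks first (`str_replace(["\r", "\n"], ' ', $action)`) so a single request cannot forge additional log lines — and its wording is off: "stongly" is a typo and "consider doing this" asks authors to do what the warning complains about; `It is strongly recommended that an action token is passed.` appears to be what was intended. The body of `action()` continues outside this hunk on both sides.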
@@ -117,15 +132,13 @@
 register_action("error");
 return true;
 }
-
- /**
- * Action gatekeeper.
- * This function verifies form input for security features (like a generated token), and forwards
- * the page if they are invalid.
- *
- * Place at the head of actions.
- */
- function action_gatekeeper()
+
+ /**
+ * Validate an action token, returning true if valid and false if not
+
+ * @return unknown
+ */
+ function validate_action_token()
 {
 $token = get_input('__elgg_token');
 $ts = get_input('__elgg_ts');
@@ -166,6 +179,21 @@
 else register_error(elgg_echo('actiongatekeeper:missingfields'));
+ return false;
+ }
+
+ /**
+ * Action gatekeeper.
+ * This function verifies form input for security features (like a generated token), and forwards
+ * the page if they are invalid.
+ *
+ * Place at the head of actions.
+ */
+ function action_gatekeeper()
+ {
+ if (validate_action_token())
+ return true;
+ forward();
 exit;
 }
-- cgit v1.2.3
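Review bot: The new docblock on `validate_action_token()` declares `@return unknown`, but the function returns `false` on failure (the `return false;` added in the `@@ -166` hunk) and presumably `true` when the token checks out, so `@return bool` is the accurate tag. The summary should also state that the check reports failures itself, since the failure path in the `@@ -166` hunk calls `register_error(...)` before returning; a description along the lines of ` * Validate the submitted __elgg_token/__elgg_ts pair. Registers a user-facing error and returns false when the check fails, true otherwise.` tells callers they get a message as a side effect of a "pure" looking check. The function's body continues past the end of this hunk; the part between this hunk and the next is not visible here.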