From 675761494bfd082f4b41c6f80ea2a7aae75f9344 Mon Sep 17 00:00:00 2001
From: brettp
Date: Sun, 24 Jan 2010 18:47:42 +0000
Subject: Fixes #1460, Fixes #1459: Tokens are not required to disable a plugin or install. This allows users to disable plugins that overwrite admin pages without tokens.
git-svn-id: http://code.elgg.org/elgg/trunk@3836 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/actions.php | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
(limited to 'engine/lib/actions.php')
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index ad5f0c208..eafb42155 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -21,13 +21,23 @@ function action($action, $forwarder = "") {
 global $CONFIG;
- // All actions require a token.
- if (!action_gatekeeper()) {
- $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
-
- error_log($message);
- register_error($message);
- forward();
+ // @todo REMOVE THESE EXCEPTIONS IN 1.8.
+ // These are only to provide a way to disable plugins that overwrite core
+ // UI without tokens. (And for installation because of session_id problems)
+ $exceptions = array(
+ 'systemsettings/install',
+ 'admin/plugins/disable'
+ );
+
+ if (!in_array($action, $exceptions)) {
+ // All actions require a token.
+ if (!action_gatekeeper()) {
+ $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
+
+ error_log($message);
+ register_error($message);
+ forward();
+ }
 }
 // if there are any query parameters, make them available from get_input
-- cgit v1.2.3
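Review bot: The `$exceptions` list makes `admin/plugins/disable` run with no `action_gatekeeper()` check at all, so the only thing standing between a logged-in administrator and a cross-site request that disables a plugin is whatever the action handler itself enforces; that dependency is not stated anywhere in the hunk. The exemption should at least be documented at the array, e.g. `// These actions skip the CSRF token check entirely: their handlers must still enforce the admin check themselves and should not be reachable by a plain GET.`, and the same caveat applies to `systemsettings/install`, which stays exempt after installation unless the handler refuses to run once the site is installed (not visible here). The lookup should also be strict, `if (!in_array($action, $exceptions, true)) {`, since `$action` is request-derived and loose comparison is easy to get wrong. The enclosing `action()` function starts before the hunk and continues after it.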