From 06c3b6e3c41c629e510c55199bd19914273b0e64 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 23 Feb 2013 14:16:29 -0500 Subject: Fixes #4997 stop requesting a token after a failed request --- languages/en.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'languages/en.php') diff --git a/languages/en.php b/languages/en.php index 353896047..fe450b8a2 100644 --- a/languages/en.php +++ b/languages/en.php @@ -1189,7 +1189,7 @@ You cannot reply to this email.", * Action gatekeeper */ 'actiongatekeeper:missingfields' => 'Form is missing __token or __ts fields', - 'actiongatekeeper:tokeninvalid' => "We encountered an error (token mismatch). This probably means that the page you were using expired.", + 'actiongatekeeper:tokeninvalid' => "The page you were using had expired. Please try again.", 'actiongatekeeper:timeerror' => 'The page you were using has expired. Please refresh and try again.', 'actiongatekeeper:pluginprevents' => 'A extension has prevented this form from being submitted.', 'actiongatekeeper:uploadexceeded' => 'The size of file(s) uploaded exceeded the limit set by your site administrator', @@ -1211,7 +1211,7 @@ You cannot reply to this email.", * Javascript */ - 'js:security:token_refresh_failed' => 'Cannot contact %s. You may experience problems saving content.', + 'js:security:token_refresh_failed' => 'Failed to contact %s. You may experience problems saving content. Please refresh this page.', 'js:security:token_refreshed' => 'Connection to %s restored!', /** -- cgit v1.2.3 From 2c7fe16e6d8d135109c6da60739e4ffad99876d5 Mon Sep 17 00:00:00 2001 From: Paweł Sroka Date: Wed, 6 Mar 2013 19:04:35 +0100 Subject: Refs #5199 - Adds additional info to locate output start in case of headers already sent exception --- engine/lib/elgglib.php | 4 ++-- languages/en.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'languages/en.php') diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php index 74b70f9fb..2ae307392 100644 --- a/engine/lib/elgglib.php +++ b/engine/lib/elgglib.php @@ -128,7 +128,7 @@ function elgg_load_library($name) { * @throws SecurityException */ function forward($location = "", $reason = 'system') { - if (!headers_sent()) { + if (!headers_sent($file, $line)) { if ($location === REFERER) { $location = $_SERVER['HTTP_REFERER']; } @@ -147,7 +147,7 @@ function forward($location = "", $reason = 'system') { exit; } } else { - throw new SecurityException(elgg_echo('SecurityException:ForwardFailedToRedirect')); + throw new SecurityException(elgg_echo('SecurityException:ForwardFailedToRedirect', array($file, $line))); } } diff --git a/languages/en.php b/languages/en.php index fe450b8a2..501855f02 100644 --- a/languages/en.php +++ b/languages/en.php @@ -175,7 +175,7 @@ $english = array( 'ConfigurationException:NoSiteID' => "No site ID has been specified.", 'SecurityException:APIAccessDenied' => "Sorry, API access has been disabled by the administrator.", 'SecurityException:NoAuthMethods' => "No authentication methods were found that could authenticate this API request.", - 'SecurityException:ForwardFailedToRedirect' => 'Redirect could not be issued due to headers already being sent. Halting execution for security. Search http://docs.elgg.org/ for more information.', + 'SecurityException:ForwardFailedToRedirect' => 'Redirect could not be issued due to headers already being sent. Halting execution for security. Output started in file %s at line %d. Search http://docs.elgg.org/ for more information.', 'InvalidParameterException:APIMethodOrFunctionNotSet' => "Method or function not set in call in expose_method()", 'InvalidParameterException:APIParametersArrayStructure' => "Parameters array structure is incorrect for call to expose method '%s'", 'InvalidParameterException:UnrecognisedHttpMethod' => "Unrecognised http method %s for api method '%s'", -- cgit v1.2.3 From a4874cba03660c3c2169c71c1d32e5474304d984 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Sun, 31 Mar 2013 20:22:53 -0400 Subject: Fixes #5297: Improve error message in cases of suspected cross-domain login --- engine/lib/actions.php | 73 ++++++++++++++++++++++++++++++++++---------------- htaccess_dist | 8 ++++++ languages/en.php | 1 + 3 files changed, 59 insertions(+), 23 deletions(-) (limited to 'languages/en.php') diff --git a/engine/lib/actions.php b/engine/lib/actions.php index f78ca63df..56936f582 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -74,8 +74,7 @@ function action($action, $forwarder = "") { ); if (!in_array($action, $exceptions)) { - // All actions require a token. - action_gatekeeper(); + action_gatekeeper($action); } $forwarder = str_replace(elgg_get_site_url(), "", $forwarder); @@ -187,6 +186,26 @@ function elgg_unregister_action($action) { } } +/** + * Is the token timestamp within acceptable range? + * + * @param int $ts timestamp from the CSRF token + * + * @return bool + */ +function _elgg_validate_token_timestamp($ts) { + $action_token_timeout = elgg_get_config('action_token_timeout'); + // default is 2 hours + $timeout = ($action_token_timeout !== null) ? $action_token_timeout : 2; + + $hour = 60 * 60; + $timeout = $timeout * $hour; + $now = time(); + + // Validate time to ensure its not crazy + return ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)); +} + /** * Validate an action token. * @@ -205,8 +224,6 @@ function elgg_unregister_action($action) { * @access private */ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) { - global $CONFIG; - if (!$token) { $token = get_input('__elgg_token'); } @@ -215,29 +232,18 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) $ts = get_input('__elgg_ts'); } - if (!isset($CONFIG->action_token_timeout)) { - // default to 2 hours - $timeout = 2; - } else { - $timeout = $CONFIG->action_token_timeout; - } - $session_id = session_id(); if (($token) && ($ts) && ($session_id)) { // generate token, check with input and forward if invalid - $generated_token = generate_action_token($ts); + $required_token = generate_action_token($ts); // Validate token - if ($token == $generated_token) { - $hour = 60 * 60; - $timeout = $timeout * $hour; - $now = time(); - - // Validate time to ensure its not crazy - if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) { + if ($token == $required_token) { + + if (_elgg_validate_token_timestamp($ts)) { // We have already got this far, so unless anything - // else says something to the contry we assume we're ok + // else says something to the contrary we assume we're ok $returnval = true; $returnval = elgg_trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array( @@ -293,12 +299,33 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) * This function verifies form input for security features (like a generated token), * and forwards if they are invalid. * + * @param string $action The action being performed + * * @return mixed True if valid or redirects. * @access private */ -function action_gatekeeper() { - if (validate_action_token()) { - return TRUE; +function action_gatekeeper($action) { + if ($action === 'login') { + if (validate_action_token(false)) { + return true; + } + + $token = get_input('__elgg_token'); + $ts = (int)get_input('__elgg_ts'); + if ($token && _elgg_validate_token_timestamp($ts)) { + // The tokens are present and the time looks valid: this is probably a mismatch due to the + // login form being on a different domain. + register_error(elgg_echo('actiongatekeeper:crosssitelogin')); + + + forward('login', 'csrf'); + } + + // let the validator send an appropriate msg + validate_action_token(); + + } elseif (validate_action_token()) { + return true; } forward(REFERER, 'csrf'); diff --git a/htaccess_dist b/htaccess_dist index 898fa22fb..44d129475 100644 --- a/htaccess_dist +++ b/htaccess_dist @@ -112,6 +112,14 @@ RewriteEngine on # #RewriteBase / + +# If your users receive the message "Sorry, logging in from a different domain is not permitted" +# you must make sure your login form is served from the same hostname as your site pages. +# See http://docs.elgg.org/wiki/Login_token_mismatch_error for more info. +# +# If you must add RewriteRules to change hostname, add them directly below (above all the others) + + # In for backwards compatibility RewriteRule ^pg\/([A-Za-z0-9\_\-]+)$ engine/handlers/page_handler.php?handler=$1&%{QUERY_STRING} [L] RewriteRule ^pg\/([A-Za-z0-9\_\-]+)\/(.*)$ engine/handlers/page_handler.php?handler=$1&page=$2&%{QUERY_STRING} [L] diff --git a/languages/en.php b/languages/en.php index 501855f02..a3c6cf2bf 100644 --- a/languages/en.php +++ b/languages/en.php @@ -1193,6 +1193,7 @@ You cannot reply to this email.", 'actiongatekeeper:timeerror' => 'The page you were using has expired. Please refresh and try again.', 'actiongatekeeper:pluginprevents' => 'A extension has prevented this form from being submitted.', 'actiongatekeeper:uploadexceeded' => 'The size of file(s) uploaded exceeded the limit set by your site administrator', + 'actiongatekeeper:crosssitelogin' => "Sorry, logging in from a different domain is not permitted.", /** -- cgit v1.2.3 From 9b526b7867a461841e4f990d4ea7945660dac18d Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sat, 13 Apr 2013 10:01:39 -0400 Subject: Refs #5297 encourage users to try again now that they have been forwarded to the correct domain --- languages/en.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'languages/en.php') diff --git a/languages/en.php b/languages/en.php index a3c6cf2bf..be86e12e6 100644 --- a/languages/en.php +++ b/languages/en.php @@ -1193,7 +1193,7 @@ You cannot reply to this email.", 'actiongatekeeper:timeerror' => 'The page you were using has expired. Please refresh and try again.', 'actiongatekeeper:pluginprevents' => 'A extension has prevented this form from being submitted.', 'actiongatekeeper:uploadexceeded' => 'The size of file(s) uploaded exceeded the limit set by your site administrator', - 'actiongatekeeper:crosssitelogin' => "Sorry, logging in from a different domain is not permitted.", + 'actiongatekeeper:crosssitelogin' => "Sorry, logging in from a different domain is not permitted. Please try again.", /** -- cgit v1.2.3 From dd9df95001f5293e7a3a93a365c64842fe3650e4 Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Wed, 29 May 2013 13:13:16 -0400 Subject: Fix avatar edit permissions (by Jerôme Bakker) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- actions/avatar/remove.php | 52 ++++++++++++++++++++++++----------------------- languages/en.php | 1 + pages/avatar/edit.php | 5 +++++ 3 files changed, 33 insertions(+), 25 deletions(-) (limited to 'languages/en.php') diff --git a/actions/avatar/remove.php b/actions/avatar/remove.php index cd38e456a..9cb40a760 100644 --- a/actions/avatar/remove.php +++ b/actions/avatar/remove.php @@ -3,32 +3,34 @@ * Avatar remove action */ -$guid = get_input('guid'); -$user = get_entity($guid); -if ($user) { - // Delete all icons from diskspace - $icon_sizes = elgg_get_config('icon_sizes'); - foreach ($icon_sizes as $name => $size_info) { - $file = new ElggFile(); - $file->owner_guid = $guid; - $file->setFilename("profile/{$guid}{$name}.jpg"); - $filepath = $file->getFilenameOnFilestore(); - if (!$file->delete()) { - elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING'); - } - } - - // Remove crop coords - unset($user->x1); - unset($user->x2); - unset($user->y1); - unset($user->y2); - - // Remove icon - unset($user->icontime); - system_message(elgg_echo('avatar:remove:success')); -} else { +$user_guid = get_input('guid'); +$user = get_user($user_guid); + +if (!$user || !$user->canEdit()) { register_error(elgg_echo('avatar:remove:fail')); + forward(REFERER); } +// Delete all icons from diskspace +$icon_sizes = elgg_get_config('icon_sizes'); +foreach ($icon_sizes as $name => $size_info) { + $file = new ElggFile(); + $file->owner_guid = $user_guid; + $file->setFilename("profile/{$user_guid}{$name}.jpg"); + $filepath = $file->getFilenameOnFilestore(); + if (!$file->delete()) { + elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING'); + } +} + +// Remove crop coords +unset($user->x1); +unset($user->x2); +unset($user->y1); +unset($user->y2); + +// Remove icon +unset($user->icontime); + +system_message(elgg_echo('avatar:remove:success')); forward(REFERER); diff --git a/languages/en.php b/languages/en.php index be86e12e6..49e366484 100644 --- a/languages/en.php +++ b/languages/en.php @@ -359,6 +359,7 @@ $english = array( 'friendspicker:chararray' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'avatar' => 'Avatar', + 'avatar:noaccess' => "You're not allowed to edit this user's avatar", 'avatar:create' => 'Create your avatar', 'avatar:edit' => 'Edit avatar', 'avatar:preview' => 'Preview', diff --git a/pages/avatar/edit.php b/pages/avatar/edit.php index c71633b8b..56aede887 100644 --- a/pages/avatar/edit.php +++ b/pages/avatar/edit.php @@ -11,6 +11,11 @@ elgg_set_context('profile_edit'); $title = elgg_echo('avatar:edit'); $entity = elgg_get_page_owner_entity(); +if (!elgg_instanceof($entity, 'user') || !$entity->canEdit()) { + register_error(elgg_echo('avatar:noaccess')); + forward(REFERER); +} + $content = elgg_view('core/avatar/upload', array('entity' => $entity)); // only offer the crop view if an avatar has been uploaded -- cgit v1.2.3 From c301e22224db8b064c1de68799b8e49cc1259e2e Mon Sep 17 00:00:00 2001 From: cash Date: Fri, 5 Jul 2013 21:21:00 -0400 Subject: Refs #5662 added error message for what should be impossible condition --- engine/classes/ElggPlugin.php | 2 +- engine/classes/ElggPluginPackage.php | 1 + languages/en.php | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'languages/en.php') diff --git a/engine/classes/ElggPlugin.php b/engine/classes/ElggPlugin.php index 3cc90f623..7bf6eb1df 100644 --- a/engine/classes/ElggPlugin.php +++ b/engine/classes/ElggPlugin.php @@ -549,7 +549,7 @@ class ElggPlugin extends ElggObject { * Returns if the plugin is complete, meaning has all required files * and Elgg can read them and they make sense. * - * @todo bad name? This could be confused with isValid() from ElggPackage. + * @todo bad name? This could be confused with isValid() from ElggPluginPackage. * * @return bool */ diff --git a/engine/classes/ElggPluginPackage.php b/engine/classes/ElggPluginPackage.php index 209242288..37eb4bf4d 100644 --- a/engine/classes/ElggPluginPackage.php +++ b/engine/classes/ElggPluginPackage.php @@ -294,6 +294,7 @@ class ElggPluginPackage { return true; } + $this->errorMsg = elgg_echo('unknown_error'); return false; } diff --git a/languages/en.php b/languages/en.php index 49e366484..1721865f7 100644 --- a/languages/en.php +++ b/languages/en.php @@ -903,6 +903,7 @@ $english = array( 'total' => 'Total', 'learnmore' => "Click here to learn more.", + 'unknown_error' => 'Unknown error', 'content' => "content", 'content:latest' => 'Latest activity', -- cgit v1.2.3 From b3cf5a302d25b06421a055f280ca4f654bd8e6a7 Mon Sep 17 00:00:00 2001 From: beck24 Date: Sun, 13 Oct 2013 00:03:11 -0700 Subject: Fixes #6177 - refuse to deactive plugins used as dependencies --- engine/lib/plugins.php | 35 +++++++++++++++++++++++++++++++++++ languages/en.php | 2 ++ 2 files changed, 37 insertions(+) (limited to 'languages/en.php') diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php index 74bce45fd..f0d89e92d 100644 --- a/engine/lib/plugins.php +++ b/engine/lib/plugins.php @@ -1104,6 +1104,39 @@ function plugins_test($hook, $type, $value, $params) { return $value; } +function plugins_deactivate_dependency_check($event, $type, $params) { + $plugin_id = $params['plugin_entity']->getManifest()->getPluginID(); + $plugin_name = $params['plugin_entity']->getManifest()->getName(); + + $active_plugins = elgg_get_plugins(); + + $dependents = array(); + foreach ($active_plugins as $plugin) { + $manifest = $plugin->getManifest(); + $requires = $manifest->getRequires(); + + foreach ($requires as $required) { + if ($required['type'] == 'plugin' && $required['name'] == $plugin_id) { + // there are active dependents + $dependents[$manifest->getPluginID()] = $plugin; + } + } + } + + if ($dependents) { + $list = '
    '; + // construct error message and prevent disabling + foreach ($dependents as $dependent) { + $list .= '
  • ' . $dependent->getManifest()->getName() . '
    • '; + } + $list .= '
'; + + register_error(elgg_echo('ElggPlugin:Dependencies:ActiveDependent', array($plugin_name, $list))); + + return false; + } +} + /** * Initialize the plugin system * Listens to system init and registers actions @@ -1115,6 +1148,8 @@ function plugin_init() { run_function_once("plugin_run_once"); elgg_register_plugin_hook_handler('unit_test', 'system', 'plugins_test'); + + elgg_register_event_handler('deactivate', 'plugin', 'plugins_deactivate_dependency_check'); elgg_register_action("plugins/settings/save", '', 'admin'); elgg_register_action("plugins/usersettings/save"); diff --git a/languages/en.php b/languages/en.php index 1721865f7..ad4831db7 100644 --- a/languages/en.php +++ b/languages/en.php @@ -105,6 +105,8 @@ $english = array( 'ElggPlugin:Dependencies:Priority:Before' => 'Before %s', 'ElggPlugin:Dependencies:Priority:Uninstalled' => '%s is not installed', 'ElggPlugin:Dependencies:Suggests:Unsatisfied' => 'Missing', + + 'ElggPlugin:Dependencies:ActiveDependent' => 'There are other plugins that list %s as a dependency. You must disable the following plugins before disabling this one: %s', 'ElggPlugin:InvalidAndDeactivated' => '%s is an invalid plugin and has been deactivated.', -- cgit v1.2.3 From e98f933857548be9cd078416a93011ea9c2f3e3a Mon Sep 17 00:00:00 2001 From: Steve Clay Date: Mon, 10 Jun 2013 23:16:45 -0400 Subject: Allow regenerating site secret --- actions/admin/site/regenerate_secret.php | 11 ++ engine/classes/ElggCrypto.php | 134 +++++++++++++++++++++ engine/lib/actions.php | 27 ++++- engine/lib/admin.php | 2 + ...3060900-1.8.15-site_secret-404fc165cf9e0ac9.php | 13 ++ languages/en.php | 18 ++- .../admin/settings/advanced/site_secret.php | 11 ++ views/default/css/admin.php | 20 +++ .../default/forms/admin/site/regenerate_secret.php | 24 ++++ 9 files changed, 257 insertions(+), 3 deletions(-) create mode 100644 actions/admin/site/regenerate_secret.php create mode 100644 engine/classes/ElggCrypto.php create mode 100644 engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php create mode 100644 views/default/admin/settings/advanced/site_secret.php create mode 100644 views/default/forms/admin/site/regenerate_secret.php (limited to 'languages/en.php') diff --git a/actions/admin/site/regenerate_secret.php b/actions/admin/site/regenerate_secret.php new file mode 100644 index 000000000..3112fb5f3 --- /dev/null +++ b/actions/admin/site/regenerate_secret.php @@ -0,0 +1,11 @@ +='); + } + // /dev/urandom is available on many *nix systems and is considered the + // best commonly available pseudo-random source. + if ($fh = @fopen('/dev/urandom', 'rb')) { + // PHP only performs buffered reads, so in reality it will always read + // at least 4096 bytes. Thus, it costs nothing extra to read and store + // that much so as to speed any additional invocations. + $bytes .= fread($fh, max(4096, $count)); + fclose($fh); + } elseif ($php_compatible && function_exists('openssl_random_pseudo_bytes')) { + // openssl_random_pseudo_bytes() will find entropy in a system-dependent + // way. + $bytes .= openssl_random_pseudo_bytes($count - strlen($bytes)); + } + // If /dev/urandom is not available or returns no bytes, this loop will + // generate a good set of pseudo-random bytes on any system. + // Note that it may be important that our $random_state is passed + // through hash() prior to being rolled into $output, that the two hash() + // invocations are different, and that the extra input into the first one - + // the microtime() - is prepended rather than appended. This is to avoid + // directly leaking $random_state via the $output stream, which could + // allow for trivial prediction of further "random" numbers. + while (strlen($bytes) < $count) { + $random_state = hash('sha256', microtime() . mt_rand() . $random_state); + $bytes .= hash('sha256', mt_rand() . $random_state, true); + } + } + $output = substr($bytes, 0, $count); + $bytes = substr($bytes, $count); + return $output; + } + + /** + * Generate a random string of specified length. + * + * Uses supplied character list for generating the new string. + * If no character list provided - uses Base64 URL character set. + * + * @param int $length Desired length of the string + * @param string|null $chars Characters to be chosen from randomly. If not given, the Base64 URL + * charset will be used. + * + * @return string The random string + * + * @throws InvalidArgumentException + * + * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) + * @license http://framework.zend.com/license/new-bsd New BSD License + * + * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179 + */ + public static function getRandomString($length, $chars = null) + { + if ($length < 1) { + throw new InvalidArgumentException('Length should be >= 1'); + } + + if (empty($chars)) { + $numBytes = ceil($length * 0.75); + $bytes = self::getRandomBytes($numBytes); + $string = substr(rtrim(base64_encode($bytes), '='), 0, $length); + + // Base64 URL + return strtr($string, '+/', '-_'); + } + + $listLen = strlen($chars); + + if ($listLen == 1) { + return str_repeat($chars, $length); + } + + $bytes = self::getRandomBytes($length); + $pos = 0; + $result = ''; + for ($i = 0; $i < $length; $i++) { + $pos = ($pos + ord($bytes[$i])) % $listLen; + $result .= $chars[$pos]; + } + + return $result; + } +} diff --git a/engine/lib/actions.php b/engine/lib/actions.php index 56936f582..8047914ac 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -364,16 +364,19 @@ function generate_action_token($timestamp) { } /** - * Initialise the site secret hash. + * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL). * * Used during installation and saves as a datalist. * + * Note: Old secrets were hex encoded. + * * @return mixed The site secret hash or false * @access private * @todo Move to better file. */ function init_site_secret() { - $secret = md5(rand() . microtime()); + $secret = 'z' . ElggCrypto::getRandomString(31); + if (datalist_set('__site_secret__', $secret)) { return $secret; } @@ -399,6 +402,26 @@ function get_site_secret() { return $secret; } +/** + * Get the strength of the site secret + * + * @return string "strong", "moderate", or "weak" + * @access private + */ +function _elgg_get_site_secret_strength() { + $secret = get_site_secret(); + if ($secret[0] !== 'z') { + $rand_max = getrandmax(); + if ($rand_max < pow(2, 16)) { + return 'weak'; + } + if ($rand_max < pow(2, 32)) { + return 'moderate'; + } + } + return 'strong'; +} + /** * Check if an action is registered and its script exists. * diff --git a/engine/lib/admin.php b/engine/lib/admin.php index 7f82108c0..f36f29668 100644 --- a/engine/lib/admin.php +++ b/engine/lib/admin.php @@ -236,6 +236,7 @@ function admin_init() { elgg_register_action('admin/site/update_advanced', '', 'admin'); elgg_register_action('admin/site/flush_cache', '', 'admin'); elgg_register_action('admin/site/unlock_upgrade', '', 'admin'); + elgg_register_action('admin/site/regenerate_secret', '', 'admin'); elgg_register_action('admin/menu/save', '', 'admin'); @@ -291,6 +292,7 @@ function admin_init() { elgg_register_admin_menu_item('configure', 'settings', null, 100); elgg_register_admin_menu_item('configure', 'basic', 'settings', 10); elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20); + elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25); elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30); elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40); // default widgets is added via an event handler elgg_default_widgets_init() in widgets.php diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php new file mode 100644 index 000000000..b5b614762 --- /dev/null +++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php @@ -0,0 +1,13 @@ + 'Settings', 'admin:settings:basic' => 'Basic Settings', 'admin:settings:advanced' => 'Advanced Settings', + 'admin:settings:advanced/site_secret' => 'Site Secret', 'admin:site:description' => "This admin panel allows you to control global settings for your site. Choose an option below to get started.", + 'admin:settings:advanced:site_secret' => 'Site Secret', 'admin:site:opt:linktext' => "Configure site...", 'admin:site:access:warning' => "Changing the access setting only affects the permissions on content created in the future.", + 'admin:site:secret:intro' => 'Elgg uses a key to create security tokens for various purposes.', + 'admin:site:secret_regenerated' => "Your site secret has been regenerated.", + 'admin:site:secret:regenerate' => "Regenerate site secret", + 'admin:site:secret:regenerate:help' => "Note: This may inconvenience some users by invalidating tokens used in \"remember me\" cookies, e-mail validation requests, invitation codes, etc.", + 'site_secret:current_strength' => 'Key Strength', + 'site_secret:strength:weak' => "Weak", + 'site_secret:strength_msg:weak' => "We strongly recommend that you regenerate your site secret.", + 'site_secret:strength:moderate' => "Moderate", + 'site_secret:strength_msg:moderate' => "We recommend you regenerate your site secret for the best site security.", + 'site_secret:strength:strong' => "Strong", + 'site_secret:strength_msg:strong' => "✓ Your site secret is sufficiently strong.", + 'admin:dashboard' => 'Dashboard', 'admin:widget:online_users' => 'Online users', 'admin:widget:online_users:help' => 'Lists the users currently on the site', @@ -1064,7 +1078,7 @@ Once you have logged in, we highly recommend that you change your password. 'upgrade:unlock' => 'Unlock upgrade', 'upgrade:unlock:confirm' => "The database is locked for another upgrade. Running concurrent upgrades is dangerous. You should only continue if you know there is not another upgrade running. Unlock?", 'upgrade:locked' => "Cannot upgrade. Another upgrade is running. To clear the upgrade lock, visit the Admin section.", - 'upgrade:unlock:success' => "Upgrade unlocked suscessfully.", + 'upgrade:unlock:success' => "Upgrade unlocked successfully.", 'upgrade:unable_to_upgrade' => 'Unable to upgrade.', 'upgrade:unable_to_upgrade_info' => 'This installation cannot be upgraded because legacy views @@ -1079,6 +1093,8 @@ Once you have logged in, we highly recommend that you change your password. 'update:twitter_api:deactivated' => 'Twitter API (previously Twitter Service) was deactivated during the upgrade. Please activate it manually if required.', 'update:oauth_api:deactivated' => 'OAuth API (previously OAuth Lib) was deactivated during the upgrade. Please activate it manually if required.', + 'upgrade:site_secret_warning:moderate' => "You are encouraged to regenerate your site key to improve system security. See Configure > Site Secret", + 'upgrade:site_secret_warning:weak' => "You are strongly encouraged to regenerate your site key to improve system security. See Configure > Site Secret", 'deprecated:function' => '%s() was deprecated by %s()', diff --git a/views/default/admin/settings/advanced/site_secret.php b/views/default/admin/settings/advanced/site_secret.php new file mode 100644 index 000000000..e70ac7ab6 --- /dev/null +++ b/views/default/admin/settings/advanced/site_secret.php @@ -0,0 +1,11 @@ + _elgg_get_site_secret_strength(), +)); diff --git a/views/default/css/admin.php b/views/default/css/admin.php index 3896ded5d..c435621b2 100644 --- a/views/default/css/admin.php +++ b/views/default/css/admin.php @@ -1543,6 +1543,26 @@ table.mceLayout { margin: 0 0 1em 2em; } +/* *************************************** + SITE SECRET +*************************************** */ +.elgg-form-admin-site-regenerate-secret table { + width: 60%; + margin: 1em auto; +} +td.elgg-strength-strong, +td.elgg-strength-strong h4 { + background: #DFF0D8; color: #468847; +} +td.elgg-strength-moderate, +td.elgg-strength-moderate h4 { + background: #FCF8E3; color: #C09853; +} +td.elgg-strength-weak, +td.elgg-strength-weak h4 { + background: #F2DEDE; color: #B94A48; +} + /* *************************************** HELPERS *************************************** */ diff --git a/views/default/forms/admin/site/regenerate_secret.php b/views/default/forms/admin/site/regenerate_secret.php new file mode 100644 index 000000000..af269b801 --- /dev/null +++ b/views/default/forms/admin/site/regenerate_secret.php @@ -0,0 +1,24 @@ + +

+ + + + + + +
+

+
+
+ +
+ elgg_echo('admin:site:secret:regenerate'), + 'class' => 'elgg-requires-confirmation elgg-button elgg-button-submit', + )); ?> +

+
-- cgit v1.2.3 From b0a62995706d2b7796ad30c7e0bc6471cb268de0 Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Wed, 11 Dec 2013 09:28:08 -0500 Subject: Fixed directions for going to the site secret generation page. --- languages/en.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'languages/en.php') diff --git a/languages/en.php b/languages/en.php index 4eed63d4c..07407d1e1 100644 --- a/languages/en.php +++ b/languages/en.php @@ -1093,8 +1093,8 @@ Once you have logged in, we highly recommend that you change your password. 'update:twitter_api:deactivated' => 'Twitter API (previously Twitter Service) was deactivated during the upgrade. Please activate it manually if required.', 'update:oauth_api:deactivated' => 'OAuth API (previously OAuth Lib) was deactivated during the upgrade. Please activate it manually if required.', - 'upgrade:site_secret_warning:moderate' => "You are encouraged to regenerate your site key to improve system security. See Configure > Site Secret", - 'upgrade:site_secret_warning:weak' => "You are strongly encouraged to regenerate your site key to improve system security. See Configure > Site Secret", + 'upgrade:site_secret_warning:moderate' => "You are encouraged to regenerate your site key to improve system security. See Configure > Settings > Site Secret", + 'upgrade:site_secret_warning:weak' => "You are strongly encouraged to regenerate your site key to improve system security. See Configure > Settings > Site Secret", 'deprecated:function' => '%s() was deprecated by %s()', -- cgit v1.2.3