From 0c5b4c242b0805c55ca3b1a887eb222844a66400 Mon Sep 17 00:00:00 2001
From: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Thu, 21 Jan 2010 01:30:09 +0000
Subject: Fixes #750: All actions require __elgg_ts and __elgg_token.

git-svn-id: http://code.elgg.org/elgg/trunk@3821 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 views/default/account/forms/forgotten_password.php | 10 ++++++++--
 views/default/basic_elements/welcome.php           |  3 ++-
 views/default/canvas/layouts/widgets.php           | 10 +++++++++-
 views/default/css.php                              |  4 ++++
 views/default/object/default.php                   |  8 ++++++--
 views/default/page_elements/elgg_topbar.php        |  6 ++++--
 views/default/page_elements/spotlight.php          |  6 +++---
 views/default/welcome/logged_in.php                |  5 ++---
 8 files changed, 38 insertions(+), 14 deletions(-)

(limited to 'views/default')

diff --git a/views/default/account/forms/forgotten_password.php b/views/default/account/forms/forgotten_password.php
index 5e760cef3..5ffb1be1a 100644
--- a/views/default/account/forms/forgotten_password.php
+++ b/views/default/account/forms/forgotten_password.php
@@ -9,11 +9,17 @@
  */
 
 $form_body = "<p>" . elgg_echo('user:password:text') . "</p>";
-$form_body .= "<p><label>". elgg_echo('username') . " " . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>";
+$form_body .= "<p><label>". elgg_echo('username') . " "
+	. elgg_view('input/text', array('internalname' => 'username')) . "</label></p>";
 $form_body .= elgg_view('input/captcha');
 $form_body .= "<p>" . elgg_view('input/submit', array('value' => elgg_echo('request'))) . "</p>";
 
 ?>
 <div class="contentWrapper">
-<?php echo elgg_view('input/form', array('action' => "{$vars['url']}action/user/requestnewpassword", 'body' => $form_body)); ?>
+<?php
+echo elgg_view('input/form', array(
+	'action' => "{$vars['url']}action/user/requestnewpassword",
+	'body' => $form_body)
+);
+?>
 </div>
\ No newline at end of file
diff --git a/views/default/basic_elements/welcome.php b/views/default/basic_elements/welcome.php
index 297daa830..979f32b4f 100644
--- a/views/default/basic_elements/welcome.php
+++ b/views/default/basic_elements/welcome.php
@@ -13,4 +13,5 @@ $user = $vars['name'];
 ?>
 
 <p><?php echo sprintf(elgg_echo('welcome:user'), $user); ?></p>
-<p><a href="<?php echo $vars['url']; ?>action/logout">[logout]</a></p>
\ No newline at end of file
+<p><?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?></p>
+
diff --git a/views/default/canvas/layouts/widgets.php b/views/default/canvas/layouts/widgets.php
index f6c9dec79..6b89d5435 100644
--- a/views/default/canvas/layouts/widgets.php
+++ b/views/default/canvas/layouts/widgets.php
@@ -235,6 +235,14 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE
 
 <input type="hidden" name="context" value="<?php echo get_context(); ?>" />
 <input type="hidden" name="owner" value="<?php echo page_owner(); ?>" />
+
+<?php
+$ts = time();
+$token = generate_action_token($ts);
+?>
+<input type="hidden" name="__elgg_ts" value="<?php echo $ts; ?>" />
+<input type="hidden" name="__elgg_token" value="<?php echo $token; ?>" />
+
 <input type="submit" value="<?php echo elgg_echo('save'); ?>" class="submit_button" onclick="$('a.toggle_customise_edit_panel').click();" />
 <input type="button" value="<?php echo elgg_echo('cancel'); ?>" class="cancel_button" onclick="$('a.toggle_customise_edit_panel').click();" />
 
@@ -315,4 +323,4 @@ if (is_array($widgettypes) && sizeof($widgettypes) > 0 && $owner && $owner->canE
 
 	</td>
 	</tr>
-</table>
\ No newline at end of file
+</table>
diff --git a/views/default/css.php b/views/default/css.php
index d70e18ee6..75b20b141 100644
--- a/views/default/css.php
+++ b/views/default/css.php
@@ -2524,3 +2524,7 @@ div.ajax_loader {
 	float: left;
 	padding-right: 1em;
 }
+
+.draggable {
+	cursor: move;
+}
\ No newline at end of file
diff --git a/views/default/object/default.php b/views/default/object/default.php
index 3ace73d7f..b6fe8a518 100644
--- a/views/default/object/default.php
+++ b/views/default/object/default.php
@@ -30,7 +30,11 @@ if ($vars['full']) {
 
 	$controls = "";
 	if ($vars['entity']->canEdit()) {
-		$controls .= " (<a href=\"{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}\">" . elgg_echo('delete') . "</a>)";
+		$delete = elgg_view('output/confirm_link', array(
+			'href' = "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}", 
+			'text' => elgg_echo('delete')
+		);
+		$controls .= " ($delete)";
 	}
 
 	$info = "<div><p><b><a href=\"" . $vars['entity']->getUrl() . "\">" . $title . "</a></b> $controls </p></div>";
@@ -56,4 +60,4 @@ if ($vars['full']) {
 	$icon = "<span title=\"" . elgg_echo('entity:default:missingsupport:popup') . "\">$icon</span>";
 
 	echo elgg_view_listing($icon, $info);
-}
\ No newline at end of file
+}
diff --git a/views/default/page_elements/elgg_topbar.php b/views/default/page_elements/elgg_topbar.php
index 00240f35e..d871d622e 100644
--- a/views/default/page_elements/elgg_topbar.php
+++ b/views/default/page_elements/elgg_topbar.php
@@ -62,7 +62,9 @@
 
 
 <div id="elgg_topbar_container_right">
-		<a href="<?php echo $vars['url']; ?>action/logout"><small><?php echo elgg_echo('logout'); ?></small></a>
+		<small>
+			<?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?>
+		</small>
 </div>
 
 <div id="elgg_topbar_container_search">
@@ -74,4 +76,4 @@
 <div class="clearfloat"></div>
 
 <?php
-	}
\ No newline at end of file
+	}
diff --git a/views/default/page_elements/spotlight.php b/views/default/page_elements/spotlight.php
index 670e0e4c5..1c32f9b1d 100644
--- a/views/default/page_elements/spotlight.php
+++ b/views/default/page_elements/spotlight.php
@@ -28,11 +28,11 @@
 	}
 	if ($closed) {
 ?>
-		<a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=false')">+</a>
+		<a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=false"); ?>')">+</a>
 <?php
 		} else {
 ?>
-		<a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=true')">-</a>
+		<a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=true"); ?>')">-</a>
 <?php
 
 		}
@@ -54,4 +54,4 @@
 </div><!-- /.collapsable_box -->
 
 </div><!-- /#wrapper_spotlight -->
-</div><!-- /#layout_spotlight -->
\ No newline at end of file
+</div><!-- /#layout_spotlight -->
diff --git a/views/default/welcome/logged_in.php b/views/default/welcome/logged_in.php
index 8f70d3005..180746f22 100644
--- a/views/default/welcome/logged_in.php
+++ b/views/default/welcome/logged_in.php
@@ -11,11 +11,10 @@
 //add various views to area1
 $area1 = "<h2>" . sprintf(elgg_echo("welcome:user"),$vars['user']->name) . "</h2>";
 $area1 .= "<p>" . elgg_echo("welcome_message") . "</p><br />";
-$url = $vars['url'] . "action/logout";
-$area1 .= "<a href=" . $url . ">" . elgg_echo('logout') . "</a>";
+$area1 .= elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout')));
 
 //send area one to the appropriate canvas layout
 $body = elgg_view_layout("one_column", $area1);
 
 //draw to screen
-echo $body;
\ No newline at end of file
+echo $body;
-- 
cgit v1.2.3