XSRF protection and PHPdoc for mod/admin.php

3 files changed, 15 insertions, 6 deletions

diff --git a/mod/admin.php b/mod/admin.php
index 8cee6ed5b..cdc45c8e3 100644
--- a/mod/admin.php
+++ b/mod/admin.php
@@ -616,6 +616,8 @@ function admin_page_plugins(&$a){
 		}
 		
 		if (x($_GET,"a") && $_GET['a']=="t"){
+            check_form_security_token_redirectOnErr('/admin/plugins', 'admin_themes', 't');
+
 			// Toggle plugin status
 			$idx = array_search($plugin, $a->plugins);
 			if ($idx !== false){
@@ -673,7 +675,9 @@ function admin_page_plugins(&$a){
 			'$admin_form' => $admin_form,
 			'$function' => 'plugins',
 			'$screenshot' => '',
-			'$readme' => $readme
+			'$readme' => $readme,
+
+            '$form_security_token' => get_form_security_token("admin_themes"),
 		));
 	} 
 	 
@@ -702,7 +706,8 @@ function admin_page_plugins(&$a){
 		'$submit' => t('Submit'),
 		'$baseurl' => $a->get_baseurl(true),
 		'$function' => 'plugins',	
-		'$plugins' => $plugins
+		'$plugins' => $plugins,
+        '$form_security_token' => get_form_security_token("admin_themes"),
 	));
 }
 
@@ -810,6 +815,7 @@ function admin_page_themes(&$a){
 		}
 		
 		if (x($_GET,"a") && $_GET['a']=="t"){
+            check_form_security_token_redirectOnErr('/admin/themes', 'admin_themes', 't');
 
 			// Toggle theme status
 
@@ -873,7 +879,9 @@ function admin_page_themes(&$a){
 			'$str_author' => t('Author: '),
 			'$str_maintainer' => t('Maintainer: '),
 			'$screenshot' => $screenshot,
-			'$readme' => $readme
+			'$readme' => $readme,
+
+			'$form_security_token' => get_form_security_token("admin_themes"),
 		));
 	} 
 	 
@@ -899,7 +907,8 @@ function admin_page_themes(&$a){
 		'$function' => 'themes',
 		'$plugins' => $xthemes,
 		'$experimental' => t('[Experimental]'),
-		'$unsupported' => t('[Unsupported]')
+		'$unsupported' => t('[Unsupported]'),
+        '$form_security_token' => get_form_security_token("admin_themes"),
 	));
 }
 
diff --git a/view/admin_plugins.tpl b/view/admin_plugins.tpl
index 8367ff6a1..74b56bb4e 100644
--- a/view/admin_plugins.tpl
+++ b/view/admin_plugins.tpl
@@ -4,7 +4,7 @@
 		<ul id='pluginslist'>
 		{{ for $plugins as $p }}
 			<li class='plugin $p.1'>
-				<a class='toggleplugin' href='$baseurl/admin/$function/$p.0?a=t' title="{{if $p.1==on }}Disable{{ else }}Enable{{ endif }}" ><span class='icon $p.1'></span></a>
+				<a class='toggleplugin' href='$baseurl/admin/$function/$p.0?a=t&amp;t=$form_security_token' title="{{if $p.1==on }}Disable{{ else }}Enable{{ endif }}" ><span class='icon $p.1'></span></a>
 				<a href='$baseurl/admin/$function/$p.0'><span class='name'>$p.2.name</span></a> - <span class="version">$p.2.version</span>
 				{{ if $p.2.experimental }} $experimental {{ endif }}{{ if $p.2.unsupported }} $unsupported {{ endif }}
 
diff --git a/view/admin_plugins_details.tpl b/view/admin_plugins_details.tpl
index aaa366f65..931c7b83c 100644
--- a/view/admin_plugins_details.tpl
+++ b/view/admin_plugins_details.tpl
@@ -1,7 +1,7 @@
 <div id='adminpage'>
 	<h1>$title - $page</h1>
 	
-	<p><span class='toggleplugin icon $status'></span> $info.name - $info.version : <a href="$baseurl/admin/$function/$plugin/?a=t">$action</a></p>
+	<p><span class='toggleplugin icon $status'></span> $info.name - $info.version : <a href="$baseurl/admin/$function/$plugin/?a=t&amp;t=$form_security_token">$action</a></p>
 	<p>$info.description</p>
 	
 	<p class="author">$str_author