diff options
author | Tobias Hößl <tobias@hoessl.eu> | 2012-04-18 07:24:47 +0000 |
---|---|---|
committer | Tobias Hößl <tobias@hoessl.eu> | 2012-04-18 07:24:47 +0000 |
commit | d7e750ad74c8a43d54e9ca95631fa754831bf581 (patch) | |
tree | 5c17c9cdd679bc6ef8326b8aeab218ebba95afe0 | |
parent | 1b6c84d8f453ff591451e3304547b239a3d86c5b (diff) | |
download | volse-hubzilla-d7e750ad74c8a43d54e9ca95631fa754831bf581.tar.gz volse-hubzilla-d7e750ad74c8a43d54e9ca95631fa754831bf581.tar.bz2 volse-hubzilla-d7e750ad74c8a43d54e9ca95631fa754831bf581.zip |
XSRF protection and PHPdoc for mod/admin.php
-rw-r--r-- | mod/admin.php | 103 | ||||
-rw-r--r-- | view/admin_logs.tpl | 1 | ||||
-rw-r--r-- | view/admin_site.tpl | 3 | ||||
-rw-r--r-- | view/admin_users.tpl | 5 | ||||
-rw-r--r-- | view/theme/diabook-aerith/admin_users.tpl | 7 | ||||
-rw-r--r-- | view/theme/diabook-blue/admin_users.tpl | 7 | ||||
-rw-r--r-- | view/theme/diabook-red/admin_users.tpl | 5 | ||||
-rw-r--r-- | view/theme/diabook/admin_users.tpl | 5 |
8 files changed, 103 insertions, 33 deletions
diff --git a/mod/admin.php b/mod/admin.php index 7386dc5a3..8cee6ed5b 100644 --- a/mod/admin.php +++ b/mod/admin.php @@ -4,7 +4,11 @@ * Friendica admin */ require_once("include/remoteupdate.php"); - + + +/** + * @param App $a + */ function admin_post(&$a){ @@ -67,6 +71,10 @@ function admin_post(&$a){ return; // NOTREACHED } +/** + * @param App $a + * @return string + */ function admin_content(&$a) { if(!is_site_admin()) { @@ -74,7 +82,7 @@ function admin_content(&$a) { } if(x($_SESSION,'submanage') && intval($_SESSION['submanage'])) - return; + return ""; /** * Side bar links @@ -147,6 +155,7 @@ function admin_content(&$a) { if(is_ajax()) { echo $o; killme(); + return ''; } else { return $o; } @@ -155,6 +164,8 @@ function admin_content(&$a) { /** * Admin Summary Page + * @param App $a + * @return string */ function admin_page_summary(&$a) { $r = q("SELECT `page-flags`, COUNT(uid) as `count` FROM `user` GROUP BY `page-flags`"); @@ -188,12 +199,15 @@ function admin_page_summary(&$a) { /** * Admin Site Page + * @param App $a */ function admin_page_site_post(&$a){ if (!x($_POST,"page_site")){ return; } + check_form_security_token_redirectOnErr('/admin/site', 'admin_site'); + $sitename = ((x($_POST,'sitename')) ? notags(trim($_POST['sitename'])) : ''); $banner = ((x($_POST,'banner')) ? trim($_POST['banner']) : false); $language = ((x($_POST,'language')) ? notags(trim($_POST['language'])) : ''); @@ -298,7 +312,7 @@ function admin_page_site_post(&$a){ } else { set_config('system','directory_submit_url', $global_directory); } - set_config('system','directory_search_url', $global_search_url); + set_config('system','block_extended_register', $no_multi_reg); set_config('system','no_openid', $no_openid); set_config('system','no_regfullname', $no_regfullname); @@ -317,7 +331,11 @@ function admin_page_site_post(&$a){ return; // NOTREACHED } - + +/** + * @param App $a + * @return string + */ function admin_page_site(&$a) { /* Installed langs */ @@ -408,6 +426,7 @@ function admin_page_site(&$a) { '$proxy' => array('proxy', t("Proxy URL"), get_config('system','proxy'), ""), '$timeout' => array('timeout', t("Network timeout"), (x(get_config('system','curl_timeout'))?get_config('system','curl_timeout'):60), t("Value is in seconds. Set to 0 for unlimited (not recommended).")), + '$form_security_token' => get_form_security_token("admin_site"), )); @@ -416,11 +435,15 @@ function admin_page_site(&$a) { /** * Users admin page + * + * @param App $a */ function admin_page_users_post(&$a){ $pending = ( x($_POST, 'pending') ? $_POST['pending'] : Array() ); $users = ( x($_POST, 'user') ? $_POST['user'] : Array() ); - + + check_form_security_token_redirectOnErr('/admin/users', 'admin_users'); + if (x($_POST,'page_users_block')){ foreach($users as $uid){ q("UPDATE `user` SET `blocked`=1-`blocked` WHERE `uid`=%s", @@ -452,7 +475,11 @@ function admin_page_users_post(&$a){ goaway($a->get_baseurl(true) . '/admin/users' ); return; // NOTREACHED } - + +/** + * @param App $a + * @return string + */ function admin_page_users(&$a){ if ($a->argc>2) { $uid = $a->argv[3]; @@ -460,10 +487,11 @@ function admin_page_users(&$a){ if (count($user)==0){ notice( 'User not found' . EOL); goaway($a->get_baseurl(true) . '/admin/users' ); - return; // NOTREACHED + return ''; // NOTREACHED } switch($a->argv[2]){ case "delete":{ + check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't'); // delete user require_once("include/Contact.php"); user_remove($uid); @@ -471,6 +499,7 @@ function admin_page_users(&$a){ notice( sprintf(t("User '%s' deleted"), $user[0]['username']) . EOL); }; break; case "block":{ + check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't'); q("UPDATE `user` SET `blocked`=%d WHERE `uid`=%s", intval( 1-$user[0]['blocked'] ), intval( $uid ) @@ -479,7 +508,7 @@ function admin_page_users(&$a){ }; break; } goaway($a->get_baseurl(true) . '/admin/users' ); - return; // NOTREACHED + return ''; // NOTREACHED } @@ -555,6 +584,7 @@ function admin_page_users(&$a){ '$confirm_delete_multi' => t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'), '$confirm_delete' => t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'), + '$form_security_token' => get_form_security_token("admin_users"), // values // '$baseurl' => $a->get_baseurl(true), @@ -567,10 +597,12 @@ function admin_page_users(&$a){ } -/* +/** * Plugins admin page + * + * @param App $a + * @return string */ - function admin_page_plugins(&$a){ /** @@ -580,7 +612,7 @@ function admin_page_plugins(&$a){ $plugin = $a->argv[2]; if (!is_file("addon/$plugin/$plugin.php")){ notice( t("Item not found.") ); - return; + return ''; } if (x($_GET,"a") && $_GET['a']=="t"){ @@ -597,7 +629,7 @@ function admin_page_plugins(&$a){ } set_config("system","addon", implode(", ",$a->plugins)); goaway($a->get_baseurl(true) . '/admin/plugins' ); - return; // NOTREACHED + return ''; // NOTREACHED } // display plugin details require_once('library/markdown.php'); @@ -674,6 +706,11 @@ function admin_page_plugins(&$a){ )); } +/** + * @param array $themes + * @param string $th + * @param int $result + */ function toggle_theme(&$themes,$th,&$result) { for($x = 0; $x < count($themes); $x ++) { if($themes[$x]['name'] === $th) { @@ -689,6 +726,11 @@ function toggle_theme(&$themes,$th,&$result) { } } +/** + * @param array $themes + * @param string $th + * @return int + */ function theme_status($themes,$th) { for($x = 0; $x < count($themes); $x ++) { if($themes[$x]['name'] === $th) { @@ -702,9 +744,12 @@ function theme_status($themes,$th) { } return 0; } - +/** + * @param array $themes + * @return string + */ function rebuild_theme_table($themes) { $o = ''; if(count($themes)) { @@ -720,10 +765,12 @@ function rebuild_theme_table($themes) { } -/* +/** * Themes admin page + * + * @param App $a + * @return string */ - function admin_page_themes(&$a){ $allowed_themes_str = get_config('system','allowed_themes'); @@ -740,7 +787,7 @@ function admin_page_themes(&$a){ foreach($files as $file) { $f = basename($file); $is_experimental = intval(file_exists($file . '/experimental')); - $is_unsupported = 1-(intval(file_exists($file . '/unsupported'))); + $is_supported = 1-(intval(file_exists($file . '/unsupported'))); // Is not used yet $is_allowed = intval(in_array($f,$allowed_themes)); $themes[] = array('name' => $f, 'experimental' => $is_experimental, 'supported' => $is_supported, 'allowed' => $is_allowed); } @@ -748,7 +795,7 @@ function admin_page_themes(&$a){ if(! count($themes)) { notice( t('No themes found.')); - return; + return ''; } /** @@ -759,7 +806,7 @@ function admin_page_themes(&$a){ $theme = $a->argv[2]; if(! is_dir("view/theme/$theme")){ notice( t("Item not found.") ); - return; + return ''; } if (x($_GET,"a") && $_GET['a']=="t"){ @@ -775,7 +822,7 @@ function admin_page_themes(&$a){ set_config('system','allowed_themes',$s); goaway($a->get_baseurl(true) . '/admin/themes' ); - return; // NOTREACHED + return ''; // NOTREACHED } // display theme details @@ -859,10 +906,13 @@ function admin_page_themes(&$a){ /** * Logs admin page + * + * @param App $a */ function admin_page_logs_post(&$a) { if (x($_POST,"page_logs")) { + check_form_security_token_redirectOnErr('/admin/logs', 'admin_logs'); $logfile = ((x($_POST,'logfile')) ? notags(trim($_POST['logfile'])) : ''); $debugging = ((x($_POST,'debugging')) ? true : false); @@ -879,7 +929,11 @@ function admin_page_logs_post(&$a) { goaway($a->get_baseurl(true) . '/admin/logs' ); return; // NOTREACHED } - + +/** + * @param App $a + * @return string + */ function admin_page_logs(&$a){ $log_choices = Array( @@ -937,9 +991,14 @@ readable."); '$debugging' => array('debugging', t("Debugging"),get_config('system','debugging'), ""), '$logfile' => array('logfile', t("Log file"), get_config('system','logfile'), t("Must be writable by web server. Relative to your Friendica top-level directory.")), '$loglevel' => array('loglevel', t("Log level"), get_config('system','loglevel'), "", $log_choices), + + '$form_security_token' => get_form_security_token("admin_logs"), )); } +/** + * @param App $a + */ function admin_page_remoteupdate_post(&$a) { // this function should be called via ajax post if(!is_site_admin()) { @@ -958,6 +1017,10 @@ function admin_page_remoteupdate_post(&$a) { killme(); } +/** + * @param App $a + * @return string + */ function admin_page_remoteupdate(&$a) { if(!is_site_admin()) { return login(false); diff --git a/view/admin_logs.tpl b/view/admin_logs.tpl index 9d133b155..b777cf420 100644 --- a/view/admin_logs.tpl +++ b/view/admin_logs.tpl @@ -2,6 +2,7 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/logs" method="post"> + <input type='hidden' name='form_security_token' value='$form_security_token'> {{ inc field_checkbox.tpl with $field=$debugging }}{{ endinc }} {{ inc field_input.tpl with $field=$logfile }}{{ endinc }} diff --git a/view/admin_site.tpl b/view/admin_site.tpl index 9de6bd9c5..2b9db9f35 100644 --- a/view/admin_site.tpl +++ b/view/admin_site.tpl @@ -38,7 +38,8 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/site" method="post"> - + <input type='hidden' name='form_security_token' value='$form_security_token'> + {{ inc field_input.tpl with $field=$sitename }}{{ endinc }} {{ inc field_textarea.tpl with $field=$banner }}{{ endinc }} {{ inc field_select.tpl with $field=$language }}{{ endinc }} diff --git a/view/admin_users.tpl b/view/admin_users.tpl index bde7edb59..f67e4a0f7 100644 --- a/view/admin_users.tpl +++ b/view/admin_users.tpl @@ -14,6 +14,7 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/users" method="post"> + <input type='hidden' name='form_security_token' value='$form_security_token'> <h3>$h_pending</h3> {{ if $pending }} @@ -72,8 +73,8 @@ <td class='login_date'>$u.page-flags</td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="tools"> - <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> - <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon drop'></span></a> + <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> + <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon drop'></span></a> </td> </tr> {{ endfor }} diff --git a/view/theme/diabook-aerith/admin_users.tpl b/view/theme/diabook-aerith/admin_users.tpl index 40f94f5fe..a03573aac 100644 --- a/view/theme/diabook-aerith/admin_users.tpl +++ b/view/theme/diabook-aerith/admin_users.tpl @@ -14,7 +14,8 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/users" method="post"> - + <input type='hidden' name='form_security_token' value='$form_security_token'> + <h3>$h_pending</h3> {{ if $pending }} <table id='pending'> @@ -72,8 +73,8 @@ <td class='login_date'>$u.page-flags</td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="tools" style="width:60px;"> - <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> - <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> + <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> + <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> </td> </tr> {{ endfor }} diff --git a/view/theme/diabook-blue/admin_users.tpl b/view/theme/diabook-blue/admin_users.tpl index 40f94f5fe..a03573aac 100644 --- a/view/theme/diabook-blue/admin_users.tpl +++ b/view/theme/diabook-blue/admin_users.tpl @@ -14,7 +14,8 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/users" method="post"> - + <input type='hidden' name='form_security_token' value='$form_security_token'> + <h3>$h_pending</h3> {{ if $pending }} <table id='pending'> @@ -72,8 +73,8 @@ <td class='login_date'>$u.page-flags</td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="tools" style="width:60px;"> - <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> - <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> + <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> + <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> </td> </tr> {{ endfor }} diff --git a/view/theme/diabook-red/admin_users.tpl b/view/theme/diabook-red/admin_users.tpl index 40f94f5fe..b465dc1b0 100644 --- a/view/theme/diabook-red/admin_users.tpl +++ b/view/theme/diabook-red/admin_users.tpl @@ -14,6 +14,7 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/users" method="post"> + <input type='hidden' name='form_security_token' value='$form_security_token'> <h3>$h_pending</h3> {{ if $pending }} @@ -72,8 +73,8 @@ <td class='login_date'>$u.page-flags</td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="tools" style="width:60px;"> - <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> - <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> + <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> + <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> </td> </tr> {{ endfor }} diff --git a/view/theme/diabook/admin_users.tpl b/view/theme/diabook/admin_users.tpl index 40f94f5fe..b465dc1b0 100644 --- a/view/theme/diabook/admin_users.tpl +++ b/view/theme/diabook/admin_users.tpl @@ -14,6 +14,7 @@ <h1>$title - $page</h1> <form action="$baseurl/admin/users" method="post"> + <input type='hidden' name='form_security_token' value='$form_security_token'> <h3>$h_pending</h3> {{ if $pending }} @@ -72,8 +73,8 @@ <td class='login_date'>$u.page-flags</td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="tools" style="width:60px;"> - <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> - <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> + <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> + <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> </td> </tr> {{ endfor }} |