diff options
author | Tobias Hößl <tobias@hoessl.eu> | 2012-03-12 20:17:37 +0000 |
---|---|---|
committer | Tobias Hößl <tobias@hoessl.eu> | 2012-03-12 20:17:37 +0000 |
commit | 59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445 (patch) | |
tree | fea25d24a1559d6ce6681a6325b9e392ccace7a2 /mod/profile_photo.php | |
parent | 9574f7df03407013fed4feb3922e19b7a94e34be (diff) | |
download | volse-hubzilla-59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445.tar.gz volse-hubzilla-59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445.tar.bz2 volse-hubzilla-59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445.zip |
Some security against XSRF-attacks
Diffstat (limited to 'mod/profile_photo.php')
-rwxr-xr-x | mod/profile_photo.php | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/mod/profile_photo.php b/mod/profile_photo.php index e3dbdaf39..d1fd08eba 100755 --- a/mod/profile_photo.php +++ b/mod/profile_photo.php @@ -15,11 +15,13 @@ function profile_photo_init(&$a) { function profile_photo_post(&$a) { - if(! local_user()) { - notice ( t('Permission denied.') . EOL ); - return; - } - + if(! local_user()) { + notice ( t('Permission denied.') . EOL ); + return; + } + + check_form_security_token_redirectOnErr('/profile_photo', 'profile_photo'); + if((x($_POST,'cropfinal')) && ($_POST['cropfinal'] == 1)) { // phase 2 - we have finished cropping @@ -148,7 +150,9 @@ function profile_photo_content(&$a) { notice( t('Permission denied.') . EOL ); return; }; - + + check_form_security_token_redirectOnErr('/profile_photo', 'profile_photo'); + $resource_id = $a->argv[2]; //die(":".local_user()); $r=q("SELECT * FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s' ORDER BY `scale` ASC", @@ -203,6 +207,7 @@ function profile_photo_content(&$a) { '$lbl_upfile' => t('Upload File:'), '$title' => t('Upload Profile Photo'), '$submit' => t('Upload'), + '$form_security_token' => get_form_security_token("profile_photo"), '$select' => sprintf('%s %s', t('or'), ($newuser) ? '<a href="' . $a->get_baseurl() . '">' . t('skip this step') . '</a>' : '<a href="'. $a->get_baseurl() . '/photos/' . $a->user['nickname'] . '">' . t('select a photo from your photo albums') . '</a>') )); @@ -218,6 +223,7 @@ function profile_photo_content(&$a) { '$image_url' => $a->get_baseurl() . '/photo/' . $filename, '$title' => t('Crop Image'), '$desc' => t('Please adjust the image cropping for optimum viewing.'), + '$form_security_token' => get_form_security_token("profile_photo"), '$done' => t('Done Editing') )); return $o; |