author | Tobias Hößl <tobias@hoessl.eu> | 2012-03-12 20:17:37 +0000 |
---|---|---|
committer | Tobias Hößl <tobias@hoessl.eu> | 2012-03-12 20:17:37 +0000 |
commit | 59766b944c9ea3a45b1d7e8593f7bb5d4a0b8445 (patch) | |
tree | fea25d24a1559d6ce6681a6325b9e392ccace7a2 /mod/profiles.php | |
parent | 9574f7df03407013fed4feb3922e19b7a94e34be (diff) | |
Some security against XSRF-attacks
Diffstat (limited to 'mod/profiles.php')
-rwxr-xr-x | mod/profiles.php | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/mod/profiles.php b/mod/profiles.php
index ccd7d5474..b307a2d43 100755
--- a/mod/profiles.php
+++ b/mod/profiles.php
@@ -21,6 +21,9 @@ function profiles_post(&$a) {
 notice( t('Profile not found.') . EOL);
 return;
 }
+
+ check_form_security_token_redirectOnErr('/profiles', 'profile_edit');
+
 $is_default = (($orig[0]['is-default']) ? 1 : 0);
 $profile_name = notags(trim($_POST['profile_name']));
@@ -240,6 +243,8 @@ function profiles_content(&$a) {
 goaway($a->get_baseurl() . '/profiles');
 return; // NOTREACHED
 }
+
+ check_form_security_token_redirectOnErr('/profiles', 'profile_drop', 't');
 // move every contact using this profile as their default to the user default
@@ -264,6 +269,8 @@ function profiles_content(&$a) {
 if(($a->argc > 1) && ($a->argv[1] === 'new')) {
+
+ check_form_security_token_redirectOnErr('/profiles', 'profile_new', 't');
 $r0 = q("SELECT `id` FROM `profile` WHERE `uid` = %d", intval(local_user()));
@@ -291,10 +298,13 @@ function profiles_content(&$a) {
 info( t('New profile created.') . EOL);
 if(count($r3) == 1) goaway($a->get_baseurl() . '/profiles/' . $r3[0]['id']);
+
 goaway($a->get_baseurl() . '/profiles');
- }
+ }
 if(($a->argc > 2) && ($a->argv[1] === 'clone')) {
+
+ check_form_security_token_redirectOnErr('/profiles', 'profile_clone', 't');
 $r0 = q("SELECT `id` FROM `profile` WHERE `uid` = %d", intval(local_user()));
@@ -330,9 +340,11 @@ function profiles_content(&$a) {
 info( t('New profile created.') . EOL);
 if(count($r3) == 1) goaway($a->get_baseurl() . '/profiles/' . $r3[0]['id']);
- goaway($a->get_baseurl() . '/profiles');
- return; // NOTREACHED
- }
+
+ goaway($a->get_baseurl() . '/profiles');
+
+ return; // NOTREACHED
+ }
 if(($a->argc > 1) && (intval($a->argv[1]))) {
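Review bot: The new `check_form_security_token_redirectOnErr('/profiles', 'profile_edit');` call sits after the profile lookup whose failure branch (`Profile not found.`) is visible just above it, so a request with a missing or wrong token still costs a database query before it is rejected. Moving the token check to the first statement of profiles_post, ahead of any `$_POST`-driven query, fails fast and keeps the protection independent of which branch the lookup takes. The body of profiles_post begins outside this hunk, so the exact position of the `$orig` query is inferred from the context lines rather than seen.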
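Review bot: The drop action is now guarded by a token read from the `t` query parameter (`check_form_security_token_redirectOnErr('/profiles', 'profile_drop', 't');`), and the same GET-token pattern is used for `profile_new` and `profile_clone` in the following two hunks and for the `$profile_drop_link`, `$profile_clone_link` and `$cr_new_link` URLs built later in this file. A token carried in the URL is recorded in browser history and server access logs and can be sent in the Referer header to any external resource on the page it leads to, so it is a weaker carrier than a hidden form field submitted by POST, even though it does reject a cross-site request that lacks the token. The stronger shape is to render drop, clone and new as small POST forms and check the token from the form field the way profiles_post now does; if the GET links are kept, that trade-off deserves a comment next to the check, e.g. `// token travels in the URL; see profile_edit for the POST variant`.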
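Review bot: The `- }` / `+ }` pairs and the inserted blank lines in the `profile_new` and `profile_clone` hunks change whitespace only, and mixing them into a commit described as a security fix makes the lines that actually matter harder to pick out when auditing or bisecting. Keeping whitespace-only edits in a separate commit would leave this one containing just the token checks.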
@@ -371,6 +383,9 @@ function profiles_content(&$a) {
 $is_default = (($r[0]['is-default']) ? 1 : 0);
 $tpl = get_markup_template("profile_edit.tpl");
 $o .= replace_macros($tpl,array(
+ '$form_security_token' => get_form_security_token("profile_edit"),
+ '$profile_clone_link' => 'profiles/clone/' . $r[0]['id'] . '?t=' . get_form_security_token("profile_clone"),
+ '$profile_drop_link' => 'profiles/drop/' . $r[0]['id'] . '?t=' . get_form_security_token("profile_drop"),
 '$banner' => t('Edit Profile Details'),
 '$submit' => t('Submit'),
 '$viewprof' => t('View this profile'),
@@ -460,7 +475,8 @@ function profiles_content(&$a) {
 $o .= replace_macros($tpl_header,array(
 '$header' => t('Edit/Manage Profiles'),
 '$chg_photo' => t('Change profile photo'),
- '$cr_new' => t('Create New Profile')
+ '$cr_new' => t('Create New Profile'),
+ '$cr_new_link' => 'profiles/new?t=' . get_form_security_token("profile_new")
 )); |
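Review bot: The token returned by `get_form_security_token("profile_clone")` is concatenated straight into the `?t=` query string of `$profile_clone_link` and `$profile_drop_link` (and of `$cr_new_link` in the next hunk) without `urlencode()`; the token's character set is not visible in this diff, and if it can contain `+`, `/` or `=` the value the server reads back from `$_GET['t']` will not match what was issued and the check will fail for legitimate users. Wrapping each as `'?t=' . urlencode(get_form_security_token("profile_clone"))` is a one-token guard that costs nothing when the alphabet is already URL-safe. These links are also built relative (`'profiles/clone/' . ...`) while the redirects elsewhere in this file use `$a->get_baseurl()`; presumably the template prepends the base URL, which is worth confirming since the template change is outside this diff.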