Merge branch 'platal-0.9.17'

[platal.git] / modules / marketing.php

diff --git a/modules/marketing.php b/modules/marketing.php
index 0500fe1..fbc9b07 100644 (file)
--- a/modules/marketing.php
+++ b/modules/marketing.php
@@ -40,7 +40,7 @@ class MarketingModule extends PLModule
     {
         $page->changeTpl('marketing/index.tpl');
 
-        $page->assign('pl_title','Polytechnique.org - Marketing');
+        $page->setTitle('Polytechnique.org - Marketing');
 
         // Quelques statistiques
 
@@ -105,6 +105,7 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'del') {
+            S::assert_xsrf_token();
             Marketing::clear($uid, $value);
         }
 
@@ -128,6 +129,8 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'relforce') {
+            S::assert_xsrf_token();
+
             $market = Marketing::get($uid, Post::v('to'));
             if (is_null($market)) {
                 $market = new Marketing($uid, Post::v('to'), 'default', null, 'staff');
@@ -137,6 +140,7 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'insrel') {
+            S::assert_xsrf_token();
             if (Marketing::relance($uid)) {
                 $page->trigSuccess('relance faite');
             }
@@ -199,6 +203,8 @@ class MarketingModule extends PLModule
             $email = valide_email(Post::v('mail'));
         }
         if (Post::has('valide') && isvalid_email_redirection($email)) {
+            S::assert_xsrf_token();
+
             // security stuff
             check_email($email, "Proposition d'une adresse surveillee pour " . $user['forlife'] . " par " . S::v('forlife'));
             $res = XDB::query("SELECT  e.flags
@@ -261,7 +267,7 @@ class MarketingModule extends PLModule
             $page->assign('promo', $promo);
 
             if (Post::has('valide')) {
-                require_once('xorg.misc.inc.php');
+                S::assert_xstf_token();
                 $email = trim(Post::v('mail'));
 
                 if (!isvalid_email_redirection($email)) {