Properly handles the case where an admin search for a good looking IP-address that...
[platal.git] / modules / xnetlists.php
index f442fea..a22bf1d 100644 (file)
@@ -19,7 +19,7 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  ***************************************************************************/
 
-require_once dirname(__FILE__).'/lists.php';
+Platal::load('lists');
 
 class XnetListsModule extends ListsModule
 {
@@ -32,6 +32,7 @@ class XnetListsModule extends ListsModule
             '%grp/lists/create'    => $this->make_hook('create',    AUTH_MDP, 'groupmember'),
 
             '%grp/lists/members'   => $this->make_hook('members',   AUTH_COOKIE),
+            '%grp/lists/csv'       => $this->make_hook('csv',       AUTH_COOKIE),
             '%grp/lists/annu'      => $this->make_hook('annu',      AUTH_COOKIE),
             '%grp/lists/archives'  => $this->make_hook('archives',  AUTH_COOKIE),
             '%grp/lists/archives/rss' => $this->make_hook('rss',    AUTH_PUBLIC),
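Review bot: The new `'%grp/lists/csv'` route is registered with `AUTH_COOKIE` and no permission argument, whereas `'create'` a few lines above passes `AUTH_MDP` and `'groupmember'`. The `csv` handler is not part of this diff, so it is not visible whether it limits the export to users who may see the member list; a bulk export of addresses deserves an explicit check there. If the level is deliberate because it mirrors `'members'`, a short comment such as `// csv exports the same data as members, hence the same auth level` would record that decision.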
@@ -56,8 +57,7 @@ class XnetListsModule extends ListsModule
     function prepare_client(&$page)
     {
         global $globals;
-
-        require_once dirname(__FILE__).'/lists/lists.inc.php';
+        Platal::load('lists', 'lists.inc.php');
 
         $this->client = new MMList(S::v('uid'), S::v('password'),
                                    $globals->asso('mail_domain'));
@@ -79,15 +79,19 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/index.tpl');
 
         if (Get::has('del')) {
+            S::assert_xsrf_token();
             $this->client->unsubscribe(Get::v('del'));
             pl_redirect('lists');
         }
         if (Get::has('add')) {
+            S::assert_xsrf_token();
             $this->client->subscribe(Get::v('add'));
             pl_redirect('lists');
         }
 
         if (Post::has('del_alias') && may_update()) {
+            S::assert_xsrf_token();
+
             $alias = Post::v('del_alias');
             // prevent group admin from erasing aliases from other groups
             $alias = substr($alias, 0, strpos($alias, '@')).'@'.$globals->asso('mail_domain');
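Review bot: The `del` and `add` branches still change subscriptions on a GET request, so the token that `S::assert_xsrf_token()` checks presumably has to travel in the link's query string, where it ends up in browser history, server and proxy logs, and Referer headers. Consider making these two actions POST forms (`Post::has('del')` / `Post::v('del')`), as the `del_alias` branch below already is. The same question applies to the `Env::has('add')`, `Env::has('add_member')` and `Env::has('del_member')` branches guarded later in this diff, if `Env` also reads the query string. The handler starts and ends outside this hunk.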
@@ -125,6 +129,8 @@ class XnetListsModule extends ListsModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         if (!Post::has('liste')) {
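Review bot: The `else` after `return;` is redundant and makes the token check look like one of two alternatives rather than a precondition for everything that follows. Since the guard already leaves the function, the check reads more clearly as a plain statement after it: `if (!Post::has('submit')) { return; }` followed by `S::assert_xsrf_token();`. The same construct is added in the hunk at new line 318. The enclosing function starts and ends outside this hunk.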
@@ -154,7 +160,7 @@ class XnetListsModule extends ListsModule
         $ret = $this->client->create_list(
                     $liste, utf8_decode(Post::v('desc')), Post::v('advertise'),
                     Post::v('modlevel'), Post::v('inslevel'),
-                    array(S::v('forlife')), array(S::v('forlife')));
+                    array(S::user()->forlifeEmail()), array(S::user()->forlifeEmail()));
 
         $dom = strtolower($globals->asso("mail_domain"));
         $red = $dom.'_'.$liste;
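Review bot: The owner and member arguments of `create_list` change from the session field `S::v('forlife')` to `S::user()->forlifeEmail()`, and this hunk does not show whether the two values have the same format (a bare login versus a full address). A one-line comment above the call stating which form `create_list` expects would make the change verifiable. The lookup is also written twice; `$owner = S::user()->forlifeEmail();` before the call and `array($owner), array($owner)` in the argument list would avoid the repetition. The enclosing function starts and ends outside this hunk.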
@@ -189,6 +195,7 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/sync.tpl');
 
         if (Env::has('add')) {
+            S::assert_xsrf_token();
             $this->client->mass_subscribe($liste, array_keys(Env::v('add')));
         }
 
@@ -234,6 +241,8 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/alias-admin.tpl');
 
         if (Env::has('add_member')) {
+            S::assert_xsrf_token();
+
             $add = Env::v('add_member');
             if (strstr($add, '@')) {
                 list($mbox,$dom) = explode('@', strtolower($add));
@@ -269,6 +278,7 @@ class XnetListsModule extends ListsModule
         }
 
         if (Env::has('del_member')) {
+            S::assert_xsrf_token();
             XDB::query(
                     "DELETE FROM  x4dat.virtual_redirect
                            USING  x4dat.virtual_redirect
@@ -308,6 +318,8 @@ class XnetListsModule extends ListsModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         if (!Post::has('liste')) {