Merge branch 'platal-0.9.17'

Conflicts:

	include/banana/forum.inc.php
	include/common.inc.php
	modules/core.php
	modules/marketing.php
	plugins/modifier.miniwiki.php

Signed-off-by: Florent Bruneau <florent.bruneau@polytechnique.org>

diff --git a/ChangeLog b/ChangeLog
index c210cca..6068643 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@ New:
         - Add an anti-XSRF framework, and add protection to most pages     -VZA
         - Add a 'disallow all' robots.txt in development working copies.   -VZA
 
+    * Forums:
+        - Can choose the color of the branches                             -FRU
+
 Bug/Wish:
 
     * Admin:
@@ -21,6 +24,7 @@ Bug/Wish:
 
     * Core:
         - Fix email sending, correcting bugs introduced in r1897           -VZA
+        - #832: Always include the url in bug reports                      -ALK
         - #841: Improves contrast of links in legends in skin 'Espace'     -FRU
         - #844: Uses INT in MySQL to store user ids                        -VZA
         - #851: Adds a direct link to GApps for gapps-active users         -VZA

diff --git a/bin/cron/clean.php b/bin/cron/clean.php
index 9cbc702..9744d97 100755 (executable)
--- a/bin/cron/clean.php
+++ b/bin/cron/clean.php
@@ -30,19 +30,21 @@ function query ($sql) {
 }
 
 // la table des notifs est nettoyée
-$eight_days_ago = date("YmdHis",mktime() - 8*24*60*60);
+$eight_days_ago = date("YmdHis", time() - 8*24*60*60);
 query("DELETE FROM watch_ops WHERE known<$eight_days_ago");
 
 query("DELETE FROM register_pending WHERE TO_DAYS(NOW()) - TO_DAYS(date) >= 365");
-query("delete from register_pending WHERE hash = 'INSCRIT'");
+query("DELETE FROM register_pending WHERE hash = 'INSCRIT'");
 
 // quelques tables sont triées pour que la lecture triée soit plus facile
-query("alter table applis_def order by text");
-query("alter table binets_def order by text");
-query("alter table groupesx_def order by text");
-query("alter table secteur order by text");
-query("alter table sections order by text");
+query("ALTER TABLE applis_def ORDER BY text");
+query("ALTER TABLE binets_def ORDER BY text");
+query("ALTER TABLE groupesx_def ORDER BY text");
+query("ALTER TABLE secteur ORDER BY text");
+query("ALTER TABLE sections ORDER BY text");
 
+// Prunes older autocomplete queries.
+query("DELETE FROM search_autocomplete WHERE generated < DATE_SUB(NOW(), INTERVAL 1 DAY)");
 
 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
 ?>

diff --git a/classes/xnetpage.php b/classes/xnetpage.php
index 293fa9c..77ca8cb 100644 (file)
--- a/classes/xnetpage.php
+++ b/classes/xnetpage.php
@@ -74,7 +74,7 @@ class XnetPage extends PlPage
         $sub = array();
         $sub['liste des groupes'] = 'plan';
         $sub['documentation']     = 'Xnet';
-        $sub['signaler un bug']   = array('href' => 'send_bug', 'class' => 'popup_840x600');
+        $sub['signaler un bug']   = array('href' => 'send_bug/'.$_SERVER['REQUEST_URI'], 'class' => 'popup_840x600');
         $menu["no_title"]   = $sub;
 
         $perms = S::v('perms');

diff --git a/htdocs/css/default.css b/htdocs/css/default.css
index b669e82..8a379b2 100644 (file)
--- a/htdocs/css/default.css
+++ b/htdocs/css/default.css
@@ -286,7 +286,7 @@ div.contact-list div.grayed {
 
 div.contact div.identity {
     float: left;
-    width: 90%;
+    width: 89%;
 }
 
 div.contact div.nom {
@@ -296,6 +296,7 @@ div.contact div.nom {
 div.contact div.bits {
     text-align: right;
     float: right;
+    width: 10%;
 }
 
 div.contact div.long {
@@ -308,8 +309,8 @@ div.contact div.long {
 }
 
 div.long table { width: 100%; }
-div.long td.lt { width: 35%; font-style: italic; }
-div.long td.rt { width: 65%; }
+div.long td.lt { width: 18%; font-style: italic; }
+div.long td.rt { width: 82%; }
 
 /*******************************************************************************
     6   Profil

diff --git a/htdocs/css/keynote.css b/htdocs/css/keynote.css
index 276e590..9ab2eed 100644 (file)
--- a/htdocs/css/keynote.css
+++ b/htdocs/css/keynote.css
@@ -309,7 +309,7 @@ div.contact-list div.contact:hover {
 
 div.contact div.identity {
     float: left;
-    width: 70%;
+    width: 89%;
 }
 
 div.contact div.nom {
@@ -317,6 +317,11 @@ div.contact div.nom {
     padding-left: 2px;
 }
 
+div.contact div.nom a {
+    text-decoration: none;
+    font-size: 100%;
+}
+
 div.contact div.appli {
 }
 
@@ -334,8 +339,8 @@ div.contact div.long {
 }
 
 div.long table { width: 100%; }
-div.long td.lt { width: 25%; font-style: italic; }
-div.long td.rt { width: 75%; }
+div.long td.lt { width: 15%; font-style: italic; }
+div.long td.rt { width: 85%; }
 
 /*******************************************************************************
     6   Profil

diff --git a/include/banana/forum.inc.php b/include/banana/forum.inc.php
index 6cd9f77..53d01c6 100644 (file)
--- a/include/banana/forum.inc.php
+++ b/include/banana/forum.inc.php
@@ -68,15 +68,18 @@ class ForumsBanana extends Banana
 
         // Get user profile from SQL
         $req = XDB::query("SELECT  nom, mail, sig,
-                                   FIND_IN_SET('threads',flags), FIND_IN_SET('automaj',flags)
+                                   FIND_IN_SET('threads',flags), FIND_IN_SET('automaj',flags),
+                                   tree_unread, tree_read
                              FROM  {$globals->banana->table_prefix}profils
                             WHERE  uid={?}", S::i('uid'));
-        if (!(list($nom,$mail,$sig,$disp,$maj) = $req->fetchOneRow())) {
+        if (!(list($nom, $mail, $sig, $disp, $maj, $unread, $read) = $req->fetchOneRow())) {
             $nom  = S::v('prenom')." ".S::v('nom');
             $mail = S::v('forlife')."@" . $globals->mail->domain;
             $sig  = $nom." (".S::v('promo').")";
             $disp = 0;
             $maj  = 1;
+            $unread = 'o';
+            $read   = 'dg';
         }
         if ($maj) {
             $time = time();
@@ -95,6 +98,8 @@ class ForumsBanana extends Banana
         Banana::$profile['autoup']                  = $maj;
         Banana::$profile['lastnews']                = S::v('banana_last');
         Banana::$profile['subscribe']               = $req->fetchColumn();
+        Banana::$tree_unread = $unread;
+        Banana::$tree_read = $read;
 
         // Update the "unread limit"
         if (!is_null($time)) {
@@ -177,10 +182,16 @@ class ForumsBanana extends Banana
         global $globals;
         $page = Platal::page();
 
-        if (Post::has('action') && Post::has('banananame') && Post::has('bananasig')
-                && Post::has('bananadisplay') && Post::has('bananamail')
-                && Post::has('bananaupdate') && Post::v('action')=="Enregistrer" ) {
-            $flags = new PlFlagSet();
+        $colors = glob(dirname(__FILE__) . '/../../htdocs/images/banana/m2*.gif');
+        foreach ($colors as $key=>$path) {
+            $path = basename($path, '.gif');
+            $colors[$key] = substr($path, 2);
+        }
+        $page->assign('colors', $colors);
+
+        if (Post::has('action') && Post::v('action') == 'Enregistrer') {
+            S::assert_xsrf_token();
+            $flags = new FlagSet();
             if (Post::b('bananadisplay')) {
                 $flags->addFlag('threads');
             }
@@ -190,11 +201,15 @@ class ForumsBanana extends Banana
             if (Post::b('bananaxface')) {
                 $flags->addFlag('xface');
             }
-            if (XDB::execute("REPLACE INTO  forums.profils (uid, sig, mail, nom, flags)
-                                VALUES  ({?}, {?}, {?}, {?}, {?})",
-                         S::v('uid'), Post::v('bananasig'),
-                         Post::v('bananamail'), Post::v('banananame'),
-                         $flags)) {
+            $unread = Post::s('unread');
+            $read = Post::s('read');
+            if (!in_array($unread, $colors) || !in_array($read, $colors)) {
+                $page->trigError('Le choix de type pour l\'arborescence est invalide');
+            } elseif (XDB::execute("REPLACE INTO  forums.profils (uid, sig, mail, nom, flags, tree_unread, tree_read)
+                                           VALUES  ({?}, {?}, {?}, {?}, {?}, {?}, {?})",
+                                    S::v('uid'), Post::v('bananasig'),
+                                    Post::v('bananamail'), Post::v('banananame'),
+                                    $flags, $unread, $read)) {
                 $page->trigSuccess("Ton profil a été enregistré avec succès.");
             } else {
                 $page->trigError("Une erreur s'est produite lors de l'enregistrement de ton profil");
@@ -205,16 +220,20 @@ class ForumsBanana extends Banana
             SELECT  nom, mail, sig,
                     FIND_IN_SET('threads', flags),
                     FIND_IN_SET('automaj', flags),
-                    FIND_IN_SET('xface', flags)
+                    FIND_IN_SET('xface', flags),
+                    tree_unread,
+                    tree_read
               FROM  forums.profils
              WHERE  uid = {?}", S::v('uid'));
-        if (!(list($nom, $mail, $sig, $disp, $maj, $xface) = $req->fetchOneRow())) {
+        if (!(list($nom, $mail, $sig, $disp, $maj, $xface, $unread, $read) = $req->fetchOneRow())) {
             $nom   = S::v('prenom').' '.S::v('nom');
             $mail  = S::v('forlife').'@'.$globals->mail->domain;
             $sig   = $nom.' ('.S::v('promo').')';
             $disp  = 0;
             $maj   = 0;
             $xface = 0;
+            $unread = 'o';
+            $read  = 'dg';
         }
         $page->assign('nom' ,  $nom);
         $page->assign('mail',  $mail);
@@ -222,6 +241,8 @@ class ForumsBanana extends Banana
         $page->assign('disp',  $disp);
         $page->assign('maj',   $maj);
         $page->assign('xface', $xface);
+        $page->assign('unread', $unread);
+        $page->assign('read', $read);
         return null;
     }
 }

diff --git a/include/banana/ml.inc.php b/include/banana/ml.inc.php
index 1a5413f..c2eea5c 100644 (file)
--- a/include/banana/ml.inc.php
+++ b/include/banana/ml.inc.php
@@ -79,6 +79,17 @@ class MLBanana extends Banana
         $sig  = $nom . ' (' . S::v('promo') . ')';
         Banana::$msgedit_headers['X-Org-Mail'] = S::v('forlife') . '@' . $globals->mail->domain;
 
+        // Tree color
+        $req = XDB::query("SELECT  tree_unread, tree_read
+                             FROM  {$globals->banana->table_prefix}profils
+                            WHERE  uid={?}", S::i('uid'));
+        if (!(list($unread, $read) = $req->fetchOneRow())) {
+            $unread = 'o';
+            $read = 'dg';
+        }
+        Banana::$tree_unread = $unread;
+        Banana::$tree_read = $read;
+
         // Build user profile
         Banana::$profile['headers']['From']         = "$nom <$mail>";
         Banana::$profile['headers']['Organization'] = make_Organization();

diff --git a/include/banana/moderate.inc.php b/include/banana/moderate.inc.php
index 62c2dbc..9e5588a 100644 (file)
--- a/include/banana/moderate.inc.php
+++ b/include/banana/moderate.inc.php
@@ -59,6 +59,8 @@ class ModerationBanana extends Banana
 
     function __construct($forlife, $params = null)
     {
+        ini_set('memory_limit', '128M'); 
+
         global $globals;
         ModerationBanana::$client = $params['client'];
         ModerationBanana::$listname = $params['listname'];

diff --git a/include/common.inc.php b/include/common.inc.php
index 35296b4..3b6932e 100644 (file)
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -19,20 +19,11 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  ***************************************************************************/
 
-function __autoload($cls)
-{
-    if (!pl_autoload($cls)) {
-        $cls = strtolower($cls);
-        if (substr($cls, -3, 3) == 'req') {
-            @include 'validations.inc.php';
-            return;
-        } else if (substr($cls, 0, 6) == 'banana') {
-            require_once 'banana/banana.inc.php';
-            Banana::load(substr($cls, 6));
-            return;
-        }
-        @include "$cls.inc.php";
+function smarty_function_xsrf_token_field($params, &$smarty) {
+    if (S::has('xsrf_token')) {
+        return '<div style="display: none"><input type="hidden" name="token" value="' . S::v('xsrf_token') . '" /></div>';
     }
+    return '';
 }
 
 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:

diff --git a/include/validations/paiements.inc.php b/include/validations/paiements.inc.php
index 2343ac3..e0eca22 100644 (file)
--- a/include/validations/paiements.inc.php
+++ b/include/validations/paiements.inc.php
@@ -38,7 +38,9 @@ class PayReq extends Validate
     public $evt;
     public $evt_intitule;
 
-    public $rules = "Laisser la validation à un trésorier";
+    public $rules = "Vérifier que les balises <salutation>, <prenom>, <nom> et <montant> n'ont pas été modifiées.
+Vérifier que le demandeur n'a pas laissé les crochets [].
+Si le télépaiement n'est pas lié à un groupe ou supérieur à 51 euros, laisser la validation à un trésorier";
     // }}}
     // {{{ constructor
 

diff --git a/include/vcard.inc.php b/include/vcard.inc.php
index 20aa9ce..6083b25 100644 (file)
--- a/include/vcard.inc.php
+++ b/include/vcard.inc.php
@@ -91,8 +91,8 @@ class VCardIterator implements PlIterator
                 $user['forlife'].'@'.$globals->mail->domain2);
 
         $user['virtualalias'] = $res->fetchOneCell();
-        $user['gpxs_vcardjoin'] = join(',', array_map(array('VCard', 'text_encode'), $user['gpxs_name']));
-        $user['binets_vcardjoin'] = join(',', array_map(array('VCard', 'text_encode'), $user['binets']));
+        $user['gpxs_vcardjoin'] = join(', ', array_map(array('VCard', 'text_encode'), $user['gpxs_name']));
+        $user['binets_vcardjoin'] = join(', ', array_map(array('VCard', 'text_encode'), $user['binets']));
         // get photo
         if ($this->photos) {
             $res = XDB::query(

diff --git a/modules/events.php b/modules/events.php
index cc2e0b0..a5e244b 100644 (file)
--- a/modules/events.php
+++ b/modules/events.php
@@ -59,7 +59,7 @@ class EventsModule extends PLModule
                          'special'   => true);
         }
 
-        $exclude  = is_null($exclude) ? '' : ' AND id != ' . $exclude . ' ';
+        $exclude  = is_null($exclude) ? '' : ' AND id != ' . intval($exclude) . ' ';
         $priority = rand(0, 510);
         do {
             $priority = (int)($priority/2);
@@ -308,6 +308,8 @@ class EventsModule extends PLModule
         } elseif ($action && (!trim($texte) || !trim($titre))) {
             $page->trigError("L'article doit avoir un titre et un contenu");
         } elseif ($action) {
+            S::assert_xsrf_token();
+
             require_once 'validations.inc.php';
             $evtreq = new EvtReq($titre, $texte, $promo_min, $promo_max,
                                  $peremption, $valid_mesg, S::v('uid'), $upload);
@@ -361,13 +363,16 @@ class EventsModule extends PLModule
         }
 
         if (Post::v('action') == 'Pas d\'image' && $eid) {
+            S::assert_xsrf_token();
             $upload->rm();
             XDB::execute("DELETE FROM evenements_photo WHERE eid = {?}", $eid);
             $action = 'edit';
         } elseif (Post::v('action') == 'Supprimer l\'image' && $eid) {
+            S::assert_xsrf_token();
             $upload->rm();
             $action = 'edit';
         } elseif (Post::v('action') == "Proposer" && $eid) {
+            S::assert_xsrf_token();
             $promo_min = Post::i('promo_min');
             $promo_max = Post::i('promo_max');
             if (($promo_min != 0 && ($promo_min <= 1900 || $promo_min >= 2020)) ||
@@ -434,17 +439,20 @@ class EventsModule extends PLModule
         } else {
             switch ($action) {
                 case 'delete':
+                    S::assert_xsrf_token();
                     XDB::execute('DELETE from evenements
                                    WHERE id = {?}', $eid);
                     break;
 
                 case "archive":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = CONCAT(flags,",archive")
                                    WHERE id = {?}', $eid);
                     break;
 
                 case "unarchive":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = REPLACE(flags,"archive","")
                                    WHERE id = {?}', $eid);
@@ -453,12 +461,14 @@ class EventsModule extends PLModule
                     break;
 
                 case "valid":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = CONCAT(flags,",valide")
                                    WHERE id = {?}', $eid);
                     break;
 
                 case "unvalid":
+                    S::assert_xsrf_token();
                     XDB::execute('UPDATE evenements
                                      SET creation_date = creation_date, flags = REPLACE(flags,"valide", "")
                                    WHERE id = {?}', $eid);

diff --git a/modules/lists.php b/modules/lists.php
index c7aed33..cfd2efe 100644 (file)
--- a/modules/lists.php
+++ b/modules/lists.php
@@ -98,14 +98,18 @@ class ListsModule extends PLModule
 
 
         if (Get::has('del')) {
+            S::assert_xsrf_token();
             $this->client->unsubscribe(Get::v('del'));
             pl_redirect('lists');
         }
         if (Get::has('add')) {
+            S::assert_xsrf_token();
             $this->client->subscribe(Get::v('add'));
             pl_redirect('lists');
         }
         if (Post::has('promo_add')) {
+            S::assert_xsrf_token();
+
             $promo = Post::i('promo_add');
             if ($promo >= 1900 and $promo < 2100) {
                 $this->client->subscribe("promo$promo");
@@ -113,6 +117,7 @@ class ListsModule extends PLModule
                 $page->trigSuccess("promo incorrecte, il faut une promo sur 4 chiffres.");
             }
         }
+
         $listes = $this->client->get_lists();
         $owner  = array_filter($listes, 'filter_owner');
         $listes = array_diff_key($listes, $owner);
@@ -134,6 +139,8 @@ class ListsModule extends PLModule
         header('Content-Type: text/html; charset="UTF-8"');
         $domain = $this->prepare_client($page);
         $page->changeTpl('lists/liste.inc.tpl', NO_SKIN);
+        S::assert_xsrf_token();
+
         if (Get::has('unsubscribe')) {
             $this->client->unsubscribe($list);
         }
@@ -213,6 +220,8 @@ class ListsModule extends PLModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         $asso = Post::v('asso');
@@ -295,11 +304,13 @@ class ListsModule extends PLModule
         $page->changeTpl('lists/members.tpl');
 
         if (Get::has('del')) {
+            S::assert_xsrf_token();
             $this->client->unsubscribe($liste);
             pl_redirect('lists/members/'.$liste);
         }
 
         if (Get::has('add')) {
+            S::assert_xsrf_token();
             $this->client->subscribe($liste);
             pl_redirect('lists/members/'.$liste);
         }
@@ -330,10 +341,12 @@ class ListsModule extends PLModule
         $this->prepare_client($page);
 
         if (Get::has('del')) {
+            S::assert_xsrf_token();
             $this->client->unsubscribe($liste);
             pl_redirect('lists/annu/'.$liste);
         }
         if (Get::has('add')) {
+            S::assert_xsrf_token();
             $this->client->subscribe($liste);
             pl_redirect('lists/annu/'.$liste);
         }
@@ -454,6 +467,8 @@ class ListsModule extends PLModule
         $page->register_modifier('hdc', 'list_header_decode');
 
         if (Env::has('sadd') || Env::has('sdel')) {
+            S::assert_xsrf_token();
+
             if (Env::has('sadd')) { /* 4 = SUBSCRIBE */
                 $sub = $this->client->get_pending_sub($liste, Env::v('sadd'));
                 $this->client->handle_request($liste,Env::v('sadd'),4,'');
@@ -484,6 +499,8 @@ class ListsModule extends PLModule
         }
 
         if (Post::has('moderate_mails') && Post::has('select_mails')) {
+            S::assert_xsrf_token();
+
             $mails = array_keys(Post::v('select_mails'));
             foreach($mails as $mail) {
                 $this->moderate_mail($domain, $liste, $mail);
@@ -568,6 +585,8 @@ class ListsModule extends PLModule
         $page->changeTpl('lists/admin.tpl');
 
         if (Env::has('send_mark')) {
+            S::assert_xsrf_token();
+
             $actions = Env::v('mk_action');
             $uids    = Env::v('mk_uid');
             $mails   = Env::v('mk_email');
@@ -598,6 +617,8 @@ class ListsModule extends PLModule
         }
 
         if (Env::has('add_member')) {
+            S::assert_xsrf_token();
+
             require_once('user.func.inc.php');
             $members = get_users_forlife_list(Env::v('add_member'),
                                               false,
@@ -611,6 +632,8 @@ class ListsModule extends PLModule
         }
 
         if (isset($_FILES['add_member_file']) && $_FILES['add_member_file']['tmp_name']) {
+            S::assert_xsrf_token();
+
             $upload =& PlUpload::get($_FILES['add_member_file'], S::v('forlife'), 'list.addmember', true);
             if (!$upload) {
                 $page->trigError('Une erreur s\'est produite lors du téléchargement du fichier');
@@ -628,6 +651,8 @@ class ListsModule extends PLModule
         }
 
         if (Env::has('del_member')) {
+            S::assert_xsrf_token();
+
             if (strpos(Env::v('del_member'), '@') === false) {
                 $this->client->mass_unsubscribe(
                     $liste, array(Env::v('del_member').'@'.$globals->mail->domain));
@@ -638,6 +663,8 @@ class ListsModule extends PLModule
         }
 
         if (Env::has('add_owner')) {
+            S::assert_xsrf_token();
+
             require_once('user.func.inc.php');
             $owners = get_users_forlife_list(Env::v('add_owner'), false, array('ListsModule', 'no_login_callback'));
             if ($owners) {
@@ -650,6 +677,8 @@ class ListsModule extends PLModule
         }
 
         if (Env::has('del_owner')) {
+            S::assert_xsrf_token();
+
             if (strpos(Env::v('del_owner'), '@') === false) {
                 $this->client->del_owner($liste, Env::v('del_owner').'@'.$globals->mail->domain);
             } else {
@@ -689,6 +718,8 @@ class ListsModule extends PLModule
         $page->changeTpl('lists/options.tpl');
 
         if (Post::has('submit')) {
+            S::assert_xsrf_token();
+
             $values = $_POST;
             $values = array_map('utf8_decode', $values);
             $spamlevel = intval($values['bogo_level']);
@@ -724,8 +755,10 @@ class ListsModule extends PLModule
             }
             $this->client->set_owner_options($liste, $values);
         } elseif (isvalid_email(Post::v('atn_add'))) {
+            S::assert_xsrf_token();
             $this->client->add_to_wl($liste, Post::v('atn_add'));
         } elseif (Get::has('atn_del')) {
+            S::assert_xsrf_token();
             $this->client->del_from_wl($liste, Get::v('atn_del'));
             pl_redirect('lists/options/'.$liste);
         }
@@ -761,6 +794,8 @@ class ListsModule extends PLModule
 
         $page->changeTpl('lists/delete.tpl');
         if (Post::v('valid') == 'OUI') {
+            S::assert_xsrf_token();
+
             if ($this->client->delete_list($liste, Post::b('del_archive'))) {
                 foreach (array('', '-owner', '-admin', '-bounces', '-unsubscribe') as $app) {
                     XDB::execute("DELETE FROM  $table
@@ -793,6 +828,8 @@ class ListsModule extends PLModule
         $page->changeTpl('lists/soptions.tpl');
 
         if (Post::has('submit')) {
+            S::assert_xsrf_token();
+
             $values = $_POST;
             $values = array_map('utf8_decode', $values);
             unset($values['submit']);
@@ -820,6 +857,7 @@ class ListsModule extends PLModule
         $page->changeTpl('lists/check.tpl');
 
         if (Post::has('correct')) {
+            S::assert_xsrf_token();
             $this->client->check_options($liste, true);
         }
 

diff --git a/modules/marketing.php b/modules/marketing.php
index 74ee081..fbc9b07 100644 (file)
--- a/modules/marketing.php
+++ b/modules/marketing.php
@@ -105,6 +105,7 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'del') {
+            S::assert_xsrf_token();
             Marketing::clear($uid, $value);
         }
 
@@ -128,6 +129,8 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'relforce') {
+            S::assert_xsrf_token();
+
             $market = Marketing::get($uid, Post::v('to'));
             if (is_null($market)) {
                 $market = new Marketing($uid, Post::v('to'), 'default', null, 'staff');
@@ -137,6 +140,7 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'insrel') {
+            S::assert_xsrf_token();
             if (Marketing::relance($uid)) {
                 $page->trigSuccess('relance faite');
             }
@@ -199,6 +203,8 @@ class MarketingModule extends PLModule
             $email = valide_email(Post::v('mail'));
         }
         if (Post::has('valide') && isvalid_email_redirection($email)) {
+            S::assert_xsrf_token();
+
             // security stuff
             check_email($email, "Proposition d'une adresse surveillee pour " . $user['forlife'] . " par " . S::v('forlife'));
             $res = XDB::query("SELECT  e.flags
@@ -261,6 +267,7 @@ class MarketingModule extends PLModule
             $page->assign('promo', $promo);
 
             if (Post::has('valide')) {
+                S::assert_xstf_token();
                 $email = trim(Post::v('mail'));
 
                 if (!isvalid_email_redirection($email)) {

diff --git a/modules/xnetevents.php b/modules/xnetevents.php
index 136e5b4..6ee5456 100644 (file)
--- a/modules/xnetevents.php
+++ b/modules/xnetevents.php
@@ -58,6 +58,7 @@ class XnetEventsModule extends PLModule
             if (!may_update()) {
                 return PL_FORBIDDEN;
             }
+            S::assert_xsrf_token();
 
             $res = XDB::query("SELECT asso_id, short_name FROM groupex.evenements
                                 WHERE eid = {?} AND asso_id = {?}",
@@ -202,6 +203,8 @@ class XnetEventsModule extends PLModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         $moments = Post::v('moment',    array());
@@ -361,6 +364,8 @@ class XnetEventsModule extends PLModule
         $page->assign('moments', $moments);
 
         if (Post::v('intitule')) {
+            S::assert_xsrf_token();
+
             require_once dirname(__FILE__).'/xnetevents/xnetevents.inc.php';
             $short_name = event_change_shortname($page, $eid,
                                                  $infos['short_name'],
@@ -525,6 +530,8 @@ class XnetEventsModule extends PLModule
         }
 
         if (may_update() && Post::v('adm')) {
+            S::assert_xsrf_token();
+
             $member = get_infos(Post::v('mail'));
             if (!$member) {
                 $page->trigError("Membre introuvable");

diff --git a/modules/xnetlists.php b/modules/xnetlists.php
index f442fea..3c71652 100644 (file)
--- a/modules/xnetlists.php
+++ b/modules/xnetlists.php
@@ -79,15 +79,19 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/index.tpl');
 
         if (Get::has('del')) {
+            S::assert_xsrf_token();
             $this->client->unsubscribe(Get::v('del'));
             pl_redirect('lists');
         }
         if (Get::has('add')) {
+            S::assert_xsrf_token();
             $this->client->subscribe(Get::v('add'));
             pl_redirect('lists');
         }
 
         if (Post::has('del_alias') && may_update()) {
+            S::assert_xsrf_token();
+
             $alias = Post::v('del_alias');
             // prevent group admin from erasing aliases from other groups
             $alias = substr($alias, 0, strpos($alias, '@')).'@'.$globals->asso('mail_domain');
@@ -125,6 +129,8 @@ class XnetListsModule extends ListsModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         if (!Post::has('liste')) {
@@ -189,6 +195,7 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/sync.tpl');
 
         if (Env::has('add')) {
+            S::assert_xsrf_token();
             $this->client->mass_subscribe($liste, array_keys(Env::v('add')));
         }
 
@@ -234,6 +241,8 @@ class XnetListsModule extends ListsModule
         $page->changeTpl('xnetlists/alias-admin.tpl');
 
         if (Env::has('add_member')) {
+            S::assert_xsrf_token();
+
             $add = Env::v('add_member');
             if (strstr($add, '@')) {
                 list($mbox,$dom) = explode('@', strtolower($add));
@@ -269,6 +278,7 @@ class XnetListsModule extends ListsModule
         }
 
         if (Env::has('del_member')) {
+            S::assert_xsrf_token();
             XDB::query(
                     "DELETE FROM  x4dat.virtual_redirect
                            USING  x4dat.virtual_redirect
@@ -308,6 +318,8 @@ class XnetListsModule extends ListsModule
 
         if (!Post::has('submit')) {
             return;
+        } else {
+            S::assert_xsrf_token();
         }
 
         if (!Post::has('liste')) {

diff --git a/templates/banana/index.tpl b/templates/banana/index.tpl
index 0e811d5..e865ee2 100644 (file)
--- a/templates/banana/index.tpl
+++ b/templates/banana/index.tpl
@@ -38,6 +38,7 @@
 </p>
 
 <form action="banana/profile" method="post">
+  {xsrf_token_field}
   <table class="bicol" cellpadding="3" cellspacing="0" summary="Configuration de Banana">
     <tr>
       <th colspan="2">Profil Banana</th>
@@ -64,6 +65,17 @@
       </td>
     </tr>
     <tr class="pair">
+      <td class="titre">Aspect de l'arborescence</td>
+      <td>
+        {foreach from=$colors item=color}
+          <label>non-lu <input type="radio" name="unread" value="{$color}" {if $unread eq $color}checked="checked"{/if} /></label>
+          <img src="images/banana/m2{$color}.gif" alt="{$color}" />
+          <label><input type="radio" name="read" value="{$color}" {if $read eq $color}checked="checked"{/if} /> lu</label>
+          <br />
+        {/foreach}
+      </td>
+    </tr>
+    <tr class="pair">
       <td class="titre">Mise à jour des messages non lus</td>
       <td>
         <input type="radio" name="bananaupdate" value="1"

diff --git a/templates/carnet/mescontacts.tpl b/templates/carnet/mescontacts.tpl
index 7264691..ebcb45e 100644 (file)
--- a/templates/carnet/mescontacts.tpl
+++ b/templates/carnet/mescontacts.tpl
@@ -26,51 +26,43 @@
   Ma liste personnelle de contacts
 </h1>
 
-<div>
-Ajouter la personne suivante à ma liste de contacts&nbsp;:
-<div style="float: right">
-<form id="add_user" action="carnet/contacts" method="post">
-  {xsrf_token_field}
-  <div>
-  <input type="hidden" name="action" value="ajouter" />
-  <input type="text" size="30" name="user" class="quick_search"
-         value="ajouter prenom.nom"
-         onfocus="if (this.value == 'ajouter prenom.nom') this.value=''"
-         onblur="if (this.value == '') this.value='ajouter prenom.nom'"
-         size="20" maxlength="70"/>
-  <a href="" onclick="document.getElementById('add_user').submit(); return false;">
-    {icon name=add title="Ajouter la personne"}
-  </a>
+<p>
+  <div style="float: right">
+  <form id="add_user" action="carnet/contacts" method="post">
+    {xsrf_token_field}
+    <div>
+    <input type="hidden" name="action" value="ajouter" />
+    <input type="text" size="30" name="user" class="quick_search"
+           value="ajouter prenom.nom"
+           onfocus="if (this.value == 'ajouter prenom.nom') this.value=''"
+           onblur="if (this.value == '') this.value='ajouter prenom.nom'"
+           size="20" maxlength="70"/>
+    <a href="" onclick="document.getElementById('add_user').submit(); return false;">
+      {icon name=add title="Ajouter la personne"}
+    </a>
+    </div>
+  </form>
   </div>
+  Ajouter à tes contacts&nbsp;:
 </p>
-</form>
-</div>
-</div>
 <p style="clear: both">
-  Tu peux également rajouter des camarades dans tes contacts lors d'une recherche dans l'annuaire&nbsp;: 
-  il te suffit de cliquer sur l'icône {icon name=add} en face de son nom dans les résultats !
-</p>  
+    Tu peux également ajouter un(e) camarade à tes contacts en cliquant sur l'icône {icon name=add} en
+    face de son nom dans les résultats d'une recherche dans l'annuaire !
+</p>
 
-{if $plset_count || $smarty.request.quick}
 <p>
-Pour récupérer ta liste de contacts dans un PDF imprimable&nbsp;:<br />
-(attention, les photos font beaucoup grossir les fichiers !)
+  Tu peux télécharger des informations sur tes contacts&nbsp;:
 </p>
+{if $plset_count || $smarty.request.quick}
 <ul>
-  <li>avec les photos&nbsp;:
-  [<a href="carnet/contacts/pdf/promo/photos/mescontacts.pdf" class='popup'><strong>tri par promo</strong></a>]
-  [<a href="carnet/contacts/pdf/photos/mescontacts.pdf" class='popup'><strong>tri par noms</strong></a>]
-  </li>
-  <li>sans les photos&nbsp;:
+  <li>Tes contacts en PDF, sans les photos&nbsp;:
   [<a href="carnet/contacts/pdf/promo/mescontacts.pdf" class='popup'><strong>tri par promo</strong></a>]
   [<a href="carnet/contacts/pdf/mescontacts.pdf" class='popup'><strong>tri par noms</strong></a>]
   </li>
-</ul>
-
-<p>
-  Tu peux télécharger des informations sur tes contacts&nbsp;:
-</p>
-<ul>
+  <li>Avec les photos (attention fichier plus gros)&nbsp;:
+  [<a href="carnet/contacts/pdf/promo/photos/mescontacts.pdf" class='popup'><strong>tri par promo</strong></a>]
+  [<a href="carnet/contacts/pdf/photos/mescontacts.pdf" class='popup'><strong>tri par noms</strong></a>]
+  </li>
   <li>
     {icon name=calendar_view_day title='Anniversaires'} 
     <a href="carnet/contacts/ical/{$smarty.session.forlife}/{$smarty.session.core_rss_hash}/anniv-x.ics" title="Anniversaires">
@@ -96,7 +88,7 @@ Pour récupérer ta liste de contacts dans un PDF imprimable&nbsp;:<br />
       </div>
     </form>
   </div>
-  Tu peux faire une recherche sur tes contacts&nbsp;:
+  Rechercher dans tes contacts&nbsp;:
 </p>
 
 {include file="core/plset.tpl"}

diff --git a/templates/core/bug.tpl b/templates/core/bug.tpl
index 15f36d8..4b3d80a 100644 (file)
--- a/templates/core/bug.tpl
+++ b/templates/core/bug.tpl
@@ -68,7 +68,7 @@ function fillContent()
       <option value="wish">Souhait</option>\r
       <option value="help">Aide/Dépannage</option>\r
     </select>\r
-    &nbsp;&nbsp;Sujet&nbsp;: <input type="text" name="item_summary" id="flyspray_title" value="sur la page {$smarty.server.HTTP_REFERER}" size="50" maxlength="100"/>\r
+    &nbsp;&nbsp;Sujet&nbsp;: <input type="text" name="item_summary" id="flyspray_title" value="sur la page { $location }" size="50" maxlength="100"/>\r
     <textarea name="detailed_desc" id="flyspray_detail" cols="70" rows="10" style="width:100%;margin-top:10px;margin-bottom:10px;height:400px;display:block;" onFocus="cleanContent()" onBlur="fillContent()"></textarea>\r
     <input type="hidden" name="page" value="{$smarty.server.HTTP_REFERER|default:$smarty.request.page}" />\r
     <div class="center">\r

diff --git a/templates/core/vcard.tpl b/templates/core/vcard.tpl
index c3e3097..d0524a1 100644 (file)
--- a/templates/core/vcard.tpl
+++ b/templates/core/vcard.tpl
@@ -75,7 +75,7 @@ URL:{$vcard.web}
 {if strlen(trim($vcard.freetext)) == 0}
 NOTE:(X{$vcard.promo})
 {else}
-NOTE:(X{$vcard.promo})\n{$vcard.freetext|vcard_enc}
+NOTE:(X{$vcard.promo})\n{$vcard.freetext|miniwiki:'no_title':'text'|vcard_enc}
 {/if}
 {if $vcard.section}
 X-SECTION:{$vcard.section}

diff --git a/templates/events/admin.tpl b/templates/events/admin.tpl
index 8584e48..4c6588d 100644 (file)
--- a/templates/events/admin.tpl
+++ b/templates/events/admin.tpl
@@ -66,17 +66,17 @@
     <td class="right">{if !$ev.fvalide}<strong>{/if}{$ev.peremption}{if !$ev.fvalide}</strong>{/if}</td>
     <td class="right" style="width: 42px">
       {if $arch}
-        <a href="admin/events/unarchive/{$ev.id}">{icon name=package_delete title="Désarchiver"}</a><br />
+        <a href="admin/events/unarchive/{$ev.id}?token={xsrf_token}">{icon name=package_delete title="Désarchiver"}</a><br />
       {else}
         {if $ev.fvalide}
-        <a href="admin/events/unvalid/{$ev.id}">{icon name=thumb_down title="Invalider"}</a>
-        <a href="admin/events/archive/{$ev.id}">{icon name=package_add title="Archiver"}</a><br />
+        <a href="admin/events/unvalid/{$ev.id}?token={xsrf_token}">{icon name=thumb_down title="Invalider"}</a>
+        <a href="admin/events/archive/{$ev.id}?token={xsrf_token}">{icon name=package_add title="Archiver"}</a><br />
         {else}
-        <a href="admin/events/valid/{$ev.id}">{icon name=thumb_up title="Valider"}</a><br />
+        <a href="admin/events/valid/{$ev.id}?token={xsrf_token}">{icon name=thumb_up title="Valider"}</a><br />
         {/if}
       {/if}
       <a href="admin/events/edit/{$ev.id}">{icon name=page_edit title="Editer"}</a>
-      <a href="admin/events/delete/{$ev.id}">{icon name=delete title="Supprimer"}</a>
+      <a href="admin/events/delete/{$ev.id}?token={xsrf_token}">{icon name=delete title="Supprimer"}</a>
     </td>
   </tr>
   {if $ev.preview}

diff --git a/templates/events/form.tpl b/templates/events/form.tpl
index 5a224d0..93c83a0 100644 (file)
--- a/templates/events/form.tpl
+++ b/templates/events/form.tpl
@@ -74,6 +74,7 @@
 <br />
 
 <form action="{$platal->path}" method="post" enctype="multipart/form-data">
+  {xsrf_token_field}
   <table class="bicol">
     <tr>
       <th colspan="2">Contenu de l'annonce</th>

diff --git a/templates/include/minifiche.tpl b/templates/include/minifiche.tpl
index bc6246a..862b22b 100644 (file)
--- a/templates/include/minifiche.tpl
+++ b/templates/include/minifiche.tpl
@@ -41,14 +41,9 @@
       {if $c.iso3166}
       <img src='images/flags/{$c.iso3166}.gif' alt='{$c.nat}' height='11' title='{$c.nat}' />&nbsp;
       {/if}
-      (X {$c.promo}{if $c.app0text}, {applis_fmt type=$c.app0type text=$c.app0text url=$c.app0url}{*
-      *}{/if}{if $c.app1text}, {applis_fmt type=$c.app1type text=$c.app1text url=$c.app1url}{/if})
-      {if $c.dcd}décédé{if $c.sexe}e{/if} le {$c.deces|date_format}{/if}
-      {if $smarty.session.auth ge AUTH_COOKIE}
-      {if !$c.dcd && !$c.wasinscrit}
-      <a href="marketing/public/{$c.user_id}" class='popup'>clique ici si tu connais son adresse email !</a>
-      {/if}
-      {/if}
+      X {$c.promo}{if $c.app0text}, {applis_fmt type=$c.app0type text=$c.app0text url=$c.app0url}{*
+      *}{/if}{if $c.app1text}, {applis_fmt type=$c.app1type text=$c.app1text url=$c.app1url}{/if}{*
+      *}{if $c.dcd}, décédé{if $c.sexe}e{/if} le {$c.deces|date_format}{/if}
     </div>
   </div>
 
@@ -82,44 +77,44 @@
 
     {if hasPerm('admin')}
     <div>
-    {if !$c.wasinscrit && !$c.dcd}
-    <a href="marketing/private/{$c.user_id}">{*
-      *}{icon name=email title="marketter user"}</a>
-    {/if}
-    <a href="admin/user/{if $c.wasinscrit}{$c.forlife}{else}{$c.user_id}{/if}">{*
-    *}{icon name=wrench title="administrer user"}</a>
-    <a href="http://www.polytechniciens.com/?page=AX_FICHE_ANCIEN&amp;anc_id={$c.matricule_ax}">{*
-    *}{icon name=user_gray title="fiche AX"}</a>
+      [{if !$c.wasinscrit && !$c.dcd}
+      <a href="marketing/private/{$c.user_id}">{*
+        *}{icon name=email title="marketter user"}</a>
+      {/if}
+      <a href="admin/user/{if $c.wasinscrit}{$c.forlife}{else}{$c.user_id}{/if}">{*
+      *}{icon name=wrench title="administrer user"}</a>
+      <a href="http://www.polytechniciens.com/?page=AX_FICHE_ANCIEN&amp;anc_id={$c.matricule_ax}">{*
+      *}{icon name=user_gray title="fiche AX"}</a>]
     </div>
     {/if}
   </div>
   {/if}
 
   <div class="long">
-  {if $c.wasinscrit}
+  {if $c.wasinscrit || !$c.dcd}
     {if $c.web || $c.mobile || $c.countrytxt || $c.city || $c.region || $c.entreprise || $c.freetext || (!$c.dcd && !$c.actif )}
     <table cellspacing="0" cellpadding="0">
       {if $c.web}
       <tr>
-        <td class="lt">Page web:</td>
+        <td class="lt">Page web&nbsp;:</td>
         <td class="rt"><a href="{$c.web}">{$c.web}</a></td>
       </tr>
       {/if}
       {if $c.countrytxt || $c.city}
       <tr>
-        <td class="lt">Géographie:</td>
+        <td class="lt">Géographie&nbsp;:</td>
         <td class="rt">{$c.city}{if $c.city && $c.countrytxt}, {/if}{$c.countrytxt}</td>
       </tr>
       {/if}
       {if $c.mobile && !$c.dcd}
       <tr>
-        <td class="lt">Mobile:</td>
+        <td class="lt">Mobile&nbsp;:</td>
         <td class="rt">{$c.mobile}</td>
       </tr>
       {/if}
       {if $c.entreprise}
       <tr>
-        <td class="lt">Profession:</td>
+        <td class="lt">Profession&nbsp;:</td>
         <td class="rt">
           {$c.entreprise} {if $c.secteur}({$c.secteur}){/if}
           {if $c.fonction}<br />{$c.fonction}{/if}
@@ -128,17 +123,23 @@
       {/if}
       {if $c.freetext}
       <tr>
-        <td class="lt">Commentaire:</td>
+        <td class="lt">Commentaire&nbsp;:</td>
         <td class="rt">{$c.freetext|nl2br}</td>
       </tr>
       {/if}
-      {if !$c.dcd && !$c.actif && $c.wasinscrit && $smarty.session.auth ge AUTH_COOKIE}
+      {if !$c.dcd && (!$c.actif || !$c.wasinscrit) && $smarty.session.auth ge AUTH_COOKIE}
       <tr>
         <td class="smaller" colspan="2">
-          Ce camarade n'a plus d'adresse de redirection valide.
+          {if !$c.wasinscrit}
+          Ce{if $c.sexe}tte{/if} camarade n'est pas inscrit{if $c.sexe}e{/if}.
+          <a href="marketing/public/{$c.user_id}" class='popup'>Si tu connais son adresse email,
+          <strong>n'hésite pas à nous la transmettre !</a>
+          {elseif !$c.actif}
+          Ce{if $c.sexe}tte{/if} camarade n'a plus d'adresse de redirection valide.
           <a href="marketing/broken/{$c.forlife}">
-            Si tu en connais une, <strong>n'hésite pas à nous la transmettre</strong>
+            Si tu en connais une, <strong>n'hésite pas à nous la transmettre</strong>.
           </a>
+          {/if}
         </td>
       </tr>
       {/if}

diff --git a/templates/lists/admin.tpl b/templates/lists/admin.tpl
index 0adaf22..ff1276c 100644 (file)
--- a/templates/lists/admin.tpl
+++ b/templates/lists/admin.tpl
@@ -60,6 +60,7 @@ mails de marketing. Une fois inscrits à Polytechnique.org, l'inscription à la
 </script>
 
 <form method="post" action='{$smarty.server.REQUEST_URI}'>
+  {xsrf_token_field}
   <table class="bicol">
   {foreach from=$unregistered key=login item=it}
     <tr class="{cycle values="pair,impair"}">
@@ -103,6 +104,7 @@ mails de marketing. Une fois inscrits à Polytechnique.org, l'inscription à la
 </h1>
 
 <form method='post' action='{$smarty.server.REQUEST_URI}'>
+  {xsrf_token_field}
   <table class='tinybicol' cellpadding='0' cellspacing='0'>
     {foreach from=$owners item=xs key=promo}
     <tr>
@@ -140,6 +142,7 @@ mails de marketing. Une fois inscrits à Polytechnique.org, l'inscription à la
 </h1>
 
 <form method='post' action='{$smarty.server.REQUEST_URI}' enctype="multipart/form-data">
+  {xsrf_token_field}
   <table class='bicol' cellpadding='0' cellspacing='0'>
     {foreach from=$members item=xs key=promo}
     <tr>
@@ -155,7 +158,7 @@ mails de marketing. Une fois inscrits à Polytechnique.org, l'inscription à la
         {else}
         {$x.l}
         {/if}
-        <a href='{$platal->pl_self(1)}?del_member={$x.l}'>{icon name=cross title='retirer membre'}</a>
+        <a href='{$platal->pl_self(1)}?del_member={$x.l}&amp;token={xsrf_token}'>{icon name=cross title='retirer membre'}</a>
         <br />
         {/foreach}
       </td>

diff --git a/templates/lists/annu.tpl b/templates/lists/annu.tpl
index e03022c..1390e1f 100644 (file)
--- a/templates/lists/annu.tpl
+++ b/templates/lists/annu.tpl
@@ -54,13 +54,13 @@
       {if $details.sub>1}
       Tu es inscrit sur la liste.<br />
       Te désinscrire&nbsp;:
-      <a href='{$platal->pl_self(1)}?del=1'>{icon name=cross title="me désinscrire"}</a>
+      <a href='{$platal->pl_self(1)}?del=1&amp;token={xsrf_token}'>{icon name=cross title="me désinscrire"}</a>
       {elseif $details.sub eq 1}
       Ta demande d'inscription est en cours de validation.
       {else}
       Tu n'es pas inscrit.<br />
       Demander ton inscription&nbsp;:
-      <a href="{$platal->pl_self(1)}?add=1">{icon name=add title="demander mon inscription"}</a>
+      <a href="{$platal->pl_self(1)}?add=1&amp;token={xsrf_token}">{icon name=add title="demander mon inscription"}</a>
       {/if}
     </td>
   </tr>

diff --git a/templates/lists/check.tpl b/templates/lists/check.tpl
index 609b2f8..522fdee 100644 (file)
--- a/templates/lists/check.tpl
+++ b/templates/lists/check.tpl
@@ -36,6 +36,7 @@
   {/foreach}
 </table>
 <form action='{$platal->pl_self(1)}' method='post'>
+  {xsrf_token_field}
   <div class='center'>
     <br />
     <input type='submit' name='correct' value='Corriger les valeurs !' />

diff --git a/templates/lists/create.tpl b/templates/lists/create.tpl
index d642394..81437b7 100644 (file)
--- a/templates/lists/create.tpl
+++ b/templates/lists/create.tpl
@@ -38,6 +38,7 @@ liste :
 </p>
 
 <form action='lists/create' method='post' enctype="multipart/form-data">
+  {xsrf_token_field}
   <table class='bicol' cellspacing='0' cellpadding='2'>
     <tr>
       <th colspan='5'>Caractéristiques de la liste</th>

diff --git a/templates/lists/delete.tpl b/templates/lists/delete.tpl
index 1796e7d..65c25d6 100644 (file)
--- a/templates/lists/delete.tpl
+++ b/templates/lists/delete.tpl
@@ -41,6 +41,7 @@ Tu n'es pas administrateur de la liste, mais du site.
 </h1>
 
 <form method='post' action='{$platal->pl_self(1)}'>
+  {xsrf_token_field}
   <table class='tinybicol' cellpadding='2' cellspacing='0'>
     <tr class='impair'>
       <td>

diff --git a/templates/lists/index.tpl b/templates/lists/index.tpl
index 731a570..bd00c1e 100644 (file)
--- a/templates/lists/index.tpl
+++ b/templates/lists/index.tpl
@@ -93,6 +93,7 @@ Les listes de diffusion publiques sont visibles par tous les X inscrits à Polyt
 {/if}
 
 <form method='post' action='lists'>
+  {xsrf_token_field}
   <table class='tinybicol' cellspacing='0' cellpadding='2'>
     <tr>
       <th colspan='2'>Inscription à une liste de diffusion promo</th>

diff --git a/templates/lists/liste.inc.tpl b/templates/lists/liste.inc.tpl
index a6ae99e..2ebb469 100644 (file)
--- a/templates/lists/liste.inc.tpl
+++ b/templates/lists/liste.inc.tpl
@@ -37,8 +37,8 @@
   {if $liste.subscriptions|@count}
   <strong>&bull; Demandes d'inscription</strong><br />
   {foreach from=$liste.subscriptions item=s}
-    <a href='{$platal->ns}lists/moderate/{$liste.list}?sadd={$s.id}'
-        onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?sadd={$s.id}'));">
+    <a href='{$platal->ns}lists/moderate/{$liste.list}?sadd={$s.id}&amp;token={xsrf_token}'
+        onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?sadd={$s.id}&amp;token={xsrf_token}'));">
       {icon name=add title="Accepter"}
     </a>
     <a href='{$platal->ns}lists/moderate/{$liste.list}?sid={$s.id}'>
@@ -55,12 +55,12 @@
   <strong>&bull; Demandes de modération</strong><br />
   <span class="smaller">
   {foreach from=$liste.mails item=m}
-    <a href='{$platal->ns}lists/moderate/{$liste.list}?mid={$m.id}&amp;mok=1'
-        onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?mid={$m.id}&amp;mok=1'));">
+    <a href='{$platal->ns}lists/moderate/{$liste.list}?mid={$m.id}&amp;mok=1&amp;token={xsrf_token}'
+        onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?mid={$m.id}&amp;mok=1&amp;token={xsrf_token}'));">
       {icon name=add title="Valider le mail"}
     </a>
-    <a href='{$platal->ns}lists/moderate/{$liste.list}?mid={$m.id}&amp;mdel=1'
-        onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?mid={$m.id}&amp;mdel=1'));">
+    <a href='{$platal->ns}lists/moderate/{$liste.list}?mid={$m.id}&amp;mdel=1&amp;token={xsrf_token}'
+        onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?mid={$m.id}&amp;mdel=1&amp;token={xsrf_token}'));">
       {icon name=delete title="Spam"}
     </a>
     De&nbsp;: {$m.sender}<br />
@@ -81,15 +81,15 @@
 <td class='right'>{$liste.nbsub}</td>
 <td class='right'>
   {if $liste.sub eq 2}
-  <a href='{$platal->ns}lists?del={$liste.list}'
-      onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?unsubscribe=1'));">
+  <a href='{$platal->ns}lists?del={$liste.list}&amp;token={xsrf_token}'
+      onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?unsubscribe=1&amp;token={xsrf_token}'));">
     {icon name=cross title="me désinscrire"}
   </a>
   {elseif $liste.sub eq 1}
   {icon name=flag_orange title='inscription en attente de modération'}
   {else}
-  <a href='{$platal->ns}lists?add={$liste.list}'
-      onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?subscribe=1'));">
+  <a href='{$platal->ns}lists?add={$liste.list}&amp;token={xsrf_token}'
+      onclick="return (is_IE || Ajax.update_html('list_{$liste.list}', '{$platal->ns}lists/ajax/{$liste.list}?subscribe=1&amp;token={xsrf_token}'));">
     {icon name=add title="m'inscrire"}
   </a>
   {/if}

diff --git a/templates/lists/members.tpl b/templates/lists/members.tpl
index 135b6b8..b75548a 100644 (file)
--- a/templates/lists/members.tpl
+++ b/templates/lists/members.tpl
@@ -58,13 +58,13 @@
       {if $details.sub>1}
       Tu es inscrit sur la liste.<br />
       Te désinscrire&nbsp;:
-      <a href='{$platal->pl_self(1)}?del=1'>{icon name=cross title="me désinscrire"}</a>
+      <a href='{$platal->pl_self(1)}?del=1&amp;token={xsrf_token}'>{icon name=cross title="me désinscrire"}</a>
       {elseif $details.sub eq 1}
       Ta demande d'inscription est en cours de validation.
       {else}
       Tu n'es pas inscrit.<br />
       Demander ton inscription&nbsp;:
-      <a href="{$platal->pl_self(1)}?add=1">{icon name=add title="demander mon inscription"}</a>
+      <a href="{$platal->pl_self(1)}?add=1&amp;token={xsrf_token}">{icon name=add title="demander mon inscription"}</a>
       {/if}
     </td>
   </tr>

diff --git a/templates/lists/moderate.tpl b/templates/lists/moderate.tpl
index 7bd86d0..704c34f 100644 (file)
--- a/templates/lists/moderate.tpl
+++ b/templates/lists/moderate.tpl
@@ -42,7 +42,7 @@
     </td>
     <td>{$s.addr}</td>
     <td class='action'>
-      <a href='{$platal->pl_self(1)}?sadd={$s.id}'>{icon name=add title="Valider l'inscription"}</a>
+      <a href='{$platal->pl_self(1)}?sadd={$s.id}&amp;token={xsrf_token}'>{icon name=add title="Valider l'inscription"}</a>
       <a href='{$platal->pl_self(1)}?sid={$s.id}'>{icon name=delete title="Refuser l'inscription"}</a>
     </td>
   </tr>
@@ -93,6 +93,7 @@ function toggleAll() {
 //]]></script>
 
 <form method="post" action="{$platal->pl_self(1)}">
+{xsrf_token_field}
 {if $with_fromx}
 <table class="bicol" style="margin-bottom: 1ex">
   <tr>
@@ -125,11 +126,11 @@ function toggleAll() {
       {$m.size} octets</small>
     </td>
     <td class='action'>
-      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mok=1'>{icon name=add title="Accepter le message"}</a>
+      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mok=1&amp;token={xsrf_token}'>{icon name=add title="Accepter le message"}</a>
     </td>
     <td class='action'>
       <a href='{$platal->pl_self(1)}?mid={$m.id}'>{icon name=magnifier title="Voir le message"}</a><br/>
-      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mdel=1'>{icon name=delete title="Spam !"}</a>
+      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mdel=1&amp;token={xsrf_token}'>{icon name=delete title="Spam !"}</a>
     </td>
   </tr>
   {/if}
@@ -167,11 +168,11 @@ function toggleAll() {
       {$m.size} octets</small>
     </td>
     <td class='action'>
-      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mok=1'>{icon name=add title="Accepter le message"}</a>
+      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mok=1&amp;token={xsrf_token}'>{icon name=add title="Accepter le message"}</a>
     </td>
     <td class='action'>
       <a href='{$platal->pl_self(1)}?mid={$m.id}'>{icon name=magnifier title="Voir le message"}</a><br/>
-      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mdel=1'>{icon name=delete title="Spam !"}</a>
+      <a href='{$platal->pl_self(1)}?mid={$m.id}&amp;mdel=1&amp;token={xsrf_token}'>{icon name=delete title="Spam !"}</a>
     </td>
   </tr>
   {/if}

diff --git a/templates/lists/moderate_sub.tpl b/templates/lists/moderate_sub.tpl
index f0a6c85..b1066cc 100644 (file)
--- a/templates/lists/moderate_sub.tpl
+++ b/templates/lists/moderate_sub.tpl
@@ -23,6 +23,7 @@
 <h1>Refuser l'inscription d'un utilisateur</h1>
 
 <form method='post' action='{$platal->pl_self(1)}'>
+  {xsrf_token_field}
   <table class='tinybicol' cellpadding='0' cellspacing='0'>
     <tr>
       <th class='titre'>refuser l'inscription de&nbsp;:</th>

diff --git a/templates/lists/options.tpl b/templates/lists/options.tpl
index e329b6f..9dd310f 100644 (file)
--- a/templates/lists/options.tpl
+++ b/templates/lists/options.tpl
@@ -34,6 +34,7 @@ Tu n'es pas administrateur de la liste, mais du site.
 </h1>
 
 <form method='post' action='{$platal->pl_self(1)}'>
+  {xsrf_token_field}
   <table class='bicol' cellpadding='2' cellspacing='0'>
     <tr><th colspan='2'>Options de la liste {$details.addr}</th></tr>
     <tr class='impair'>
@@ -195,13 +196,14 @@ redirection en mode 'inactif'. le logiciel de mailing list saura se débrouiller
 </p>
 
 <form method='post' action='{$platal->pl_self(1)}'>
+  {xsrf_token_field}
   <table class='tinybicol' cellpadding='2' cellspacing='0'>
     <tr><th>Adresses non modérées</th></tr>
     <tr>
       <td>
         {if $options.accept_these_nonmembers|@count}
         {foreach from=$options.accept_these_nonmembers item=addr}
-        {$addr}<a href='{$platal->pl_self(1)}&amp;atn_del={$addr}'>
+        {$addr}<a href='{$platal->pl_self(1)}&amp;atn_del={$addr}&amp;token={xsrf_token}'>
           {icon name=cross title="retirer de la whitelist"}
         </a><br />
         {/foreach}

diff --git a/templates/lists/soptions.tpl b/templates/lists/soptions.tpl
index b2a3d1b..f2896af 100644 (file)
--- a/templates/lists/soptions.tpl
+++ b/templates/lists/soptions.tpl
@@ -28,6 +28,7 @@
 </h1>
 
 <form method='post' action='{$platal->pl_self(1)}'>
+  {xsrf_token_field}
   <table class='bicol' cellpadding='2' cellspacing='0'>
     <tr><th colspan='2'>Options de la liste {$details.addr}</th></tr>
     <tr class='impair'>

diff --git a/templates/marketing/broken.tpl b/templates/marketing/broken.tpl
index 330e8a4..634dd7b 100644 (file)
--- a/templates/marketing/broken.tpl
+++ b/templates/marketing/broken.tpl
@@ -69,6 +69,7 @@
 </p>
 
 <form method="post" action="{$platal->path}">
+  {xsrf_token_field}
   <table class="bicol" summary="Fiche camarade">
     <tr><th colspan="2">Proposition d'adresse pour<br />{$user.nom} {$user.prenom} (X{$user.promo})</th></tr>
     <tr class="pair">

diff --git a/templates/marketing/private.tpl b/templates/marketing/private.tpl
index b09926c..042365c 100644 (file)
--- a/templates/marketing/private.tpl
+++ b/templates/marketing/private.tpl
@@ -45,7 +45,7 @@ sa dernière relance date du {$relance|date_format}
 {/if}
 </p>
 
-<p>[<a href='{$path}/insrel'>le relancer</a>]</p>
+<p>[<a href='{$path}/insrel?token={xsrf_token}'>le relancer</a>]</p>
 
 {/if}
 
@@ -69,7 +69,7 @@ sa dernière relance date du {$relance|date_format}
       <td>{$a.last|date_format|default:'-'}</td>
       <td class='center'>{$a.nb|default:"-"}</td>
       <td class='action'>
-        <a href='{$path}/del/{$a.email}'>del</a><br />
+        <a href='{$path}/del/{$a.email}?token={xsrf_token}'>del</a><br />
         <a href='{$path}/rel/{$a.email}'>relance</a>
       </td>
     </tr>
@@ -97,6 +97,7 @@ sa dernière relance date du {$relance|date_format}
 
 {if $rel_to}
 <form action="{$path}/relforce/{$email}" method="post">
+  {xsrf_token_field}
   <table class="bicol">
     <tr class="pair">
       <th colspan="2">Edition du mail de relance</th>

diff --git a/templates/marketing/public.tpl b/templates/marketing/public.tpl
index 34f98f4..a34b929 100644 (file)
--- a/templates/marketing/public.tpl
+++ b/templates/marketing/public.tpl
@@ -74,6 +74,7 @@ peut sans aucun doute l'aider à se décider !
 </p>
 
 <form method="post" action="{$platal->path}">
+  {xsrf_token_field}
   <table class="bicol" summary="Fiche camarade">
     <tr class="impair"><td>Nom&nbsp;:</td><td>{$nom}</td></tr>
     <tr class="pair"><td>Prénom&nbsp;:</td><td>{$prenom}</td></tr>

diff --git a/templates/marketing/relance.tpl b/templates/marketing/relance.tpl
index 2fe9508..46ad33b 100644 (file)
--- a/templates/marketing/relance.tpl
+++ b/templates/marketing/relance.tpl
@@ -28,6 +28,7 @@
 {/foreach}
 
 <form action="marketing/relance" method="post">
+  {xsrf_token_field}
   <table class="bicol" summary="liste des inscriptions non confirmées">
     <tr>
       <th>Date</th>

diff --git a/templates/profile/profile.tpl b/templates/profile/profile.tpl
index 0694db3..138fca4 100644 (file)
--- a/templates/profile/profile.tpl
+++ b/templates/profile/profile.tpl
@@ -95,7 +95,7 @@ function chgMainWinLoc(strPage)
         {if $x.dcd}
         Décédé{if $x.sexe}e{/if} le {$x.deces|date_format}
         {elseif !$x.actif}
-        Ce camarade n'a plus d'adresse de redirection valide,<br />
+        Ce{if $c.sexe}tte{/if} camarade n'a plus d'adresse de redirection valide,<br />
         <a href="marketing/broken/{$x.forlife}" class="popup">clique ici si tu connais son adresse email !</a>
         {elseif !$x.inscrit}
         Cette personne n'est pas inscrite à Polytechnique.org,<br />

diff --git a/templates/skin/common.menu.tpl b/templates/skin/common.menu.tpl
index f93a58e..0c3b785 100644 (file)
--- a/templates/skin/common.menu.tpl
+++ b/templates/skin/common.menu.tpl
@@ -75,7 +75,7 @@
 <div class="menu_item"><a href="nl">Lettres mensuelles</a></div>
 <div class="menu_item"><a href="ax">Lettres de l'AX</a></div>
 <div class="menu_item"><a href="Xorg/NousContacter">Nous contacter</a></div>
-<div class="menu_item"><a href="send_bug" class="popup2">Signaler un bug</a></div>
+<div class="menu_item"><a href="send_bug/{ $smarty.server.REQUEST_URI }" class="popup2">Signaler un bug</a></div>
 
 {if hasPerm('admin')}
 <div class="menu_title">***</div>

diff --git a/templates/survey/error.tpl b/templates/survey/error.tpl
index 21e5c22..1eb652a 100644 (file)
--- a/templates/survey/error.tpl
+++ b/templates/survey/error.tpl
@@ -36,7 +36,7 @@
 {elseif $survey_message neq ""}
   {$survey_message}
 {else}
-Une erreur inconnue est survenue dans l'&#233;dition de ce sondage. N'hésite pas &#224; <a href='send_bug'>signaler ce bug</a> si il persiste.
+Une erreur inconnue est survenue dans l'&#233;dition de ce sondage. N'hésite pas &#224; <a href='send_bug/{ $smarty.server.REQUEST_URI }'>signaler ce bug</a> si il persiste.
 {/if}
 <br/>
 <a href="{$survey_link}">Retour</a>

diff --git a/templates/xnet/skin.tpl b/templates/xnet/skin.tpl
index da0beba..a602df0 100644 (file)
--- a/templates/xnet/skin.tpl
+++ b/templates/xnet/skin.tpl
@@ -224,7 +224,7 @@
           <a href="Xnet/APropos">à propos de ce site</a> -
           <a href="mailto:contact@polytechnique.org">nous contacter</a>
           {if $smarty.session.auth}
-            - <a href="send_bug" class="popup_840x600">signaler un bug</a>
+            - <a href="send_bug/{ $smarty.server.REQUEST_URI }" class="popup_840x600">signaler un bug</a>
           {/if}
           <br />
           Plat/al {#globals.version#} - © Copyright 2000-2008 <a href="http://x-org.polytechnique.org/">Association Polytechnique.org</a>

diff --git a/templates/xnetevents/admin.tpl b/templates/xnetevents/admin.tpl
index 0028619..55b1136 100644 (file)
--- a/templates/xnetevents/admin.tpl
+++ b/templates/xnetevents/admin.tpl
@@ -239,6 +239,7 @@ Donne ici son mail, ainsi que le nombre de participants.
 </p>
 
 <form action="{$platal->pl_self()}" method="post" id="inscription">
+  {xsrf_token_field}
   <p class="descr">
     <input type="hidden" name="adm" value="nbs" />
 
@@ -272,6 +273,7 @@ Note que tu peux cliquer sur les noms des membres pour remplir automatiquement l
 </p>
 
 <form action="{$platal->pl_self()}" method="post" id="montant">
+  {xsrf_token_field}
   <p class="descr">
   <input type="hidden" name="adm" value="prix" />
   Mail&nbsp;: <input name="mail" size="20" />

diff --git a/templates/xnetevents/edit.tpl b/templates/xnetevents/edit.tpl
index 5a208cc..85f149f 100644 (file)
--- a/templates/xnetevents/edit.tpl
+++ b/templates/xnetevents/edit.tpl
@@ -64,6 +64,7 @@ function deadlineChange(box)
 {/if}
 
 <form method="post" action="{$platal->ns}events/edit/{$url_ref}">
+  {xsrf_token_field}
   <table class='bicol' cellspacing='0' cellpadding='0'>
     <colgroup>
       <col width='25%' />

diff --git a/templates/xnetevents/index.tpl b/templates/xnetevents/index.tpl
index eff4fd5..d090d5c 100644 (file)
--- a/templates/xnetevents/index.tpl
+++ b/templates/xnetevents/index.tpl
@@ -73,7 +73,7 @@
         modifier
         {icon name=date_edit title="Édition de l'événement"}</a>]
       &nbsp;
-      [<a href="javascript:dynpostkv('{$platal->pl_self()}', {if !$archive}'archive'{else}'unarchive'{/if}, {$e.eid})">
+      [<a href="javascript:dynpostkv('{$platal->pl_self()}?token={xsrf_token}', {if !$archive}'archive'{else}'unarchive'{/if}, {$e.eid})">
         {if !$archive}
           archiver
           {icon name=package_add title="Archivage"}</a>]
@@ -82,7 +82,7 @@
           {icon name=package_delete title="Désarchivage"}</a>]
         {/if}
       &nbsp;
-      [<a href="javascript:dynpostkv('{$platal->ns}events', 'del', {$e.eid})"
+      [<a href="javascript:dynpostkv('{$platal->ns}events?token={xsrf_token}', 'del', {$e.eid})"
         onclick="return confirm('Supprimer l\'événement effacera la liste des inscrits et des paiements.\n Es-tu sûr de vouloir supprimer l\'événement ?')">
         supprimer
       {icon name=delete title='Suppression'}</a>]

diff --git a/templates/xnetevents/subscribe.tpl b/templates/xnetevents/subscribe.tpl
index e0c9e5d..5faab37 100644 (file)
--- a/templates/xnetevents/subscribe.tpl
+++ b/templates/xnetevents/subscribe.tpl
@@ -61,6 +61,7 @@
 {/if}
 
 <form action="{$platal->ns}events/sub/{$event.eid}" method="post">
+  {xsrf_token_field}
   <table class="tiny" cellspacing="0" cellpadding="0">
     {foreach from=$event.moments item=m}
     <tr><th>{$m.titre} ({$m.montant} &euro;)</th></tr>

diff --git a/templates/xnetlists/alias-admin.tpl b/templates/xnetlists/alias-admin.tpl
index 1b25671..91ddf3e 100644 (file)
--- a/templates/xnetlists/alias-admin.tpl
+++ b/templates/xnetlists/alias-admin.tpl
@@ -45,7 +45,7 @@
       {if $m.admin}</strong>{/if}
     </td>
     <td class="center">
-      <a href='{$platal->ns}alias/admin/{$platal->argv[1]}?del_member={$m.redirect|urlencode}'>
+      <a href='{$platal->ns}alias/admin/{$platal->argv[1]}?del_member={$m.redirect|urlencode}&amp;token={xsrf_token}'>
       {icon name=delete title='retirer membre'}
       </a>
     </td>
@@ -64,6 +64,7 @@
   <tr>
     <td colspan="3" class="center">
       <form method="post" action="{$platal->ns}alias/admin/{$platal->argv[1]}">
+        {xsrf_token_field}
         <div>
         <input type='text' name='add_member' />
         &nbsp;

diff --git a/templates/xnetlists/alias-create.tpl b/templates/xnetlists/alias-create.tpl
index 243312a..688dd92 100644 (file)
--- a/templates/xnetlists/alias-create.tpl
+++ b/templates/xnetlists/alias-create.tpl
@@ -46,6 +46,7 @@ Pour les autres besoins de communications (notament pour un grand nombre de pers
 de modération), il est recommandé de créer <a href="{$platal->ns}lists/create">une liste de diffusion</a>.
 </p>
 <form action='{$platal->ns}alias/create' method='post'>
+  {xsrf_token_field}
   <table class='large'>
     <tr>
       <th colspan='2'>Caractéristiques de l'alias</th>

diff --git a/templates/xnetlists/create.tpl b/templates/xnetlists/create.tpl
index 21baa74..6bcb001 100644 (file)
--- a/templates/xnetlists/create.tpl
+++ b/templates/xnetlists/create.tpl
@@ -34,6 +34,7 @@ Si tu as besoin de cette fonctionnalité, il faut alors <strong>impérativement<
 <a href="{$platal->ns}alias/create">un alias</a> qui, lui, est capable de regrouper plusieurs listes.
 </p>
 <form action='{$platal->ns}lists/create' method='post'>
+  {xsrf_token_field}
   <table class="large">
     <tr>
       <th colspan='4'>Caractéristiques de la Liste</th>

diff --git a/templates/xnetlists/index.tpl b/templates/xnetlists/index.tpl
index f2ad857..7af568c 100644 (file)
--- a/templates/xnetlists/index.tpl
+++ b/templates/xnetlists/index.tpl
@@ -24,6 +24,7 @@
 
 <p class="error">Es-tu sûr de vouloir supprimer l'alias {$smarty.get.del_alias} ?</p>
 <form action='{$platal->ns}lists' method="post">
+  {xsrf_token_field}
   <div class="center">
     <input type='submit' value="Oui, je suis sûr" />
     <input type='hidden' name='del_alias' value="{$smarty.get.del_alias}" />
@@ -79,11 +80,11 @@ croix verte te permet de t'inscrire, après accord des responsables si l'inscrip
     <td align='right'>{$l.nbsub}</td>
     <td align='center'>
       {if $l.sub eq 2}
-      <a href="{$platal->ns}lists?del={$l.list}">{icon name=cross title="me désinscrire"}</a>
+      <a href="{$platal->ns}lists?del={$l.list}&amp;token={xsrf_token}">{icon name=cross title="me désinscrire"}</a>
       {elseif $l.sub eq 1}
       {icon name=flag_orange title='inscription en attente de modération'}
       {else}
-      <a href="{$platal->ns}lists?add={$l.list}">{icon name=add title="m'inscrire"}</a>
+      <a href="{$platal->ns}lists?add={$l.list}&amp;token={xsrf_token}">{icon name=add title="m'inscrire"}</a>
       {/if}
     </td>
   </tr>

diff --git a/templates/xnetlists/sync.tpl b/templates/xnetlists/sync.tpl
index 8cfad99..b7e979c 100644 (file)
--- a/templates/xnetlists/sync.tpl
+++ b/templates/xnetlists/sync.tpl
@@ -24,7 +24,7 @@
 <h1>Non abonnés à la liste {$platal->argv[1]}@{$asso.mail_domain}</h1>
 
 <form action="{$platal->ns}lists/sync/{$platal->argv[1]}" method="post">
-
+  {xsrf_token_field}
   <table cellspacing="2" cellpadding="0" class="tiny">
     <tr>
       <th colspan="2">Membre</th>

diff --git a/upgrade/0.9.17/04_last_version.sql b/upgrade/0.9.17/04_last_version.sql
new file mode 100644 (file)
index 0000000..c3cde64
--- /dev/null
+++ b/upgrade/0.9.17/04_last_version.sql
@@ -0,0 +1,3 @@
+ALTER TABLE auth_user_quick MODIFY COLUMN last_version VARCHAR(16) NOT NULL DEFAULT '';
+
+# vim:set syntax=mysql:

diff --git a/upgrade/0.9.17/05_forums.sql b/upgrade/0.9.17/05_forums.sql
new file mode 100644 (file)
index 0000000..a03bfc0
--- /dev/null
+++ b/upgrade/0.9.17/05_forums.sql
@@ -0,0 +1,9 @@
+use forums;
+
+alter table profils
+ add column tree_unread varchar(8) not null default 'o',
+ add column tree_read varchar(8) not null default 'dg';
+
+use x4dat;
+
+# vim:set syntax=mysql:

diff --git a/upgrade/0.9.17/06_logger.sql b/upgrade/0.9.17/06_logger.sql
new file mode 100644 (file)
index 0000000..6b790ea
--- /dev/null
+++ b/upgrade/0.9.17/06_logger.sql
@@ -0,0 +1,7 @@
+use logger;
+
+alter table events change column data data text default null;
+
+use x4dat;
+
+# vim:set syntax=mysql: