projects / platal.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b64204)
Adds XSRF protection to the Marketing module.
authorVincent Zanotti <vincent.zanotti@polytechnique.org>
Fri, 4 Jul 2008 11:54:20 +0000 (13:54 +0200)
committerVincent Zanotti <vincent.zanotti@polytechnique.org>
Fri, 4 Jul 2008 11:54:20 +0000 (13:54 +0200)
Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
modules/marketing.php patch | blob | blame | history
templates/marketing/broken.tpl patch | blob | blame | history
templates/marketing/private.tpl patch | blob | blame | history
templates/marketing/public.tpl patch | blob | blame | history
templates/marketing/relance.tpl patch | blob | blame | history

diff --git a/modules/marketing.php b/modules/marketing.php
index 83dcd89..6296a6c 100644 (file)
--- a/modules/marketing.php
+++ b/modules/marketing.php
@@ -105,6 +105,7 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'del') {
+            S::assert_xsrf_token();
             Marketing::clear($uid, $value);
         }
 
@@ -128,6 +129,8 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'relforce') {
+            S::assert_xsrf_token();
+
             $market = Marketing::get($uid, Post::v('to'));
             if (is_null($market)) {
                 $market = new Marketing($uid, Post::v('to'), 'default', null, 'staff');
@@ -137,6 +140,7 @@ class MarketingModule extends PLModule
         }
 
         if ($action == 'insrel') {
+            S::assert_xsrf_token();
             if (Marketing::relance($uid)) {
                 $page->trigSuccess('relance faite');
             }
@@ -199,6 +203,8 @@ class MarketingModule extends PLModule
             $email = valide_email(Post::v('mail'));
         }
         if (Post::has('valide') && isvalid_email_redirection($email)) {
+            S::assert_xsrf_token();
+
             // security stuff
             check_email($email, "Proposition d'une adresse surveillee pour " . $user['forlife'] . " par " . S::v('forlife'));
             $res = XDB::query("SELECT  e.flags
@@ -261,6 +267,8 @@ class MarketingModule extends PLModule
             $page->assign('promo', $promo);
 
             if (Post::has('valide')) {
+                S::assert_xstf_token();
+
                 require_once('xorg.misc.inc.php');
                 $email = trim(Post::v('mail'));
 
diff --git a/templates/marketing/broken.tpl b/templates/marketing/broken.tpl
index 330e8a4..634dd7b 100644 (file)
--- a/templates/marketing/broken.tpl
+++ b/templates/marketing/broken.tpl
@@ -69,6 +69,7 @@
 </p>
 
 <form method="post" action="{$platal->path}">
+  {xsrf_token_field}
   <table class="bicol" summary="Fiche camarade">
     <tr><th colspan="2">Proposition d'adresse pour<br />{$user.nom} {$user.prenom} (X{$user.promo})</th></tr>
     <tr class="pair">
diff --git a/templates/marketing/private.tpl b/templates/marketing/private.tpl
index b09926c..042365c 100644 (file)
--- a/templates/marketing/private.tpl
+++ b/templates/marketing/private.tpl
@@ -45,7 +45,7 @@ sa dernière relance date du {$relance|date_format}
 {/if}
 </p>
 
-<p>[<a href='{$path}/insrel'>le relancer</a>]</p>
+<p>[<a href='{$path}/insrel?token={xsrf_token}'>le relancer</a>]</p>
 
 {/if}
 
@@ -69,7 +69,7 @@ sa dernière relance date du {$relance|date_format}
       <td>{$a.last|date_format|default:'-'}</td>
       <td class='center'>{$a.nb|default:"-"}</td>
       <td class='action'>
-        <a href='{$path}/del/{$a.email}'>del</a><br />
+        <a href='{$path}/del/{$a.email}?token={xsrf_token}'>del</a><br />
         <a href='{$path}/rel/{$a.email}'>relance</a>
       </td>
     </tr>
@@ -97,6 +97,7 @@ sa dernière relance date du {$relance|date_format}
 
 {if $rel_to}
 <form action="{$path}/relforce/{$email}" method="post">
+  {xsrf_token_field}
   <table class="bicol">
     <tr class="pair">
       <th colspan="2">Edition du mail de relance</th>
diff --git a/templates/marketing/public.tpl b/templates/marketing/public.tpl
index 34f98f4..a34b929 100644 (file)
--- a/templates/marketing/public.tpl
+++ b/templates/marketing/public.tpl
@@ -74,6 +74,7 @@ peut sans aucun doute l'aider à se décider !
 </p>
 
 <form method="post" action="{$platal->path}">
+  {xsrf_token_field}
   <table class="bicol" summary="Fiche camarade">
     <tr class="impair"><td>Nom&nbsp;:</td><td>{$nom}</td></tr>
     <tr class="pair"><td>Prénom&nbsp;:</td><td>{$prenom}</td></tr>
diff --git a/templates/marketing/relance.tpl b/templates/marketing/relance.tpl
index 2fe9508..46ad33b 100644 (file)
--- a/templates/marketing/relance.tpl
+++ b/templates/marketing/relance.tpl
@@ -28,6 +28,7 @@
 {/foreach}
 
 <form action="marketing/relance" method="post">
+  {xsrf_token_field}
   <table class="bicol" summary="liste des inscriptions non confirmées">
     <tr>
       <th>Date</th>
plat/al