From: Vincent Zanotti Date: Fri, 4 Jul 2008 12:35:17 +0000 (+0200) Subject: Adds XSRF protection to the XnetEvents module. X-Git-Tag: xorg/0.9.17~59 X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=4fcbb455e9147e719be75e173b076ba0009258b5;p=platal.git Adds XSRF protection to the XnetEvents module. Signed-off-by: Vincent Zanotti --- diff --git a/modules/xnetevents.php b/modules/xnetevents.php index 417fb3f..77abf91 100644 --- a/modules/xnetevents.php +++ b/modules/xnetevents.php @@ -58,6 +58,7 @@ class XnetEventsModule extends PLModule if (!may_update()) { return PL_FORBIDDEN; } + S::assert_xsrf_token(); $res = XDB::query("SELECT asso_id, short_name FROM groupex.evenements WHERE eid = {?} AND asso_id = {?}", @@ -202,6 +203,8 @@ class XnetEventsModule extends PLModule if (!Post::has('submit')) { return; + } else { + S::assert_xsrf_token(); } $moments = Post::v('moment', array()); @@ -361,6 +364,8 @@ class XnetEventsModule extends PLModule $page->assign('moments', $moments); if (Post::v('intitule')) { + S::assert_xsrf_token(); + require_once dirname(__FILE__).'/xnetevents/xnetevents.inc.php'; $short_name = event_change_shortname($page, $eid, $infos['short_name'], @@ -525,6 +530,8 @@ class XnetEventsModule extends PLModule } if (may_update() && Post::v('adm')) { + S::assert_xsrf_token(); + $member = get_infos(Post::v('mail')); if (!$member) { $page->trigError("Membre introuvable"); diff --git a/templates/xnetevents/admin.tpl b/templates/xnetevents/admin.tpl index 0028619..55b1136 100644 --- a/templates/xnetevents/admin.tpl +++ b/templates/xnetevents/admin.tpl @@ -239,6 +239,7 @@ Donne ici son mail, ainsi que le nombre de participants.
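Review bot: In the `@@ -202` hunk the new `else` branch after `return;` is dead structure — once the early return in the `Post::has('submit')` check fires nothing else runs, so the assert can sit at the same level as the `if`, matching the guard-then-act shape the other three hunks of this file use: keep `if (!Post::has('submit')) { return; }` and put `S::assert_xsrf_token();` on the line after the closing brace. Behaviour is unchanged: a POST without `submit` still exits silently before the token is checked, and any request carrying `submit` is checked before `Post::v('moment', array())` is read. The enclosing handler begins and ends outside this hunk.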

+ {xsrf_token_field}

@@ -272,6 +273,7 @@ Note que tu peux cliquer sur les noms des membres pour remplir automatiquement l

+ {xsrf_token_field}

Mail : diff --git a/templates/xnetevents/edit.tpl b/templates/xnetevents/edit.tpl index 5a208cc..85f149f 100644 --- a/templates/xnetevents/edit.tpl +++ b/templates/xnetevents/edit.tpl @@ -64,6 +64,7 @@ function deadlineChange(box) {/if} + {xsrf_token_field} diff --git a/templates/xnetevents/index.tpl b/templates/xnetevents/index.tpl index eff4fd5..d090d5c 100644 --- a/templates/xnetevents/index.tpl +++ b/templates/xnetevents/index.tpl @@ -73,7 +73,7 @@ modifier {icon name=date_edit title="Édition de l'événement"}]   - [ + [ {if !$archive} archiver {icon name=package_add title="Archivage"}] @@ -82,7 +82,7 @@ {icon name=package_delete title="Désarchivage"}] {/if}   - [ supprimer {icon name=delete title='Suppression'}] diff --git a/templates/xnetevents/subscribe.tpl b/templates/xnetevents/subscribe.tpl index e0c9e5d..5faab37 100644 --- a/templates/xnetevents/subscribe.tpl +++ b/templates/xnetevents/subscribe.tpl @@ -61,6 +61,7 @@ {/if} + {xsrf_token_field}
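Review bot: The archive/unarchive and delete actions in index.tpl stay plain links, and the two changed `[` lines (hunks `@@ -73` and `@@ -82`) appear to append the XSRF token to their href — the markup is stripped here, so this is inferred from the one-line modifications next to "archiver" and "supprimer". A token carried in a GET query string ends up in server access logs, browser history and the Referer header of any outbound link on the target page, which makes it weaker than the hidden `{xsrf_token_field}` this same commit adds to the admin, edit and subscribe forms. Consider turning these two links into small POST forms (a submit button styled as a link) so the token travels in the request body like the other actions; if they must remain links, the handler that consumes them should at least be the one guarded by `may_update()` plus `S::assert_xsrf_token()` (presumably the `@@ -58` hunk in modules/xnetevents.php), and the token should be treated as exposed once it has been used in a URL.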
{foreach from=$event.moments item=m}
{$m.titre} ({$m.montant} €)