From 7b642046b0dbaf122f12beeb565879f3b3dd8171 Mon Sep 17 00:00:00 2001 From: Vincent Zanotti Date: Fri, 4 Jul 2008 00:51:23 +0200 Subject: [PATCH] Adds XSRF protection to the Events module. Signed-off-by: Vincent Zanotti --- modules/events.php | 10 ++++++++++ templates/events/admin.tpl | 10 +++++----- templates/events/form.tpl | 1 + 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/modules/events.php b/modules/events.php index 1dda5da..12ac485 100644 --- a/modules/events.php +++ b/modules/events.php @@ -308,6 +308,8 @@ class EventsModule extends PLModule } elseif ($action && (!trim($texte) || !trim($titre))) { $page->trigError("L'article doit avoir un titre et un contenu"); } elseif ($action) { + S::assert_xsrf_token(); + require_once 'validations.inc.php'; $evtreq = new EvtReq($titre, $texte, $promo_min, $promo_max, $peremption, $valid_mesg, S::v('uid'), $upload); @@ -361,13 +363,16 @@ class EventsModule extends PLModule } if (Post::v('action') == 'Pas d\'image' && $eid) { + S::assert_xsrf_token(); $upload->rm(); XDB::execute("DELETE FROM evenements_photo WHERE eid = {?}", $eid); $action = 'edit'; } elseif (Post::v('action') == 'Supprimer l\'image' && $eid) { + S::assert_xsrf_token(); $upload->rm(); $action = 'edit'; } elseif (Post::v('action') == "Proposer" && $eid) { + S::assert_xsrf_token(); $promo_min = Post::i('promo_min'); $promo_max = Post::i('promo_max'); if (($promo_min != 0 && ($promo_min <= 1900 || $promo_min >= 2020)) || 
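Review bot: The token is asserted only in the last `elseif ($action)` branch, after the title/content validation, so whatever has already been done with `$upload` by this point (it is constructed outside the hunk and handed straight to `EvtReq`) happens before a forged request is rejected. If that object stores the uploaded file when it is created, a cross-site POST can still write into the upload directory even though the event itself is never proposed; asserting the token as soon as `$action` is known, before the upload is handled, closes that gap — i.e. move `S::assert_xsrf_token();` to the head of the `if ($action ...)` chain, which starts outside this hunk. This assumes `S::assert_xsrf_token()` terminates the request on a mismatch rather than returning a status; none of the call sites here inspect a return value, so that contract should be confirmed.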
@@ -434,17 +439,20 @@ class EventsModule extends PLModule } else { switch ($action) { case 'delete': + S::assert_xsrf_token(); XDB::execute('DELETE from evenements WHERE id = {?}', $eid); break; case "archive": + S::assert_xsrf_token(); XDB::execute('UPDATE evenements SET creation_date = creation_date, flags = CONCAT(flags,",archive") WHERE id = {?}', $eid); break; case "unarchive": + S::assert_xsrf_token(); XDB::execute('UPDATE evenements SET creation_date = creation_date, flags = REPLACE(flags,"archive","") WHERE id = {?}', $eid); @@ -453,12 +461,14 @@ class EventsModule extends PLModule break; case "valid": + S::assert_xsrf_token(); XDB::execute('UPDATE evenements SET creation_date = creation_date, flags = CONCAT(flags,",valide") WHERE id = {?}', $eid); break; case "unvalid": + S::assert_xsrf_token(); XDB::execute('UPDATE evenements SET creation_date = creation_date, flags = REPLACE(flags,"valide", "") WHERE id = {?}', $eid); diff --git a/templates/events/admin.tpl b/templates/events/admin.tpl index 8584e48..4c6588d 100644 --- a/templates/events/admin.tpl +++ b/templates/events/admin.tpl @@ -66,17 +66,17 @@ {if !$ev.fvalide}{/if}{$ev.peremption}{if !$ev.fvalide}{/if} {if $arch} - {icon name=package_delete title="Désarchiver"}
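Review bot: The check is repeated inside each `case` of `switch ($action)` instead of once in front of it, so any branch added later (or one the diff does not show, such as a `default`) silently stays unprotected; a single `S::assert_xsrf_token();` immediately before `switch ($action) {` covers every mutating branch in one place, and the same applies to the `valid`/`unvalid` cases in the following hunk. The three `XDB::execute` calls are already parameterised with `{?}`, so the only untrusted input that matters here is `$action` and `$eid`, both of which are resolved outside the hunk. The enclosing method starts and ends outside this hunk.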
+ {icon name=package_delete title="Désarchiver"}
{else} {if $ev.fvalide} - {icon name=thumb_down title="Invalider"} - {icon name=package_add title="Archiver"}
+ {icon name=thumb_down title="Invalider"} + {icon name=package_add title="Archiver"}
{else} - {icon name=thumb_up title="Valider"}
+ {icon name=thumb_up title="Valider"}
{/if} {/if} {icon name=page_edit title="Editer"} - {icon name=delete title="Supprimer"} + {icon name=delete title="Supprimer"} {if $ev.preview} diff --git a/templates/events/form.tpl b/templates/events/form.tpl index 5a224d0..93c83a0 100644 --- a/templates/events/form.tpl +++ b/templates/events/form.tpl @@ -74,6 +74,7 @@
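Review bot: Carrying the XSRF token in the URL of the Archiver/Désarchiver/Valider/Invalider/Supprimer links keeps these state changes on GET requests, so the token ends up in browser history, proxy and server logs, and in the Referer header of anything the admin page links to — if, as the five replaced `{icon ...}` lines suggest, the commit appends the token to each `href` (the anchor markup itself is stripped in this rendering, so this is inferred). A more robust shape is a minimal POST form per action with `{xsrf_token_field}` and a hidden `action` input, with `modules/events.php` reading the action from `Post::v('action')` the way the image handlers in the same module already do; the `form.tpl` hunk in this commit shows the intended pattern. The enclosing table row markup is not visible here, so the exact form placement would need to be checked against the full template.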
+ {xsrf_token_field} -- 2.1.4
Contenu de l'annonce