Normalize use of form security tokens in Admin modules
# Conflicts: # src/Module/Admin/Logs/Settings.php
parent
2ce15cae1a
commit
9bc2c5a52e
|
@ -42,6 +42,8 @@ class Details extends BaseAdmin
|
||||||
include_once 'addon/' . $addon . '/' . $addon . '.php';
|
include_once 'addon/' . $addon . '/' . $addon . '.php';
|
||||||
|
|
||||||
if (function_exists($addon . '_addon_admin_post')) {
|
if (function_exists($addon . '_addon_admin_post')) {
|
||||||
|
self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');
|
||||||
|
|
||||||
$func = $addon . '_addon_admin_post';
|
$func = $addon . '_addon_admin_post';
|
||||||
$func(DI::app());
|
$func(DI::app());
|
||||||
}
|
}
|
||||||
|
@ -66,7 +68,7 @@ class Details extends BaseAdmin
|
||||||
}
|
}
|
||||||
|
|
||||||
if (($_GET['action'] ?? '') == 'toggle') {
|
if (($_GET['action'] ?? '') == 'toggle') {
|
||||||
self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
|
self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons_details', 't');
|
||||||
|
|
||||||
// Toggle addon status
|
// Toggle addon status
|
||||||
if (Addon::isEnabled($addon)) {
|
if (Addon::isEnabled($addon)) {
|
||||||
|
@ -124,7 +126,7 @@ class Details extends BaseAdmin
|
||||||
'$screenshot' => '',
|
'$screenshot' => '',
|
||||||
'$readme' => $readme,
|
'$readme' => $readme,
|
||||||
|
|
||||||
'$form_security_token' => self::getFormSecurityToken('admin_addons'),
|
'$form_security_token' => self::getFormSecurityToken('admin_addons_details'),
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
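Review bot: In the first hunk the new `self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');` runs only after `include_once 'addon/' . $addon . '/' . $addon . '.php';`, so the addon file is loaded before the request's token has been validated. Moving the check above the `include_once` would keep the request-driven file load behind the CSRF check, in line with the other modules in this commit that check before reading `$_POST`. The enclosing method starts outside the hunk, so where `$addon` and `$redirect` are set and validated is not visible here. Separately, the toggle check now expects the `admin_addons_details` token while the addon list module still issues `admin_addons`; if the list page links to this toggle action with its own `t` value, those links would be rejected, which is worth confirming against the templates.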
@ -34,7 +34,7 @@ class Index extends BaseAdmin
|
||||||
|
|
||||||
// reload active themes
|
// reload active themes
|
||||||
if (!empty($_GET['action'])) {
|
if (!empty($_GET['action'])) {
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
|
self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
|
||||||
|
|
||||||
switch ($_GET['action']) {
|
switch ($_GET['action']) {
|
||||||
case 'reload':
|
case 'reload':
|
||||||
|
@ -73,7 +73,7 @@ class Index extends BaseAdmin
|
||||||
'$addons' => $addons,
|
'$addons' => $addons,
|
||||||
'$pcount' => count($addons),
|
'$pcount' => count($addons),
|
||||||
'$noplugshint' => DI::l10n()->t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
|
'$noplugshint' => DI::l10n()->t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
|
||||||
'$form_security_token' => parent::getFormSecurityToken('admin_addons'),
|
'$form_security_token' => self::getFormSecurityToken('admin_addons'),
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,12 +34,12 @@ class Contact extends BaseAdmin
|
||||||
{
|
{
|
||||||
parent::post($parameters);
|
parent::post($parameters);
|
||||||
|
|
||||||
|
self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
|
||||||
|
|
||||||
$contact_url = $_POST['contact_url'] ?? '';
|
$contact_url = $_POST['contact_url'] ?? '';
|
||||||
$block_reason = $_POST['contact_block_reason'] ?? '';
|
$block_reason = $_POST['contact_block_reason'] ?? '';
|
||||||
$contacts = $_POST['contacts'] ?? [];
|
$contacts = $_POST['contacts'] ?? [];
|
||||||
|
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
|
|
||||||
|
|
||||||
if (!empty($_POST['page_contactblock_block'])) {
|
if (!empty($_POST['page_contactblock_block'])) {
|
||||||
$contact_id = Model\Contact::getIdForURL($contact_url);
|
$contact_id = Model\Contact::getIdForURL($contact_url);
|
||||||
if ($contact_id) {
|
if ($contact_id) {
|
||||||
|
@ -89,7 +89,7 @@ class Contact extends BaseAdmin
|
||||||
'$h_newblock' => DI::l10n()->t('Block New Remote Contact'),
|
'$h_newblock' => DI::l10n()->t('Block New Remote Contact'),
|
||||||
'$th_contacts' => [DI::l10n()->t('Photo'), DI::l10n()->t('Name'), DI::l10n()->t('Reason')],
|
'$th_contacts' => [DI::l10n()->t('Photo'), DI::l10n()->t('Name'), DI::l10n()->t('Reason')],
|
||||||
|
|
||||||
'$form_security_token' => parent::getFormSecurityToken('admin_contactblock'),
|
'$form_security_token' => self::getFormSecurityToken('admin_contactblock'),
|
||||||
|
|
||||||
// values //
|
// values //
|
||||||
'$baseurl' => DI::baseUrl()->get(true),
|
'$baseurl' => DI::baseUrl()->get(true),
|
||||||
|
|
|
@ -36,7 +36,7 @@ class Server extends BaseAdmin
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
|
self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
|
||||||
|
|
||||||
if (!empty($_POST['page_blocklist_save'])) {
|
if (!empty($_POST['page_blocklist_save'])) {
|
||||||
// Add new item to blocklist
|
// Add new item to blocklist
|
||||||
|
@ -108,7 +108,7 @@ class Server extends BaseAdmin
|
||||||
'$entries' => $blocklistform,
|
'$entries' => $blocklistform,
|
||||||
'$baseurl' => DI::baseUrl()->get(true),
|
'$baseurl' => DI::baseUrl()->get(true),
|
||||||
'$confirm_delete' => DI::l10n()->t('Delete entry from blocklist?'),
|
'$confirm_delete' => DI::l10n()->t('Delete entry from blocklist?'),
|
||||||
'$form_security_token' => parent::getFormSecurityToken("admin_blocklist")
|
'$form_security_token' => self::getFormSecurityToken("admin_blocklist")
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,7 +32,7 @@ class Features extends BaseAdmin
|
||||||
{
|
{
|
||||||
parent::post($parameters);
|
parent::post($parameters);
|
||||||
|
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
|
self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
|
||||||
|
|
||||||
$features = Feature::get(false);
|
$features = Feature::get(false);
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@ class Features extends BaseAdmin
|
||||||
|
|
||||||
$tpl = Renderer::getMarkupTemplate('admin/features.tpl');
|
$tpl = Renderer::getMarkupTemplate('admin/features.tpl');
|
||||||
$o = Renderer::replaceMacros($tpl, [
|
$o = Renderer::replaceMacros($tpl, [
|
||||||
'$form_security_token' => parent::getFormSecurityToken("admin_manage_features"),
|
'$form_security_token' => self::getFormSecurityToken("admin_manage_features"),
|
||||||
'$baseurl' => DI::baseUrl()->get(true),
|
'$baseurl' => DI::baseUrl()->get(true),
|
||||||
'$title' => DI::l10n()->t('Manage Additional Features'),
|
'$title' => DI::l10n()->t('Manage Additional Features'),
|
||||||
'$features' => $features,
|
'$features' => $features,
|
||||||
|
|
|
@ -37,7 +37,7 @@ class Delete extends BaseAdmin
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
|
self::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
|
||||||
|
|
||||||
if (!empty($_POST['page_deleteitem_submit'])) {
|
if (!empty($_POST['page_deleteitem_submit'])) {
|
||||||
$guid = trim(Strings::escapeTags($_POST['deleteitemguid']));
|
$guid = trim(Strings::escapeTags($_POST['deleteitemguid']));
|
||||||
|
@ -68,7 +68,7 @@ class Delete extends BaseAdmin
|
||||||
'$intro1' => DI::l10n()->t('On this page you can delete an item from your node. If the item is a top level posting, the entire thread will be deleted.'),
|
'$intro1' => DI::l10n()->t('On this page you can delete an item from your node. If the item is a top level posting, the entire thread will be deleted.'),
|
||||||
'$intro2' => DI::l10n()->t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
|
'$intro2' => DI::l10n()->t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
|
||||||
'$deleteitemguid' => ['deleteitemguid', DI::l10n()->t("GUID"), '', DI::l10n()->t("The GUID of the item you want to delete."), 'required', 'autofocus'],
|
'$deleteitemguid' => ['deleteitemguid', DI::l10n()->t("GUID"), '', DI::l10n()->t("The GUID of the item you want to delete."), 'required', 'autofocus'],
|
||||||
'$form_security_token' => parent::getFormSecurityToken("admin_deleteitem")
|
'$form_security_token' => self::getFormSecurityToken("admin_deleteitem")
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,25 +33,26 @@ class Settings extends BaseAdmin
|
||||||
{
|
{
|
||||||
parent::post($parameters);
|
parent::post($parameters);
|
||||||
|
|
||||||
if (!empty($_POST['page_logs'])) {
|
if (empty($_POST['page_logs'])) {
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
|
return;
|
||||||
|
|
||||||
$logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
|
|
||||||
$debugging = !empty($_POST['debugging']);
|
|
||||||
$loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR;
|
|
||||||
|
|
||||||
if (is_file($logfile) &&
|
|
||||||
!is_writeable($logfile)) {
|
|
||||||
notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile));
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
DI::config()->set('system', 'logfile', $logfile);
|
|
||||||
DI::config()->set('system', 'debugging', $debugging);
|
|
||||||
DI::config()->set('system', 'loglevel', $loglevel);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
info(DI::l10n()->t("Log settings updated."));
|
self::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
|
||||||
|
|
||||||
|
$logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
|
||||||
|
$debugging = !empty($_POST['debugging']);
|
||||||
|
$loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR;
|
||||||
|
|
||||||
|
if (is_file($logfile) &&
|
||||||
|
!is_writeable($logfile)) {
|
||||||
|
notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
DI::config()->set('system', 'logfile', $logfile);
|
||||||
|
DI::config()->set('system', 'debugging', $debugging);
|
||||||
|
DI::config()->set('system', 'loglevel', $loglevel);
|
||||||
|
|
||||||
DI::baseUrl()->redirect('admin/logs');
|
DI::baseUrl()->redirect('admin/logs');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -86,7 +87,7 @@ class Settings extends BaseAdmin
|
||||||
'$debugging' => ['debugging', DI::l10n()->t("Enable Debugging"), DI::config()->get('system', 'debugging'), ""],
|
'$debugging' => ['debugging', DI::l10n()->t("Enable Debugging"), DI::config()->get('system', 'debugging'), ""],
|
||||||
'$logfile' => ['logfile', DI::l10n()->t("Log file"), DI::config()->get('system', 'logfile'), DI::l10n()->t("Must be writable by web server. Relative to your Friendica top-level directory.")],
|
'$logfile' => ['logfile', DI::l10n()->t("Log file"), DI::config()->get('system', 'logfile'), DI::l10n()->t("Must be writable by web server. Relative to your Friendica top-level directory.")],
|
||||||
'$loglevel' => ['loglevel', DI::l10n()->t("Log level"), DI::config()->get('system', 'loglevel'), "", $log_choices],
|
'$loglevel' => ['loglevel', DI::l10n()->t("Log level"), DI::config()->get('system', 'loglevel'), "", $log_choices],
|
||||||
'$form_security_token' => parent::getFormSecurityToken("admin_logs"),
|
'$form_security_token' => self::getFormSecurityToken("admin_logs"),
|
||||||
'$phpheader' => DI::l10n()->t("PHP logging"),
|
'$phpheader' => DI::l10n()->t("PHP logging"),
|
||||||
'$phphint' => DI::l10n()->t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
|
'$phphint' => DI::l10n()->t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
|
||||||
'$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
|
'$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
|
||||||
|
|
|
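Review bot: `$logfile` comes from `$_POST['logfile']` and is stored with `DI::config()->set('system', 'logfile', $logfile)` after only `Strings::escapeTags(trim(...))` and the `is_file`/`is_writeable` test, which rejects an existing unwritable file but accepts any path that does not exist yet. Because the web server later writes to that path, the handler should constrain it before storing: resolve it, require it to sit under a dedicated log directory, and reject a directory or a path with no writable parent. The conflict resolution also appears to drop the `Log settings updated.` message from the new side; if that was not intended, it should be restored before `DI::baseUrl()->redirect('admin/logs');`.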
@ -718,7 +718,7 @@ class Site extends BaseAdmin
|
||||||
'$relay_server_tags' => ['relay_server_tags', DI::l10n()->t('Server tags'), DI::config()->get('system', 'relay_server_tags'), DI::l10n()->t('Comma separated list of tags for the "tags" subscription.')],
|
'$relay_server_tags' => ['relay_server_tags', DI::l10n()->t('Server tags'), DI::config()->get('system', 'relay_server_tags'), DI::l10n()->t('Comma separated list of tags for the "tags" subscription.')],
|
||||||
'$relay_user_tags' => ['relay_user_tags', DI::l10n()->t('Allow user tags'), DI::config()->get('system', 'relay_user_tags', true), DI::l10n()->t('If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".')],
|
'$relay_user_tags' => ['relay_user_tags', DI::l10n()->t('Allow user tags'), DI::config()->get('system', 'relay_user_tags', true), DI::l10n()->t('If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".')],
|
||||||
|
|
||||||
'$form_security_token' => parent::getFormSecurityToken('admin_site'),
|
'$form_security_token' => self::getFormSecurityToken('admin_site'),
|
||||||
'$relocate_button' => DI::l10n()->t('Start Relocation'),
|
'$relocate_button' => DI::l10n()->t('Start Relocation'),
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
|
@ -37,7 +37,7 @@ class Index extends BaseAdmin
|
||||||
|
|
||||||
// reload active themes
|
// reload active themes
|
||||||
if (!empty($_GET['action'])) {
|
if (!empty($_GET['action'])) {
|
||||||
parent::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
|
self::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
|
||||||
|
|
||||||
switch ($_GET['action']) {
|
switch ($_GET['action']) {
|
||||||
case 'reload':
|
case 'reload':
|
||||||
|
@ -119,7 +119,7 @@ class Index extends BaseAdmin
|
||||||
'$noplugshint' => DI::l10n()->t('No themes found on the system. They should be placed in %1$s', '<code>/view/themes</code>'),
|
'$noplugshint' => DI::l10n()->t('No themes found on the system. They should be placed in %1$s', '<code>/view/themes</code>'),
|
||||||
'$experimental' => DI::l10n()->t('[Experimental]'),
|
'$experimental' => DI::l10n()->t('[Experimental]'),
|
||||||
'$unsupported' => DI::l10n()->t('[Unsupported]'),
|
'$unsupported' => DI::l10n()->t('[Unsupported]'),
|
||||||
'$form_security_token' => parent::getFormSecurityToken('admin_themes'),
|
'$form_security_token' => self::getFormSecurityToken('admin_themes'),
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
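Review bot: The action check passes `DI::baseUrl()->get() . '/admin/themes'` as the error redirect, while every other call touched by this commit passes a site-relative path such as `'/admin/addons'`. If the helper hands this value to the same base-URL redirect used elsewhere (`DI::baseUrl()->redirect('admin/logs')`), an absolute URL may be prefixed twice or rejected on the token-failure path; the helper is not visible here, so this needs confirming. Normalizing the call to `self::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');` would match the rest of the commit.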
@ -31,12 +31,12 @@ class Tos extends BaseAdmin
|
||||||
{
|
{
|
||||||
parent::post($parameters);
|
parent::post($parameters);
|
||||||
|
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
|
|
||||||
|
|
||||||
if (empty($_POST['page_tos'])) {
|
if (empty($_POST['page_tos'])) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
self::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
|
||||||
|
|
||||||
$displaytos = !empty($_POST['displaytos']);
|
$displaytos = !empty($_POST['displaytos']);
|
||||||
$displayprivstatement = !empty($_POST['displayprivstatement']);
|
$displayprivstatement = !empty($_POST['displayprivstatement']);
|
||||||
$tostext = (!empty($_POST['tostext']) ? strip_tags(trim($_POST['tostext'])) : '');
|
$tostext = (!empty($_POST['tostext']) ? strip_tags(trim($_POST['tostext'])) : '');
|
||||||
|
@ -64,7 +64,7 @@ class Tos extends BaseAdmin
|
||||||
'$preview' => DI::l10n()->t('Privacy Statement Preview'),
|
'$preview' => DI::l10n()->t('Privacy Statement Preview'),
|
||||||
'$privtext' => $tos->privacy_complete,
|
'$privtext' => $tos->privacy_complete,
|
||||||
'$tostext' => ['tostext', DI::l10n()->t('The Terms of Service'), DI::config()->get('system', 'tostext'), DI::l10n()->t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
|
'$tostext' => ['tostext', DI::l10n()->t('The Terms of Service'), DI::config()->get('system', 'tostext'), DI::l10n()->t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
|
||||||
'$form_security_token' => parent::getFormSecurityToken('admin_tos'),
|
'$form_security_token' => self::getFormSecurityToken('admin_tos'),
|
||||||
'$submit' => DI::l10n()->t('Save Settings'),
|
'$submit' => DI::l10n()->t('Save Settings'),
|
||||||
]);
|
]);
|
||||||
}
|
}
|
||||||
|
|
|
@ -36,6 +36,8 @@ class Users extends BaseAdmin
|
||||||
{
|
{
|
||||||
parent::post($parameters);
|
parent::post($parameters);
|
||||||
|
|
||||||
|
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
|
||||||
|
|
||||||
$pending = $_POST['pending'] ?? [];
|
$pending = $_POST['pending'] ?? [];
|
||||||
$users = $_POST['user'] ?? [];
|
$users = $_POST['user'] ?? [];
|
||||||
$nu_name = $_POST['new_user_name'] ?? '';
|
$nu_name = $_POST['new_user_name'] ?? '';
|
||||||
|
@ -43,8 +45,6 @@ class Users extends BaseAdmin
|
||||||
$nu_email = $_POST['new_user_email'] ?? '';
|
$nu_email = $_POST['new_user_email'] ?? '';
|
||||||
$nu_language = DI::config()->get('system', 'language');
|
$nu_language = DI::config()->get('system', 'language');
|
||||||
|
|
||||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
|
|
||||||
|
|
||||||
if ($nu_name !== '' && $nu_email !== '' && $nu_nickname !== '') {
|
if ($nu_name !== '' && $nu_email !== '' && $nu_nickname !== '') {
|
||||||
try {
|
try {
|
||||||
User::createMinimal($nu_name, $nu_email, $nu_nickname, $nu_language);
|
User::createMinimal($nu_name, $nu_email, $nu_nickname, $nu_language);
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
{{if $admin_form}}
|
{{if $admin_form}}
|
||||||
<h3>{{$settings}}</h3>
|
<h3>{{$settings}}</h3>
|
||||||
<form method="post" action="{{$baseurl}}/admin/{{$function}}/{{$addon}}">
|
<form method="post" action="{{$baseurl}}/admin/{{$function}}/{{$addon}}">
|
||||||
|
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
|
||||||
{{$admin_form nofilter}}
|
{{$admin_form nofilter}}
|
||||||
</form>
|
</form>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
|