X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fnewmessage.php;h=67695210ec21ebf5db6add7234fbd1f0d2ee1f33;hb=2abe10b8ea4b5d69fc7f6513bf465541454ca2cf;hp=95b98ec4798b1eb21ccb159e68489c8a751f2327;hpb=130ba2888643992943780962dd4efcca3c595735;p=quix0rs-gnu-social.git
diff --git a/actions/newmessage.php b/actions/newmessage.php
index 95b98ec479..67695210ec 100644
--- a/actions/newmessage.php
+++ b/actions/newmessage.php
@@ -34,20 +34,32 @@ class NewmessageAction extends Action {
 }
 function save_new_message() {
-
 $user = common_current_user();
 assert($user); # XXX: maybe an error instead...
+
+ # CSRF protection
+
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->show_form(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
+
 $content = $this->trimmed('content');
 $to = $this->trimmed('to');
 if (!$content) {
 $this->show_form(_('No content!'));
 return;
- } else if (mb_strlen($content) > 140) {
- common_debug("Content = '$content'", __FILE__);
- common_debug("mb_strlen(\$content) = " . mb_strlen($content), __FILE__);
- $this->show_form(_('That\'s too long. Max message size is 140 chars.'));
- return;
+ } else {
+ $content_shortened = common_shorten_links($content);
+
+ if (mb_strlen($content_shortened) > 140) {
+ common_debug("Content = '$content_shortened'", __FILE__);
+ common_debug("mb_strlen(\$content) = " . mb_strlen($content_shortened), __FILE__);
+ $this->show_form(_('That\'s too long. Max message size is 140 chars.'));
+ return;
+ }
 }
 $other = User::staticGet('id', $to);
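Review bot: The session-token check in save_new_message compares with loose `!=`, under which two numeric-looking strings compare as numbers (for example `'0e1' == '0e2'` is true), so assuming common_session_token() returns a string the guard should read `if (!$token || $token !== common_session_token()) {` (or hash_equals() where the PHP version provides it). The shortened text is also only used for the length check: `$content_shortened` is never assigned back, and the unchanged save call in the next hunk still passes `$content`, so unless Message::saveNew shortens again, the text that was validated and the text that is stored differ. The two common_debug calls write the full body of a private message to the log on the over-length path; logging only `mb_strlen($content_shortened)` keeps the diagnostic without putting message text in the log.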
@@ -58,6 +70,9 @@ class NewmessageAction extends Action {
 } else if (!$user->mutuallySubscribed($other)) {
 $this->client_error(_('You can\'t send a message to this user.'), 404);
 return;
+ } else if ($user->id == $other->id) {
+ $this->client_error(_('Don\'t send a message to yourself; just say it to yourself quietly instead.'), 403);
+ return;
 }
 $message = Message::saveNew($user->id, $other->id, $content, 'web');
@@ -67,10 +82,9 @@ class NewmessageAction extends Action {
 return;
 }
- $this->notify($user, $to, $message);
+ $this->notify($user, $other, $message);
- $url = common_local_url('showmessage',
- array('message' => $message->id));
+ $url = common_local_url('outbox', array('nickname' => $user->nickname));
 common_redirect($url, 303);
 }
@@ -80,41 +94,8 @@ class NewmessageAction extends Action {
 list($content, $user, $to) = $params;
 assert(!is_null($user));
-
- common_element_start('form', array('id' => 'message_form',
- 'method' => 'post',
- 'action' => $this->self_url()));
-
- common_element_start('p');
-
- $mutual_users = $user->mutuallySubscribedUsers();
-
- $mutual = array();
-
- while ($mutual_users->fetch()) {
- $mutual[$mutual_users->id] = $mutual_users->nickname;
- }
- $mutual_users->free();
- unset($mutual_users);
-
- common_dropdown('to', _('To'), $mutual,
- _('User you want to send a message to'), FALSE,
- $to->id);
-
- common_element('textarea', array('id' => 'content',
- 'cols' => 60,
- 'rows' => 3,
- 'name' => 'content'),
- ($content) ? $content : '');
-
- common_element('input', array('id' => 'message_send',
- 'name' => 'message_send',
- 'type' => 'submit',
- 'value' => _('Send')));
-
- common_element_end('p');
- common_element_end('form');
+ common_message_form($content, $user, $to);
 }
 function show_form($msg=NULL) {
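Review bot: The new self-send branch is evaluated only after the `mutuallySubscribed` test, so it is reachable only if that method reports a user as mutually subscribed to their own account; if it does not (not visible here), the branch is dead and a self-addressed message gets the generic 'can't send' 404 rather than the intended 403. Testing `$user->id == $other->id` first, before the subscription lookup, makes the intent hold either way and skips a query for that case. The enclosing save_new_message starts in the previous hunk and ends in the next.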
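Review bot: The form is now emitted by common_message_form, which lives outside this file, while save_new_message in the first hunk now rejects any POST that does not carry a `token` field equal to common_session_token(); nothing in this file emits that field, so confirm the helper renders the hidden token input, otherwise every submission of this form fails the session-token check. A short comment at the call, `# common_message_form must emit the hidden 'token' field checked in save_new_message`, would record that dependency. show_top's signature lies outside the hunk, which starts inside its body.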
@@ -122,9 +103,9 @@ class NewmessageAction extends Action {
 $content = $this->trimmed('content');
 $user = common_current_user();
- $to = common_canonical_nickname($this->trimmed('to'));
+ $to = $this->trimmed('to');
- $other = User::staticGet('nickname', $to);
+ $other = User::staticGet('id', $to);
 if (!$other) {
 $this->client_error(_('No such user'), 404);
@@ -137,7 +118,7 @@ class NewmessageAction extends Action {
 }
 common_show_header(_('New message'), NULL,
- array($content, $user, $to),
+ array($content, $user, $other),
 array($this, 'show_top'));
 if ($msg) {
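Review bot: `$to` now goes straight from the request into `User::staticGet('id', $to)` with no check that it is an integer, both in show_form here and in save_new_message in the first hunk, whereas the common_canonical_nickname() call it replaces at least normalised the value; whether the ORM quotes a non-numeric id safely is not visible in this file. Casting once at the boundary, `$to = (int) $this->trimmed('to');`, makes the following 'No such user' branch the only outcome for malformed input. show_form's signature is outside this hunk.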