XSRF protection and PHPdoc for mod/admin.php
authorTobias Hößl <tobias@hoessl.eu>
Wed, 18 Apr 2012 07:24:47 +0000 (07:24 +0000)
committerTobias Hößl <tobias@hoessl.eu>
Wed, 18 Apr 2012 07:24:47 +0000 (07:24 +0000)
mod/admin.php
view/admin_logs.tpl
view/admin_site.tpl
view/admin_users.tpl
view/theme/diabook-aerith/admin_users.tpl
view/theme/diabook-blue/admin_users.tpl
view/theme/diabook-red/admin_users.tpl
view/theme/diabook/admin_users.tpl

index 7386dc5a3c0a1e3d93b5f3b732aff73d6d62a0bf..8cee6ed5b2e880eff75df8923416fb41eced47b8 100644 (file)
@@ -4,7 +4,11 @@
   * Friendica admin
   */
 require_once("include/remoteupdate.php");
+
+
+/**
+ * @param App $a
+ */
 function admin_post(&$a){
 
 
@@ -67,6 +71,10 @@ function admin_post(&$a){
        return; // NOTREACHED   
 }
 
+/**
+ * @param App $a
+ * @return string
+ */
 function admin_content(&$a) {
 
        if(!is_site_admin()) {
@@ -74,7 +82,7 @@ function admin_content(&$a) {
        }
 
        if(x($_SESSION,'submanage') && intval($_SESSION['submanage']))
-               return;
+               return "";
 
        /**
         * Side bar links
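Review bot: `return "";` on the submanage guard uses double quotes, while every other early return this commit introduces (the ajax branch of admin_content, admin_page_users, admin_page_plugins, admin_page_themes) is written `return '';`; `return '';` here would keep the file consistent. admin_content's body continues outside the hunk.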
@@ -147,6 +155,7 @@ function admin_content(&$a) {
        if(is_ajax()) {
                echo $o; 
                killme();
+               return '';
        } else {
                return $o;
        }
@@ -155,6 +164,8 @@ function admin_content(&$a) {
 
 /**
  * Admin Summary Page
+ * @param App $a
+ * @return string
  */
 function admin_page_summary(&$a) {
        $r = q("SELECT `page-flags`, COUNT(uid) as `count` FROM `user` GROUP BY `page-flags`");
@@ -188,12 +199,15 @@ function admin_page_summary(&$a) {
 
 /**
  * Admin Site Page
+ *  @param App $a
  */
 function admin_page_site_post(&$a){
        if (!x($_POST,"page_site")){
                return;
        }
 
+    check_form_security_token_redirectOnErr('/admin/site', 'admin_site');
+
        $sitename                       =       ((x($_POST,'sitename'))                 ? notags(trim($_POST['sitename']))                      : '');
        $banner                         =       ((x($_POST,'banner'))                   ? trim($_POST['banner'])                                        : false);
        $language                       =       ((x($_POST,'language'))                 ? notags(trim($_POST['language']))                      : '');
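Review bot: The added `check_form_security_token_redirectOnErr('/admin/site', 'admin_site');` line is indented with four spaces while the surrounding function body is tab-indented, so it sits at a different column from the statements around it; the same mixed indentation appears on the token lines added to admin_page_site, admin_page_users_post, admin_page_users, admin_page_logs_post and admin_page_logs. Re-indenting those lines with tabs keeps the file's existing style. The placement itself is right: the check runs only once a real `page_site` submission is present and before any `$_POST` value is consumed.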
@@ -298,7 +312,7 @@ function admin_page_site_post(&$a){
        } else {
                set_config('system','directory_submit_url', $global_directory);
        }
-       set_config('system','directory_search_url', $global_search_url);
+
        set_config('system','block_extended_register', $no_multi_reg);
        set_config('system','no_openid', $no_openid);
        set_config('system','no_regfullname', $no_regfullname);
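Review bot: Dropping `set_config('system','directory_search_url', $global_search_url);` is not covered by the commit title (XSRF protection and PHPdoc) and leaves a stray blank line where the call was. If the reason is that `$global_search_url` is no longer read from `$_POST` earlier in the function (outside this hunk), a one-line comment at this spot such as `// directory_search_url is no longer configurable from this form`, or a sentence in the commit message, would record why the setting silently stops being written. admin_page_site_post continues outside the hunk.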
@@ -317,7 +331,11 @@ function admin_page_site_post(&$a){
        return; // NOTREACHED   
        
 }
+
+/**
+ * @param  App $a
+ * @return string
+ */
 function admin_page_site(&$a) {
        
        /* Installed langs */
@@ -408,6 +426,7 @@ function admin_page_site(&$a) {
                '$proxy'                        => array('proxy', t("Proxy URL"), get_config('system','proxy'), ""),
                '$timeout'                      => array('timeout', t("Network timeout"), (x(get_config('system','curl_timeout'))?get_config('system','curl_timeout'):60), t("Value is in seconds. Set to 0 for unlimited (not recommended).")),
 
+        '$form_security_token' => get_form_security_token("admin_site"),
                        
        ));
 
@@ -416,11 +435,15 @@ function admin_page_site(&$a) {
 
 /**
  * Users admin page
+ *
+ * @param App $a
  */
 function admin_page_users_post(&$a){
        $pending = ( x($_POST, 'pending') ? $_POST['pending'] : Array() );
        $users = ( x($_POST, 'user') ? $_POST['user'] : Array() );
-       
+
+    check_form_security_token_redirectOnErr('/admin/users', 'admin_users');
+
        if (x($_POST,'page_users_block')){
                foreach($users as $uid){
                        q("UPDATE `user` SET `blocked`=1-`blocked` WHERE `uid`=%s",
@@ -452,7 +475,11 @@ function admin_page_users_post(&$a){
        goaway($a->get_baseurl(true) . '/admin/users' );
        return; // NOTREACHED   
 }
+
+/**
+ * @param App $a
+ * @return string
+ */
 function admin_page_users(&$a){
        if ($a->argc>2) {
                $uid = $a->argv[3];
@@ -460,10 +487,11 @@ function admin_page_users(&$a){
                if (count($user)==0){
                        notice( 'User not found' . EOL);
                        goaway($a->get_baseurl(true) . '/admin/users' );
-                       return; // NOTREACHED                                           
+                       return ''; // NOTREACHED
                }               
                switch($a->argv[2]){
                        case "delete":{
+                check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
                                // delete user
                                require_once("include/Contact.php");
                                user_remove($uid);
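Review bot: The same `check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');` is repeated in the `delete` case here and in the `block` case of the next hunk, so any case added to this switch later would start out without the check. One call placed just before `switch($a->argv[2]){`, after the user lookup has succeeded, covers both existing cases and any future one. This single-user branch of admin_page_users continues outside the hunk.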
@@ -471,6 +499,7 @@ function admin_page_users(&$a){
                                notice( sprintf(t("User '%s' deleted"), $user[0]['username']) . EOL);
                        }; break;
                        case "block":{
+                check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
                                q("UPDATE `user` SET `blocked`=%d WHERE `uid`=%s",
                                        intval( 1-$user[0]['blocked'] ),
                                        intval( $uid )
@@ -479,7 +508,7 @@ function admin_page_users(&$a){
                        }; break;
                }
                goaway($a->get_baseurl(true) . '/admin/users' );
-               return; // NOTREACHED   
+               return ''; // NOTREACHED
                
        }
        
@@ -555,6 +584,7 @@ function admin_page_users(&$a){
                '$confirm_delete_multi' => t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
                '$confirm_delete' => t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
 
+        '$form_security_token' => get_form_security_token("admin_users"),
 
                // values //
                '$baseurl' => $a->get_baseurl(true),
@@ -567,10 +597,12 @@ function admin_page_users(&$a){
 }
 
 
-/*
+/**
  * Plugins admin page
+ *
+ * @param App $a
+ * @return string
  */
-
 function admin_page_plugins(&$a){
        
        /**
@@ -580,7 +612,7 @@ function admin_page_plugins(&$a){
                $plugin = $a->argv[2];
                if (!is_file("addon/$plugin/$plugin.php")){
                        notice( t("Item not found.") );
-                       return;
+                       return '';
                }
                
                if (x($_GET,"a") && $_GET['a']=="t"){
@@ -597,7 +629,7 @@ function admin_page_plugins(&$a){
                        }
                        set_config("system","addon", implode(", ",$a->plugins));
                        goaway($a->get_baseurl(true) . '/admin/plugins' );
-                       return; // NOTREACHED   
+                       return ''; // NOTREACHED
                }
                // display plugin details
                require_once('library/markdown.php');
@@ -674,6 +706,11 @@ function admin_page_plugins(&$a){
        ));
 }
 
+/**
+ * @param array $themes
+ * @param string $th
+ * @param int $result
+ */
 function toggle_theme(&$themes,$th,&$result) {
        for($x = 0; $x < count($themes); $x ++) {
                if($themes[$x]['name'] === $th) {
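Review bot: The new docblock lists `$themes` and `$result` as plain `array`/`int` parameters, but the signature takes both by reference (`&$themes`, `&$result`), so the caller's variables are presumably written to; the PHPDoc should say so, e.g. `@param array $themes  theme list, modified in place` and `@param int $result  out-parameter set by this function`. The loop body that performs the writes is outside the hunk, so the exact effect should be confirmed before wording it.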
@@ -689,6 +726,11 @@ function toggle_theme(&$themes,$th,&$result) {
        }
 }
 
+/**
+ * @param array $themes
+ * @param string $th
+ * @return int
+ */
 function theme_status($themes,$th) {
        for($x = 0; $x < count($themes); $x ++) {
                if($themes[$x]['name'] === $th) {
@@ -702,9 +744,12 @@ function theme_status($themes,$th) {
        }
        return 0;
 }
-       
 
 
+/**
+ * @param array $themes
+ * @return string
+ */
 function rebuild_theme_table($themes) {
        $o = '';
        if(count($themes)) {
@@ -720,10 +765,12 @@ function rebuild_theme_table($themes) {
 }
 
        
-/*
+/**
  * Themes admin page
+ *
+ * @param App $a
+ * @return string
  */
-
 function admin_page_themes(&$a){
        
        $allowed_themes_str = get_config('system','allowed_themes');
@@ -740,7 +787,7 @@ function admin_page_themes(&$a){
         foreach($files as $file) {
             $f = basename($file);
             $is_experimental = intval(file_exists($file . '/experimental'));
-                       $is_unsupported = 1-(intval(file_exists($file . '/unsupported')));
+                       $is_supported = 1-(intval(file_exists($file . '/unsupported'))); // Is not used yet
                        $is_allowed = intval(in_array($f,$allowed_themes));
                        $themes[] = array('name' => $f, 'experimental' => $is_experimental, 'supported' => $is_supported, 'allowed' => $is_allowed);
         }
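Review bot: The comment `// Is not used yet` on the renamed `$is_supported` assignment is contradicted by the very next line, which stores it as the `supported` entry of each `$themes[]` element. Before this change that line read an undefined `$is_supported` (only `$is_unsupported` was ever assigned), so the rename is a real fix and deserves a truthful comment, e.g. `// 1 unless the theme directory contains an 'unsupported' marker file`. Whether anything downstream reads the `supported` key is not visible here.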
@@ -748,7 +795,7 @@ function admin_page_themes(&$a){
 
        if(! count($themes)) {
                notice( t('No themes found.'));
-               return;
+               return '';
        }
 
        /**
@@ -759,7 +806,7 @@ function admin_page_themes(&$a){
                $theme = $a->argv[2];
                if(! is_dir("view/theme/$theme")){
                        notice( t("Item not found.") );
-                       return;
+                       return '';
                }
                
                if (x($_GET,"a") && $_GET['a']=="t"){
@@ -775,7 +822,7 @@ function admin_page_themes(&$a){
 
                        set_config('system','allowed_themes',$s);
                        goaway($a->get_baseurl(true) . '/admin/themes' );
-                       return; // NOTREACHED   
+                       return ''; // NOTREACHED
                }
 
                // display theme details
@@ -859,10 +906,13 @@ function admin_page_themes(&$a){
 
 /**
  * Logs admin page
+ *
+ * @param App $a
  */
  
 function admin_page_logs_post(&$a) {
        if (x($_POST,"page_logs")) {
+        check_form_security_token_redirectOnErr('/admin/logs', 'admin_logs');
 
                $logfile                =       ((x($_POST,'logfile'))          ? notags(trim($_POST['logfile']))       : '');
                $debugging              =       ((x($_POST,'debugging'))        ? true                                                          : false);
@@ -879,7 +929,11 @@ function admin_page_logs_post(&$a) {
        goaway($a->get_baseurl(true) . '/admin/logs' );
        return; // NOTREACHED   
 }
+
+/**
+ * @param App $a
+ * @return string
+ */
 function admin_page_logs(&$a){
        
        $log_choices = Array(
@@ -937,9 +991,14 @@ readable.");
                '$debugging'            => array('debugging', t("Debugging"),get_config('system','debugging'), ""),
                '$logfile'                      => array('logfile', t("Log file"), get_config('system','logfile'), t("Must be writable by web server. Relative to your Friendica top-level directory.")),
                '$loglevel'             => array('loglevel', t("Log level"), get_config('system','loglevel'), "", $log_choices),
+
+        '$form_security_token' => get_form_security_token("admin_logs"),
        ));
 }
 
+/**
+ * @param App $a
+ */
 function admin_page_remoteupdate_post(&$a) {
        // this function should be called via ajax post
        if(!is_site_admin()) {
@@ -958,6 +1017,10 @@ function admin_page_remoteupdate_post(&$a) {
        killme();
 }
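Review bot: admin_page_remoteupdate_post is a state-changing POST handler (its own comment says it should be called via ajax post), yet none of the lines visible here add a `check_form_security_token_*` call to it, while admin_page_site_post, admin_page_users_post and admin_page_logs_post all gain one in this commit. If the body outside the hunk does not validate a token, the remote-update action is left without the protection the rest of the admin module now has, and the matching template would also need the hidden `form_security_token` field. The function body between the `is_site_admin()` guard and `killme()` is outside the hunk.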
 
+/**
+ * @param App $a
+ * @return string
+ */
 function admin_page_remoteupdate(&$a) {
        if(!is_site_admin()) {
                return login(false);
index 9d133b1553b22ca8440841af5f91a566abd4c1f0..b777cf420169d10529ac0bd5d44511c704af9f67 100644 (file)
@@ -2,6 +2,7 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/logs" method="post">
+    <input type='hidden' name='form_security_token' value='$form_security_token'>
 
        {{ inc field_checkbox.tpl with $field=$debugging }}{{ endinc }}
        {{ inc field_input.tpl with $field=$logfile }}{{ endinc }}
index 9de6bd9c5b3788775b50e44d09e99519bb8894cc..2b9db9f357bb248534e72c41aa16c6d19262ed77 100644 (file)
@@ -38,7 +38,8 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/site" method="post">
-       
+    <input type='hidden' name='form_security_token' value='$form_security_token'>
+
        {{ inc field_input.tpl with $field=$sitename }}{{ endinc }}
        {{ inc field_textarea.tpl with $field=$banner }}{{ endinc }}
        {{ inc field_select.tpl with $field=$language }}{{ endinc }}
index bde7edb598fa4200d926b538a7894ea9835fc8ee..f67e4a0f74244fffdb599484575aca6c449b13d5 100644 (file)
@@ -14,6 +14,7 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/users" method="post">
+        <input type='hidden' name='form_security_token' value='$form_security_token'>
                
                <h3>$h_pending</h3>
                {{ if $pending }}
@@ -72,8 +73,8 @@
                                                <td class='login_date'>$u.page-flags</td>
                                                <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
                                                <td class="tools">
-                                                       <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
-                                                       <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon drop'></span></a>
+                                                       <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
+                                                       <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon drop'></span></a>
                                                </td>
                                        </tr>
                                {{ endfor }}
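Review bot: The block and delete actions remain plain GET links, now carrying the token as `?t=$form_security_token`, so the token ends up in browser history, in the Referer header of whatever page the admin navigates to next, and in web-server or proxy access logs. The per-request check in admin_page_users does reject plain forged links, but turning each action into a small POST form (or a JS-submitted POST) with the hidden `form_security_token` field would keep the token out of URLs and match how the bulk actions on the same page are already submitted. The same links are duplicated in the four diabook theme copies of admin_users.tpl below.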
index 40f94f5fef8aa507e542814c57fd569c0cbc0a55..a03573aac5a1579378b5578666dc417f9bae4716 100644 (file)
@@ -14,7 +14,8 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/users" method="post">
-               
+        <input type='hidden' name='form_security_token' value='$form_security_token'>
+
                <h3>$h_pending</h3>
                {{ if $pending }}
                        <table id='pending'>
@@ -72,8 +73,8 @@
                                                <td class='login_date'>$u.page-flags</td>
                                                <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
                                                <td class="tools" style="width:60px;">
-                                                       <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
-                                                       <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
+                                                       <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
+                                                       <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
                                                </td>
                                        </tr>
                                {{ endfor }}
index 40f94f5fef8aa507e542814c57fd569c0cbc0a55..a03573aac5a1579378b5578666dc417f9bae4716 100644 (file)
@@ -14,7 +14,8 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/users" method="post">
-               
+        <input type='hidden' name='form_security_token' value='$form_security_token'>
+
                <h3>$h_pending</h3>
                {{ if $pending }}
                        <table id='pending'>
@@ -72,8 +73,8 @@
                                                <td class='login_date'>$u.page-flags</td>
                                                <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
                                                <td class="tools" style="width:60px;">
-                                                       <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
-                                                       <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
+                                                       <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
+                                                       <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
                                                </td>
                                        </tr>
                                {{ endfor }}
index 40f94f5fef8aa507e542814c57fd569c0cbc0a55..b465dc1b08b84e6bf34d152f6a8e48b8d1c27646 100644 (file)
@@ -14,6 +14,7 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/users" method="post">
+        <input type='hidden' name='form_security_token' value='$form_security_token'>
                
                <h3>$h_pending</h3>
                {{ if $pending }}
@@ -72,8 +73,8 @@
                                                <td class='login_date'>$u.page-flags</td>
                                                <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
                                                <td class="tools" style="width:60px;">
-                                                       <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
-                                                       <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
+                                                       <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
+                                                       <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
                                                </td>
                                        </tr>
                                {{ endfor }}
index 40f94f5fef8aa507e542814c57fd569c0cbc0a55..b465dc1b08b84e6bf34d152f6a8e48b8d1c27646 100644 (file)
@@ -14,6 +14,7 @@
        <h1>$title - $page</h1>
        
        <form action="$baseurl/admin/users" method="post">
+        <input type='hidden' name='form_security_token' value='$form_security_token'>
                
                <h3>$h_pending</h3>
                {{ if $pending }}
@@ -72,8 +73,8 @@
                                                <td class='login_date'>$u.page-flags</td>
                                                <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
                                                <td class="tools" style="width:60px;">
-                                                       <a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
-                                                       <a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
+                                                       <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
+                                                       <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
                                                </td>
                                        </tr>
                                {{ endfor }}