function action($action, $forwarder = "") {
global $CONFIG;
+ // All actions require a token.
+ if (!action_gatekeeper()) {
+ $message = "ERROR: $action was called without an action token and has been ignored. This is usually caused by outdated 3rd party plugins.";
+
+ error_log($message);
+ register_error($message);
+ forward();
+ }
+
// if there are any query parameters, make them available from get_input
if (strpos($_SERVER['REQUEST_URI'], '?') !== FALSE) {
$query = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], '?') + 1);
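Review bot: The failure path added at L4-10 does not stop the request: after `forward()` control falls through to the query parsing and, further down, to the `include` of the action file, so the action still executes if `forward()` returns instead of exiting (its behaviour is not visible here). Conversely, if `forward()` does exit, the call inside `action_gatekeeper()` itself (see the gatekeeper hunk) fires first and the `error_log`/`register_error` lines in this block are never reached. Either way the block should not depend on the helper's exit semantics: `if (!action_gatekeeper()) { /* log + register_error */ forward(); return; }`, or call `validate_action_token()` directly here and do the logging and redirect in one place. The message also over-claims: the gatekeeper rejects expired or mismatched tokens too, so `"called with a missing or invalid action token"` would be accurate. action()'s body continues outside the hunk.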
}
}
}
-
+
$forwarder = str_replace($CONFIG->url, "", $forwarder);
$forwarder = str_replace("http://", "", $forwarder);
$forwarder = str_replace("@", "", $forwarder);
// since i assume this will be handled in the hook itself.
// TODO make this better!
if ($event_result) {
- /** Refs #749: We now warn if action token is missing. Later this will be replaced with action_gatekeeper() as detailed in #750 */
- if (!validate_action_token(false)) {
- // Display a temporary warning message -
- // in future versions this will be a hard fail via an action gatekeeper.
- $message = "WARNING: Action $action was called without an action token. It is stongly recommended that you consider doing this. Plugin authors should use 'input/form' or pass is_action=true to 'output/confirmlink' or 'output/url'.";
-
- //if ((!isset($CONFIG->disable_action_token_warning)) || (!$CONFIG->disable_action_token_warning))
- // register_error($message);
-
- error_log($message);
- }
-
if (!include($CONFIG->actions[$action]['file'])) {
register_error(sprintf(elgg_echo('actionundefined'),$action));
}
$generated_token = generate_action_token($ts);
// Validate token
- if (strcmp($token, $generated_token)==0) {
+ if ($token == $generated_token) {
$hour = 60*60;
$now = time();
register_error(elgg_echo('actiongatekeeper:missingfields'));
}
- return false;
+ return FALSE;
}
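Review bot: Replacing `strcmp($token, $generated_token)==0` with `$token == $generated_token` at L44 weakens the token check: `==` between two strings uses PHP's numeric-string comparison, so an md5 hex token of the form `0e<digits>` compares equal to any other numeric string such as `"0"`, and `$token` comes straight from the request. Use a strict comparison, `if ($token === $generated_token) {`, and prefer a constant-time compare (`hash_equals()` where the supported PHP version provides it) since this check guards every state-changing action. The enclosing validate_action_token() starts outside the hunk.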
/**
*/
function action_gatekeeper() {
if (validate_action_token()) {
- return true;
+ return TRUE;
}
forward();
return md5($site_secret.$timestamp.$session_id.$ua.$st);
}
- return false;
+ return FALSE;
}
/**
return $secret;
}
- return false;
+ return FALSE;
}
/**
*/
$form_body = "<p>" . elgg_echo('user:password:text') . "</p>";
-$form_body .= "<p><label>". elgg_echo('username') . " " . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>";
+$form_body .= "<p><label>". elgg_echo('username') . " "
+ . elgg_view('input/text', array('internalname' => 'username')) . "</label></p>";
$form_body .= elgg_view('input/captcha');
$form_body .= "<p>" . elgg_view('input/submit', array('value' => elgg_echo('request'))) . "</p>";
?>
<div class="contentWrapper">
-<?php echo elgg_view('input/form', array('action' => "{$vars['url']}action/user/requestnewpassword", 'body' => $form_body)); ?>
+<?php
+echo elgg_view('input/form', array(
+ 'action' => "{$vars['url']}action/user/requestnewpassword",
+ 'body' => $form_body)
+);
+?>
</div>
\ No newline at end of file
?>
<p><?php echo sprintf(elgg_echo('welcome:user'), $user); ?></p>
-<p><a href="<?php echo $vars['url']; ?>action/logout">[logout]</a></p>
\ No newline at end of file
+<p><?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?></p>
+
<input type="hidden" name="context" value="<?php echo get_context(); ?>" />
<input type="hidden" name="owner" value="<?php echo page_owner(); ?>" />
+
+<?php
+$ts = time();
+$token = generate_action_token($ts);
+?>
+<input type="hidden" name="__elgg_ts" value="<?php echo $ts; ?>" />
+<input type="hidden" name="__elgg_token" value="<?php echo $token; ?>" />
+
<input type="submit" value="<?php echo elgg_echo('save'); ?>" class="submit_button" onclick="$('a.toggle_customise_edit_panel').click();" />
<input type="button" value="<?php echo elgg_echo('cancel'); ?>" class="cancel_button" onclick="$('a.toggle_customise_edit_panel').click();" />
</td>
</tr>
-</table>
\ No newline at end of file
+</table>
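Review bot: The `__elgg_ts`/`__elgg_token` hidden fields are generated inline at L99-104, while the other forms in this commit obtain their token through `input/form` and `output/action_link`; if the form view emits the same two fields, pulling them into one reusable view (e.g. `input/securitytoken`, included by `input/form`) keeps the field names and the `generate_action_token($ts)` derivation in a single place, so a later change to the token scheme cannot leave this panel out of sync. If no such shared view exists yet, a comment on L99 noting that these names must match what `validate_action_token()` reads would at least document the coupling.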
float: left;
padding-right: 1em;
}
+
+.draggable {
+ cursor: move;
+}
\ No newline at end of file
$controls = "";
if ($vars['entity']->canEdit()) {
- $controls .= " (<a href=\"{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}\">" . elgg_echo('delete') . "</a>)";
+ $delete = elgg_view('output/confirm_link', array(
+ 'href' = "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",
+ 'text' => elgg_echo('delete')
+ );
+ $controls .= " ($delete)";
}
$info = "<div><p><b><a href=\"" . $vars['entity']->getUrl() . "\">" . $title . "</a></b> $controls </p></div>";
$icon = "<span title=\"" . elgg_echo('entity:default:missingsupport:popup') . "\">$icon</span>";
echo elgg_view_listing($icon, $info);
-}
\ No newline at end of file
+}
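Review bot: The `elgg_view('output/confirm_link', array(` call at L124-127 does not parse: `'href' = "..."` uses `=` instead of `=>`, and the call ends with `);` where `));` is needed to close both `array(` and `elgg_view(`, so this view is a fatal parse error as committed. The corrected lines are `'href' => "{$vars['url']}action/entities/delete?guid={$vars['entity']->guid}",` and `));`. The view name also differs from the `output/confirmlink` spelling in the warning text removed from actions.php in this same commit, so confirm which name actually exists.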
<div id="elgg_topbar_container_right">
- <a href="<?php echo $vars['url']; ?>action/logout"><small><?php echo elgg_echo('logout'); ?></small></a>
+ <small>
+ <?php echo elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout'))); ?>
+ </small>
</div>
<div id="elgg_topbar_container_search">
<div class="clearfloat"></div>
<?php
- }
\ No newline at end of file
+ }
}
if ($closed) {
?>
- <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=false')">+</a>
+ <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=false"); ?>')">+</a>
<?php
} else {
?>
- <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo $vars['url']; ?>action/user/spotlight?closed=true')">-</a>
+ <a href="javascript:void(0);" class="toggle_box_contents" onClick="$.post('<?php echo elgg_validate_action_url("{$vars['url']}action/user/spotlight?closed=true"); ?>')">-</a>
<?php
}
</div><!-- /.collapsable_box -->
</div><!-- /#wrapper_spotlight -->
-</div><!-- /#layout_spotlight -->
\ No newline at end of file
+</div><!-- /#layout_spotlight -->
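Review bot: At L152 and L157 the return value of `elgg_validate_action_url()` is echoed raw into a single-quoted JavaScript string inside an HTML attribute. If the helper appends the token as query parameters (`&__elgg_ts=...&__elgg_token=...`, as the hidden-field names elsewhere in this commit suggest), the bare `&` is invalid attribute markup and any quote in the output would break out of the JS string; wrap it as `htmlspecialchars(elgg_validate_action_url(...), ENT_QUOTES)`, or move the toggle into a script that reads the URL from a data attribute.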
//add various views to area1
$area1 = "<h2>" . sprintf(elgg_echo("welcome:user"),$vars['user']->name) . "</h2>";
$area1 .= "<p>" . elgg_echo("welcome_message") . "</p><br />";
-$url = $vars['url'] . "action/logout";
-$area1 .= "<a href=" . $url . ">" . elgg_echo('logout') . "</a>";
+$area1 .= elgg_view('output/action_link', array('href' => "{$vars['url']}action/logout", 'text' => elgg_echo('logout')));
//send area one to the appropriate canvas layout
$body = elgg_view_layout("one_column", $area1);
//draw to screen
-echo $body;
\ No newline at end of file
+echo $body;