author | rvelices <rv-github@modusoptimus.com> | 2010-03-25 05:59:35 +0000 |
committer | rvelices <rv-github@modusoptimus.com> | 2010-03-25 05:59:35 +0000 |
commit | 6717089705236eb15e640628f045cc9a74c16c70 (patch) | |
tree | 8d2e8d76f731afbd2619ab1ba97c8ef7c314136b | |
parent | 7fb629e04d6e98eab67cd592b2e0c34b1e9fa296 (diff) |
- fix cat_modify
* missing token in url
* double icon display
- simplified func check_pwg_token
git-svn-id: http://piwigo.org/svn/trunk@5335 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r-- | admin/cat_modify.php | 13 | ||||
-rw-r--r-- | admin/themes/default/template/cat_modify.tpl | 2 | ||||
-rw-r--r-- | include/functions.inc.php | 20 |
3 files changed, 14 insertions, 21 deletions
diff --git a/admin/cat_modify.php b/admin/cat_modify.php
index 039317285..cf1556a1f 100644
--- a/admin/cat_modify.php
+++ b/admin/cat_modify.php
@@ -26,7 +26,6 @@ if (!defined('PHPWG_ROOT_PATH'))
 die('Hacking attempt!');
 }
-include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 // +-----------------------------------------------------------------------+
@@ -289,7 +288,7 @@ if ($category['is_virtual'])
 {
 $template->assign(
 array(
- 'U_DELETE' => $self_url.'&delete='.$category['id'],
+ 'U_DELETE' => $self_url.'&delete='.$category['id'].'&pwg_token='.get_pwg_token(),
 )
 );
 }
@@ -344,12 +343,12 @@ for ($i=0; $i<3; $i++) // 3 fields
 'FIELD' => array(''),
 'DIRECTION' => array('ASC'),
 );
-
+
 if ( isset($matches[1][$i]) )
 {
 $tpl_image_order_select['FIELD'] = array($matches[1][$i]);
 }
-
+
 if (isset($matches[2][$i]) and strcasecmp($matches[2][$i],'DESC')==0)
 {
 $tpl_image_order_select['DIRECTION'] = array('DESC');
@@ -450,7 +449,7 @@ if (isset($_POST['submitEmail']) and !empty($_POST['group']))
 {
 set_make_full_url();
- /* TODO: if $category['representative_picture_id']
+ /* TODO: if $category['representative_picture_id']
 is empty find child representative_picture_id */
 if (!empty($category['representative_picture_id']))
 {
@@ -474,7 +473,7 @@ SELECT id, file, path, tn_ext
 .'" class="thumblnk"><img src="'.get_thumbnail_url($element).'"></a>';
 }
 }
-
+
 if (!isset($img_url))
 {
 $img_url = '';
@@ -512,7 +511,7 @@ SELECT
 WHERE id = '.$_POST['group'].'
 ;';
 list($group_name) = pwg_db_fetch_row(pwg_query($query));
-
+
 array_push(
 $page['infos'],
 sprintf(
diff --git a/admin/themes/default/template/cat_modify.tpl b/admin/themes/default/template/cat_modify.tpl
index 1878da75c..348683003 100644
--- a/admin/themes/default/template/cat_modify.tpl
+++ b/admin/themes/default/template/cat_modify.tpl
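Review bot: The `U_DELETE` change in the second hunk puts the anti-CSRF token into a plain GET link (`$self_url.'&delete='.$category['id'].'&pwg_token='.get_pwg_token()`), so category deletion remains a state-changing action driven by a GET request, and the token now travels in the URL where it can end up in server logs, browser history and the Referer header sent by the confirmation page. A small POST form with a hidden `pwg_token` field for the delete action would keep the token out of the URL and stop link-prefetching tools from triggering the deletion. Whether the code handling the `delete` parameter calls `check_pwg_token()` before acting is not visible in this hunk. Separately, the unchanged context line `WHERE id = '.$_POST['group'].'` in the last hunk still interpolates request input straight into SQL; casting it with `intval($_POST['group'])` (or the project's escaping helper) before building the query is worth a follow-up.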
@@ -21,7 +21,7 @@
 <li><a href="{$U_MANAGE_PERMISSIONS}" title="{'Permissions'|@translate}"><img src="{$ROOT_URL}{$themeconf.admin_icon_dir}/category_Permissions.png" class="button" alt="{'Permissions'|@translate}"></a></li>
 {/if}
 {if isset($U_DELETE) }
- <li><a href="{$U_DELETE}" title="{'Are you sure?'|@translate|@escape:'javascript'}');"><img src="{$ROOT_URL}{$themeconf.admin_icon_dir}/category_delete.png" class="button" alt="{'delete'|@translate}" onclick="return confirm('{'Are you sure?'|@translate|@escape:'javascript'}');"><img src="{$ROOT_URL}{$themeconf.admin_icon_dir}/category_delete.png" class="button" alt="{'delete'|@translate}"></a></li>
+ <li><a href="{$U_DELETE}" title="{'delete'|@translate}"><img src="{$ROOT_URL}{$themeconf.admin_icon_dir}/category_delete.png" class="button" alt="{'delete'|@translate}" onclick="return confirm('{'Are you sure?'|@translate|@escape:javascript}');"></a></li>
 {/if}
 </ul>
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 8a34990fa..5d095eaa1 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1453,21 +1453,15 @@ function get_icon($date, $is_child_date = false)
 */
 function check_pwg_token()
 {
- $valid_token = get_pwg_token();
- $given_token = null;
-
- if (!empty($_POST['pwg_token']))
- {
- $given_token = $_POST['pwg_token'];
- }
- elseif (!empty($_GET['pwg_token']))
- {
- $given_token = $_GET['pwg_token'];
- }
- if ($given_token != $valid_token)
+ if (!empty($_REQUEST['pwg_token']))
 {
- access_denied();
+ if (get_pwg_token() != $_REQUEST['pwg_token'])
+ {
+ access_denied();
+ }
 }
+ else
+ bad_request('missing token');
 }
 function get_pwg_token() |
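Review bot: The new check `if (get_pwg_token() != $_REQUEST['pwg_token'])` compares the tokens with PHP's loose `!=`, so two strings that both look numeric (hex tokens of the form `0e…` are the classic case) compare equal even when they differ, and the comparison is not constant-time. A strict, constant-time check is `if (!is_string($_REQUEST['pwg_token']) || !hash_equals(get_pwg_token(), $_REQUEST['pwg_token']))` where hash_equals is available, and `!==` at minimum. Reading the token from `$_REQUEST` instead of the removed explicit `$_POST`/`$_GET` lookups also makes the accepted channel depend on the interpreter's request_order setting, which can include cookies; keeping the two explicit superglobal reads keeps the accepted sources deliberate. The brace-less `else bad_request('missing token');` departs from the braced style used in the rest of this function. `get_pwg_token()` starts on the hunk's last line and its body is outside the hunk, so the token's format cannot be confirmed here.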