aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2009-12-17 22:47:31 +0000
committerplegall <plg@piwigo.org>2009-12-17 22:47:31 +0000
commit2119631cd7e390cb13899f657c9bb96518cae870 (patch)
treefa9fe76cd6acd80cc12596234e27562c018906ff
parent587aaa02102e97f71a7dfb07ec48efc36593b924 (diff)
bug 1328: implement check_pwg_token for emails on user comments management.
The check_pwg_token and get_pwg_token functions were moved to the public side (for use on comments.php) The email sent to admins on new user comment does not directly includes validate/delete actions. git-svn-id: http://piwigo.org/svn/branches/2.0@4508 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r--admin/include/functions.php33
-rw-r--r--comments.php99
-rw-r--r--include/functions.inc.php33
-rw-r--r--include/functions_comment.inc.php22
4 files changed, 113 insertions, 74 deletions
diff --git a/admin/include/functions.php b/admin/include/functions.php
index b0013b29b..1081c9f3d 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -23,39 +23,6 @@
include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token
- */
-function check_pwg_token()
-{
- $valid_token = get_pwg_token();
- $given_token = null;
-
- if (!empty($_POST['pwg_token']))
- {
- $given_token = $_POST['pwg_token'];
- }
- elseif (!empty($_GET['pwg_token']))
- {
- $given_token = $_GET['pwg_token'];
- }
- if ($given_token != $valid_token)
- {
- access_denied();
- }
-}
-
-function get_pwg_token()
-{
- global $conf;
-
- return hash_hmac('md5', session_id(), $conf['secret_key']);
-}
-
// The function delete_site deletes a site and call the function
// delete_categories for each primary category of the site
function delete_site( $id )
diff --git a/comments.php b/comments.php
index 1f0221c08..b30db9fa8 100644
--- a/comments.php
+++ b/comments.php
@@ -113,6 +113,26 @@ if (!empty($_GET['author']))
$page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
}
+// search a specific comment (if you're coming directly from an admin
+// notification email)
+if (!empty($_GET['comment_id']))
+{
+ check_input_parameter('comment_id', $_GET['comment_id'], false, PATTERN_ID);
+
+ // currently, the $_GET['comment_id'] is only used by admins from email
+ // for management purpose (validate/delete)
+ if (!is_admin())
+ {
+ $login_url =
+ get_root_url().'identification.php?redirect='
+ .urlencode(urlencode($_SERVER['REQUEST_URI']))
+ ;
+ redirect($login_url);
+ }
+
+ $page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];
+}
+
// search a substring among comments content
if (!empty($_GET['keyword']))
{
@@ -152,28 +172,46 @@ $page['where_clauses'][] = get_sql_condition_FandF
// +-----------------------------------------------------------------------+
// | comments management |
// +-----------------------------------------------------------------------+
-if (isset($_GET['delete']) and is_numeric($_GET['delete'])
- and !is_adviser() )
-{// comments deletion
- check_status(ACCESS_ADMINISTRATOR);
- $query = '
-DELETE FROM '.COMMENTS_TABLE.'
- WHERE id='.$_GET['delete'].'
+
+if (isset($_GET['delete']) or isset($_GET['validate']))
+{
+ check_pwg_token();
+
+ if (!is_adviser())
+ {
+ check_status(ACCESS_ADMINISTRATOR);
+
+ if (isset($_GET['delete']))
+ {
+ check_input_parameter('delete', $_GET['delete'], false, PATTERN_ID);
+
+ $query = '
+DELETE
+ FROM '.COMMENTS_TABLE.'
+ WHERE id = '.$_GET['delete'].'
;';
- pwg_query($query);
-}
+ pwg_query($query);
+ }
-if (isset($_GET['validate']) and is_numeric($_GET['validate'])
- and !is_adviser() )
-{ // comments validation
- check_status(ACCESS_ADMINISTRATOR);
- $query = '
+ if (isset($_GET['validate']))
+ {
+ check_input_parameter('validate', $_GET['validate'], false, PATTERN_ID);
+
+ $query = '
UPDATE '.COMMENTS_TABLE.'
- SET validated = \'true\'
- , validation_date = NOW()
- WHERE id='.$_GET['validate'].'
+ SET validated = "true"
+ , validation_date = NOW()
+ WHERE id = '.$_GET['validate'].'
;';
- pwg_query($query);
+ pwg_query($query);
+ }
+
+ $redirect_url =
+ PHPWG_ROOT_PATH
+ .'comments.php'
+ .get_query_string_diff(array('delete','validate','pwg_token'));
+ redirect($redirect_url);
+ }
}
// +-----------------------------------------------------------------------+
@@ -268,7 +306,7 @@ list($counter) = mysql_fetch_row(pwg_query($query));
$url = PHPWG_ROOT_PATH
.'comments.php'
- .get_query_string_diff(array('start','delete','validate'));
+ .get_query_string_diff(array('start','delete','validate','pwg_token'));
$navbar = create_navigation_bar($url,
$counter,
@@ -380,16 +418,25 @@ SELECT id, name, permalink, uppercats
if ( is_admin() )
{
- $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate'));
- $tpl_comment['U_DELETE'] = add_url_params($url,
- array('delete'=>$comment['comment_id'])
- );
+ $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate','pwg_token'));
+
+ $tpl_comment['U_DELETE'] = add_url_params(
+ $url,
+ array(
+ 'delete' => $comment['comment_id'],
+ 'pwg_token' => get_pwg_token(),
+ )
+ );
if ($comment['validated'] != 'true')
{
- $tpl_comment['U_VALIDATE'] = add_url_params($url,
- array('validate'=>$comment['comment_id'])
- );
+ $tpl_comment['U_VALIDATE'] = add_url_params(
+ $url,
+ array(
+ 'validate' => $comment['comment_id'],
+ 'pwg_token' => get_pwg_token(),
+ )
+ );
}
}
$template->append('comments', $tpl_comment);
diff --git a/include/functions.inc.php b/include/functions.inc.php
index dbcaf6a97..6685bba99 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1535,4 +1535,37 @@ function check_input_parameter($param_name, $param_value, $is_array, $pattern)
}
}
}
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+ $valid_token = get_pwg_token();
+ $given_token = null;
+
+ if (!empty($_POST['pwg_token']))
+ {
+ $given_token = $_POST['pwg_token'];
+ }
+ elseif (!empty($_GET['pwg_token']))
+ {
+ $given_token = $_GET['pwg_token'];
+ }
+ if ($given_token != $valid_token)
+ {
+ access_denied();
+ }
+}
+
+function get_pwg_token()
+{
+ global $conf;
+
+ return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
?> \ No newline at end of file
diff --git a/include/functions_comment.inc.php b/include/functions_comment.inc.php
index c8dd6f3e0..53cf4660a 100644
--- a/include/functions_comment.inc.php
+++ b/include/functions_comment.inc.php
@@ -166,33 +166,25 @@ INSERT INTO '.COMMENTS_TABLE.'
$comm['id'] = mysql_insert_id();
- if
- (
- ($comment_action=='validate' and $conf['email_admin_on_comment'])
- or
- ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
- )
+ if ($conf['email_admin_on_comment']
+ or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
{
include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
- $del_url =
- get_absolute_root_url().'comments.php?delete='.$comm['id'];
+ $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
$keyargs_content = array
(
get_l10n_args('Author: %s', $comm['author']),
get_l10n_args('Comment: %s', $comm['content']),
get_l10n_args('', ''),
- get_l10n_args('Delete: %s', $del_url)
+ get_l10n_args('Manage this user comment: %s', $comment_url)
);
- if ($comment_action!='validate')
+ if ('moderate' == $comment_action)
{
- $keyargs_content[] =
- get_l10n_args('', '');
- $keyargs_content[] =
- get_l10n_args('Validate: %s',
- get_absolute_root_url().'comments.php?validate='.$comm['id']);
+ $keyargs_content[] = get_l10n_args('', '');
+ $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
}
pwg_mail_notification_admins