Diffstat (limited to 'admin')
-rw-r--r--admin/cat_list.php9
-rw-r--r--admin/element_set.php2
-rw-r--r--admin/element_set_global.php6
-rw-r--r--admin/group_list.php10
-rw-r--r--admin/include/functions.php1
-rw-r--r--admin/picture_modify.php3
-rw-r--r--admin/plugins_list.php4
-rw-r--r--admin/plugins_new.php6
-rw-r--r--admin/plugins_update.php7
-rw-r--r--admin/site_manager.php18
-rw-r--r--admin/tags.php8
-rw-r--r--admin/template/goto/cat_list.tpl2
-rw-r--r--admin/template/goto/group_list.tpl1
-rw-r--r--admin/template/goto/site_manager.tpl2
-rw-r--r--admin/template/goto/tags.tpl1
15 files changed, 68 insertions, 12 deletions
diff --git a/admin/cat_list.php b/admin/cat_list.php
index 3a9a1fc46..1aac22f0d 100644
--- a/admin/cat_list.php
+++ b/admin/cat_list.php
@@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+if (!empty($_POST) or isset($_GET['delete']))
+{
+ check_pwg_token();
+}
+
// +-----------------------------------------------------------------------+
// | functions |
// +-----------------------------------------------------------------------+
@@ -64,6 +69,8 @@ function save_categories_order($categories)
// | initialization |
// +-----------------------------------------------------------------------+
+check_input_parameter('parent_id', @$_GET['parent_id'], false, PATTERN_ID);
+
$categories = array();
$base_url = get_root_url().'admin.php?page=cat_list';
@@ -161,6 +168,7 @@ if (isset($_GET['parent_id']))
$template->assign(array(
'CATEGORIES_NAV'=>$navigation,
'F_ACTION'=>$form_action,
+ 'PWG_TOKEN' => get_pwg_token(),
));
// +-----------------------------------------------------------------------+
@@ -236,6 +244,7 @@ foreach ($categories as $category)
if (empty($category['dir']))
{
$tpl_cat['U_DELETE'] = $self_url.'&delete='.$category['id'];
+ $tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();
}
if ( array_key_exists($category['id'], $categories_with_images) )
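Review bot: The delete link built on the `U_DELETE` lines is still a state-changing GET request; appending `pwg_token` to its query string defeats a blind cross-site request, but the token then lands in browser history, proxy/server logs and the Referer header sent to any page linked from the category list, where it can be reused for as long as it stays valid. A small POST form carrying the hidden `pwg_token` input, as cat_list.tpl already does for the add and reorder actions, would keep the token out of URLs. The same token-in-URL pattern appears for `U_DELETE`/`U_ISDEFAULT` in group_list.php, `U_ACTION` in plugins_list.php and the per-site `$base_url` in site_manager.php. If the URL form is kept on purpose, a comment such as `// token travels in the URL (history/Referer/logs); it must stay session-bound` next to the assignment would record the trade-off. The foreach body continues outside the hunk.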
diff --git a/admin/element_set.php b/admin/element_set.php
index 821c4e188..bc722887b 100644
--- a/admin/element_set.php
+++ b/admin/element_set.php
@@ -39,6 +39,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('selection', @$_POST['selection'], true, PATTERN_ID);
+
// +-----------------------------------------------------------------------+
// | caddie management |
// +-----------------------------------------------------------------------+
diff --git a/admin/element_set_global.php b/admin/element_set_global.php
index 2ad3ab164..05f4158b7 100644
--- a/admin/element_set_global.php
+++ b/admin/element_set_global.php
@@ -43,6 +43,12 @@ check_status(ACCESS_ADMINISTRATOR);
// | deletion form submission |
// +-----------------------------------------------------------------------+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('add_tags', @$_POST['add_tags'], true, PATTERN_ID);
+check_input_parameter('del_tags', @$_POST['del_tags'], true, PATTERN_ID);
+check_input_parameter('associate', @$_POST['associate'], false, PATTERN_ID);
+check_input_parameter('dissociate', @$_POST['dissociate'], false, PATTERN_ID);
+
if (isset($_POST['delete']))
{
if (isset($_POST['confirm_deletion']) and 1 == $_POST['confirm_deletion'])
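Review bot: The deletion branch starting at `if (isset($_POST['delete']))` acts on a POST submission, yet no `check_pwg_token()` call is visible in this hunk, while the other admin pages in this commit gate `!empty($_POST)` behind the token. Unless element_set.php performs the check before including this file (its own hunk only adds the `selection` parameter check), a forged form with `delete` and `confirm_deletion=1` still reaches the deletion code. Adding `if (!empty($_POST)) { check_pwg_token(); }` next to the new check_input_parameter calls, plus the matching hidden input in the template, would be consistent with cat_list.php and tags.php. The if block continues outside the hunk.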
diff --git a/admin/group_list.php b/admin/group_list.php
index ab2e8ae7c..0ab7d3bc3 100644
--- a/admin/group_list.php
+++ b/admin/group_list.php
@@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+if (!empty($_POST) or isset($_GET['delete']) or isset($_GET['toggle_is_default']))
+{
+ check_pwg_token();
+}
+
// +-----------------------------------------------------------------------+
// | delete a group |
// +-----------------------------------------------------------------------+
@@ -155,6 +160,7 @@ $template->assign(
array(
'F_ADD_ACTION' => get_root_url().'admin.php?page=group_list',
'U_HELP' => get_root_url().'popuphelp.php?page=group_list',
+ 'PWG_TOKEN' => get_pwg_token(),
)
);
@@ -191,9 +197,9 @@ SELECT COUNT(*)
'IS_DEFAULT' => (get_boolean($row['is_default']) ? ' ['.l10n('is_default_group').']' : ''),
'MEMBERS' => l10n_dec('%d member', '%d members', $counter),
'U_MEMBERS' => $members_url.$row['id'],
- 'U_DELETE' => $del_url.$row['id'],
+ 'U_DELETE' => $del_url.$row['id'].'&pwg_token='.get_pwg_token(),
'U_PERM' => $perm_url.$row['id'],
- 'U_ISDEFAULT' => $toggle_is_default_url.$row['id']
+ 'U_ISDEFAULT' => $toggle_is_default_url.$row['id'].'&pwg_token='.get_pwg_token(),
)
);
}
diff --git a/admin/include/functions.php b/admin/include/functions.php
index 66d7b52ec..1081c9f3d 100644
--- a/admin/include/functions.php
+++ b/admin/include/functions.php
@@ -23,7 +23,6 @@
include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-
// The function delete_site deletes a site and call the function
// delete_categories for each primary category of the site
function delete_site( $id )
diff --git a/admin/picture_modify.php b/admin/picture_modify.php
index c142ae955..71b0d7777 100644
--- a/admin/picture_modify.php
+++ b/admin/picture_modify.php
@@ -33,6 +33,9 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('image_id', $_GET['image_id'], false, PATTERN_ID);
+check_input_parameter('cat_id', @$_GET['cat_id'], false, PATTERN_ID);
+
// +-----------------------------------------------------------------------+
// | synchronize metadata |
// +-----------------------------------------------------------------------+
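Review bot: `$_GET['image_id']` is read without the `@` that the `cat_id` line uses, so a request lacking image_id raises an undefined-index notice before check_input_parameter runs; the hunk does not show whether the helper rejects a null value, so either make the two lines consistent with `check_input_parameter('image_id', @$_GET['image_id'], false, PATTERN_ID);` or add an explicit `isset()` guard that fails the request when image_id is mandatory. This file also receives no `check_pwg_token()` guard although the sibling admin pages gain one in this commit; if picture_modify.php saves changes on POST outside this hunk, the same `if (!empty($_POST)) { check_pwg_token(); }` block belongs here too.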
diff --git a/admin/plugins_list.php b/admin/plugins_list.php
index 2b12f171c..708ecd889 100644
--- a/admin/plugins_list.php
+++ b/admin/plugins_list.php
@@ -38,6 +38,8 @@ $plugins = new plugins();
//--------------------------------------------------perform requested actions
if (isset($_GET['action']) and isset($_GET['plugin']) and !is_adviser())
{
+ check_pwg_token();
+
$page['errors'] = $plugins->perform_action($_GET['action'], $_GET['plugin']);
if (empty($page['errors']))
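Review bot: `$_GET['action']` and `$_GET['plugin']` reach `perform_action()` without a check_input_parameter call, although this commit adds such checks to the other admin pages; the hunk does not show how perform_action uses the plugin id, so whether it restricts the value itself is unknown from here. If it does not, restricting `$_GET['plugin']` to the keys of `$plugins->fs_plugins` (or a pattern check) before the call would be the consistent fix. The same unvalidated GET values are passed straight to `extract_plugin_files()` in plugins_new.php and assigned to `$plugin_id`/`$revision` in plugins_update.php, where they are additionally concatenated into a redirect URL without `urlencode()`. The if block continues outside the hunk.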
@@ -96,7 +98,7 @@ foreach($plugins->fs_plugins as $plugin_id => $fs_plugin)
array('NAME' => $display_name,
'VERSION' => $fs_plugin['version'],
'DESCRIPTION' => $desc,
- 'U_ACTION' => $base_url.'&plugin='.$plugin_id);
+ 'U_ACTION' => $base_url.'&plugin='.$plugin_id.'&pwg_token='.get_pwg_token());
if (isset($plugins->db_plugins_by_id[$plugin_id]))
{
diff --git a/admin/plugins_new.php b/admin/plugins_new.php
index 56b09d097..857f75bc5 100644
--- a/admin/plugins_new.php
+++ b/admin/plugins_new.php
@@ -38,6 +38,8 @@ $plugins = new plugins();
//------------------------------------------------------automatic installation
if (isset($_GET['revision']) and isset($_GET['extension']) and !is_adviser())
{
+ check_pwg_token();
+
$install_status = $plugins->extract_plugin_files('install', $_GET['revision'], $_GET['extension']);
redirect($base_url.'&installstatus='.$install_status);
@@ -110,7 +112,9 @@ if ($plugins->get_server_plugins(true))
$url_auto_install = htmlentities($base_url)
. '&revision=' . $plugin['revision_id']
- . '&extension=' . $plugin['extension_id'];
+ . '&extension=' . $plugin['extension_id']
+ . '&pwg_token='.get_pwg_token()
+ ;
$template->append('plugins', array(
'EXT_NAME' => $plugin['extension_name'],
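Review bot: The `$url_auto_install` expression passes `$base_url` through htmlentities() but concatenates `$plugin['revision_id']`, `$plugin['extension_id']`, the new `pwg_token` part and the raw `&` separators unescaped, so the resulting string is only half-escaped for HTML output. The revision and extension ids come from `get_server_plugins()`, i.e. data fetched from a remote server, so they should not be assumed attribute-safe; building the query string with `http_build_query()` and escaping the whole URL once where it is rendered (or dropping the htmlentities() here and escaping in the template) would make the treatment uniform. plugins_update.php builds `$url_auto_update` the same way with no htmlentities() at all, so the two pages are currently inconsistent. The enclosing if block continues outside the hunk.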
diff --git a/admin/plugins_update.php b/admin/plugins_update.php
index e6d6705fe..953fddd8e 100644
--- a/admin/plugins_update.php
+++ b/admin/plugins_update.php
@@ -37,6 +37,8 @@ $plugins = new plugins();
//-----------------------------------------------------------automatic upgrade
if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
{
+ check_pwg_token();
+
$plugin_id = $_GET['plugin'];
$revision = $_GET['revision'];
@@ -48,6 +50,7 @@ if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
redirect($base_url
. '&revision=' . $revision
. '&plugin=' . $plugin_id
+ . '&pwg_token='.get_pwg_token()
. '&reactivate=true');
}
@@ -133,7 +136,9 @@ if ($plugins->get_server_plugins())
// Plugin need upgrade
$url_auto_update = $base_url
. '&revision=' . $plugin_info['revision_id']
- . '&plugin=' . $plugin_id;
+ . '&plugin=' . $plugin_id
+ . '&pwg_token='.get_pwg_token()
+ ;
$template->append('plugins_not_uptodate', array(
'EXT_NAME' => $fs_plugin['name'],
diff --git a/admin/site_manager.php b/admin/site_manager.php
index 06687a274..7e30090d6 100644
--- a/admin/site_manager.php
+++ b/admin/site_manager.php
@@ -33,6 +33,11 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+if (!empty($_POST) or isset($_GET['action']))
+{
+ check_pwg_token();
+}
+
/**
* requests the given $url (a remote create_listing_file.php) and fills a
* list of lines corresponding to request output
@@ -198,11 +203,13 @@ SELECT galleries_url
}
}
-$template->assign( array(
- 'U_HELP' => get_root_url().'popuphelp.php?page=site_manager',
- 'F_ACTION' => get_root_url().'admin.php'
- .get_query_string_diff( array('action','site') )
- ) );
+$template->assign(
+ array(
+ 'U_HELP' => get_root_url().'popuphelp.php?page=site_manager',
+ 'F_ACTION' => get_root_url().'admin.php'.get_query_string_diff(array('action','site','pwg_token')),
+ 'PWG_TOKEN' => get_pwg_token(),
+ )
+ );
// +-----------------------------------------------------------------------+
// | remote sites list |
@@ -242,6 +249,7 @@ while ($row = mysql_fetch_array($result))
$base_url = PHPWG_ROOT_PATH.'admin.php';
$base_url.= '?page=site_manager';
$base_url.= '&site='.$row['id'];
+ $base_url.= '&pwg_token='.get_pwg_token();
$base_url.= '&action=';
$update_url = PHPWG_ROOT_PATH.'admin.php';
diff --git a/admin/tags.php b/admin/tags.php
index c4548ef8b..ea5ed6001 100644
--- a/admin/tags.php
+++ b/admin/tags.php
@@ -29,6 +29,11 @@ if( !defined("PHPWG_ROOT_PATH") )
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
check_status(ACCESS_ADMINISTRATOR);
+if (!empty($_POST))
+{
+ check_pwg_token();
+}
+
// +-----------------------------------------------------------------------+
// | edit tags |
// +-----------------------------------------------------------------------+
@@ -189,7 +194,8 @@ $template->set_filenames(array('tags' => 'tags.tpl'));
$template->assign(
array(
- 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+ 'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+ 'PWG_TOKEN' => get_pwg_token(),
)
);
diff --git a/admin/template/goto/cat_list.tpl b/admin/template/goto/cat_list.tpl
index f4e39a068..7654a2345 100644
--- a/admin/template/goto/cat_list.tpl
+++ b/admin/template/goto/cat_list.tpl
@@ -27,6 +27,7 @@
<h3>{$CATEGORIES_NAV}</h3>
<form id="addVirtual" action="{$F_ACTION}" method="post">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
<p>
{'cat_add'|@translate} : <input type="text" name="virtual_name" />
<input class="submit" type="submit" value="{'Submit'|@translate}" name="submitAdd" {$TAG_INPUT_ENABLED} />
@@ -39,6 +40,7 @@
{if count($categories) }
<form id="categoryOrdering" action="{$F_ACTION}" method="post">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
<p>
<input class="submit" name="submitOrder" type="submit" value="{'Save order'|@translate}" {$TAG_INPUT_ENABLED} />
<input class="submit" name="submitOrderAlphaNum" type="submit" value="{'Order alphanumerically'|@translate}" {$TAG_INPUT_ENABLED} />
diff --git a/admin/template/goto/group_list.tpl b/admin/template/goto/group_list.tpl
index b21c2ec86..4bc163153 100644
--- a/admin/template/goto/group_list.tpl
+++ b/admin/template/goto/group_list.tpl
@@ -4,6 +4,7 @@
</div>
<form method="post" name="add_user" action="{$F_ADD_ACTION}" class="properties">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
<fieldset>
<legend>{'Add group'|@translate}</legend>
diff --git a/admin/template/goto/site_manager.tpl b/admin/template/goto/site_manager.tpl
index 61c0157cf..570b0a15c 100644
--- a/admin/template/goto/site_manager.tpl
+++ b/admin/template/goto/site_manager.tpl
@@ -17,6 +17,7 @@
{'remote_site_local_found'|@translate} {$local_listing.URL}
{if isset($local_listing.CREATE)}
<form action="{$F_ACTION}" method="post">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
<p>
{'remote_site_local_create'|@translate}:
<input type="hidden" name="no_check" value="1"/>
@@ -64,6 +65,7 @@
{/if}
<form action="{$F_ACTION}" method="post">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
<p>
<label for="galleries_url" >{'site_create'|@translate}</label>
<input type="text" name="galleries_url" id="galleries_url" />
diff --git a/admin/template/goto/tags.tpl b/admin/template/goto/tags.tpl
index b2ce57341..ce7949063 100644
--- a/admin/template/goto/tags.tpl
+++ b/admin/template/goto/tags.tpl
@@ -4,6 +4,7 @@
</div>
<form action="{$F_ACTION}" method="post">
+ <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
{if isset($EDIT_TAGS_LIST)}
<fieldset>