mirror of
https://github.com/e107inc/e107.git
synced 2025-01-17 20:58:30 +01:00
Added token to x-editable
This commit is contained in:
Cameron
parent
a6cb884277
commit
00e2663162
@ -5576,11 +5576,13 @@ class e_admin_ui extends e_admin_controller_ui
|
||||
|
||||
$_name = $_POST['name'];
|
||||
$_value = $_POST['value'];
|
||||
$_token = $_POST['token'];
|
||||
|
||||
$parms = $this->fields[$_name]['readParms'] ? $this->fields[$_name]['readParms'] : '';
|
||||
if(!is_array($parms)) parse_str($parms, $parms);
|
||||
if(!empty($parms['editable'])) $this->fields[$_name]['inline'] = true;
|
||||
|
||||
if(vartrue($this->fields[$_name]['noedit']) || vartrue($this->fields[$_name]['nolist']) || empty($this->fields[$_name]['inline']))
|
||||
if(!empty($this->fields[$_name]['noedit']) || !empty($this->fields[$_name]['nolist']) || empty($this->fields[$_name]['inline']) || empty($_token) || !password_verify(session_id(),$_token))
|
||||
{
|
||||
header($protocol.': 403 Forbidden', true, 403);
|
||||
header("Status: 403 Forbidden", true, 403);
|
||||
@ -5593,10 +5595,14 @@ class e_admin_ui extends e_admin_controller_ui
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
$model = $this->getModel()->load($this->getId());
|
||||
$_POST = array(); //reset post
|
||||
$_POST[$_name] = $_value; // set current field only
|
||||
|
||||
// print_r($_POST);
|
||||
|
||||
// generic handler - same as regular edit form submit
|
||||
|
||||
$this->convertToData($_POST);
|
||||
@ -5641,6 +5647,7 @@ class e_admin_ui extends e_admin_controller_ui
|
||||
$message .= print_r($_POST,true);
|
||||
$message .= "\n_GET\n";
|
||||
$message .= print_r($_GET,true);
|
||||
|
||||
$message .= "---------------";
|
||||
|
||||
file_put_contents(e_LOG.'uiAjaxResponseInline.log', $message."\n\n", FILE_APPEND);
|
||||
|
||||
@ -4413,15 +4413,24 @@ class e_form
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Inline Token
|
||||
* @return string
|
||||
*/
|
||||
private function inlineToken()
|
||||
{
|
||||
return password_hash(session_id(), PASSWORD_DEFAULT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an Inline Edit link.
|
||||
* @param $dbField : field being edited //TODO allow for an array of all data here.
|
||||
* @param $pid : primary ID of the row being edited.
|
||||
* @param $fieldName - Description of the field name (caption)
|
||||
* @param $curVal : existing value of in the field
|
||||
* @param $linkText : existing value displayed
|
||||
* @param $type text|textarea|select|date|checklist
|
||||
* @param $array : array data used in dropdowns etc.
|
||||
* @param string $dbField : field being edited
|
||||
* @param int $pid : primary ID of the row being edited.
|
||||
* @param string $fieldName - Description of the field name (caption)
|
||||
* @param mixed $curVal : existing value of in the field
|
||||
* @param mixed $linkText : existing value displayed
|
||||
* @param string $type text|textarea|select|date|checklist
|
||||
* @param array $array : array data used in dropdowns etc.
|
||||
*/
|
||||
public function renderInline($dbField, $pid, $fieldName, $curVal, $linkText, $type='text', $array=null, $options=array())
|
||||
{
|
||||
@ -4458,6 +4467,8 @@ class e_form
|
||||
$text .= (is_array($array)) ? "data-source='".$source."' " : "";
|
||||
$text .= " title=\"".$title."\" data-type='".$type."' data-inputclass='x-editable-".$this->name2id($dbField)." ".$class."' data-value=\"{$curVal}\" href='#' ";
|
||||
|
||||
$options['token'] = $this->inlineToken();
|
||||
|
||||
if(!empty($options))
|
||||
{
|
||||
foreach($options as $k=>$opt)
|
||||
@ -4724,19 +4735,18 @@ class e_form
|
||||
{
|
||||
case 'number':
|
||||
if(!$value) $value = '0';
|
||||
|
||||
if($parms)
|
||||
{
|
||||
if(!isset($parms['sep'])) $value = number_format($value, varset($parms['decimals'],0));
|
||||
else $value = number_format($value, $parms['decimals'], vartrue($parms['point'], '.'), vartrue($parms['sep'], ' '));
|
||||
}
|
||||
|
||||
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$mode = preg_replace('/[^\w]/', '', vartrue($_GET['mode'], ''));
|
||||
$value = "<a class='e-tip e-editable editable-click' data-name='".$field."' title=\"".LAN_EDIT." ".$attributes['title']."\" data-type='text' data-pk='".$id."' data-url='".e_SELF."?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>".$value."</a>";
|
||||
$value = $this->renderInline($field,$id,$attributes['title'],$value, $value);
|
||||
}
|
||||
else
|
||||
elseif(!empty($parms['link']))
|
||||
{
|
||||
$value = $this->renderLink($value,$parms,$id);
|
||||
}
|
||||
@ -4747,7 +4757,19 @@ class e_form
|
||||
break;
|
||||
|
||||
case 'country':
|
||||
$value = $this->getCountry($value);
|
||||
|
||||
$_value = $this->getCountry($value);
|
||||
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$arr = $this->getCountry();
|
||||
$value = $this->renderInline($field,$id,$attributes['title'],$value, $_value, 'select', $arr);
|
||||
}
|
||||
else
|
||||
{
|
||||
$value = $_value;
|
||||
}
|
||||
|
||||
break;
|
||||
|
||||
case 'ip':
|
||||
@ -4842,15 +4864,9 @@ class e_form
|
||||
|
||||
$value = ($value ? vartrue($parms['pre']).defset($value, $value).vartrue($parms['post']) : '');
|
||||
|
||||
// Inline Editing.
|
||||
// Inline Editing with 'comma' @SecretR - please FIXME - empty values added. @see news 'render type' or 'media-manager' category for test examples.
|
||||
if(!vartrue($attributes['noedit']) && vartrue($parms['editable']) && !vartrue($parms['link'])) // avoid bad markup, better solution coming up
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$xtype = ($attributes['type'] == 'dropdown') ? 'select' : 'checklist';
|
||||
|
||||
// $value = "<a class='e-tip e-editable editable-click' data-name='".$field."' data-value='{$_value}' data-source=\"".$source."\" title=\"".LAN_EDIT." ".$attributes['title']."\" data-type='".$xtype."' data-pk='".$id."' data-url='".e_SELF."?mode=&action=inline&id={$id}&ajax_used=1' href='#'>".$value."</a>";
|
||||
|
||||
|
||||
$value = $this->renderInline($field, $id, $attributes['title'], $_value, $value, $xtype, $wparms);
|
||||
}
|
||||
|
||||
@ -4858,7 +4874,9 @@ class e_form
|
||||
break;
|
||||
|
||||
case 'radio':
|
||||
if($parms && is_array($parms)) // FIXME - add support for multi-level arrays (option groups)
|
||||
|
||||
|
||||
if($parms && isset($parms[$value])) // FIXME - add support for multi-level arrays (option groups)
|
||||
{
|
||||
$value = vartrue($parms['pre']).vartrue($parms[$value]).vartrue($parms['post']);
|
||||
break;
|
||||
@ -4869,6 +4887,11 @@ class e_form
|
||||
if(!empty($attributes['writeParms']['optArray']))
|
||||
{
|
||||
$radioValue = $attributes['writeParms']['optArray'][$value];
|
||||
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$radioValue = $this->renderInline($field, $id, $attributes['title'], $value, $radioValue, 'select', $attributes['writeParms']['optArray']);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -4962,7 +4985,7 @@ class e_form
|
||||
$tpl = $this->text($field, $value, 80, $options);
|
||||
|
||||
$mode = preg_replace('/[^\w]/', '', vartrue($_GET['mode'], ''));
|
||||
$value = "<a id='" . $field . '_' . $id . "' class='e-tip e-editable editable-click editable-tags' data-emptytext='-' data-tpl='" . str_replace("'", '"', $tpl) . "' data-name='" . $field . "' title=\"" . LAN_EDIT . " " . $attributes['title'] . "\" data-type='text' data-pk='" . $id . "' " . $setValue . " data-url='" . e_SELF . "?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>" . $value . "</a>";
|
||||
$value = "<a id='" . $field . '_' . $id . "' class='e-tip e-editable editable-click editable-tags' data-emptytext='-' data-tpl='" . str_replace("'", '"', $tpl) . "' data-name='" . $field . "' data-token='".$this->inlineToken()."' title=\"" . LAN_EDIT . " " . $attributes['title'] . "\" data-type='text' data-pk='" . $id . "' " . $setValue . " data-url='" . e_SELF . "?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>" . $value . "</a>";
|
||||
}
|
||||
|
||||
$value = vartrue($parms['pre']) . $value . vartrue($parms['post']);
|
||||
@ -5034,12 +5057,9 @@ class e_form
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
if(!vartrue($attributes['noedit']) && vartrue($parms['editable']) && !vartrue($parms['link'])) // avoid bad markup, better solution coming up
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$mode = preg_replace('/[^\w]/', '', vartrue($_GET['mode'], ''));
|
||||
$value = "<a class='e-tip e-editable editable-click' data-emptytext='-' data-name='".$field."' title=\"".LAN_EDIT." ".$attributes['title']."\" data-type='text' data-pk='".$id."' ".$setValue." data-url='".e_SELF."?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>".$value."</a>";
|
||||
$value = $this->renderInline($field,$id,$attributes['title'],$value, $value);
|
||||
}
|
||||
|
||||
$value = vartrue($parms['pre']).$value.vartrue($parms['post']);
|
||||
@ -5259,25 +5279,28 @@ class e_form
|
||||
break;
|
||||
|
||||
case 'date':
|
||||
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$value = $this->renderInline($field,$id,$attributes['title'],$value, $value);
|
||||
}
|
||||
|
||||
// just show original value
|
||||
break;
|
||||
|
||||
case 'userclass':
|
||||
$dispvalue = $this->_uc->uc_get_classname($value);
|
||||
$dispvalue = $this->_uc->getName($value);
|
||||
// Inline Editing.
|
||||
if(!vartrue($attributes['noedit']) && vartrue($parms['editable']) && !vartrue($parms['link'])) // avoid bad markup, better solution coming up
|
||||
if(empty($attributes['noedit']) && !empty($parms['editable']) && empty($parms['link'])) // avoid bad markup, better solution coming up
|
||||
{
|
||||
$mode = preg_replace('/[^\w]/', '', vartrue($_GET['mode'], ''));
|
||||
// $mode = preg_replace('/[^\w]/', '', vartrue($_GET['mode'], ''));
|
||||
|
||||
$uc_options = vartrue($parms['classlist'], 'public,guest,nobody,member,admin,main,classes'); // defaults to 'public,guest,nobody,member,classes' (userclass handler)
|
||||
unset($parms['classlist']);
|
||||
|
||||
$array = e107::getUserClass()->uc_required_class_list($uc_options); //XXX Ugly looking (non-standard) function naming - TODO discuss name change.
|
||||
$source = str_replace('"',"'",json_encode($array, JSON_FORCE_OBJECT));
|
||||
|
||||
//NOTE Leading ',' required on $value; so it picks up existing value.
|
||||
$value = "<a class='e-tip e-editable editable-click' data-placement='left' data-value='".$value."' data-name='".$field."' data-source=\"".$source."\" title=\"".LAN_EDIT." ".$attributes['title']."\" data-type='select' data-pk='".$id."' data-url='".e_SELF."?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>".$dispvalue."</a>";
|
||||
|
||||
$value = $this->renderInline($field, $id, $attributes['title'], $value, $dispvalue, 'select', $array, array('placement'=>'left'));
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -5316,7 +5339,7 @@ class e_form
|
||||
$source = str_replace('"',"'",json_encode($array, JSON_FORCE_OBJECT));
|
||||
|
||||
//NOTE Leading ',' required on $value; so it picks up existing value.
|
||||
$value = "<a class='e-tip e-editable editable-click' data-placement='bottom' data-value=',".$value."' data-name='".$field."' data-source=\"".$source."\" title=\"".LAN_EDIT." ".$attributes['title']."\" data-type='checklist' data-pk='".$id."' data-url='".e_SELF."?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>".$dispvalue."</a>";
|
||||
$value = "<a class='e-tip e-editable editable-click' data-placement='bottom' data-value=',".$value."' data-name='".$field."' data-source=\"".$source."\" title=\"".LAN_EDIT." ".$attributes['title']."\" data-type='checklist' data-pk='".$id."' data-token='".$this->inlineToken()." data-url='".e_SELF."?mode={$mode}&action=inline&id={$id}&ajax_used=1' href='#'>".$dispvalue."</a>";
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -5403,7 +5426,7 @@ class e_form
|
||||
|
||||
$tpl = $this->userpicker($fieldID, array('user_id'=>$id, 'user_name'=>$ttl), array('id' => $fieldID, 'inline' => $eEditableID));
|
||||
$mode = preg_replace('/[^\w]/', '', vartrue($_GET['mode'], ''));
|
||||
$value = "<a id='" . $eEditableID . "' class='e-tip e-editable editable-click editable-userpicker' data-clear='false' data-tpl='" . str_replace("'", '"', $tpl) . "' data-name='" . $field . "' title=\"" . LAN_EDIT . " " . $attributes['title'] . "\" data-type='text' data-pk='" . $row_id . "' data-value='" . $id . "' data-url='" . e_SELF . "?mode={$mode}&action=inline&id={$row_id}&ajax_used=1' href='#'>" . $ttl . "</a>";
|
||||
$value = "<a id='" . $eEditableID . "' class='e-tip e-editable editable-click editable-userpicker' data-clear='false' data-token='".$this->inlineToken()."' data-tpl='" . str_replace("'", '"', $tpl) . "' data-name='" . $field . "' title=\"" . LAN_EDIT . " " . $attributes['title'] . "\" data-type='text' data-pk='" . $row_id . "' data-value='" . $id . "' data-url='" . e_SELF . "?mode={$mode}&action=inline&id={$row_id}&ajax_used=1' href='#'>" . $ttl . "</a>";
|
||||
}
|
||||
|
||||
break;
|
||||
|
||||
@ -487,7 +487,9 @@ class user_class
|
||||
}
|
||||
else
|
||||
{
|
||||
$text .= "\n<optgroup label=\"".UC_LAN_INVERTLABEL."\">\n";
|
||||
$text .= "\n";
|
||||
$text .= '<optgroup label=\''.UC_LAN_INVERTLABEL.'\'>';
|
||||
$text .= "\n";
|
||||
}
|
||||
foreach ($show_classes as $k => $v)
|
||||
{
|
||||
@ -724,7 +726,9 @@ class user_class
|
||||
{
|
||||
if ($notCheckbox)
|
||||
{
|
||||
$ret .= "\n<optgroup label=\"".UC_LAN_INVERTLABEL."\">\n";
|
||||
$ret .= "\n";
|
||||
$ret .= '<optgroup label=\''.UC_LAN_INVERTLABEL.'\'>';
|
||||
$ret .= "\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@ -287,8 +287,14 @@ $(document).ready(function()
|
||||
});
|
||||
|
||||
|
||||
|
||||
|
||||
$('div.e-container').editable({
|
||||
selector: '.e-editable',
|
||||
params: function(params) {
|
||||
params.token = $(this).attr('data-token');
|
||||
return params;
|
||||
},
|
||||
display: function (value, sourceData)
|
||||
{
|
||||
// HTML entities decoding... fix for:
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user