EONE-62 (New Feature): Introducing user tokens (token logic could change in the future);

init_session automated user token check (POST or GET);
new referal e_form method (hidden field with proper user token value);
Admin UI protects now all its forms;

class2.php

@@ -1603,6 +1603,15 @@ function init_session()
 	$user = e107::getUser();
 
 	define('USERIP', $e107->getip());
+	define('POST_REFERER', md5($user->getToken()));
+
+	// Check for intruders - outside the model for now
+	if((isset($_POST['__referer']) && !$user->checkToken($_POST['__referer']))
+		|| (isset($_GET['__referer']) && !$user->checkToken($_GET['__referer'])))
+	{
+		// Die, die, die! DIE!!!
+		die('Unauthorized access!');
+	}
 
     if(e107::isCli())
 	{

e107_handlers/form_handler.php

@@ -608,6 +608,15 @@ class e_form
 		return "<input type='hidden' name='{$name}' value='{$value}'".$this->get_attributes($options, $name, $value)." />";
 	}
 
+	/**
+	 * Generate hidden security field
+	 * @return string
+	 */
+	function referer()
+	{
+		return "<input type='hidden' name='__referer' value='".defset('POST_REFERER', '')."' id='e-form-referer' />";
+	}
+
 	function submit($name, $value, $options = array())
 	{
 		$options = $this->format_options('submit', $name, $options);
@@ -1667,6 +1676,7 @@ class e_form
 
 	        $text = "
 				<form method='post' action='{$formurl}' id='{$elid}-list-form'>
+				<div>".$this->referer()."
 					".vartrue($options['fieldset_pre'])."
 					<fieldset id='{$elid}-list'>
 						<legend class='e-hideme'>".$options['legend']."</legend>
@@ -1724,6 +1734,7 @@ class e_form
 			$text .= "
 					</fieldset>
 					".vartrue($options['fieldset_post'])."
+				</div>
 				</form>
 			";
 			if(!$nocontainer)
@@ -1785,6 +1796,8 @@ class e_form
 
 			$text .= "
 				<form method='post' action='".$url."' id='{$form['id']}-form' enctype='multipart/form-data'>
+				<div>
+				".$this->referer()."
 			";
 
 			foreach ($form['fieldsets'] as $elid => $data)
@@ -1794,6 +1807,7 @@ class e_form
 			}
 
 			$text .= "
+			</div>
 			</form>
 			";
 			e107::getJs()->footerInline("Form.focusFirstElement('{$form['id']}-form');");
@@ -2057,7 +2071,7 @@ class form {
 		$method = ($form_method ? "method='".$form_method."'" : "");
 		$target = ($form_target ? " target='".$form_target."'" : "");
 		$name = ($form_name ? " id='".$form_name."' " : " id='myform'");
-		return "\n<form action='".$form_action."' ".$method.$target.$name.$form_enctype.$form_js.">";
+		return "\n<form action='".$form_action."' ".$method.$target.$name.$form_enctype.$form_js.">".e107::getForm()->referer();
 	}
 
 	function form_text($form_name, $form_size, $form_value, $form_maxlength = FALSE, $form_class = "tbox", $form_readonly = "", $form_tooltip = "", $form_js = "") {

e107_handlers/user_model.php

@@ -183,6 +183,17 @@ class e_user_model extends e_front_model
 		return ($this->isAdmin() ? $this->get('user_perms') : false);
 	}
 
+	public function getToken()
+	{
+		if($this->isUser()) return '';
+
+		if(null === $this->get('user_token'))
+		{
+			$this->set('user_token', md5($this->get('user_password').$this->get('user_lastvisit').$this->get('user_pwchange').$this->get('user_class')));
+		}
+		return $this->get('user_token');
+	}
+
 	public function isCurrent()
 	{
 		return false;
@@ -294,10 +305,21 @@ class e_user_model extends e_front_model
 		return $editor->isAdmin();
 	}
 
+	/**
+	 * Check passed value against current user token
+	 * @param string $token md5 sum of e.g. posted token
+	 * @return boolean
+	 */
+	final public function checkToken($token)
+	{
+		$utoken = $this->getToken();
+		return (null !== $utoken && $token === md5($utoken));
+	}
+
 	/**
 	 * Bad but required (BC) method of retrieving all user data
 	 * It's here to be used from get_user_data() core function.
-	 * DON'T USE IT unless you have VERY good reason to do it.
+	 * DON'T USE THEM BOTH unless you have VERY good reason to do it.
 	 *
 	 * @return array
 	 */