From 5eda2a43c4374a2a6b5ba5de5372dc8faa62e6a5 Mon Sep 17 00:00:00 2001 From: ravilrrr Date: Mon, 14 Mar 2016 17:19:01 +0400 Subject: [PATCH 1/5] =?UTF-8?q?=D0=A0=D0=B0=D0=B7=D1=80=D0=B5=D1=88=D0=B8?= =?UTF-8?q?=D1=82=D1=8C=20=D1=87=D1=82=D0=B5=D0=BD=D0=B8=D0=B5=20robots.tx?= =?UTF-8?q?t?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit иначе индексироваться будет все подряд. --- .htaccess | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.htaccess b/.htaccess index 3293165..31ad65c 100644 --- a/.htaccess +++ b/.htaccess @@ -59,5 +59,10 @@ AddDefaultCharset UTF-8 Satisfy All +# Allow read files. + + Allow from all + + # Don't show directory listings for URLs which map to a directory. Options -Indexes From f6f428a8710ba237a78a88722f38e8af22fef6d7 Mon Sep 17 00:00:00 2001 From: thoncs Date: Tue, 15 Mar 2016 23:43:00 -0500 Subject: [PATCH 2/5] changed minified URIs to eliminate query strings --- engine/Plugin/Javascript.php | 4 ++-- engine/Plugin/Stylesheet.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/engine/Plugin/Javascript.php b/engine/Plugin/Javascript.php index 57072c8..5126f98 100644 --- a/engine/Plugin/Javascript.php +++ b/engine/Plugin/Javascript.php @@ -59,7 +59,7 @@ class Javascript public static function load() { $backend_site_js_path = MINIFY . DS . 'backend_site.minify.js'; - $frontend_site_js_path = MINIFY . DS . 'frontend_site.minify.js'; + $frontend_site_js_path = MINIFY . DS . 'frontend_site.minify.'.Option::get('javascript_version').'.js'; // Load javascripts if (count(Javascript::$javascripts) > 0) { @@ -122,7 +122,7 @@ class Javascript if (BACKEND) { echo ''; } else { - echo ''."\n"; + echo ''."\n"; } } } diff --git a/engine/Plugin/Stylesheet.php b/engine/Plugin/Stylesheet.php index 214374d..4907805 100644 --- a/engine/Plugin/Stylesheet.php +++ b/engine/Plugin/Stylesheet.php 
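Review bot: The directive that wraps `Allow from all` is not visible in this rendering of the .htaccess hunk, so the scope of the new grant cannot be confirmed from the page; it needs to be an exact-name match for robots.txt rather than a pattern, or the change reopens more than the commit message intends. The comment `# Allow read files.` describes the mechanism, not the reason — `# Allow unauthenticated read access to robots.txt only, so crawlers can fetch it.` would tell the next reader why this exception sits below `Satisfy All`. Since the file uses the older `Allow from` access syntax, it is worth noting in the same comment that an Apache 2.4 host without mod_access_compat needs `Require all granted` instead.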
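Review bot: `Option::get('javascript_version')` is concatenated straight into a filesystem path on the `$frontend_site_js_path` line, and nothing in the hunk validates it; an empty or malformed option value yields a name like `frontend_site.minify..js` without any error. The value is presumably admin-controlled, but a one-line whitelist such as `$version = preg_replace('/[^0-9a-z._-]/i', '', (string) Option::get('javascript_version'));` placed before the concatenation, and reused in the emitted URL, keeps a bad option from producing a broken or unexpected path. The second hunk of this file at line 122 and both hunks of engine/Plugin/Stylesheet.php (`styles_version`) build the same pattern and need the same guard. The `load()` method continues outside the hunk, and nothing visible removes the previously generated `frontend_site.minify.js`, so versioned files may accumulate under MINIFY as the option changes.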
@@ -59,7 +59,7 @@ class Stylesheet public static function load() { $backend_site_css_path = MINIFY . DS . 'backend_site.minify.css'; - $frontend_site_css_path = MINIFY . DS . 'frontend_site.minify.css'; + $frontend_site_css_path = MINIFY . DS . 'frontend_site.minify.'.Option::get('styles_version').'.css'; // Load stylesheets if (count(Stylesheet::$stylesheets) > 0) { @@ -124,7 +124,7 @@ class Stylesheet if (BACKEND) { echo ''; } else { - echo ''."\n"; + echo ''."\n"; } } } From 2e2a22ee5aafa28771f87c108edea024b618a8d5 Mon Sep 17 00:00:00 2001 From: Mightyhaggis Date: Sun, 27 Mar 2016 19:25:54 +0100 Subject: [PATCH 3/5] User security fix Fix to resolve #405 by adding a check that compares POST id with SESSION id for none admin edits --- plugins/box/users/users.plugin.php | 45 +++++++++++++++++------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/plugins/box/users/users.plugin.php b/plugins/box/users/users.plugin.php index 2ff9a2a..b41520c 100644 --- a/plugins/box/users/users.plugin.php +++ b/plugins/box/users/users.plugin.php 
@@ -228,27 +228,32 @@ class Users extends Frontend // Check csrf if (Security::check(Request::post('csrf'))) { - - if (Security::safeName(Request::post('login')) != '') { - if (Users::$users->update(Request::post('user_id'), - array('login' => Security::safeName(Request::post('login')), - 'firstname' => Request::post('firstname'), - 'lastname' => Request::post('lastname'), - 'email' => Request::post('email'), - 'skype' => Request::post('skype'), - 'about_me' => Request::post('about_me'), - 'twitter' => Request::post('twitter')))) { - - // Change password - if (trim(Request::post('new_password')) != '') { - Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password'))))); + + // Check for POST data manipulation + if( ((int) Session::get('user_id') == (int) Request::post('user_id')) or (in_array(Session::get('user_role'), array('admin'))) ) { + + if (Security::safeName(Request::post('login')) != '') { + if (Users::$users->update(Request::post('user_id'), + array('login' => Security::safeName(Request::post('login')), + 'firstname' => Request::post('firstname'), + 'lastname' => Request::post('lastname'), + 'email' => Request::post('email'), + 'skype' => Request::post('skype'), + 'about_me' => Request::post('about_me'), + 'twitter' => Request::post('twitter')))) { + + // Change password + if (trim(Request::post('new_password')) != '') { + Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password'))))); + } + + Notification::set('success', __('Your changes have been saved.', 'users')); + Request::redirect(Site::url().'/users/'.$user['id']); } - - Notification::set('success', __('Your changes have been saved.', 'users')); - Request::redirect(Site::url().'/users/'.$user['id']); - } - } else { } - + } else { } + + } else { die('Monstra says: This is not your profile...'); } + } else { die('Request was denied because it contained an invalid 
security token. Please refresh the page and try again.'); } } From 09fd5c75a74469661a78fc4dafa7a90a4fee3d7d Mon Sep 17 00:00:00 2001 From: Awilum Date: Tue, 5 Apr 2016 22:45:17 +0300 Subject: [PATCH 4/5] Update Changelog --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1cc771..989d045 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +Monstra 3.0.4, 2016-04-05 +------------------------ +- Fixed User Security by adding a check that compares POST id with SESSION +id for none admin edits +- Fixed ability to read robots.txt +- Stylesheet: Changed minified URIs to eliminate query strings + + Monstra 3.0.3, 2016-01-29 ------------------------ - Improved Monstra Security From 16a0014c2bb2e5d60b7844dceaa58ad7338be0ca Mon Sep 17 00:00:00 2001 From: Awilum Date: Tue, 5 Apr 2016 22:48:20 +0300 Subject: [PATCH 5/5] Monstra 3.0.4 --- engine/Monstra.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/Monstra.php b/engine/Monstra.php index 3f26cc8..b1a50fb 100644 --- a/engine/Monstra.php +++ b/engine/Monstra.php @@ -31,7 +31,7 @@ class Monstra /** * The version of Monstra */ - const VERSION = '3.0.3'; + const VERSION = '3.0.4'; /**
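Review bot: The new ownership test on the `// Check for POST data manipulation` line casts both sides to int, so a session with no `user_id` (null becomes 0) and a POST that omits `user_id` (null becomes 0) satisfy `0 == 0`; whether an unauthenticated request can reach this code depends on the enclosing method, whose start and end lie outside the hunk, and the check should not depend on that. Require a real session id and use strict comparisons: `if (((int) Session::get('user_id') > 0 && (int) Session::get('user_id') === (int) Request::post('user_id')) || Session::get('user_role') === 'admin') {`. The failure branch `die('Monstra says: This is not your profile...')` mirrors the existing CSRF branch, but both answer with HTTP 200 and leave no trace; sending a 403 status before exiting and logging the session id alongside the posted id would let operators notice probing of other users' profiles. On the success path the redirect still uses `$user['id']` while the update used `Request::post('user_id')`, so an admin editing another profile may be redirected to the page's user rather than the one just updated — probably the same id, but worth confirming.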