mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-20 23:41:29 +02:00
Code Issues Releases Wiki Activity

Merge branch '3.1.x' into 3.2.x

Browse Source 
* 3.1.x:
  [ticket/14789] Add form tokens to tests and uncomment add_form_key
  [ticket/14789] Add link hashes and form tokens to all acp links/buttons
This commit is contained in:
Tristan Darricau
2016-09-18 21:14:47 +02:00
parent 47d2f34a1b bc08813866
commit 19bbbfe0f3
9 changed files with 118 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
phpBB/includes/acp/acp_profile.php
View File

@@ -56,6 +56,9 @@ class acp_profile
$error = array();
$form_key = 'acp_profile';
add_form_key($form_key);
if (!$field_id && in_array($action, array('delete','activate', 'deactivate', 'move_up', 'move_down', 'edit')))
{
trigger_error($user->lang['NO_FIELD_ID'] . adm_back_link($this->u_action), E_USER_WARNING);
@@ -166,6 +169,11 @@ class acp_profile
case 'activate':
if (!check_link_hash($request->variable('hash', ''), 'acp_profile'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'SELECT lang_id
FROM ' . LANG_TABLE . "
WHERE lang_iso = '" . $db->sql_escape($config['default_lang']) . "'";
@@ -206,6 +214,11 @@ class acp_profile
case 'deactivate':
if (!check_link_hash($request->variable('hash', ''), 'acp_profile'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'UPDATE ' . PROFILE_FIELDS_TABLE . "
SET field_active = 0
WHERE field_id = $field_id";
@@ -235,6 +248,11 @@ class acp_profile
case 'move_up':
case 'move_down':
if (!check_link_hash($request->variable('hash', ''), 'acp_profile'))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
$sql = 'SELECT field_order
FROM ' . PROFILE_FIELDS_TABLE . "
WHERE field_id = $field_id";
@@ -584,6 +602,11 @@ class acp_profile
if (!sizeof($error))
{
if (!check_form_key($form_key))
{
trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING);
}
if (($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) || ($action == 'edit' && $save))
{
$this->save_profile_field($cp, $field_type, $action);
@@ -740,12 +763,12 @@ class acp_profile
'FIELD_TYPE' => $profile_field->get_name(),
'L_ACTIVATE_DEACTIVATE' => $user->lang[$active_lang],
'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id",
'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'),
'U_EDIT' => $this->u_action . "&action=edit&field_id=$id",
'U_TRANSLATE' => $this->u_action . "&action=edit&field_id=$id&step=3",
'U_DELETE' => $this->u_action . "&action=delete&field_id=$id",
'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id",
'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id",
'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'),
'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'),
'S_NEED_EDIT' => $s_need_edit)
);