Changeset 5195

Timestamp:

Mar 19, 2010, 11:25:39 PM (14 years ago)

Author:

plg

Message:

bug 1328: backport the pwg_token on trunk

bug 1329: backport the check_input_parameter on trunk

feature 1026: add pwg_token feature for edit/delete comment. Heavy refactoring
on this feature to make the code simpler and easier to maintain (I hope).

Location:

trunk

Files:

• admin/cat_list.php (modified) (4 diffs)
• admin/element_set.php (modified) (1 diff)
• admin/element_set_global.php (modified) (1 diff)
• admin/group_list.php (modified) (3 diffs)
• admin/include/functions.php (modified) (1 diff)
• admin/include/uploadify/uploadify.php (modified) (1 diff)
• admin/photos_add_direct.php (modified) (2 diffs)
• admin/picture_modify.php (modified) (1 diff)
• admin/plugins_list.php (modified) (5 diffs)
• admin/plugins_new.php (modified) (2 diffs)
• admin/plugins_update.php (modified) (3 diffs)
• admin/site_manager.php (modified) (3 diffs)
• admin/tags.php (modified) (2 diffs)
• admin/themes/default/template/cat_list.tpl (modified) (2 diffs)
• admin/themes/default/template/group_list.tpl (modified) (1 diff)
• admin/themes/default/template/site_manager.tpl (modified) (2 diffs)
• admin/themes/default/template/tags.tpl (modified) (1 diff)
• comments.php (modified) (5 diffs)
• feed.php (modified) (1 diff)
• include/constants.php (modified) (1 diff)
• include/functions.inc.php (modified) (1 diff)
• include/functions_comment.inc.php (modified) (4 diffs)
• include/functions_user.inc.php (modified) (1 diff)
• include/picture_comment.inc.php (modified) (2 diffs)
• picture.php (modified) (2 diffs)
• search.php (modified) (2 diffs)

trunk/admin/cat_list.php

@@ -34 +34 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST) or isset($_GET['delete']))
+{
+  check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // |                               functions                               |
@@ -65 +70 @@
 // +-----------------------------------------------------------------------+
 
+check_input_parameter('parent_id', $_GET, false, PATTERN_ID);
+
 $categories = array();
 
@@ -186 +193 @@
   'CATEGORIES_NAV'=>$navigation,
   'F_ACTION'=>$form_action,
+  'PWG_TOKEN' => get_pwg_token(),
  ));
 
@@ -261 +269 @@
   {
     $tpl_cat['U_DELETE'] = $self_url.'&delete='.$category['id'];
+    $tpl_cat['U_DELETE'].= '&pwg_token='.get_pwg_token();
   }
 

trunk/admin/element_set.php

@@ -40 +40 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('selection', $_POST, true, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          caddie management                            |

trunk/admin/element_set_global.php

@@ -43 +43 @@
 // |                         deletion form submission                      |
 // +-----------------------------------------------------------------------+
+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('del_tags', $_POST, true, PATTERN_ID);
+check_input_parameter('associate', $_POST, false, PATTERN_ID);
+check_input_parameter('dissociate', $_POST, false, PATTERN_ID);
 
 if (isset($_POST['delete']))

trunk/admin/group_list.php

@@ -33 +33 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST) or isset($_GET['delete']) or isset($_GET['toggle_is_default']))
+{
+  check_pwg_token();
+}
 
 // +-----------------------------------------------------------------------+
@@ -156 +161 @@
     'F_ADD_ACTION' => get_root_url().'admin.php?page=group_list',
     'U_HELP' => get_root_url().'popuphelp.php?page=group_list',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
@@ -192 +198 @@
       'MEMBERS' => l10n_dec('%d member', '%d members', $counter),
       'U_MEMBERS' => $members_url.$row['id'],
-      'U_DELETE' => $del_url.$row['id'],
+      'U_DELETE' => $del_url.$row['id'].'&pwg_token='.get_pwg_token(),
       'U_PERM' => $perm_url.$row['id'],
-      'U_ISDEFAULT' => $toggle_is_default_url.$row['id']
+      'U_ISDEFAULT' => $toggle_is_default_url.$row['id'].'&pwg_token='.get_pwg_token(),
       )
     );

trunk/admin/include/functions.php

@@ -23 +23 @@
 
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token 
- */
-function check_token()
-{
-  global $conf;
-
-  $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
-  $given_token = null;
-
-  if (!empty($_POST['pwg_token']))
-  {
-    $given_token = $_POST['pwg_token'];
-  }
-  elseif (!empty($_GET['pwg_token']))
-  {
-    $given_token = $_GET['pwg_token'];
-  }
-  if ($given_token != $valid_token)
-  {
-    access_denied();    
-  }
-}
 
 // The function delete_site deletes a site and call the function

trunk/admin/include/uploadify/uploadify.php

@@ -9 +9 @@
 include_once(PHPWG_ROOT_PATH.'admin/include/functions_upload.inc.php');
 
-// check_pwg_token();
+check_pwg_token();
 
 ob_start();

trunk/admin/photos_add_direct.php

@@ -31 +31 @@
 if (isset($_GET['batch']))
 {
-  check_input_parameter('batch', $_GET['batch'], false, '/^\d+(,\d+)*$/');
+  check_input_parameter('batch', $_GET, false, '/^\d+(,\d+)*$/');
 
   $query = '
@@ -348 +348 @@
       'upload_id' => md5(rand()),
       'session_id' => session_id(),
-      'pwg_token' => '1234abcd5678efgh',// get_pwg_token(),
+      'pwg_token' => get_pwg_token(),
     )
   );

trunk/admin/picture_modify.php

@@ -34 +34 @@
 check_status(ACCESS_ADMINISTRATOR);
 
+check_input_parameter('image_id', $_GET, false, PATTERN_ID);
+check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
+
 // +-----------------------------------------------------------------------+
 // |                          synchronize metadata                         |

trunk/admin/plugins_list.php

@@ -33 +33 @@
 $order = isset($_GET['order']) ? $_GET['order'] : 'name';
 $base_url = get_root_url().'admin.php?page='.$page['page'].'&order='.$order;
+$action_url = $base_url.'&plugin='.'%s'.'&pwg_token='.get_pwg_token();
 
 $plugins = new plugins();
@@ -39 +40 @@
 if (isset($_GET['action']) and isset($_GET['plugin']) and !is_adviser())
 {
+  check_pwg_token();
+  
   $page['errors'] = $plugins->perform_action($_GET['action'], $_GET['plugin']);
 
@@ -97 +100 @@
           'VERSION' => $fs_plugin['version'],
           'DESCRIPTION' => $desc,
-          'U_ACTION' => $base_url.'&plugin='.$plugin_id);
+          'U_ACTION' => sprintf($action_url, $plugin_id));
 
   if (isset($plugins->db_plugins_by_id[$plugin_id]))
@@ -116 +119 @@
 foreach($missing_plugin_ids as $plugin_id)
 {
-  $action_url = $base_url.'&plugin='.$plugin_id;
-
   $template->append( 'plugins',
       array(
@@ -123 +124 @@
         'VERSION' => $plugins->db_plugins_by_id[$plugin_id]['version'],
         'DESCRIPTION' => "ERROR: THIS PLUGIN IS MISSING BUT IT IS INSTALLED! UNINSTALL IT NOW !",
-        'U_ACTION' => $base_url.'&plugin='.$plugin_id,
+        'U_ACTION' => sprintf($action_url, $plugin_id),
         'STATE' => 'missing'
       )

trunk/admin/plugins_new.php

@@ -39 +39 @@
 if (isset($_GET['revision']) and isset($_GET['extension']) and !is_adviser())
 {
+  check_pwg_token();
+  
   $install_status = $plugins->extract_plugin_files('install', $_GET['revision'], $_GET['extension']);
 
@@ -111 +113 @@
     $url_auto_install = htmlentities($base_url)
       . '&revision=' . $plugin['revision_id']
-      . '&extension=' . $plugin['extension_id'];
+      . '&extension=' . $plugin['extension_id']
+      . '&pwg_token='.get_pwg_token()
+    ;
 
     $template->append('plugins', array(

trunk/admin/plugins_update.php

@@ -38 +38 @@
 if (isset($_GET['plugin']) and isset($_GET['revision']) and !is_adviser())
 {
+  check_pwg_token();
+  
   $plugin_id = $_GET['plugin'];
   $revision = $_GET['revision'];
@@ -49 +51 @@
       . '&revision=' . $revision
       . '&plugin=' . $plugin_id
+      . '&pwg_token='.get_pwg_token()
       . '&reactivate=true');
   }
@@ -134 +137 @@
         $url_auto_update = $base_url
           . '&revision=' . $plugin_info['revision_id']
-          . '&plugin=' . $plugin_id;
+          . '&plugin=' . $plugin_id
+          . '&pwg_token='.get_pwg_token()
+          ;
 
         $template->append('plugins_not_uptodate', array(

trunk/admin/site_manager.php

@@ -33 +33 @@
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST) or isset($_GET['action']))
+{
+  check_pwg_token();
+}
 
 /**
@@ -199 +204 @@
 }
 
-$template->assign( array(
-  'U_HELP'    => get_root_url().'popuphelp.php?page=site_manager',
-  'F_ACTION'  => get_root_url().'admin.php'
-                .get_query_string_diff( array('action','site') )
-  ) );
+$template->assign(
+  array(
+    'U_HELP'    => get_root_url().'popuphelp.php?page=site_manager',
+    'F_ACTION'  => get_root_url().'admin.php'.get_query_string_diff(array('action','site','pwg_token')),
+    'PWG_TOKEN' => get_pwg_token(),
+    )
+  );
 
 // +-----------------------------------------------------------------------+
@@ -243 +250 @@
   $base_url.= '?page=site_manager';
   $base_url.= '&site='.$row['id'];
+  $base_url.= '&pwg_token='.get_pwg_token();
   $base_url.= '&action=';
 

trunk/admin/tags.php

@@ -29 +29 @@
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
+
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
 
 // +-----------------------------------------------------------------------+
@@ -190 +195 @@
 $template->assign(
   array(
-    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );

trunk/admin/themes/default/template/cat_list.tpl

@@ -27 +27 @@
 
 <form id="addVirtual" action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     {'Add a virtual category'|@translate} : <input type="text" name="virtual_name">
@@ -39 +40 @@
 {if count($categories) }
 <form id="categoryOrdering" action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     <input class="submit" name="submitOrder" type="submit" value="{'Save order'|@translate}" {$TAG_INPUT_ENABLED}>

trunk/admin/themes/default/template/group_list.tpl

@@ -4 +4 @@
 
 <form method="post" name="add_user" action="{$F_ADD_ACTION}" class="properties">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <fieldset>
     <legend>{'Add group'|@translate}</legend>

trunk/admin/themes/default/template/site_manager.tpl

@@ -17 +17 @@
 {if isset($local_listing.CREATE)}
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     {'Create this site'|@translate}:
@@ -64 +65 @@
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
   <p>
     <label for="galleries_url" >{'Create a new site : (give its URL to create_listing_file.php)'|@translate}</label>

trunk/admin/themes/default/template/tags.tpl

@@ -4 +4 @@
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
 
   {if isset($EDIT_TAGS_LIST)}

trunk/comments.php

@@ -117 +117 @@
 }
 
+// search a specific comment (if you're coming directly from an admin
+// notification email)
+if (!empty($_GET['comment_id']))
+{
+  check_input_parameter('comment_id', $_GET, false, PATTERN_ID);
+
+  // currently, the $_GET['comment_id'] is only used by admins from email
+  // for management purpose (validate/delete)
+  if (!is_admin())
+  {
+    $login_url =
+      get_root_url().'identification.php?redirect='
+      .urlencode(urlencode($_SERVER['REQUEST_URI']))
+      ;
+    redirect($login_url);
+  }
+
+  $page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];
+}
+
 // search a substring among comments content
 if (!empty($_GET['keyword']))
@@ -156 +176 @@
 // |                         comments management                           |
 // +-----------------------------------------------------------------------+
-if (isset($_GET['delete']) and is_numeric($_GET['delete'])
-    and (is_admin() || $conf['user_can_delete_comment']))
-{// comments deletion
-  delete_user_comment($_GET['delete']);
-}
-
-if (isset($_GET['validate']) and is_numeric($_GET['validate'])
-      and !is_adviser() )
-{  // comments validation
-  check_status(ACCESS_ADMINISTRATOR);
-  $query = '
-UPDATE '.COMMENTS_TABLE.'
-  SET validated = \'true\'
-  , validation_date = NOW()
-  WHERE id='.$_GET['validate'].'
-;';
-  pwg_query($query);
-}
-
-if (isset($_GET['edit']) and is_numeric($_GET['edit'])
-    and (is_admin() || $conf['user_can_edit_comment']))
-{
-  if (!empty($_POST['content']))
+
+$comment_id = null;
+$action = null;
+
+$actions = array('delete', 'validate', 'edit');
+foreach ($actions as $loop_action)
+{
+  if (isset($_GET[$loop_action]))
   {
-    update_user_comment(array('comment_id' => $_GET['edit'],
-                              'image_id' => $_POST['image_id'],
-                              'content' => $_POST['content']),
-                        $_POST['key']
-                        );
-
-    $edit_comment = null;
+    $action = $loop_action;    
+    check_input_parameter($action, $_GET, false, PATTERN_ID);
+    $comment_id = $_GET[$action];
+    break;
   }
-  else
+}
+
+if (isset($action))
+{
+  check_pwg_token();
+
+  $comment_author_id = get_comment_author_id($comment_id);
+    
+  if (can_manage_comment($action, $comment_author_id))
   {
-    $edit_comment = $_GET['edit'];
+    $perform_redirect = false;
+  
+    if ('delete' == $action)
+    {
+      delete_user_comment($comment_id);
+      $perform_redirect = true;
+    }
+
+    if ('validate' == $action)
+    {
+      validate_user_comment($comment_id);
+      $perform_redirect = true;
+    }
+    
+    if ('edit' == $action)
+    {
+      if (!empty($_POST['content']))
+      {
+        update_user_comment(
+          array(
+            'comment_id' => $_GET['edit'],
+            'image_id' => $_POST['image_id'],
+            'content' => $_POST['content']
+            ),
+          $_POST['key']
+          );
+        
+        $edit_comment = null;
+      }
+      else
+      {
+        $edit_comment = $_GET['edit'];
+      }
+    }
+    
+    if ($perform_redirect)
+    {
+      $redirect_url =
+        PHPWG_ROOT_PATH
+        .'comments.php'
+        .get_query_string_diff(array('delete','validate','pwg_token'));
+      
+      redirect($redirect_url);
+    }
   }
 }
@@ -288 +341 @@
 $url = PHPWG_ROOT_PATH
     .'comments.php'
-    .get_query_string_diff(array('start','delete','validate'));
+  .get_query_string_diff(array('start','delete','validate','pwg_token'));
 
 $navbar = create_navigation_bar($url,
@@ -379 +432 @@
     // link to the full size picture
     $url = make_picture_url(
-            array(
-              'category' => $categories[ $comment['category_id'] ],
-              'image_id' => $comment['image_id'],
-              'image_file' => $elements[$comment['image_id']]['file'],
-            )
-          );
-
-    $tpl_comment =
       array(
-        'U_PICTURE' => $url,
-        'TN_SRC' => $thumbnail_src,
-        'ALT' => $name,
-        'AUTHOR' => trigger_event('render_comment_author', $comment['author']),
-        'DATE'=>format_date($comment['date'], true),
-        'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
+        'category' => $categories[ $comment['category_id'] ],
+        'image_id' => $comment['image_id'],
+        'image_file' => $elements[$comment['image_id']]['file'],
+        )
+      );
+    
+    $tpl_comment = array(
+      'U_PICTURE' => $url,
+      'TN_SRC' => $thumbnail_src,
+      'ALT' => $name,
+      'AUTHOR' => trigger_event('render_comment_author', $comment['author']),
+      'DATE'=>format_date($comment['date'], true),
+      'CONTENT'=>trigger_event('render_comment_content',$comment['content']),
+      );
+
+    if (can_manage_comment('delete', $comment['author_id']))
+    {
+      $url =
+        get_root_url()
+        .'comments.php'
+        .get_query_string_diff(array('delete','validate','edit', 'pwg_token'));
+      
+      $tpl_comment['U_DELETE'] = add_url_params(
+        $url,
+        array(
+          'delete' => $comment['comment_id'],
+          'pwg_token' => get_pwg_token(),
+          )
         );
-
-    if (can_manage_comment('delete', $comment['author_id']))
-    {
-      $url = get_root_url().'comments.php'
-        .get_query_string_diff(array('delete','validate','edit'));
-      $tpl_comment['U_DELETE'] =
-        add_url_params($url,
-                       array('delete'=>$comment['comment_id'])
-                       );
-    }
+    }
+    
     if (can_manage_comment('edit', $comment['author_id']))
     {
-      $url = get_root_url().'comments.php'
-        .get_query_string_diff(array('edit', 'delete','validate'));
-      $tpl_comment['U_EDIT'] =
-        add_url_params($url,
-                       array('edit'=>$comment['comment_id'])
-                       );
+      $url =
+        get_root_url()
+        .'comments.php'
+        .get_query_string_diff(array('edit', 'delete','validate', 'pwg_token'));
+      
+      $tpl_comment['U_EDIT'] = add_url_params(
+        $url,
+        array(
+          'edit' => $comment['comment_id'],
+          'pwg_token' => get_pwg_token(),
+          )
+        );
+      
       if (isset($edit_comment) and ($comment['comment_id'] == $edit_comment))
       {
@@ -423 +489 @@
     }
 
-    if ( is_admin() && $comment['validated'] != 'true')
-    {
-      $tpl_comment['U_VALIDATE'] =
-        add_url_params($url,
-                       array('validate'=>$comment['comment_id'])
-                       );
+    if (can_manage_comment('validate', $comment['author_id']))
+    {
+      if ('true' != $comment['validated'])
+      {
+        $tpl_comment['U_VALIDATE'] = add_url_params(
+          $url,
+          array(
+            'validate'=> $comment['comment_id'],
+            'pwg_token' => get_pwg_token(),
+            )
+          );
+      }
     }
     $template->append('comments', $tpl_comment);

trunk/feed.php

@@ -64 +64 @@
 // +-----------------------------------------------------------------------+
 
-check_input_parameter('feed', @$_GET['feed'], false, '/^[0-9a-z]{50}$/i');
+check_input_parameter('feed', $_GET, false, '/^[0-9a-z]{50}$/i');
 
 $feed_id= isset($_GET['feed']) ? $_GET['feed'] : '';

trunk/include/constants.php

@@ -40 +40 @@
 define('ACCESS_WEBMASTER', 4);
 define('ACCESS_CLOSED', 5);
+
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
 
 // Table names

trunk/include/functions.inc.php

@@ -1483 +1483 @@
   return $cache['get_icon'][$date] ? $icon : array();
 }
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+  $valid_token = get_pwg_token();
+  $given_token = null;
+
+  if (!empty($_POST['pwg_token']))
+  {
+    $given_token = $_POST['pwg_token'];
+  }
+  elseif (!empty($_GET['pwg_token']))
+  {
+    $given_token = $_GET['pwg_token'];
+  }
+  if ($given_token != $valid_token)
+  {
+    access_denied();
+  }
+}
+
+function get_pwg_token()
+{
+  global $conf;
+
+  return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
+
+/*
+ * breaks the script execution if the given value doesn't match the given
+ * pattern. This should happen only during hacking attempts.
+ *
+ * @param string param_name
+ * @param array param_array
+ * @param boolean is_array
+ * @param string pattern
+ *
+ * @return void
+ */
+function check_input_parameter($param_name, $param_array, $is_array, $pattern)
+{
+  $param_value = null;
+  if (isset($param_array[$param_name]))
+  {
+    $param_value = $param_array[$param_name];
+  }
+
+  // it's ok if the input parameter is null
+  if (empty($param_value))
+  {
+    return true;
+  }
+
+  if ($is_array)
+  {
+    if (!is_array($param_value))
+    {
+      fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+    }
+
+    foreach ($param_value as $item_to_check)
+    {
+      if (!preg_match($pattern, $item_to_check))
+      {
+        fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+      }
+    }
+  }
+  else
+  {
+    if (!preg_match($pattern, $param_value))
+    {
+      fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+    }
+  }
+}
 ?>

trunk/include/functions_comment.inc.php

@@ -171 +171 @@
     $comm['id'] = pwg_db_insert_id(COMMENTS_TABLE);
 
-    if (($comment_action=='validate' and $conf['email_admin_on_comment']) or
-        ($comment_action!='validate' and $conf['email_admin_on_comment_validation']))
+    if ($conf['email_admin_on_comment']
+        or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 
-      $del_url = get_absolute_root_url().'comments.php?delete='.$comm['id'];
+      $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
 
       $keyargs_content = array
@@ -183 +183 @@
         get_l10n_args('Comment: %s', stripslashes($comm['content']) ),
         get_l10n_args('', ''),
-        get_l10n_args('Delete: %s', $del_url)
+        get_l10n_args('Manage this user comment: %s', $comment_url)
       );
 
-      if ($comment_action!='validate')
+      if ('moderate' == $comment_action)
       {
-        $keyargs_content[] =
-          get_l10n_args('', '');
-        $keyargs_content[] =
-          get_l10n_args('Validate: %s',
-            get_absolute_root_url().'comments.php?validate='.$comm['id']);
+        $keyargs_content[] = get_l10n_args('', '');
+        $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
       }
 
@@ -213 +210 @@
  * @param comment_id
  */
-
 function delete_user_comment($comment_id) {
   $user_where_clause = '';
@@ -338 +334 @@
                                );
 }
+
+function get_comment_author_id($comment_id, $die_on_error=true)
+{
+  $query = '
+SELECT
+    author_id
+  FROM '.COMMENTS_TABLE.'
+  WHERE id = '.$comment_id.'
+;';
+  $result = pwg_query($query);
+  if (pwg_db_num_rows($result) == 0)
+  {
+    if ($die_on_error)
+    {
+      fatal_error('Unknown comment identifier');
+    }
+    else
+    {
+      return false;
+    }
+  }
+  
+  list($author_id) = pwg_db_fetch_row($result);
+
+  return $author_id;
+}
+
+function validate_user_comment($comment_id)
+{
+  $query = '
+UPDATE '.COMMENTS_TABLE.'
+  SET validated = "true"
+    , validation_date = NOW()
+  WHERE id = '.$comment_id.'
+;';
+  pwg_query($query);
+}
 ?>

trunk/include/functions_user.inc.php

@@ -1247 +1247 @@
 
 /*
- * Return if current user can edit/delete a comment
- * @param action edit/delete
+ * Return if current user can edit/delete/validate a comment
+ * @param action edit/delete/validate
  * @return bool
  */
 function can_manage_comment($action, $comment_author_id)
 {
-  if (!in_array($action, array('delete','edit'))) {
+  global $user, $conf;
+  
+  if (is_a_guest())
+  {
     return false;
   }
-  return (is_admin() ||
-          (($GLOBALS['user']['id'] == $comment_author_id)
-           && !is_a_guest()
-           && $GLOBALS['conf'][sprintf('user_can_%s_comment', $action)]));
+  
+  if (!in_array($action, array('delete','edit', 'validate')))
+  {
+    return false;
+  }
+
+  if (is_admin())
+  {
+    return true;
+  }
+
+  if ('edit' == $action and $conf['user_can_edit_comment'])
+  {
+    if ($comment_author_id == $user['id']) {
+      return true;
+    }
+  }
+
+  if ('delete' == $action and $conf['user_can_delete_comment'])
+  {
+    if ($comment_author_id == $user['id']) {
+      return true;
+    }
+  }
+
+  return false;
 }
 

trunk/include/picture_comment.inc.php

@@ -167 +167 @@
       if (can_manage_comment('delete', $row['author_id']))
       {
-        $tpl_comment['U_DELETE'] =
-          add_url_params($url_self,
-                         array(
-                           'action'=>'delete_comment',
-                           'comment_to_delete'=>$row['id']
-                               )
-                         );
+        $tpl_comment['U_DELETE'] = add_url_params(
+          $url_self,
+          array(
+            'action'=>'delete_comment',
+            'comment_to_delete'=>$row['id'],
+            'pwg_token' => get_pwg_token(),
+            )
+          );
       }
       if (can_manage_comment('edit', $row['author_id']))
       {
-        $tpl_comment['U_EDIT'] =
-          add_url_params($url_self,
-                         array(
-                           'action'=>'edit_comment',
-                           'comment_to_edit'=>$row['id']
-                               )
-                         );
+        $tpl_comment['U_EDIT'] = add_url_params(
+          $url_self,
+          array(
+            'action'=>'edit_comment',
+            'comment_to_edit'=>$row['id'],
+            'pwg_token' => get_pwg_token(),
+            )
+          );
         if (isset($edit_comment) and ($row['id'] == $edit_comment))
         {
@@ -196 +198 @@
         if ($row['validated'] != 'true')
         {
-          $tpl_comment['U_VALIDATE'] =
-            add_url_params($url_self,
-                           array('action' => 'validate_comment',
-                                 'comment_to_validate' => $row['id']
-                                 )
-                           );
+          $tpl_comment['U_VALIDATE'] = add_url_params(
+            $url_self,
+            array(
+              'action' => 'validate_comment',
+              'comment_to_validate' => $row['id'],
+              'pwg_token' => get_pwg_token(),
+              )
+            );
         }
       }

trunk/picture.php

@@ -312 +312 @@
     case 'edit_comment' :
     {
+      check_pwg_token();
+  
       include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
-      if (isset($_GET['comment_to_edit'])
-          and is_numeric($_GET['comment_to_edit'])
-          and (is_admin() || $conf['user_can_edit_comment']))
+
+      check_input_parameter('comment_to_edit', $_GET, false, PATTERN_ID);
+
+      $author_id = get_comment_author_id($_GET['comment_to_edit']);
+      
+      if (can_manage_comment('edit', $author_id))
       {
         if (!empty($_POST['content']))
         {
-          update_user_comment(array('comment_id' => $_GET['comment_to_edit'],
-                  'image_id' => $page['image_id'],
-                  'content' => $_POST['content']),
-                  $_POST['key']
-                  );
+          update_user_comment(
+            array(
+              'comment_id' => $_GET['comment_to_edit'],
+              'image_id' => $page['image_id'],
+              'content' => $_POST['content']
+              ),
+            $_POST['key']
+            );
+          
           redirect($url_self);
-        } else {
+        }
+        else
+        {
           $edit_comment = $_GET['comment_to_edit'];
           break;
@@ -333 +344 @@
     case 'delete_comment' :
     {
+      check_pwg_token();
+  
       include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
-      if (isset($_GET['comment_to_delete'])
-          and is_numeric($_GET['comment_to_delete'])
-          and (is_admin() || $conf['user_can_delete_comment']))
+      
+      check_input_parameter('comment_to_delete', $_GET, false, PATTERN_ID);
+
+      $author_id = get_comment_author_id($_GET['comment_to_delete']);
+      
+      if (can_manage_comment('delete', $author_id))
       {
         delete_user_comment($_GET['comment_to_delete']);
       }
+      
       redirect($url_self);
     }
     case 'validate_comment' :
     {
+      check_pwg_token();
+  
       include_once(PHPWG_ROOT_PATH.'include/functions_comment.inc.php');
-      if (isset($_GET['comment_to_validate'])
-          and is_numeric($_GET['comment_to_validate'])
-          and is_admin() and !is_adviser() )
+
+      check_input_parameter('comment_to_validate', $_GET, false, PATTERN_ID);
+      
+      $author_id = get_comment_author_id($_GET['comment_to_delete']);
+      
+      if (can_manage_comment('validate', $author_id))
       {
-        $query = '
-UPDATE '.COMMENTS_TABLE.'
-  SET validated = \'true\'
-  , validation_date = NOW()
-  WHERE id='.$_GET['comment_to_validate'].'
-;';
-        pwg_query( $query );
+        validate_user_comment($_GET['comment_to_validate']);
       }
+      
       redirect($url_self);
     }

trunk/search.php

@@ -72 +72 @@
   if (isset($_POST['tags']))
   {
-    check_input_parameter('tags', $_POST['tags'], true, PATTERN_ID);
+    check_input_parameter('tags', $_POST, true, PATTERN_ID);
     
     $search['fields']['tags'] = array(
@@ -93 +93 @@
   if (isset($_POST['cat']))
   {
-    check_input_parameter('cat', $_POST['cat'], true, PATTERN_ID);
+    check_input_parameter('cat', $_POST, true, PATTERN_ID);
     
     $search['fields']['cat'] = array(