Context Navigation

Changeset 4503

Timestamp:

Dec 16, 2009, 12:22:49 AM (15 years ago)

Author:

plg

Message:

bug 1328: first specific implementation of the check_pwg_token for the
admin/tags page (all actions : add/edit/delete).

The "check_token" function was renammed into check_pwg_token because the
word "token" is too much generic.

Location:

branches/2.0/admin

Files:

-                      r4502
+                      r4503
  * @return void access denied if token given is not equal to server token
  */
+function check_token()
+function check_pwg_token()
+{
+  $valid_token = get_pwg_token();
+  $given_token = null;
+  if (!empty($_POST['pwg_token']))
+  {
+    $given_token = $_POST['pwg_token'];
+  }
+  elseif (!empty($_GET['pwg_token']))
+  {
+    $given_token = $_GET['pwg_token'];
+  }
+  if ($given_token != $valid_token)
+  {
+    access_denied();
+  }
+}
+function get_pwg_token()
+{
   global $conf;
+  $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
+  $given_token = null;
+  if (!empty($_POST['pwg_token']))
+  {
+    $given_token = $_POST['pwg_token'];
+  }
+  elseif (!empty($_GET['pwg_token']))
+  {
+    $given_token = $_GET['pwg_token'];
+  }
+  if ($given_token != $valid_token)
+  {
+    access_denied();
+  }
+  return hash_hmac('md5', session_id(), $conf['secret_key']);
+}

-                      r3046
+                      r4503
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
 // +-----------------------------------------------------------------------+
 …
 $template->assign(
   array(
+    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+    'PWG_TOKEN' => get_pwg_token(),
+    )
   );

r2531	r4503
5	5
6	6	<form action="{$F_ACTION}" method="post">
	7	<input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
7	8
8	9	{if isset($EDIT_TAGS_LIST)}

Note: See TracChangeset for help on using the changeset viewer.