Changeset 4508


Timestamp:
Dec 17, 2009, 11:47:31 PM (11 years ago)
Author:
plg
Message:

bug 1328: implement check_pwg_token for emails on user comments management.

The check_pwg_token and get_pwg_token functions were moved to the public side
(for use on comments.php)

The email sent to admins on a new user comment does not directly include
validate/delete actions.

Location:
branches/2.0
Files:
4 edited

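--- a/branches/2.0/admin/include/functions.php
+++ b/branches/2.0/admin/include/functions.php
@@ -23,37 +23,4 @@
 
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token
- */
-function check_pwg_token()
-{
-  $valid_token = get_pwg_token();
-  $given_token = null;
-
-  if (!empty($_POST['pwg_token']))
-  {
-    $given_token = $_POST['pwg_token'];
-  }
-  elseif (!empty($_GET['pwg_token']))
-  {
-    $given_token = $_GET['pwg_token'];
-  }
-  if ($given_token != $valid_token)
-  {
-    access_denied();   
-  }
-}
-
-function get_pwg_token()
-{
-  global $conf;
-
-  return hash_hmac('md5', session_id(), $conf['secret_key']);
-}
 
 // The function delete_site deletes a site and call the function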
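--- a/branches/2.0/comments.php
+++ b/branches/2.0/comments.php
@@ -114,4 +114,24 @@
 }
 
+// search a specific comment (if you're coming directly from an admin
+// notification email)
+if (!empty($_GET['comment_id']))
+{
+  check_input_parameter('comment_id', $_GET['comment_id'], false, PATTERN_ID);
+
+  // currently, the $_GET['comment_id'] is only used by admins from email
+  // for management purpose (validate/delete)
+  if (!is_admin())
+  {
+    $login_url =
+      get_root_url().'identification.php?redirect='
+      .urlencode(urlencode($_SERVER['REQUEST_URI']))
+      ;
+    redirect($login_url);
+  }
+
+  $page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];
+}
+
 // search a substring among comments content
 if (!empty($_GET['keyword']))
@@ -153,26 +173,44 @@
 // |                         comments management                           |
 // +-----------------------------------------------------------------------+
-if (isset($_GET['delete']) and is_numeric($_GET['delete'])
-      and !is_adviser() )
-{// comments deletion
-  check_status(ACCESS_ADMINISTRATOR);
-  $query = '
-DELETE FROM '.COMMENTS_TABLE.'
-  WHERE id='.$_GET['delete'].'
-;';
-  pwg_query($query);
-}
-
-if (isset($_GET['validate']) and is_numeric($_GET['validate'])
-      and !is_adviser() )
-{  // comments validation
-  check_status(ACCESS_ADMINISTRATOR);
-  $query = '
+
+if (isset($_GET['delete']) or isset($_GET['validate']))
+{
+  check_pwg_token();
+ 
+  if (!is_adviser())
+  {
+    check_status(ACCESS_ADMINISTRATOR);
+
+    if (isset($_GET['delete']))
+    {
+      check_input_parameter('delete', $_GET['delete'], false, PATTERN_ID);
+     
+      $query = '
+DELETE
+  FROM '.COMMENTS_TABLE.'
+  WHERE id = '.$_GET['delete'].'
+;';
+      pwg_query($query);
+    }
+
+    if (isset($_GET['validate']))
+    {
+      check_input_parameter('validate', $_GET['validate'], false, PATTERN_ID);
+     
+      $query = '
 UPDATE '.COMMENTS_TABLE.'
-  SET validated = \'true\'
-  , validation_date = NOW()
-  WHERE id='.$_GET['validate'].'
-;';
-  pwg_query($query);
+  SET validated = "true"
+    , validation_date = NOW()
+  WHERE id = '.$_GET['validate'].'
+;';
+      pwg_query($query);
+    }
+
+    $redirect_url =
+      PHPWG_ROOT_PATH
+      .'comments.php'
+      .get_query_string_diff(array('delete','validate','pwg_token'));
+    redirect($redirect_url);
+  }
 }
 
@@ -269,5 +307,5 @@
 $url = PHPWG_ROOT_PATH
     .'comments.php'
-    .get_query_string_diff(array('start','delete','validate'));
+  .get_query_string_diff(array('start','delete','validate','pwg_token'));
 
 $navbar = create_navigation_bar($url,
@@ -381,14 +419,23 @@
     if ( is_admin() )
     {
-      $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate'));
-      $tpl_comment['U_DELETE'] = add_url_params($url,
-                          array('delete'=>$comment['comment_id'])
-                         );
+      $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate','pwg_token'));
+     
+      $tpl_comment['U_DELETE'] = add_url_params(
+        $url,
+        array(
+          'delete' => $comment['comment_id'],
+          'pwg_token' => get_pwg_token(),
+          )
+        );
 
       if ($comment['validated'] != 'true')
       {
-        $tpl_comment['U_VALIDATE'] = add_url_params($url,
-                            array('validate'=>$comment['comment_id'])
-                           );
+        $tpl_comment['U_VALIDATE'] = add_url_params(
+          $url,
+          array(
+            'validate' => $comment['comment_id'],
+            'pwg_token' => get_pwg_token(),
+            )
+          );
       }
     }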
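Review bot: The validate/delete actions are still triggered by GET links, so the pwg_token that check_pwg_token() now verifies at new line 178 travels in the query string (new lines 421-429 and 433-439), where it is exposed through Referer headers, proxy and server logs and browser history; because the token is derived from the session it is only useful for that session's lifetime, but state-changing actions would be safer as POST forms carrying the token in a hidden field. Between the request parameter and the SQL at new lines 191 and 204 there is only check_input_parameter() with PATTERN_ID, whose definition is not visible here; if that pattern is anything other than a digits-only match the interpolation is injectable, and a cast such as `WHERE id = '.intval($_GET['delete']).'` is free defence in depth. When is_adviser() is true the block passes the token check and then does nothing, leaving the delete/validate parameters in the URL with no feedback or redirect — presumably intended, but worth a one-line comment on the `if (!is_adviser())` branch.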
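--- a/branches/2.0/include/functions.inc.php
+++ b/branches/2.0/include/functions.inc.php
@@ -1536,3 +1536,36 @@
   }
 }
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token
+ */
+function check_pwg_token()
+{
+  $valid_token = get_pwg_token();
+  $given_token = null;
+
+  if (!empty($_POST['pwg_token']))
+  {
+    $given_token = $_POST['pwg_token'];
+  }
+  elseif (!empty($_GET['pwg_token']))
+  {
+    $given_token = $_GET['pwg_token'];
+  }
+  if ($given_token != $valid_token)
+  {
+    access_denied();   
+  }
+}
+
+function get_pwg_token()
+{
+  global $conf;
+
+  return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
 ?>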
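Review bot: The comparison at new line 1559, `if ($given_token != $valid_token)`, is loose: a missing token leaves $given_token null and is rejected (null != a non-empty string), which is the right outcome, but the docblock at new line 1541 states the opposite ("if pwg_token is empty action doesn't require token") and should read ` * a missing or empty pwg_token is rejected like a mismatching one`. Since hash_hmac() returns a hex digest, two numeric-looking strings would be compared as numbers under `!=`; change it to `if ($given_token !== $valid_token)`, and prefer a constant-time comparison (hash_equals() on PHP 5.6+) where the supported platform allows it. get_pwg_token() has no docblock although it is now part of the public side; a line such as `/** per-session CSRF token: HMAC of session_id() under $conf['secret_key'] */` would document the only two inputs it actually depends on.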
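--- a/branches/2.0/include/functions_comment.inc.php
+++ b/branches/2.0/include/functions_comment.inc.php
@@ -167,15 +167,10 @@
     $comm['id'] = mysql_insert_id();
 
-    if
-      (
-        ($comment_action=='validate' and $conf['email_admin_on_comment'])
-        or
-        ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
-      )
+    if ($conf['email_admin_on_comment']
+        or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 
-      $del_url =
-          get_absolute_root_url().'comments.php?delete='.$comm['id'];
+      $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
 
       $keyargs_content = array
@@ -184,14 +179,11 @@
         get_l10n_args('Comment: %s', $comm['content']),
         get_l10n_args('', ''),
-        get_l10n_args('Delete: %s', $del_url)
+        get_l10n_args('Manage this user comment: %s', $comment_url)
       );
 
-      if ($comment_action!='validate')
+      if ('moderate' == $comment_action)
       {
-        $keyargs_content[] =
-          get_l10n_args('', '');
-        $keyargs_content[] =
-          get_l10n_args('Validate: %s',
-            get_absolute_root_url().'comments.php?validate='.$comm['id']);
+        $keyargs_content[] = get_l10n_args('', '');
+        $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
       }
 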
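Review bot: The condition at new lines 169-170 is not the same rule as the one it replaces and nothing documents the intended one: email_admin_on_comment now triggers a mail for every value of $comment_action (previously only for 'validate'), and email_admin_on_comment_validation only for 'moderate' (previously for anything but 'validate'), so any other action value the caller may produce — not visible here — silently stops notifying. If that is intended, a comment above the if such as `// admins are mailed for every new comment when email_admin_on_comment is set, and for comments awaiting moderation when email_admin_on_comment_validation is set` spares the next reader the same puzzle. The Yoda form `'moderate' == $comment_action` at new lines 170 and 184 is the opposite of the `$comment_action=='validate'` style used by the removed lines; either is fine, but the file should pick one. The enclosing function starts and ends outside both hunks.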