Changeset 4508

Timestamp:

Dec 17, 2009, 11:47:31 PM (14 years ago)

Author:

plg

Message:

bug 1328: implement check_pwg_token for emails on user comments management.

The check_pwg_token and get_pwg_token functions were moved to the public side
(for use on comments.php)

The email sent to admins on new user comment does not directly includes
validate/delete actions.

Location:

branches/2.0

Files:

• admin/include/functions.php (modified) (1 diff)
• comments.php (modified) (4 diffs)
• include/functions.inc.php (modified) (1 diff)
• include/functions_comment.inc.php (modified) (2 diffs)

branches/2.0/admin/include/functions.php

@@ -23 +23 @@
 
 include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
-
-/**
- * check token comming from form posted or get params to prevent csrf attacks
- * if pwg_token is empty action doesn't require token
- * else pwg_token is compare to server token
- *
- * @return void access denied if token given is not equal to server token 
- */
-function check_pwg_token()
-{
-  $valid_token = get_pwg_token();
-  $given_token = null;
-
-  if (!empty($_POST['pwg_token']))
-  {
-    $given_token = $_POST['pwg_token'];
-  }
-  elseif (!empty($_GET['pwg_token']))
-  {
-    $given_token = $_GET['pwg_token'];
-  }
-  if ($given_token != $valid_token)
-  {
-    access_denied();    
-  }
-}
-
-function get_pwg_token()
-{
-  global $conf;
-
-  return hash_hmac('md5', session_id(), $conf['secret_key']);
-}
 
 // The function delete_site deletes a site and call the function

branches/2.0/comments.php

@@ -114 +114 @@
 }
 
+// search a specific comment (if you're coming directly from an admin
+// notification email)
+if (!empty($_GET['comment_id']))
+{
+  check_input_parameter('comment_id', $_GET['comment_id'], false, PATTERN_ID);
+
+  // currently, the $_GET['comment_id'] is only used by admins from email
+  // for management purpose (validate/delete)
+  if (!is_admin())
+  {
+    $login_url =
+      get_root_url().'identification.php?redirect='
+      .urlencode(urlencode($_SERVER['REQUEST_URI']))
+      ;
+    redirect($login_url);
+  }
+
+  $page['where_clauses'][] = 'com.id = '.$_GET['comment_id'];
+}
+
 // search a substring among comments content
 if (!empty($_GET['keyword']))
@@ -153 +173 @@
 // |                         comments management                           |
 // +-----------------------------------------------------------------------+
-if (isset($_GET['delete']) and is_numeric($_GET['delete'])
-      and !is_adviser() )
-{// comments deletion
-  check_status(ACCESS_ADMINISTRATOR);
-  $query = '
-DELETE FROM '.COMMENTS_TABLE.'
-  WHERE id='.$_GET['delete'].'
-;';
-  pwg_query($query);
-}
-
-if (isset($_GET['validate']) and is_numeric($_GET['validate'])
-      and !is_adviser() )
-{  // comments validation
-  check_status(ACCESS_ADMINISTRATOR);
-  $query = '
+
+if (isset($_GET['delete']) or isset($_GET['validate']))
+{
+  check_pwg_token();
+  
+  if (!is_adviser())
+  {
+    check_status(ACCESS_ADMINISTRATOR);
+
+    if (isset($_GET['delete']))
+    {
+      check_input_parameter('delete', $_GET['delete'], false, PATTERN_ID);
+      
+      $query = '
+DELETE
+  FROM '.COMMENTS_TABLE.'
+  WHERE id = '.$_GET['delete'].'
+;';
+      pwg_query($query);
+    }
+
+    if (isset($_GET['validate']))
+    {
+      check_input_parameter('validate', $_GET['validate'], false, PATTERN_ID);
+      
+      $query = '
 UPDATE '.COMMENTS_TABLE.'
-  SET validated = \'true\'
-  , validation_date = NOW()
-  WHERE id='.$_GET['validate'].'
-;';
-  pwg_query($query);
+  SET validated = "true"
+    , validation_date = NOW()
+  WHERE id = '.$_GET['validate'].'
+;';
+      pwg_query($query);
+    }
+
+    $redirect_url =
+      PHPWG_ROOT_PATH
+      .'comments.php'
+      .get_query_string_diff(array('delete','validate','pwg_token'));
+    redirect($redirect_url);
+  }
 }
 
@@ -269 +307 @@
 $url = PHPWG_ROOT_PATH
     .'comments.php'
-    .get_query_string_diff(array('start','delete','validate'));
+  .get_query_string_diff(array('start','delete','validate','pwg_token'));
 
 $navbar = create_navigation_bar($url,
@@ -381 +419 @@
     if ( is_admin() )
     {
-      $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate'));
-      $tpl_comment['U_DELETE'] = add_url_params($url,
-                          array('delete'=>$comment['comment_id'])
-                         );
+      $url = get_root_url().'comments.php'.get_query_string_diff(array('delete','validate','pwg_token'));
+      
+      $tpl_comment['U_DELETE'] = add_url_params(
+        $url,
+        array(
+          'delete' => $comment['comment_id'],
+          'pwg_token' => get_pwg_token(),
+          )
+        );
 
       if ($comment['validated'] != 'true')
       {
-        $tpl_comment['U_VALIDATE'] = add_url_params($url,
-                            array('validate'=>$comment['comment_id'])
-                           );
+        $tpl_comment['U_VALIDATE'] = add_url_params(
+          $url,
+          array(
+            'validate' => $comment['comment_id'],
+            'pwg_token' => get_pwg_token(),
+            )
+          );
       }
     }

branches/2.0/include/functions.inc.php

@@ -1536 +1536 @@
   }
 }
+
+/**
+ * check token comming from form posted or get params to prevent csrf attacks
+ * if pwg_token is empty action doesn't require token
+ * else pwg_token is compare to server token
+ *
+ * @return void access denied if token given is not equal to server token 
+ */
+function check_pwg_token()
+{
+  $valid_token = get_pwg_token();
+  $given_token = null;
+
+  if (!empty($_POST['pwg_token']))
+  {
+    $given_token = $_POST['pwg_token'];
+  }
+  elseif (!empty($_GET['pwg_token']))
+  {
+    $given_token = $_GET['pwg_token'];
+  }
+  if ($given_token != $valid_token)
+  {
+    access_denied();    
+  }
+}
+
+function get_pwg_token()
+{
+  global $conf;
+
+  return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
 ?>

branches/2.0/include/functions_comment.inc.php

@@ -167 +167 @@
     $comm['id'] = mysql_insert_id();
 
-    if
-      (
-        ($comment_action=='validate' and $conf['email_admin_on_comment'])
-        or
-        ($comment_action!='validate' and $conf['email_admin_on_comment_validation'])
-      )
+    if ($conf['email_admin_on_comment']
+        or ($conf['email_admin_on_comment_validation'] and 'moderate' == $comment_action))
     {
       include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 
-      $del_url =
-          get_absolute_root_url().'comments.php?delete='.$comm['id'];
+      $comment_url = get_absolute_root_url().'comments.php?comment_id='.$comm['id'];
 
       $keyargs_content = array
@@ -184 +179 @@
         get_l10n_args('Comment: %s', $comm['content']),
         get_l10n_args('', ''),
-        get_l10n_args('Delete: %s', $del_url)
+        get_l10n_args('Manage this user comment: %s', $comment_url)
       );
 
-      if ($comment_action!='validate')
+      if ('moderate' == $comment_action)
       {
-        $keyargs_content[] =
-          get_l10n_args('', '');
-        $keyargs_content[] =
-          get_l10n_args('Validate: %s',
-            get_absolute_root_url().'comments.php?validate='.$comm['id']);
+        $keyargs_content[] = get_l10n_args('', '');
+        $keyargs_content[] = get_l10n_args('(!) This comment requires validation', '');
       }