[geeklog-cvs] Geeklog-1.x/public_html/admin user.php,1.204,1.205
Dirk Haun
dhaun at qs1489.pair.com
Thu May 22 08:06:08 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin
In directory qs1489.pair.com:/tmp/cvs-serv29433/public_html/admin
Modified Files:
user.php
Log Message:
More CSRF protection; also fixed a few issues with the batch import and sending of reminders
Index: user.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/user.php,v
retrieving revision 1.204
retrieving revision 1.205
diff -C2 -d -r1.204 -r1.205
*** user.php 18 May 2008 08:19:35 -0000 1.204
--- user.php 22 May 2008 12:06:06 -0000 1.205
***************
*** 361,365 ****
global $_CONF, $_TABLES, $LANG_ADMIN, $LANG28, $_IMAGE_TYPE;
! require_once( $_CONF['path_system'] . 'lib-admin.php' );
$retval = '';
--- 361,365 ----
global $_CONF, $_TABLES, $LANG_ADMIN, $LANG28, $_IMAGE_TYPE;
! require_once $_CONF['path_system'] . 'lib-admin.php';
$retval = '';
***************
*** 373,377 ****
}
! $header_arr = array( # dislay 'text' and use table field 'field'
array('text' => $LANG_ADMIN['edit'], 'field' => 'edit', 'sort' => false),
array('text' => $LANG28[37], 'field' => $_TABLES['users'] . '.uid', 'sort' => true),
--- 373,377 ----
}
! $header_arr = array( # display 'text' and use table field 'field'
array('text' => $LANG_ADMIN['edit'], 'field' => 'edit', 'sort' => false),
array('text' => $LANG28[37], 'field' => $_TABLES['users'] . '.uid', 'sort' => true),
***************
*** 674,678 ****
}
! require_once( $_CONF['path_system'] . 'lib-admin.php' );
$usr_type = '';
--- 674,678 ----
}
! require_once $_CONF['path_system'] . 'lib-admin.php';
$usr_type = '';
***************
*** 735,739 ****
$desc = $user_templates->finish($user_templates->get_var('form'));
! $header_arr = array( # dislay 'text' and use table field 'field'
array('text' => $LANG28[37], 'field' => $_TABLES['users'] . '.uid', 'sort' => true),
array('text' => $LANG28[3], 'field' => 'username', 'sort' => true),
--- 735,739 ----
$desc = $user_templates->finish($user_templates->get_var('form'));
! $header_arr = array( # display 'text' and use table field 'field'
array('text' => $LANG28[37], 'field' => $_TABLES['users'] . '.uid', 'sort' => true),
array('text' => $LANG28[3], 'field' => 'username', 'sort' => true),
***************
*** 828,844 ****
);
! $user_templates->set_var('lang_reminder',$LANG28[77]);
! $user_templates->set_var('action_reminder',$LANG28[78]);
! $user_templates->parse('test','reminder');
$form_arr['top'] = $user_templates->get_var('test');
! $display .= ADMIN_list ("user", "ADMIN_getListField_users", $header_arr, $text_arr,
! $query_arr, $defsort_arr, '', '', $listoptions,$form_arr);
// $display .= "<input type=\"hidden\" name=\"mode\" value=\"batchdeleteexec\"" . XHTML . "></form>" . LB;
- return $display;
- //
}
/**
* This function deletes the users selected in the batchdeletelist function
--- 828,848 ----
);
! $user_templates->set_var('lang_reminder', $LANG28[77]);
! $user_templates->set_var('action_reminder', $LANG28[78]);
! $user_templates->parse('test', 'reminder');
$form_arr['top'] = $user_templates->get_var('test');
! $token = SEC_createToken();
! $form_arr['bottom'] = "<input type=\"hidden\" name=\"" . CSRF_TOKEN
! . "\" value=\"{$token}\"" . XHTML . ">";
! $display .= ADMIN_list('user', 'ADMIN_getListField_users', $header_arr,
! $text_arr, $query_arr, $defsort_arr, '', '',
! $listoptions, $form_arr);
// $display .= "<input type=\"hidden\" name=\"mode\" value=\"batchdeleteexec\"" . XHTML . "></form>" . LB;
+ return $display;
}
+
/**
* This function deletes the users selected in the batchdeletelist function
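Review bot: The hidden CSRF_TOKEN input assigned to `$form_arr['bottom']` carries no comment saying what it protects, although it is the only thing that lets this list form pass the SEC_checkToken() gates the dispatcher now puts in front of both batch modes. A one-line comment above `$token = SEC_createToken();`, such as `// CSRF token: both the batch-delete and the send-reminder submits of this form are validated with SEC_checkToken()`, would make that coupling explicit. Note also that the assignment overwrites any 'bottom' entry `$form_arr` may already hold; batchdelete starts before this hunk, so I cannot tell whether one is set earlier.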
***************
*** 850,853 ****
--- 854,858 ----
{
global $_CONF, $LANG28;
+
$msg = '';
$user_list = array();
***************
*** 872,884 ****
}
! // Since this function is used for deletion only, its necessary to say that
! // zero where deleted instead of just leaving this message away.
! COM_numberFormat($c); // just in case we have more than 999)..
$msg .= "{$LANG28[71]}: $c<br" . XHTML . ">\n";
return $msg;
}
-
/**
* This function used to send out reminders to users to access the site or account may be deleted
--- 877,889 ----
}
! // Since this function is used for deletion only, it's necessary to say that
! // zero were deleted instead of just leaving this message away.
! COM_numberFormat($c); // just in case we have more than 999 ...
$msg .= "{$LANG28[71]}: $c<br" . XHTML . ">\n";
+
return $msg;
}
/**
* This function used to send out reminders to users to access the site or account may be deleted
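Review bot: `COM_numberFormat($c);` on the line above the message discards its return value, so the `$c` interpolated into the `$LANG28[71]` message is never formatted, which defeats the purpose stated in the adjacent comment. If COM_numberFormat returns the formatted string rather than modifying its argument (its name suggests so; the function is not shown here), the line should read `$c = COM_numberFormat($c);`. The same pattern appears in batchreminders, just before the `$LANG28[80]` message in the later hunk. batchdeleteexec begins before this hunk.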
***************
*** 889,893 ****
function batchreminders()
{
! global $_CONF, $_TABLES, $LANG28;
$msg = '';
$user_list = array();
--- 894,899 ----
function batchreminders()
{
! global $_CONF, $_TABLES, $LANG04, $LANG28;
!
$msg = '';
$user_list = array();
***************
*** 897,901 ****
if (count($user_list) == 0) {
! $msg = $LANG28[79] . "<br>";
}
$c = 0;
--- 903,907 ----
if (count($user_list) == 0) {
! $msg = $LANG28[79] . '<br' . XHTML . '>';
}
$c = 0;
***************
*** 917,921 ****
$template->set_var ('username', $username);
$template->set_var ('name', COM_getDisplayName ($uid));
! $template->set_var ('lastlogin',$lasttime[0]);
$template->parse ('output', 'mail');
--- 923,927 ----
$template->set_var ('username', $username);
$template->set_var ('name', COM_getDisplayName ($uid));
! $template->set_var ('lastlogin', $lasttime[0]);
$template->parse ('output', 'mail');
***************
*** 925,935 ****
$mailtext = $LANG28[83] . "\n\n";
} else {
! $mailtext = sprintf($LANG28[82],$lasttime[0]) . "\n\n";
}
! $mailtext .= sprintf($LANG28[84],$username) . "\n";
! $mailtext .= sprintf($LANG28[85],$_CONF['site_url'] . '/users.php?mode=getpassword') . "\n\n";
}
! $subject = sprintf($LANG28[81],$_CONF['site_name']);
if ($_CONF['site_mail'] !== $_CONF['noreply_mail']) {
$mailfrom = $_CONF['noreply_mail'];
--- 931,942 ----
$mailtext = $LANG28[83] . "\n\n";
} else {
! $mailtext = sprintf($LANG28[82], $lasttime[0]) . "\n\n";
}
! $mailtext .= sprintf($LANG28[84], $username) . "\n";
! $mailtext .= sprintf($LANG28[85], $_CONF['site_url']
! . '/users.php?mode=getpassword') . "\n\n";
}
! $subject = sprintf($LANG28[81], $_CONF['site_name']);
if ($_CONF['site_mail'] !== $_CONF['noreply_mail']) {
$mailfrom = $_CONF['noreply_mail'];
***************
*** 952,958 ****
// zero where deleted instead of just leaving this message away.
COM_numberFormat($c); // just in case we have more than 999)..
! $msg .= "{$LANG28[80]}: $c<br>\n";
! return $msg;
}
--- 959,965 ----
// zero where deleted instead of just leaving this message away.
COM_numberFormat($c); // just in case we have more than 999)..
! $msg .= "{$LANG28[80]}: $c<br" . XHTML . ">\n";
+ return $msg;
}
***************
*** 967,975 ****
* prevent problems in case the list formatting is incorrect.
*
- * @param string $file file to import
* @return string HTML with success or error message
*
*/
! function importusers ($file)
{
global $_CONF, $_TABLES, $LANG04, $LANG28;
--- 974,981 ----
* prevent problems in case the list formatting is incorrect.
*
* @return string HTML with success or error message
*
*/
! function importusers()
{
global $_CONF, $_TABLES, $LANG04, $LANG28;
***************
*** 985,989 ****
// First, upload the file
! require_once ($_CONF['path_system'] . 'classes/upload.class.php');
$upload = new upload ();
--- 991,995 ----
// First, upload the file
! require_once $_CONF['path_system'] . 'classes/upload.class.php';
$upload = new upload ();
***************
*** 991,998 ****
$upload->setAllowedMimeTypes (array ('text/plain' => '.txt'));
$upload->setFileNames ('user_import_file.txt');
! if ($upload->uploadFiles ()) {
// Good, file got uploaded, now install everything
! $thefile = current ($_FILES);
$filename = $_CONF['path_data'] . 'user_import_file.txt';
} else {
// A problem occurred, print debug information
--- 997,1009 ----
$upload->setAllowedMimeTypes (array ('text/plain' => '.txt'));
$upload->setFileNames ('user_import_file.txt');
! if ($upload->uploadFiles()) {
// Good, file got uploaded, now install everything
! $thefile = current($_FILES);
$filename = $_CONF['path_data'] . 'user_import_file.txt';
+ if (!file_exists($filename)) { // empty upload form
+ $retval = COM_refresh($_CONF['site_admin_url']
+ . '/user.php?mode=importform');
+ return $retval;
+ }
} else {
// A problem occurred, print debug information
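Review bot: The new `file_exists($filename)` guard treats an empty upload form as "file absent", but `$filename` is a fixed path (`user_import_file.txt` under `path_data`), so a file left behind by an earlier import would pass the check and be imported again on an empty submit. Unless importusers unlinks `$filename` once it is done (the rest of the function is outside this hunk), it is safer to test the upload itself, e.g. `if ($_FILES['importfile']['error'] === UPLOAD_ERR_NO_FILE)` before the redirect, or to remove the file at the end of the import. `$thefile = current($_FILES);` is not used in any visible line; if the rest of the function does not use it either, it can be dropped.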
***************
*** 1000,1004 ****
$retval .= COM_startBlock ($LANG28[24], '',
COM_getBlockTemplate ('_msg_block', 'header'));
! $retval .= $upload->printErrors ();
$retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
--- 1011,1015 ----
$retval .= COM_startBlock ($LANG28[24], '',
COM_getBlockTemplate ('_msg_block', 'header'));
! $retval .= $upload->printErrors(false);
$retval .= COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
***************
*** 1044,1048 ****
addslashes ($emailAddr));
! if ($ucount == 0 && ecount == 0) {
// user doesn't already exist
$uid = USER_createAccount ($userName, $emailAddr, '',
--- 1055,1059 ----
addslashes ($emailAddr));
! if ($ucount == 0 && $ecount == 0) {
// user doesn't already exist
$uid = USER_createAccount ($userName, $emailAddr, '',
***************
*** 1093,1106 ****
*
*/
! function display_batchAddform ()
{
global $_CONF, $LANG28;
$retval = '<form action="' . $_CONF['site_admin_url']
. '/user.php" method="post" enctype="multipart/form-data"><div>'
! . $LANG28[29] . ': <input type="file" dir="ltr" name="importfile" size="40"' . XHTML . '>'
. '<input type="hidden" name="mode" value="import"' . XHTML . '>'
. '<input type="submit" name="submit" value="' . $LANG28[30]
! . '"' . XHTML . '></div></form>';
return $retval;
--- 1104,1121 ----
*
*/
! function display_batchAddform()
{
global $_CONF, $LANG28;
+ $token = SEC_createToken();
$retval = '<form action="' . $_CONF['site_admin_url']
. '/user.php" method="post" enctype="multipart/form-data"><div>'
! . $LANG28[29]
! . ': <input type="file" dir="ltr" name="importfile" size="40"'
! . XHTML . '>'
. '<input type="hidden" name="mode" value="import"' . XHTML . '>'
. '<input type="submit" name="submit" value="' . $LANG28[30]
! . '"' . XHTML . '><input type="hidden" name="' . CSRF_TOKEN
! . "\" value=\"{$token}\"" . XHTML . '></div></form>';
return $retval;
***************
*** 1127,1136 ****
// MAIN
$mode = '';
! if (isset ($_REQUEST['mode'])) {
$mode = $_REQUEST['mode'];
}
! if (isset($_POST["delbutton_x"])) {
! $mode = batchdeleteexec;
}
--- 1142,1151 ----
// MAIN
$mode = '';
! if (isset($_REQUEST['mode'])) {
$mode = $_REQUEST['mode'];
}
! if (isset($_POST['delbutton_x'])) {
! $mode = 'batchdeleteexec';
}
***************
*** 1153,1157 ****
$display .= COM_refresh ($_CONF['site_admin_url'] . '/user.php?msg=67');
}
! } else if (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete'])) { // delete
$uid = COM_applyFilter($_POST['uid'], true);
if ($uid <= 1) {
--- 1168,1172 ----
$display .= COM_refresh ($_CONF['site_admin_url'] . '/user.php?msg=67');
}
! } elseif (($mode == $LANG_ADMIN['delete']) && !empty ($LANG_ADMIN['delete'])) { // delete
$uid = COM_applyFilter($_POST['uid'], true);
if ($uid <= 1) {
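Review bot: The delete branch (`$mode == $LANG_ADMIN['delete']`) is the one state-changing mode in this dispatcher whose condition has no `SEC_checkToken()` call, unlike the import, reminder and batchdeleteexec branches touched by this commit. If the token is verified inside the branch body (not visible in the hunk), a short comment at the condition, `// CSRF token is verified below`, would make that evident; if it is not, the condition should mirror the others: `} elseif (($mode == $LANG_ADMIN['delete']) && !empty($LANG_ADMIN['delete']) && SEC_checkToken()) { // delete`. The branch continues past the end of the hunk.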
***************
*** 1187,1191 ****
$display = $tmp;
}
! } else if ($mode == 'edit') {
$display .= COM_siteHeader('menu', $LANG28[1]);
$msg = '';
--- 1202,1206 ----
$display = $tmp;
}
! } elseif ($mode == 'edit') {
$display .= COM_siteHeader('menu', $LANG28[1]);
$msg = '';
***************
*** 1199,1205 ****
$display .= edituser ($uid, $msg);
$display .= COM_siteFooter();
! } else if ($mode == 'import') {
! $display .= importusers ($_POST['file']);
! } else if ($mode == 'importform') {
$display .= COM_siteHeader('menu', $LANG28[24]);
$display .= COM_startBlock ($LANG28[24], '',
--- 1214,1220 ----
$display .= edituser ($uid, $msg);
$display .= COM_siteFooter();
! } elseif (($mode == 'import') && SEC_checkToken()) {
! $display .= importusers();
! } elseif ($mode == 'importform') {
$display .= COM_siteHeader('menu', $LANG28[24]);
$display .= COM_startBlock ($LANG28[24], '',
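Review bot: When `SEC_checkToken()` fails for `$mode == 'import'`, the `elseif` just evaluates false and control falls through to the remaining branches; none of them matches 'import', so the request ends in whatever the dispatcher's final `else` does (outside this hunk), and nothing records that a token check was rejected unless SEC_checkToken() logs it itself. The same applies to the reminder branch (`$mode == $LANG28[78]`) and the `batchdeleteexec` branch further down. Consider handling the rejected case explicitly, e.g. `} elseif ($mode == 'import') { $display .= SEC_checkToken() ? importusers() : COM_refresh($_CONF['site_admin_url'] . '/user.php?mode=importform'); }`, and writing a log line there so an operator can see rejected submissions.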
***************
*** 1209,1217 ****
$display .= COM_endBlock (COM_getBlockTemplate ('_admin_block', 'footer'));
$display .= COM_siteFooter();
! } else if ($mode == 'batchdelete') {
$display .= COM_siteHeader ('menu', $LANG28[54]);
$display .= batchdelete();
$display .= COM_siteFooter();
! } elseif ($mode == 'Send Reminder') {
$msg = batchreminders();
$display .= COM_siteHeader ('menu', $LANG28[11])
--- 1224,1232 ----
$display .= COM_endBlock (COM_getBlockTemplate ('_admin_block', 'footer'));
$display .= COM_siteFooter();
! } elseif ($mode == 'batchdelete') {
$display .= COM_siteHeader ('menu', $LANG28[54]);
$display .= batchdelete();
$display .= COM_siteFooter();
! } elseif (($mode == $LANG28[78]) && !empty($LANG28[78]) && SEC_checkToken()) {
$msg = batchreminders();
$display .= COM_siteHeader ('menu', $LANG28[11])
***************
*** 1219,1223 ****
. batchdelete()
. COM_siteFooter();
! } else if ($mode == 'batchdeleteexec') {
$msg = batchdeleteexec();
$display .= COM_siteHeader ('menu', $LANG28[11])
--- 1234,1238 ----
. batchdelete()
. COM_siteFooter();
! } elseif (($mode == 'batchdeleteexec') && SEC_checkToken()) {
$msg = batchdeleteexec();
$display .= COM_siteHeader ('menu', $LANG28[11])