diff --git a/web/concrete/controllers/single_page/dashboard/pages/themes.php b/web/concrete/controllers/single_page/dashboard/pages/themes.php index 19184c7f34d..8686721d2df 100644 --- a/web/concrete/controllers/single_page/dashboard/pages/themes.php +++ b/web/concrete/controllers/single_page/dashboard/pages/themes.php @@ -33,13 +33,18 @@ public function view() { } public function save_mobile_theme() { - $pt = PageTheme::getByID($this->post('MOBILE_THEME_ID')); - if (is_object($pt)) { - Config::save('concrete.misc.mobile_theme_id', $pt->getThemeID()); + if ($this->token->validate('save_mobile_theme')) { + $pt = PageTheme::getByID($this->post('MOBILE_THEME_ID')); + if (is_object($pt)) { + Config::save('concrete.misc.mobile_theme_id', $pt->getThemeID()); + } else { + Config::save('concrete.misc.mobile_theme_id', 0); + } + $this->redirect('/dashboard/pages/themes', 'mobile_theme_saved'); } else { - Config::save('concrete.misc.mobile_theme_id', 0); + $this->error->add(t('Invalid CSRF token. Please refresh and try again.')); + $this->view(); } - $this->redirect('/dashboard/pages/themes', 'mobile_theme_saved'); } public function mobile_theme_saved() { diff --git a/web/concrete/controllers/single_page/dashboard/system/attributes/types.php b/web/concrete/controllers/single_page/dashboard/system/attributes/types.php index b9ec288dae9..c0bb0cec830 100644 --- a/web/concrete/controllers/single_page/dashboard/system/attributes/types.php +++ b/web/concrete/controllers/single_page/dashboard/system/attributes/types.php @@ -9,7 +9,7 @@ use Loader; class Types extends DashboardPageController { - + public function add_attribute_type() { $pat = PendingType::getByHandle($this->post('atHandle')); if (is_object($pat)) { 
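Review bot: The CSRF failure message `t('Invalid CSRF token. Please refresh and try again.')` is hand-written in the else branch of `save_mobile_theme()` and repeated in the types.php, accessibility.php, points.php, bulk.php and jobs.php hunks of this diff, while the existing job-set actions in jobs.php already report `$this->error->add($this->token->getErrorMessage());`. Using the token helper's own message everywhere keeps the wording in one place and lets it change with the helper; here the else branch would become `$this->error->add($this->token->getErrorMessage());`. The control flow itself is sound: the redirect now only happens after a validated request, and the invalid case falls through to `view()` so the error is rendered.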
@@ -19,18 +19,22 @@ public function add_attribute_type() { } public function save_attribute_type_associations() { - $list = Category::getList(); - foreach($list as $cat) { - $cat->clearAttributeKeyCategoryTypes(); - if (is_array($this->post($cat->getAttributeKeyCategoryHandle()))) { - foreach($this->post($cat->getAttributeKeyCategoryHandle()) as $id) { - $type = Type::getByID($id); - $cat->associateAttributeKeyType($type); - } - } - } + if ($this->token->validate('save_attribute_type_associations')) { + $list = Category::getList(); + foreach ($list as $cat) { + $cat->clearAttributeKeyCategoryTypes(); + if (is_array($this->post($cat->getAttributeKeyCategoryHandle()))) { + foreach ($this->post($cat->getAttributeKeyCategoryHandle()) as $id) { + $type = Type::getByID($id); + $cat->associateAttributeKeyType($type); + } + } + } - $this->redirect('dashboard/system/attributes/types', 'saved', 'associations_updated'); + $this->redirect('dashboard/system/attributes/types', 'saved', 'associations_updated'); + } else { + $this->error->add(t('Invalid CSRF token. Please refresh and try again.')); + } } public function saved($mode = false) { @@ -46,5 +50,5 @@ public function saved($mode = false) { } } } - -} \ No newline at end of file + +} diff --git a/web/concrete/controllers/single_page/dashboard/system/basics/accessibility.php b/web/concrete/controllers/single_page/dashboard/system/basics/accessibility.php index f2854ec3f0b..ae28812117a 100644 --- a/web/concrete/controllers/single_page/dashboard/system/basics/accessibility.php +++ b/web/concrete/controllers/single_page/dashboard/system/basics/accessibility.php 
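Review bot: The invalid-token branch at the end of `save_attribute_type_associations()` only records the error and returns, whereas the themes.php hunk calls `$this->view()` after adding the error; if `view()` sets data the template needs, the error page here renders without it, so add `$this->view();` after the `error->add` call for consistency. Inside the validated branch, `Type::getByID($id)` is still handed straight to `associateAttributeKeyType()` without an object check, so a stale or tampered id in the posted list reaches the association code; guard it with `if (is_object($type)) { $cat->associateAttributeKeyType($type); }`.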
@@ -23,6 +23,10 @@ public function saved() public function save() { + if (!$this->token->validate('accessibility')) { + $this->error->add(t('Invalid CSRF token. Please refresh and try again.')); + return $this->view(); + } Config::save('concrete.accessibility.toolbar_titles', !!Request::post('show_titles', false)); Config::save('concrete.accessibility.toolbar_large_font', !!Request::post('increase_font_size', false)); Config::save('concrete.accessibility.display_help_system', !!Request::post('display_help', false)); diff --git a/web/concrete/controllers/single_page/dashboard/system/conversations/points.php b/web/concrete/controllers/single_page/dashboard/system/conversations/points.php index 22a023a9720..3860d0f80bf 100644 --- a/web/concrete/controllers/single_page/dashboard/system/conversations/points.php +++ b/web/concrete/controllers/single_page/dashboard/system/conversations/points.php 
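Review bot: `return $this->view();` on the guard path of `save()` returns whatever `view()` yields; if `view()` has no return value (it is not shown here), a bare `$this->view(); return;` states the intent more plainly. Otherwise this early-return form is the clearest of the CSRF guards in this commit, and the nested if/else versions in themes.php, points.php and the two jobs.php schedule methods would read better in the same shape. The existing `Config::save` lines read input through the static `Request::post` rather than the `$this->post()` helper the other controllers use; not a defect, but worth aligning while the method is being touched.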
@@ -16,14 +16,22 @@ public function success() { $this->set('message', t('Rating types updated.')); } public function save() { - $db = Loader::db(); - foreach (ConversationRatingType::getList() as $crt) { - $rtID = $crt->getConversationRatingTypeID(); - $rtPoints = $this->post('rtPoints_' . $rtID); - if (is_string($rtPoints) && is_numeric($rtPoints)) { - $db->Execute('UPDATE ConversationRatingTypes SET cnvRatingTypeCommunityPoints = ? WHERE cnvRatingTypeID = ? LIMIT 1', array($rtPoints, $rtID)); + + if ($this->token->validate('conversation_points')) { + + $db = Loader::db(); + foreach (ConversationRatingType::getList() as $crt) { + $rtID = $crt->getConversationRatingTypeID(); + $rtPoints = $this->post('rtPoints_' . $rtID); + if (is_string($rtPoints) && is_numeric($rtPoints)) { + $db->Execute('UPDATE ConversationRatingTypes SET cnvRatingTypeCommunityPoints = ? WHERE cnvRatingTypeID = ? LIMIT 1', + array($rtPoints, $rtID)); + } } + $this->redirect('/dashboard/system/conversations/points', 'success'); + } else { + $this->error->add(t('Invalid CSRF token. Please refresh and try again.')); + $this->view(); } - $this->redirect('/dashboard/system/conversations/points', 'success'); } } diff --git a/web/concrete/controllers/single_page/dashboard/system/optimization/jobs.php b/web/concrete/controllers/single_page/dashboard/system/optimization/jobs.php index 7244902cb16..4f1c8a0aa79 100644 --- a/web/concrete/controllers/single_page/dashboard/system/optimization/jobs.php +++ b/web/concrete/controllers/single_page/dashboard/system/optimization/jobs.php @@ -9,7 +9,7 @@ class Jobs extends DashboardPageController { - function on_start() + function on_start() { parent::on_start(); // clear the environment overrides cache first 
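Review bot: `$rtPoints` is written to the database as the raw posted string once `is_numeric()` accepts it, and `is_numeric()` also accepts forms such as `"1e3"`, `"12.5"` and leading whitespace; if `cnvRatingTypeCommunityPoints` is an integer column (the name suggests so, but the schema is not shown) cast explicitly, `array((int) $rtPoints, $rtID)`. The parameterised `Execute()` call itself is correct, so this is about value shape rather than injection. The two blank `+` lines directly after `if ($this->token->validate('conversation_points')) {` and before `$db = Loader::db();` are stray whitespace and should be dropped.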
@@ -17,25 +17,25 @@ function on_start() $env->clearOverrideCache(); $installed = Job::getList(); - $this->set('availableJobs', Job::getAvailableList(0)); - $this->set('installedJobs', $installed); + $this->set('availableJobs', Job::getAvailableList(0)); + $this->set('installedJobs', $installed); $this->set('jobSets', JobSet::getList()); $this->set('auth', Job::generateAuth()); } - public function view() + public function view() { $this->set('jobListSelected', true); } - - public function view_sets() + + public function view_sets() { $this->set('jobSetsSelected', true); } - function install($handle = null) + function install($handle = null) { - if ($handle) + if ($handle) { Job::installByHandle($handle); $this->redirect('/dashboard/system/optimization/jobs', 'job_installed'); 
@@ -44,65 +44,70 @@ function install($handle = null) } $this->view(); } - - function uninstall($job_id = null) + + function uninstall($job_id = null, $token = null) { - if ($job_id) - { - $job = Job::getByID((int) $job_id); - if ($job) - { - if (!$job->jNotUninstallable) - { - $job->uninstall(); - $this->redirect('/dashboard/system/optimization/jobs', 'job_uninstalled'); - } else { - $this->error->add(t('This job cannot be uninstalled.')); - } - } else { - $this->error->add(t('Job not found.')); - } - } else { - $this->error->add(t('No job specified.')); - } + if ($this->token->validate('uninstall_job', $token)) { + if ($job_id) { + $job = Job::getByID((int)$job_id); + if ($job) { + if (!$job->jNotUninstallable) { + $job->uninstall(); + $this->redirect('/dashboard/system/optimization/jobs', 'job_uninstalled'); + } else { + $this->error->add(t('This job cannot be uninstalled.')); + } + } else { + $this->error->add(t('Job not found.')); + } + } else { + $this->error->add(t('No job specified.')); + } + } else { + $this->error->add(t('Invalid CSRF Token.')); + } $this->view(); } - public function job_uninstalled() + public function job_uninstalled() { $this->set('message', t('Job successfully uninstalled.')); $this->view(); } - public function job_installed() + public function job_installed() { $this->set('message', t('Job successfully installed.')); $this->view(); } - - public function reset() + + public function reset($token='') { + if (!$this->token->validate('reset_jobs', $token)) { + $this->error->add(t('Invalid CSRF token. 
Please refresh and try again.')); + return $this->view(); + } $jobs = Job::getList(); - foreach($jobs as $j) + foreach($jobs as $j) { $j->reset(); } $this->redirect('/dashboard/system/optimization/jobs', 'reset_complete'); } - public function reset_complete() + public function reset_complete() { $this->set('message', t('All running jobs have been reset.')); $this->view(); } - public function set_added() + public function set_added() { $this->set('success', t('Job set added.')); $this->set('jobSetsSelected', true); } - public function edit_set($jsID = false) + public function edit_set($jsID = false) { $this->set('jobSetsSelected', true); $js = JobSet::getByID($jsID); 
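Review bot: `uninstall()` reports `t('Invalid CSRF Token.')` while `reset()` a few lines below uses the longer 'Invalid CSRF token. Please refresh and try again.' and the job-set actions later in this file use `$this->token->getErrorMessage()`; pick one, preferably the helper's message. `reset($token='')` defaults the token to an empty string whereas `uninstall(..., $token = null)` defaults to null; if `validate()` only falls back to the request token when its argument is null, the empty-string default makes `reset` fail for callers that omit the segment, so use `$token = null` in both. Both actions presumably receive the token as a URL segment, which means a state-changing request is triggered by GET and the token ends up in browser history, referrers and access logs; a POST form whose token is read by `$this->token->validate('uninstall_job')` would avoid that, and the jobs.php template hunk at the end of this diff already builds `$uninstallToken` for such a link.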
@@ -113,164 +118,174 @@ public function edit_set($jsID = false) } } - public function update_set_jobs() + public function update_set_jobs() { - if ($this->token->validate('update_set_jobs')) - { + if ($this->token->validate('update_set_jobs')) + { $js = JobSet::getByID($this->post('jsID')); - if (!is_object($js)) + if (!is_object($js)) { $this->error->add(t('Invalid Job set.')); } - if (!$this->error->has()) + if (!$this->error->has()) { // go through and add all the attributes that aren't in another set $js->clearJobs(); - if (is_array($this->post('jID'))) + if (is_array($this->post('jID'))) { - foreach($_POST['jID'] as $jID) + foreach($_POST['jID'] as $jID) { $j = Job::getByID($jID); - if(is_object($j)) + if(is_object($j)) { $js->addJob($j); } - } + } } $this->redirect('/dashboard/system/optimization/jobs', 'set_updated'); - } - + } + } else { $this->error->add($this->token->getErrorMessage()); } $this->edit($this->post('asID')); } - - public function set_updated() + + public function set_updated() { $this->set('jobSetsSelected', true); $this->set('success', t('Job Set updated successfully.')); } - public function update_set() + public function update_set() { $this->set('jobSetsSelected', true); - if ($this->token->validate('update_set')) - { + if ($this->token->validate('update_set')) + { $js = JobSet::getByID($this->post('jsID')); - if (!is_object($js)) + if (!is_object($js)) { $this->error->add(t('Invalid Job set.')); } else { - if (!trim($this->post('jsName'))) - { + if (!trim($this->post('jsName'))) + { $this->error->add(t("Specify a name for your Job set.")); } } - - if (!$this->error->has()) + + if (!$this->error->has()) { $js->updateJobSetName($this->post('jsName')); $this->redirect('/dashboard/system/optimization/jobs', 'set_updated'); } - + } else { $this->error->add($this->token->getErrorMessage()); } } - public function set_deleted() + public function set_deleted() { $this->set('jobSetsSelected', true); $this->set('success', t('Group set deleted 
successfully.')); } - public function delete_set() + public function delete_set() { $this->set('jobSetsSelected', true); - if ($this->token->validate('delete_set')) - { + if ($this->token->validate('delete_set')) + { $js = JobSet::getByID($this->post('jsID')); - if (!$js->canDelete()) + if (!$js->canDelete()) { $this->error->add(t('You cannot delete the default Job set.')); } - if (!is_object($js)) + if (!is_object($js)) { $this->error->add(t('Invalid Job set.')); } - - if (!$this->error->has()) + + if (!$this->error->has()) { $js->delete(); $this->redirect('/dashboard/system/optimization/jobs', 'set_deleted'); - } + } $this->edit_set($this->post('jsID')); } else { $this->error->add($this->token->getErrorMessage()); } } - public function add_set() + public function add_set() { $this->set('jobSetsSelected', true); - if ($this->token->validate('add_set')) { - if (!trim($this->post('jsName'))) - { + if ($this->token->validate('add_set')) { + if (!trim($this->post('jsName'))) + { $this->error->add(t("Specify a name for your Job set.")); } - - if (!$this->error->has()) - { + + if (!$this->error->has()) + { $js = JobSet::add($this->post('jsName')); - if (is_array($_POST['jID'])) + if (is_array($_POST['jID'])) { - foreach($_POST['jID'] as $jID) + foreach($_POST['jID'] as $jID) { $j = Job::getByID($jID); - if(is_object($j)) + if(is_object($j)) { $js->addJob($j); } - } + } } $this->redirect('/dashboard/system/optimization/jobs', 'set_added'); } - + } else { $this->error->add($this->token->getErrorMessage()); } } - public function update_job_schedule() + public function update_job_schedule() { - $jID = $this->request->request->get('jID'); - $J = Job::getByID($jID); - $J->setSchedule($this->post('isScheduled'), $this->post('unit'), max(0,(int)$this->post('value'))); - $this->redirect('/dashboard/system/optimization/jobs', 'job_scheduled'); + if ($this->token->validate('update_job_schedule')) { + $jID = $this->request->request->get('jID'); + $J = Job::getByID($jID); + 
$J->setSchedule($this->post('isScheduled'), $this->post('unit'), max(0, (int)$this->post('value'))); + $this->redirect('/dashboard/system/optimization/jobs', 'job_scheduled'); + } else { + $this->error->add(t('Invalid CSRF token. Please refresh and try again.')); + $this->view(); + } } - - public function job_scheduled() + + public function job_scheduled() { $this->set('success', t('Job schedule updated successfully.')); $this->view(); } - - - public function update_set_schedule() + + + public function update_set_schedule() { - $jsID = $this->post('jsID'); - $S = JobSet::getByID($jsID); - $S->setSchedule($this->post('isScheduled'), $this->post('unit'), $this->post('value')); - - $this->redirect('/dashboard/system/optimization/jobs', 'set_scheduled'); + if ($this->token->validate('update_set_schedule')) { + $jsID = $this->post('jsID'); + $S = JobSet::getByID($jsID); + $S->setSchedule($this->post('isScheduled'), $this->post('unit'), $this->post('value')); + + $this->redirect('/dashboard/system/optimization/jobs', 'set_scheduled'); + } else { + $this->error->add(t('Invalid CSRF token. Please refresh and try again.')); + $this->view(); + } } - - public function set_scheduled() + + public function set_scheduled() { $this->set('success', t('Job Set schedule updated successfully.')); $this->view(); } -} \ No newline at end of file +} diff --git a/web/concrete/controllers/single_page/dashboard/system/seo/bulk.php b/web/concrete/controllers/single_page/dashboard/system/seo/bulk.php index 5f975737322..4615c843312 100644 --- a/web/concrete/controllers/single_page/dashboard/system/seo/bulk.php +++ b/web/concrete/controllers/single_page/dashboard/system/seo/bulk.php 
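Review bot: In `update_job_schedule()` and `update_set_schedule()`, `Job::getByID($jID)` and `JobSet::getByID($jsID)` are used immediately via `setSchedule()` without checking that an object came back, so an unknown or tampered id produces a fatal call on null even though the CSRF check now passes; guard both with an object check and an error, e.g. `if (!is_object($J)) { $this->error->add(t('Job not found.')); return $this->view(); }`. `update_set_jobs()` still ends with `$this->edit($this->post('asID'))`, but no `edit()` method is visible in this file (only `edit_set($jsID)`) and the posted id used everywhere else in that method is `jsID`; if `edit()` is not inherited the error path dies, and `$this->edit_set($this->post('jsID'));` looks like what was intended. `delete_set()` calls `$js->canDelete()` before the `is_object($js)` check, so the 'Invalid Job set' branch is never reached for a bad id; swap the two checks. `add_set()` and `update_set_jobs()` read `$_POST['jID']` directly (undefined-index notice when no job is ticked) while the rest of the file goes through `$this->post('jID')`.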
@@ -88,9 +88,15 @@ public function view() public function saveRecord() { + $cID = $this->post('cID'); + + if (!$this->token->validate('save_seo_record_' . $cID)) { + $error = t('Invalid CSRF token. Please refresh and try again.'); + return JsonResponse::create(array('message' => $error)); + } + $text = $this->app->make('helper/text'); $success = t('success'); - $cID = $this->post('cID'); $c = Page::getByID($cID); if (!$c || $c->isError()) { throw new \RuntimeException(t('Unable to find the specified page')); diff --git a/web/concrete/single_pages/dashboard/pages/themes/view.php b/web/concrete/single_pages/dashboard/pages/themes/view.php index 062ff3a8137..ad9e54ae831 100644 --- a/web/concrete/single_pages/dashboard/pages/themes/view.php +++ b/web/concrete/single_pages/dashboard/pages/themes/view.php @@ -66,6 +66,9 @@ } ?>
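Review bot: The CSRF failure in `saveRecord()` is returned as `JsonResponse::create(array('message' => $error))`, i.e. HTTP 200 carrying the same `message` key a successful save presumably uses, so an AJAX caller cannot distinguish the rejection from success without parsing the text; return a failure status, `return JsonResponse::create(array('error' => $error), 403);`, so the client's error handler fires. Because `$cID` is taken from the POST body and folded into the token name before anything checks it, an absent or non-numeric `cID` simply yields a token that never validates, which is acceptable, but casting it once up front (`$cID = (int) $this->post('cID');`) keeps the token name and the later `Page::getByID($cID)` lookup consistent. `saveRecord()` continues past the end of this hunk.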
+ output('save_mobile_theme'); + ?>

diff --git a/web/concrete/single_pages/dashboard/system/attributes/types.php b/web/concrete/single_pages/dashboard/system/attributes/types.php index 6b5baeaf05a..ac950c28b5a 100644 --- a/web/concrete/single_pages/dashboard/system/attributes/types.php +++ b/web/concrete/single_pages/dashboard/system/attributes/types.php @@ -7,9 +7,11 @@ $txt = Loader::helper('text'); $form = Loader::helper('form'); $interface = Loader::helper('concrete/ui'); +$valt = Core::make('token'); echo Loader::helper('concrete/dashboard')->getDashboardPaneHeaderWrapper(t('Attribute Type Associations'), false, 'span10 offset1');?> + output('save_attribute_type_associations'); ?> @@ -66,4 +68,4 @@ -getDashboardPaneFooterWrapper(false); \ No newline at end of file +getDashboardPaneFooterWrapper(false); diff --git a/web/concrete/single_pages/dashboard/system/basics/accessibility.php b/web/concrete/single_pages/dashboard/system/basics/accessibility.php index 405277ea5f7..303534a834a 100644 --- a/web/concrete/single_pages/dashboard/system/basics/accessibility.php +++ b/web/concrete/single_pages/dashboard/system/basics/accessibility.php @@ -1,4 +1,7 @@ + output('accessibility'); + ?>
diff --git a/web/concrete/single_pages/dashboard/system/optimization/jobs.php b/web/concrete/single_pages/dashboard/system/optimization/jobs.php index b775de979b8..ab40ffe83bf 100644 --- a/web/concrete/single_pages/dashboard/system/optimization/jobs.php +++ b/web/concrete/single_pages/dashboard/system/optimization/jobs.php @@ -5,6 +5,9 @@ /* @var $dh \Concrete\Core\Localization\Service\Date */ $dh = Core::make('helper/date'); +$token = Core::make('token'); +$uninstallToken = $token->generate('uninstall_job'); + ?>