1
1
Fork 0

Merge branch 'master', remote-tracking branch 'remotes/upstream/master'

* remotes/upstream/master:
  XSRF protection and PHPdoc for mod/admin.php
  XSRF protection and PHPdoc for mod/admin.php

* master:
This commit is contained in:
Simon L'nu 2012-04-20 05:52:08 -04:00
commit 1c88a7ef5d
10 changed files with 118 additions and 39 deletions

View file

@ -4,7 +4,11 @@
* Friendica admin * Friendica admin
*/ */
require_once("include/remoteupdate.php"); require_once("include/remoteupdate.php");
/**
* @param App $a
*/
function admin_post(&$a){ function admin_post(&$a){
@ -67,6 +71,10 @@ function admin_post(&$a){
return; // NOTREACHED return; // NOTREACHED
} }
/**
* @param App $a
* @return string
*/
function admin_content(&$a) { function admin_content(&$a) {
if(!is_site_admin()) { if(!is_site_admin()) {
@ -74,7 +82,7 @@ function admin_content(&$a) {
} }
if(x($_SESSION,'submanage') && intval($_SESSION['submanage'])) if(x($_SESSION,'submanage') && intval($_SESSION['submanage']))
return; return "";
/** /**
* Side bar links * Side bar links
@ -147,6 +155,7 @@ function admin_content(&$a) {
if(is_ajax()) { if(is_ajax()) {
echo $o; echo $o;
killme(); killme();
return '';
} else { } else {
return $o; return $o;
} }
@ -155,6 +164,8 @@ function admin_content(&$a) {
/** /**
* Admin Summary Page * Admin Summary Page
* @param App $a
* @return string
*/ */
function admin_page_summary(&$a) { function admin_page_summary(&$a) {
$r = q("SELECT `page-flags`, COUNT(uid) as `count` FROM `user` GROUP BY `page-flags`"); $r = q("SELECT `page-flags`, COUNT(uid) as `count` FROM `user` GROUP BY `page-flags`");
@ -188,12 +199,15 @@ function admin_page_summary(&$a) {
/** /**
* Admin Site Page * Admin Site Page
* @param App $a
*/ */
function admin_page_site_post(&$a){ function admin_page_site_post(&$a){
if (!x($_POST,"page_site")){ if (!x($_POST,"page_site")){
return; return;
} }
check_form_security_token_redirectOnErr('/admin/site', 'admin_site');
$sitename = ((x($_POST,'sitename')) ? notags(trim($_POST['sitename'])) : ''); $sitename = ((x($_POST,'sitename')) ? notags(trim($_POST['sitename'])) : '');
$banner = ((x($_POST,'banner')) ? trim($_POST['banner']) : false); $banner = ((x($_POST,'banner')) ? trim($_POST['banner']) : false);
$language = ((x($_POST,'language')) ? notags(trim($_POST['language'])) : ''); $language = ((x($_POST,'language')) ? notags(trim($_POST['language'])) : '');
@ -298,7 +312,7 @@ function admin_page_site_post(&$a){
} else { } else {
set_config('system','directory_submit_url', $global_directory); set_config('system','directory_submit_url', $global_directory);
} }
set_config('system','directory_search_url', $global_search_url);
set_config('system','block_extended_register', $no_multi_reg); set_config('system','block_extended_register', $no_multi_reg);
set_config('system','no_openid', $no_openid); set_config('system','no_openid', $no_openid);
set_config('system','no_regfullname', $no_regfullname); set_config('system','no_regfullname', $no_regfullname);
@ -317,7 +331,11 @@ function admin_page_site_post(&$a){
return; // NOTREACHED return; // NOTREACHED
} }
/**
* @param App $a
* @return string
*/
function admin_page_site(&$a) { function admin_page_site(&$a) {
/* Installed langs */ /* Installed langs */
@ -408,6 +426,7 @@ function admin_page_site(&$a) {
'$proxy' => array('proxy', t("Proxy URL"), get_config('system','proxy'), ""), '$proxy' => array('proxy', t("Proxy URL"), get_config('system','proxy'), ""),
'$timeout' => array('timeout', t("Network timeout"), (x(get_config('system','curl_timeout'))?get_config('system','curl_timeout'):60), t("Value is in seconds. Set to 0 for unlimited (not recommended).")), '$timeout' => array('timeout', t("Network timeout"), (x(get_config('system','curl_timeout'))?get_config('system','curl_timeout'):60), t("Value is in seconds. Set to 0 for unlimited (not recommended).")),
'$form_security_token' => get_form_security_token("admin_site"),
)); ));
@ -416,11 +435,15 @@ function admin_page_site(&$a) {
/** /**
* Users admin page * Users admin page
*
* @param App $a
*/ */
function admin_page_users_post(&$a){ function admin_page_users_post(&$a){
$pending = ( x($_POST, 'pending') ? $_POST['pending'] : Array() ); $pending = ( x($_POST, 'pending') ? $_POST['pending'] : Array() );
$users = ( x($_POST, 'user') ? $_POST['user'] : Array() ); $users = ( x($_POST, 'user') ? $_POST['user'] : Array() );
check_form_security_token_redirectOnErr('/admin/users', 'admin_users');
if (x($_POST,'page_users_block')){ if (x($_POST,'page_users_block')){
foreach($users as $uid){ foreach($users as $uid){
q("UPDATE `user` SET `blocked`=1-`blocked` WHERE `uid`=%s", q("UPDATE `user` SET `blocked`=1-`blocked` WHERE `uid`=%s",
@ -452,7 +475,11 @@ function admin_page_users_post(&$a){
goaway($a->get_baseurl(true) . '/admin/users' ); goaway($a->get_baseurl(true) . '/admin/users' );
return; // NOTREACHED return; // NOTREACHED
} }
/**
* @param App $a
* @return string
*/
function admin_page_users(&$a){ function admin_page_users(&$a){
if ($a->argc>2) { if ($a->argc>2) {
$uid = $a->argv[3]; $uid = $a->argv[3];
@ -460,10 +487,11 @@ function admin_page_users(&$a){
if (count($user)==0){ if (count($user)==0){
notice( 'User not found' . EOL); notice( 'User not found' . EOL);
goaway($a->get_baseurl(true) . '/admin/users' ); goaway($a->get_baseurl(true) . '/admin/users' );
return; // NOTREACHED return ''; // NOTREACHED
} }
switch($a->argv[2]){ switch($a->argv[2]){
case "delete":{ case "delete":{
check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
// delete user // delete user
require_once("include/Contact.php"); require_once("include/Contact.php");
user_remove($uid); user_remove($uid);
@ -471,6 +499,7 @@ function admin_page_users(&$a){
notice( sprintf(t("User '%s' deleted"), $user[0]['username']) . EOL); notice( sprintf(t("User '%s' deleted"), $user[0]['username']) . EOL);
}; break; }; break;
case "block":{ case "block":{
check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
q("UPDATE `user` SET `blocked`=%d WHERE `uid`=%s", q("UPDATE `user` SET `blocked`=%d WHERE `uid`=%s",
intval( 1-$user[0]['blocked'] ), intval( 1-$user[0]['blocked'] ),
intval( $uid ) intval( $uid )
@ -479,7 +508,7 @@ function admin_page_users(&$a){
}; break; }; break;
} }
goaway($a->get_baseurl(true) . '/admin/users' ); goaway($a->get_baseurl(true) . '/admin/users' );
return; // NOTREACHED return ''; // NOTREACHED
} }
@ -555,6 +584,7 @@ function admin_page_users(&$a){
'$confirm_delete_multi' => t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'), '$confirm_delete_multi' => t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
'$confirm_delete' => t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'), '$confirm_delete' => t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
'$form_security_token' => get_form_security_token("admin_users"),
// values // // values //
'$baseurl' => $a->get_baseurl(true), '$baseurl' => $a->get_baseurl(true),
@ -567,10 +597,12 @@ function admin_page_users(&$a){
} }
/* /**
* Plugins admin page * Plugins admin page
*
* @param App $a
* @return string
*/ */
function admin_page_plugins(&$a){ function admin_page_plugins(&$a){
/** /**
@ -580,10 +612,12 @@ function admin_page_plugins(&$a){
$plugin = $a->argv[2]; $plugin = $a->argv[2];
if (!is_file("addon/$plugin/$plugin.php")){ if (!is_file("addon/$plugin/$plugin.php")){
notice( t("Item not found.") ); notice( t("Item not found.") );
return; return '';
} }
if (x($_GET,"a") && $_GET['a']=="t"){ if (x($_GET,"a") && $_GET['a']=="t"){
check_form_security_token_redirectOnErr('/admin/plugins', 'admin_themes', 't');
// Toggle plugin status // Toggle plugin status
$idx = array_search($plugin, $a->plugins); $idx = array_search($plugin, $a->plugins);
if ($idx !== false){ if ($idx !== false){
@ -597,7 +631,7 @@ function admin_page_plugins(&$a){
} }
set_config("system","addon", implode(", ",$a->plugins)); set_config("system","addon", implode(", ",$a->plugins));
goaway($a->get_baseurl(true) . '/admin/plugins' ); goaway($a->get_baseurl(true) . '/admin/plugins' );
return; // NOTREACHED return ''; // NOTREACHED
} }
// display plugin details // display plugin details
require_once('library/markdown.php'); require_once('library/markdown.php');
@ -641,7 +675,9 @@ function admin_page_plugins(&$a){
'$admin_form' => $admin_form, '$admin_form' => $admin_form,
'$function' => 'plugins', '$function' => 'plugins',
'$screenshot' => '', '$screenshot' => '',
'$readme' => $readme '$readme' => $readme,
'$form_security_token' => get_form_security_token("admin_themes"),
)); ));
} }
@ -670,10 +706,16 @@ function admin_page_plugins(&$a){
'$submit' => t('Submit'), '$submit' => t('Submit'),
'$baseurl' => $a->get_baseurl(true), '$baseurl' => $a->get_baseurl(true),
'$function' => 'plugins', '$function' => 'plugins',
'$plugins' => $plugins '$plugins' => $plugins,
'$form_security_token' => get_form_security_token("admin_themes"),
)); ));
} }
/**
* @param array $themes
* @param string $th
* @param int $result
*/
function toggle_theme(&$themes,$th,&$result) { function toggle_theme(&$themes,$th,&$result) {
for($x = 0; $x < count($themes); $x ++) { for($x = 0; $x < count($themes); $x ++) {
if($themes[$x]['name'] === $th) { if($themes[$x]['name'] === $th) {
@ -689,6 +731,11 @@ function toggle_theme(&$themes,$th,&$result) {
} }
} }
/**
* @param array $themes
* @param string $th
* @return int
*/
function theme_status($themes,$th) { function theme_status($themes,$th) {
for($x = 0; $x < count($themes); $x ++) { for($x = 0; $x < count($themes); $x ++) {
if($themes[$x]['name'] === $th) { if($themes[$x]['name'] === $th) {
@ -702,9 +749,12 @@ function theme_status($themes,$th) {
} }
return 0; return 0;
} }
/**
* @param array $themes
* @return string
*/
function rebuild_theme_table($themes) { function rebuild_theme_table($themes) {
$o = ''; $o = '';
if(count($themes)) { if(count($themes)) {
@ -720,10 +770,12 @@ function rebuild_theme_table($themes) {
} }
/* /**
* Themes admin page * Themes admin page
*
* @param App $a
* @return string
*/ */
function admin_page_themes(&$a){ function admin_page_themes(&$a){
$allowed_themes_str = get_config('system','allowed_themes'); $allowed_themes_str = get_config('system','allowed_themes');
@ -740,7 +792,7 @@ function admin_page_themes(&$a){
foreach($files as $file) { foreach($files as $file) {
$f = basename($file); $f = basename($file);
$is_experimental = intval(file_exists($file . '/experimental')); $is_experimental = intval(file_exists($file . '/experimental'));
$is_unsupported = 1-(intval(file_exists($file . '/unsupported'))); $is_supported = 1-(intval(file_exists($file . '/unsupported'))); // Is not used yet
$is_allowed = intval(in_array($f,$allowed_themes)); $is_allowed = intval(in_array($f,$allowed_themes));
$themes[] = array('name' => $f, 'experimental' => $is_experimental, 'supported' => $is_supported, 'allowed' => $is_allowed); $themes[] = array('name' => $f, 'experimental' => $is_experimental, 'supported' => $is_supported, 'allowed' => $is_allowed);
} }
@ -748,7 +800,7 @@ function admin_page_themes(&$a){
if(! count($themes)) { if(! count($themes)) {
notice( t('No themes found.')); notice( t('No themes found.'));
return; return '';
} }
/** /**
@ -759,10 +811,11 @@ function admin_page_themes(&$a){
$theme = $a->argv[2]; $theme = $a->argv[2];
if(! is_dir("view/theme/$theme")){ if(! is_dir("view/theme/$theme")){
notice( t("Item not found.") ); notice( t("Item not found.") );
return; return '';
} }
if (x($_GET,"a") && $_GET['a']=="t"){ if (x($_GET,"a") && $_GET['a']=="t"){
check_form_security_token_redirectOnErr('/admin/themes', 'admin_themes', 't');
// Toggle theme status // Toggle theme status
@ -775,7 +828,7 @@ function admin_page_themes(&$a){
set_config('system','allowed_themes',$s); set_config('system','allowed_themes',$s);
goaway($a->get_baseurl(true) . '/admin/themes' ); goaway($a->get_baseurl(true) . '/admin/themes' );
return; // NOTREACHED return ''; // NOTREACHED
} }
// display theme details // display theme details
@ -826,7 +879,9 @@ function admin_page_themes(&$a){
'$str_author' => t('Author: '), '$str_author' => t('Author: '),
'$str_maintainer' => t('Maintainer: '), '$str_maintainer' => t('Maintainer: '),
'$screenshot' => $screenshot, '$screenshot' => $screenshot,
'$readme' => $readme '$readme' => $readme,
'$form_security_token' => get_form_security_token("admin_themes"),
)); ));
} }
@ -852,17 +907,21 @@ function admin_page_themes(&$a){
'$function' => 'themes', '$function' => 'themes',
'$plugins' => $xthemes, '$plugins' => $xthemes,
'$experimental' => t('[Experimental]'), '$experimental' => t('[Experimental]'),
'$unsupported' => t('[Unsupported]') '$unsupported' => t('[Unsupported]'),
'$form_security_token' => get_form_security_token("admin_themes"),
)); ));
} }
/** /**
* Logs admin page * Logs admin page
*
* @param App $a
*/ */
function admin_page_logs_post(&$a) { function admin_page_logs_post(&$a) {
if (x($_POST,"page_logs")) { if (x($_POST,"page_logs")) {
check_form_security_token_redirectOnErr('/admin/logs', 'admin_logs');
$logfile = ((x($_POST,'logfile')) ? notags(trim($_POST['logfile'])) : ''); $logfile = ((x($_POST,'logfile')) ? notags(trim($_POST['logfile'])) : '');
$debugging = ((x($_POST,'debugging')) ? true : false); $debugging = ((x($_POST,'debugging')) ? true : false);
@ -879,7 +938,11 @@ function admin_page_logs_post(&$a) {
goaway($a->get_baseurl(true) . '/admin/logs' ); goaway($a->get_baseurl(true) . '/admin/logs' );
return; // NOTREACHED return; // NOTREACHED
} }
/**
* @param App $a
* @return string
*/
function admin_page_logs(&$a){ function admin_page_logs(&$a){
$log_choices = Array( $log_choices = Array(
@ -937,9 +1000,14 @@ readable.");
'$debugging' => array('debugging', t("Debugging"),get_config('system','debugging'), ""), '$debugging' => array('debugging', t("Debugging"),get_config('system','debugging'), ""),
'$logfile' => array('logfile', t("Log file"), get_config('system','logfile'), t("Must be writable by web server. Relative to your Friendica top-level directory.")), '$logfile' => array('logfile', t("Log file"), get_config('system','logfile'), t("Must be writable by web server. Relative to your Friendica top-level directory.")),
'$loglevel' => array('loglevel', t("Log level"), get_config('system','loglevel'), "", $log_choices), '$loglevel' => array('loglevel', t("Log level"), get_config('system','loglevel'), "", $log_choices),
'$form_security_token' => get_form_security_token("admin_logs"),
)); ));
} }
/**
* @param App $a
*/
function admin_page_remoteupdate_post(&$a) { function admin_page_remoteupdate_post(&$a) {
// this function should be called via ajax post // this function should be called via ajax post
if(!is_site_admin()) { if(!is_site_admin()) {
@ -958,6 +1026,10 @@ function admin_page_remoteupdate_post(&$a) {
killme(); killme();
} }
/**
* @param App $a
* @return string
*/
function admin_page_remoteupdate(&$a) { function admin_page_remoteupdate(&$a) {
if(!is_site_admin()) { if(!is_site_admin()) {
return login(false); return login(false);

View file

@ -2,6 +2,7 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/logs" method="post"> <form action="$baseurl/admin/logs" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
{{ inc field_checkbox.tpl with $field=$debugging }}{{ endinc }} {{ inc field_checkbox.tpl with $field=$debugging }}{{ endinc }}
{{ inc field_input.tpl with $field=$logfile }}{{ endinc }} {{ inc field_input.tpl with $field=$logfile }}{{ endinc }}

View file

@ -4,7 +4,7 @@
<ul id='pluginslist'> <ul id='pluginslist'>
{{ for $plugins as $p }} {{ for $plugins as $p }}
<li class='plugin $p.1'> <li class='plugin $p.1'>
<a class='toggleplugin' href='$baseurl/admin/$function/$p.0?a=t' title="{{if $p.1==on }}Disable{{ else }}Enable{{ endif }}" ><span class='icon $p.1'></span></a> <a class='toggleplugin' href='$baseurl/admin/$function/$p.0?a=t&amp;t=$form_security_token' title="{{if $p.1==on }}Disable{{ else }}Enable{{ endif }}" ><span class='icon $p.1'></span></a>
<a href='$baseurl/admin/$function/$p.0'><span class='name'>$p.2.name</span></a> - <span class="version">$p.2.version</span> <a href='$baseurl/admin/$function/$p.0'><span class='name'>$p.2.name</span></a> - <span class="version">$p.2.version</span>
{{ if $p.2.experimental }} $experimental {{ endif }}{{ if $p.2.unsupported }} $unsupported {{ endif }} {{ if $p.2.experimental }} $experimental {{ endif }}{{ if $p.2.unsupported }} $unsupported {{ endif }}

View file

@ -1,7 +1,7 @@
<div id='adminpage'> <div id='adminpage'>
<h1>$title - $page</h1> <h1>$title - $page</h1>
<p><span class='toggleplugin icon $status'></span> $info.name - $info.version : <a href="$baseurl/admin/$function/$plugin/?a=t">$action</a></p> <p><span class='toggleplugin icon $status'></span> $info.name - $info.version : <a href="$baseurl/admin/$function/$plugin/?a=t&amp;t=$form_security_token">$action</a></p>
<p>$info.description</p> <p>$info.description</p>
<p class="author">$str_author <p class="author">$str_author

View file

@ -38,7 +38,8 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/site" method="post"> <form action="$baseurl/admin/site" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
{{ inc field_input.tpl with $field=$sitename }}{{ endinc }} {{ inc field_input.tpl with $field=$sitename }}{{ endinc }}
{{ inc field_textarea.tpl with $field=$banner }}{{ endinc }} {{ inc field_textarea.tpl with $field=$banner }}{{ endinc }}
{{ inc field_select.tpl with $field=$language }}{{ endinc }} {{ inc field_select.tpl with $field=$language }}{{ endinc }}

View file

@ -14,6 +14,7 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/users" method="post"> <form action="$baseurl/admin/users" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
<h3>$h_pending</h3> <h3>$h_pending</h3>
{{ if $pending }} {{ if $pending }}
@ -72,8 +73,8 @@
<td class='login_date'>$u.page-flags</td> <td class='login_date'>$u.page-flags</td>
<td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
<td class="tools"> <td class="tools">
<a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
<a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon drop'></span></a> <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon drop'></span></a>
</td> </td>
</tr> </tr>
{{ endfor }} {{ endfor }}

View file

@ -14,7 +14,8 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/users" method="post"> <form action="$baseurl/admin/users" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
<h3>$h_pending</h3> <h3>$h_pending</h3>
{{ if $pending }} {{ if $pending }}
<table id='pending'> <table id='pending'>
@ -72,8 +73,8 @@
<td class='login_date'>$u.page-flags</td> <td class='login_date'>$u.page-flags</td>
<td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
<td class="tools" style="width:60px;"> <td class="tools" style="width:60px;">
<a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
<a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
</td> </td>
</tr> </tr>
{{ endfor }} {{ endfor }}

View file

@ -14,7 +14,8 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/users" method="post"> <form action="$baseurl/admin/users" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
<h3>$h_pending</h3> <h3>$h_pending</h3>
{{ if $pending }} {{ if $pending }}
<table id='pending'> <table id='pending'>
@ -72,8 +73,8 @@
<td class='login_date'>$u.page-flags</td> <td class='login_date'>$u.page-flags</td>
<td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
<td class="tools" style="width:60px;"> <td class="tools" style="width:60px;">
<a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
<a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
</td> </td>
</tr> </tr>
{{ endfor }} {{ endfor }}

View file

@ -14,6 +14,7 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/users" method="post"> <form action="$baseurl/admin/users" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
<h3>$h_pending</h3> <h3>$h_pending</h3>
{{ if $pending }} {{ if $pending }}
@ -72,8 +73,8 @@
<td class='login_date'>$u.page-flags</td> <td class='login_date'>$u.page-flags</td>
<td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
<td class="tools" style="width:60px;"> <td class="tools" style="width:60px;">
<a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
<a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
</td> </td>
</tr> </tr>
{{ endfor }} {{ endfor }}

View file

@ -14,6 +14,7 @@
<h1>$title - $page</h1> <h1>$title - $page</h1>
<form action="$baseurl/admin/users" method="post"> <form action="$baseurl/admin/users" method="post">
<input type='hidden' name='form_security_token' value='$form_security_token'>
<h3>$h_pending</h3> <h3>$h_pending</h3>
{{ if $pending }} {{ if $pending }}
@ -72,8 +73,8 @@
<td class='login_date'>$u.page-flags</td> <td class='login_date'>$u.page-flags</td>
<td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td> <td class="checkbox"><input type="checkbox" class="users_ckbx" id="id_user_$u.uid" name="user[]" value="$u.uid"/></td>
<td class="tools" style="width:60px;"> <td class="tools" style="width:60px;">
<a href="$baseurl/admin/users/block/$u.uid" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a> <a href="$baseurl/admin/users/block/$u.uid?t=$form_security_token" title='{{ if $u.blocked }}$unblock{{ else }}$block{{ endif }}'><span class='icon block {{ if $u.blocked==0 }}dim{{ endif }}'></span></a>
<a href="$baseurl/admin/users/delete/$u.uid" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a> <a href="$baseurl/admin/users/delete/$u.uid?t=$form_security_token" title='$delete' onclick="return confirm_delete('$u.name')"><span class='icon ad_drop'></span></a>
</td> </td>
</tr> </tr>
{{ endfor }} {{ endfor }}