From 9d295272240af38fff823b867004c6959ef2cc4b Mon Sep 17 00:00:00 2001 From: bitPickups Date: Tue, 22 Aug 2023 00:33:43 +0200 Subject: [PATCH] Upload files to "/" --- fb721f8e30.patch | 1670 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1670 insertions(+) create mode 100644 fb721f8e30.patch diff --git a/fb721f8e30.patch b/fb721f8e30.patch new file mode 100644 index 000000000..2b8e3df6a --- /dev/null +++ b/fb721f8e30.patch @@ -0,0 +1,1670 @@ +From 2ce15cae1a41451b631b814c418b3b3b976d79d1 Mon Sep 17 00:00:00 2001 +From: Hypolite Petovan +Date: Tue, 8 Sep 2020 10:38:35 -0400 +Subject: [PATCH 1/3] Use router parameters in Admin modules + +- Remove 10 @TODO tags + +# Conflicts: +# src/Module/Admin/DBSync.php +# src/Module/Admin/Themes/Details.php +# src/Module/Admin/Themes/Embed.php +--- + src/Module/Admin/Addons/Details.php | 160 ++++----- + src/Module/Admin/DBSync.php | 146 ++++---- + src/Module/Admin/Queue.php | 7 +- + src/Module/Admin/Themes/Details.php | 174 ++++----- + src/Module/Admin/Themes/Embed.php | 96 ++--- + src/Module/Admin/Users.php | 337 +++++++++--------- + static/routes.config.php | 6 +- + .../templates/admin/dbsync/failed_updates.tpl | 2 +- + 8 files changed, 427 insertions(+), 501 deletions(-) + +diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php +index 8e0e14f22b..139275cfe2 100644 +--- a/src/Module/Admin/Addons/Details.php ++++ b/src/Module/Admin/Addons/Details.php +@@ -34,24 +34,20 @@ class Details extends BaseAdmin + { + parent::post($parameters); + +- $a = DI::app(); ++ $addon = Strings::sanitizeFilePathItem($parameters['addon']); + +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $addon = $a->argv[2]; +- $addon = Strings::sanitizeFilePathItem($addon); +- if (is_file('addon/' . $addon . '/' . $addon . '.php')) { +- include_once 'addon/' . $addon . '/' . $addon . '.php'; +- if (function_exists($addon . '_addon_admin_post')) { +- $func = $addon . '_addon_admin_post'; +- $func($a); +- } ++ $redirect = 'admin/addons/' . $addon; + +- DI::baseUrl()->redirect('admin/addons/' . $addon); ++ if (is_file('addon/' . $addon . '/' . $addon . '.php')) { ++ include_once 'addon/' . $addon . '/' . $addon . '.php'; ++ ++ if (function_exists($addon . '_addon_admin_post')) { ++ $func = $addon . '_addon_admin_post'; ++ $func(DI::app()); + } + } + +- DI::baseUrl()->redirect('admin/addons'); ++ DI::baseUrl()->redirect($redirect); + } + + public static function content(array $parameters = []) +@@ -62,79 +58,73 @@ class Details extends BaseAdmin + + $addons_admin = Addon::getAdminList(); + +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $addon = $a->argv[2]; +- $addon = Strings::sanitizeFilePathItem($addon); +- if (!is_file("addon/$addon/$addon.php")) { +- notice(DI::l10n()->t('Addon not found.')); +- Addon::uninstall($addon); +- DI::baseUrl()->redirect('admin/addons'); +- } +- +- if (($_GET['action'] ?? '') == 'toggle') { +- parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_themes', 't'); +- +- // Toggle addon status +- if (Addon::isEnabled($addon)) { +- Addon::uninstall($addon); +- info(DI::l10n()->t('Addon %s disabled.', $addon)); +- } else { +- Addon::install($addon); +- info(DI::l10n()->t('Addon %s enabled.', $addon)); +- } +- +- DI::baseUrl()->redirect('admin/addons/' . $addon); +- } +- +- // display addon details +- if (Addon::isEnabled($addon)) { +- $status = 'on'; +- $action = DI::l10n()->t('Disable'); +- } else { +- $status = 'off'; +- $action = DI::l10n()->t('Enable'); +- } +- +- $readme = null; +- if (is_file("addon/$addon/README.md")) { +- $readme = Markdown::convert(file_get_contents("addon/$addon/README.md"), false); +- } elseif (is_file("addon/$addon/README")) { +- $readme = '
' . file_get_contents("addon/$addon/README") . '
'; +- } +- +- $admin_form = ''; +- if (array_key_exists($addon, $addons_admin)) { +- require_once "addon/$addon/$addon.php"; +- $func = $addon . '_addon_admin'; +- $func($a, $admin_form); +- } +- +- $t = Renderer::getMarkupTemplate('admin/addons/details.tpl'); +- +- return Renderer::replaceMacros($t, [ +- '$title' => DI::l10n()->t('Administration'), +- '$page' => DI::l10n()->t('Addons'), +- '$toggle' => DI::l10n()->t('Toggle'), +- '$settings' => DI::l10n()->t('Settings'), +- '$baseurl' => DI::baseUrl()->get(true), +- +- '$addon' => $addon, +- '$status' => $status, +- '$action' => $action, +- '$info' => Addon::getInfo($addon), +- '$str_author' => DI::l10n()->t('Author: '), +- '$str_maintainer' => DI::l10n()->t('Maintainer: '), +- +- '$admin_form' => $admin_form, +- '$function' => 'addons', +- '$screenshot' => '', +- '$readme' => $readme, +- +- '$form_security_token' => parent::getFormSecurityToken('admin_themes'), +- ]); ++ $addon = Strings::sanitizeFilePathItem($parameters['addon']); ++ if (!is_file("addon/$addon/$addon.php")) { ++ notice(DI::l10n()->t('Addon not found.')); ++ Addon::uninstall($addon); ++ DI::baseUrl()->redirect('admin/addons'); + } + +- DI::baseUrl()->redirect('admin/addons'); ++ if (($_GET['action'] ?? '') == 'toggle') { ++ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't'); ++ ++ // Toggle addon status ++ if (Addon::isEnabled($addon)) { ++ Addon::uninstall($addon); ++ info(DI::l10n()->t('Addon %s disabled.', $addon)); ++ } else { ++ Addon::install($addon); ++ info(DI::l10n()->t('Addon %s enabled.', $addon)); ++ } ++ ++ DI::baseUrl()->redirect('admin/addons/' . $addon); ++ } ++ ++ // display addon details ++ if (Addon::isEnabled($addon)) { ++ $status = 'on'; ++ $action = DI::l10n()->t('Disable'); ++ } else { ++ $status = 'off'; ++ $action = DI::l10n()->t('Enable'); ++ } ++ ++ $readme = null; ++ if (is_file("addon/$addon/README.md")) { ++ $readme = Markdown::convert(file_get_contents("addon/$addon/README.md"), false); ++ } elseif (is_file("addon/$addon/README")) { ++ $readme = '
' . file_get_contents("addon/$addon/README") . '
'; ++ } ++ ++ $admin_form = ''; ++ if (array_key_exists($addon, $addons_admin)) { ++ require_once "addon/$addon/$addon.php"; ++ $func = $addon . '_addon_admin'; ++ $func($a, $admin_form); ++ } ++ ++ $t = Renderer::getMarkupTemplate('admin/addons/details.tpl'); ++ ++ return Renderer::replaceMacros($t, [ ++ '$title' => DI::l10n()->t('Administration'), ++ '$page' => DI::l10n()->t('Addons'), ++ '$toggle' => DI::l10n()->t('Toggle'), ++ '$settings' => DI::l10n()->t('Settings'), ++ '$baseurl' => DI::baseUrl()->get(true), ++ ++ '$addon' => $addon, ++ '$status' => $status, ++ '$action' => $action, ++ '$info' => Addon::getInfo($addon), ++ '$str_author' => DI::l10n()->t('Author: '), ++ '$str_maintainer' => DI::l10n()->t('Maintainer: '), ++ ++ '$admin_form' => $admin_form, ++ '$function' => 'addons', ++ '$screenshot' => '', ++ '$readme' => $readme, ++ ++ '$form_security_token' => self::getFormSecurityToken('admin_addons'), ++ ]); + } + } +diff --git a/src/Module/Admin/DBSync.php b/src/Module/Admin/DBSync.php +index dd7febcc59..36f683e087 100644 +--- a/src/Module/Admin/DBSync.php ++++ b/src/Module/Admin/DBSync.php +@@ -36,91 +36,93 @@ class DBSync extends BaseAdmin + + $a = DI::app(); + +- $o = ''; ++ $action = $parameters['action'] ?? ''; ++ $update = $parameters['update'] ?? 0; + +- if ($a->argc > 3 && $a->argv[2] === 'mark') { +- // @TODO: Replace with parameter from router +- $update = intval($a->argv[3]); +- if ($update) { +- DI::config()->set('database', 'update_' . $update, 'success'); +- $curr = DI::config()->get('system', 'build'); +- if (intval($curr) == $update) { +- DI::config()->set('system', 'build', intval($curr) + 1); ++ switch ($action) { ++ case 'mark': ++ if ($update) { ++ DI::config()->set('database', 'update_' . $update, 'success'); ++ $curr = DI::config()->get('system', 'build'); ++ if (intval($curr) == $update) { ++ DI::config()->set('system', 'build', intval($curr) + 1); ++ } ++ ++ info(DI::l10n()->t('Update has been marked successful')); + } +- info(DI::l10n()->t('Update has been marked successful') . EOL); +- } +- DI::baseUrl()->redirect('admin/dbsync'); +- } + +- if ($a->argc > 2) { +- if ($a->argv[2] === 'check') { ++ break; ++ case 'check': + // @TODO Seems like a similar logic like Update::check() + $retval = DBStructure::update($a->getBasePath(), false, true); + if ($retval === '') { +- $o .= DI::l10n()->t("Database structure update %s was successfully applied.", DB_UPDATE_VERSION) . "
"; ++ $o = DI::l10n()->t("Database structure update %s was successfully applied.", DB_UPDATE_VERSION) . "
"; + DI::config()->set('database', 'last_successful_update', DB_UPDATE_VERSION); + DI::config()->set('database', 'last_successful_update_time', time()); + } else { +- $o .= DI::l10n()->t("Executing of database structure update %s failed with error: %s", DB_UPDATE_VERSION, $retval) . "
"; +- } +- if ($a->argv[2] === 'check') { +- return $o; +- } +- } elseif (intval($a->argv[2])) { +- require_once 'update.php'; +- +- // @TODO: Replace with parameter from router +- $update = intval($a->argv[2]); +- +- $func = 'update_' . $update; +- +- if (function_exists($func)) { +- $retval = $func(); +- +- if ($retval === Update::FAILED) { +- $o .= DI::l10n()->t("Executing %s failed with error: %s", $func, $retval); +- } elseif ($retval === Update::SUCCESS) { +- $o .= DI::l10n()->t('Update %s was successfully applied.', $func); +- DI::config()->set('database', $func, 'success'); +- } else { +- $o .= DI::l10n()->t('Update %s did not return a status. Unknown if it succeeded.', $func); +- } +- } else { +- $o .= DI::l10n()->t('There was no additional update function %s that needed to be called.', $func) . "
"; +- DI::config()->set('database', $func, 'success'); ++ $o = DI::l10n()->t("Executing of database structure update %s failed with error: %s", DB_UPDATE_VERSION, $retval) . "
"; ++ } ++ ++ return $o; ++ case 'update': ++ require_once 'update.php'; ++ ++ // @TODO: Replace with parameter from router ++ if ($update) { ++ $func = 'update_' . $update; ++ ++ if (function_exists($func)) { ++ $retval = $func(); ++ ++ if ($retval === Update::FAILED) { ++ $o = DI::l10n()->t("Executing %s failed with error: %s", $func, $retval); ++ } elseif ($retval === Update::SUCCESS) { ++ $o = DI::l10n()->t('Update %s was successfully applied.', $func); ++ DI::config()->set('database', $func, 'success'); ++ } else { ++ $o = DI::l10n()->t('Update %s did not return a status. Unknown if it succeeded.', $func); ++ } ++ } else { ++ $o = DI::l10n()->t('There was no additional update function %s that needed to be called.', $func) . "
"; ++ DI::config()->set('database', $func, 'success'); ++ } ++ ++ return $o; ++ } ++ ++ break; ++ default: ++ $failed = []; ++ $configStmt = DBA::select('config', ['k', 'v'], ['cat' => 'database']); ++ while ($config = DBA::fetch($configStmt)) { ++ $upd = intval(substr($config['k'], 7)); ++ if ($upd >= 1139 && $config['v'] != 'success') { ++ $failed[] = $upd; ++ } ++ } ++ DBA::close($configStmt); ++ ++ if (!count($failed)) { ++ $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/structure_check.tpl'), [ ++ '$base' => DI::baseUrl()->get(true), ++ '$banner' => DI::l10n()->t('No failed updates.'), ++ '$check' => DI::l10n()->t('Check database structure'), ++ ]); ++ } else { ++ $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/failed_updates.tpl'), [ ++ '$base' => DI::baseUrl()->get(true), ++ '$banner' => DI::l10n()->t('Failed Updates'), ++ '$desc' => DI::l10n()->t('This does not include updates prior to 1139, which did not return a status.'), ++ '$mark' => DI::l10n()->t("Mark success \x28if update was manually applied\x29"), ++ '$apply' => DI::l10n()->t('Attempt to execute this update step automatically'), ++ '$failed' => $failed ++ ]); + } + + return $o; +- } + } + +- $failed = []; +- $configStmt = DBA::select('config', ['k', 'v'], ['cat' => 'database']); +- while ($config = DBA::fetch($configStmt)) { +- $upd = intval(substr($config['k'], 7)); +- if ($upd >= 1139 && $config['v'] != 'success') { +- $failed[] = $upd; +- } +- } +- DBA::close($configStmt); +- +- if (!count($failed)) { +- $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/structure_check.tpl'), [ +- '$base' => DI::baseUrl()->get(true), +- '$banner' => DI::l10n()->t('No failed updates.'), +- '$check' => DI::l10n()->t('Check database structure'), +- ]); +- } else { +- $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/failed_updates.tpl'), [ +- '$base' => DI::baseUrl()->get(true), +- '$banner' => DI::l10n()->t('Failed Updates'), +- '$desc' => DI::l10n()->t('This does not include updates prior to 1139, which did not return a status.'), +- '$mark' => DI::l10n()->t("Mark success \x28if update was manually applied\x29"), +- '$apply' => DI::l10n()->t('Attempt to execute this update step automatically'), +- '$failed' => $failed +- ]); +- } +- +- return $o; ++ DI::baseUrl()->redirect('admin/dbsync'); ++ return ''; + } + } +diff --git a/src/Module/Admin/Queue.php b/src/Module/Admin/Queue.php +index b6e7d122fb..7f5329dbfe 100644 +--- a/src/Module/Admin/Queue.php ++++ b/src/Module/Admin/Queue.php +@@ -42,13 +42,10 @@ class Queue extends BaseAdmin + { + parent::content($parameters); + +- $a = DI::app(); +- +- // @TODO: Replace with parameter from router +- $deferred = $a->argc > 2 && $a->argv[2] == 'deferred'; ++ $status = $parameters['status'] ?? ''; + + // get jobs from the workerqueue table +- if ($deferred) { ++ if ($status == 'deferred') { + $condition = ["NOT `done` AND `retrial` > ?", 0]; + $sub_title = DI::l10n()->t('Inspect Deferred Worker Queue'); + $info = DI::l10n()->t("This page lists the deferred worker jobs. This are jobs that couldn't be executed at the first time."); +diff --git a/src/Module/Admin/Themes/Details.php b/src/Module/Admin/Themes/Details.php +index c8d0578382..5c00c8d9d3 100644 +--- a/src/Module/Admin/Themes/Details.php ++++ b/src/Module/Admin/Themes/Details.php +@@ -30,116 +30,80 @@ use Friendica\Util\Strings; + + class Details extends BaseAdmin + { +- public static function post(array $parameters = []) +- { +- parent::post($parameters); +- +- $a = DI::app(); +- +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $theme = $a->argv[2]; +- $theme = Strings::sanitizeFilePathItem($theme); +- if (is_file("view/theme/$theme/config.php")) { +- require_once "view/theme/$theme/config.php"; +- +- if (function_exists('theme_admin_post')) { +- theme_admin_post($a); +- } +- } +- +- info(DI::l10n()->t('Theme settings updated.')); +- +- if (DI::mode()->isAjax()) { +- return; +- } +- +- DI::baseUrl()->redirect('admin/themes/' . $theme); +- } +- } +- + public static function content(array $parameters = []) + { + parent::content($parameters); + +- $a = DI::app(); +- +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $theme = $a->argv[2]; +- $theme = Strings::sanitizeFilePathItem($theme); +- if (!is_dir("view/theme/$theme")) { +- notice(DI::l10n()->t("Item not found.")); +- return ''; +- } +- +- $isEnabled = in_array($theme, Theme::getAllowedList()); +- if ($isEnabled) { +- $status = "on"; +- $action = DI::l10n()->t("Disable"); +- } else { +- $status = "off"; +- $action = DI::l10n()->t("Enable"); +- } +- +- if (!empty($_GET['action']) && $_GET['action'] == 'toggle') { +- parent::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't'); +- +- if ($isEnabled) { +- Theme::uninstall($theme); +- info(DI::l10n()->t('Theme %s disabled.', $theme)); +- } elseif (Theme::install($theme)) { +- info(DI::l10n()->t('Theme %s successfully enabled.', $theme)); +- } else { +- info(DI::l10n()->t('Theme %s failed to install.', $theme)); +- } +- +- DI::baseUrl()->redirect('admin/themes/' . $theme); +- } +- +- $readme = null; +- if (is_file("view/theme/$theme/README.md")) { +- $readme = Markdown::convert(file_get_contents("view/theme/$theme/README.md"), false); +- } elseif (is_file("view/theme/$theme/README")) { +- $readme = "
" . file_get_contents("view/theme/$theme/README") . "
"; +- } +- +- $admin_form = ''; +- if (is_file("view/theme/$theme/config.php")) { +- require_once "view/theme/$theme/config.php"; +- +- if (function_exists('theme_admin')) { +- $admin_form = ''; +- } +- } +- +- $screenshot = [Theme::getScreenshot($theme), DI::l10n()->t('Screenshot')]; +- if (!stristr($screenshot[0], $theme)) { +- $screenshot = null; +- } +- +- $t = Renderer::getMarkupTemplate('admin/addons/details.tpl'); +- return Renderer::replaceMacros($t, [ +- '$title' => DI::l10n()->t('Administration'), +- '$page' => DI::l10n()->t('Themes'), +- '$toggle' => DI::l10n()->t('Toggle'), +- '$settings' => DI::l10n()->t('Settings'), +- '$baseurl' => DI::baseUrl()->get(true), +- '$addon' => $theme, +- '$status' => $status, +- '$action' => $action, +- '$info' => Theme::getInfo($theme), +- '$function' => 'themes', +- '$admin_form' => $admin_form, +- '$str_author' => DI::l10n()->t('Author: '), +- '$str_maintainer' => DI::l10n()->t('Maintainer: '), +- '$screenshot' => $screenshot, +- '$readme' => $readme, +- +- '$form_security_token' => parent::getFormSecurityToken("admin_themes"), +- ]); ++ $theme = Strings::sanitizeFilePathItem($parameters['theme']); ++ if (!is_dir("view/theme/$theme")) { ++ notice(DI::l10n()->t("Item not found.")); ++ return ''; + } + +- DI::baseUrl()->redirect('admin/themes'); ++ $isEnabled = in_array($theme, Theme::getAllowedList()); ++ if ($isEnabled) { ++ $status = "on"; ++ $action = DI::l10n()->t("Disable"); ++ } else { ++ $status = "off"; ++ $action = DI::l10n()->t("Enable"); ++ } ++ ++ if (!empty($_GET['action']) && $_GET['action'] == 'toggle') { ++ self::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't'); ++ ++ if ($isEnabled) { ++ Theme::uninstall($theme); ++ info(DI::l10n()->t('Theme %s disabled.', $theme)); ++ } elseif (Theme::install($theme)) { ++ info(DI::l10n()->t('Theme %s successfully enabled.', $theme)); ++ } else { ++ notice(DI::l10n()->t('Theme %s failed to install.', $theme)); ++ } ++ ++ DI::baseUrl()->redirect('admin/themes/' . $theme); ++ } ++ ++ $readme = null; ++ if (is_file("view/theme/$theme/README.md")) { ++ $readme = Markdown::convert(file_get_contents("view/theme/$theme/README.md"), false); ++ } elseif (is_file("view/theme/$theme/README")) { ++ $readme = "
" . file_get_contents("view/theme/$theme/README") . "
"; ++ } ++ ++ $admin_form = ''; ++ if (is_file("view/theme/$theme/config.php")) { ++ require_once "view/theme/$theme/config.php"; ++ ++ if (function_exists('theme_admin')) { ++ $admin_form = ''; ++ } ++ } ++ ++ $screenshot = [Theme::getScreenshot($theme), DI::l10n()->t('Screenshot')]; ++ if (!stristr($screenshot[0], $theme)) { ++ $screenshot = null; ++ } ++ ++ $t = Renderer::getMarkupTemplate('admin/addons/details.tpl'); ++ return Renderer::replaceMacros($t, [ ++ '$title' => DI::l10n()->t('Administration'), ++ '$page' => DI::l10n()->t('Themes'), ++ '$toggle' => DI::l10n()->t('Toggle'), ++ '$settings' => DI::l10n()->t('Settings'), ++ '$baseurl' => DI::baseUrl()->get(true), ++ '$addon' => $theme, ++ '$status' => $status, ++ '$action' => $action, ++ '$info' => Theme::getInfo($theme), ++ '$function' => 'themes', ++ '$admin_form' => $admin_form, ++ '$str_author' => DI::l10n()->t('Author: '), ++ '$str_maintainer' => DI::l10n()->t('Maintainer: '), ++ '$screenshot' => $screenshot, ++ '$readme' => $readme, ++ ++ '$form_security_token' => self::getFormSecurityToken("admin_themes"), ++ ]); + } + } +diff --git a/src/Module/Admin/Themes/Embed.php b/src/Module/Admin/Themes/Embed.php +index 675e33c846..71824c6ccb 100644 +--- a/src/Module/Admin/Themes/Embed.php ++++ b/src/Module/Admin/Themes/Embed.php +@@ -30,15 +30,9 @@ class Embed extends BaseAdmin + { + public static function init(array $parameters = []) + { +- $a = DI::app(); +- +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $theme = $a->argv[2]; +- $theme = Strings::sanitizeFilePathItem($theme); +- if (is_file("view/theme/$theme/config.php")) { +- $a->setCurrentTheme($theme); +- } ++ $theme = Strings::sanitizeFilePathItem($parameters['theme']); ++ if (is_file("view/theme/$theme/config.php")) { ++ DI::app()->setCurrentTheme($theme); + } + } + +@@ -46,67 +40,49 @@ class Embed extends BaseAdmin + { + parent::post($parameters); + +- $a = DI::app(); +- +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $theme = $a->argv[2]; +- $theme = Strings::sanitizeFilePathItem($theme); +- if (is_file("view/theme/$theme/config.php")) { ++ $theme = Strings::sanitizeFilePathItem($parameters['theme']); ++ if (is_file("view/theme/$theme/config.php")) { ++ require_once "view/theme/$theme/config.php"; ++ if (function_exists('theme_admin_post')) { + self::checkFormSecurityTokenRedirectOnError('/admin/themes/' . $theme . '/embed?mode=minimal', 'admin_theme_settings'); +- +- require_once "view/theme/$theme/config.php"; +- +- if (function_exists('theme_admin_post')) { +- theme_admin_post($a); +- } ++ theme_admin_post(DI::app()); + } +- +- info(DI::l10n()->t('Theme settings updated.')); +- +- if (DI::mode()->isAjax()) { +- return; +- } +- +- DI::baseUrl()->redirect('admin/themes/' . $theme . '/embed?mode=minimal'); + } ++ ++ if (DI::mode()->isAjax()) { ++ return; ++ } ++ ++ DI::baseUrl()->redirect('admin/themes/' . $theme . '/embed?mode=minimal'); + } + + public static function content(array $parameters = []) + { + parent::content($parameters); + +- $a = DI::app(); +- +- if ($a->argc > 2) { +- // @TODO: Replace with parameter from router +- $theme = $a->argv[2]; +- $theme = Strings::sanitizeFilePathItem($theme); +- if (!is_dir("view/theme/$theme")) { +- notice(DI::l10n()->t('Unknown theme.')); +- return ''; +- } +- +- $admin_form = ''; +- if (is_file("view/theme/$theme/config.php")) { +- require_once "view/theme/$theme/config.php"; +- +- if (function_exists('theme_admin')) { +- $admin_form = theme_admin($a); +- } +- } +- +- // Overrides normal theme style include to strip user param to show embedded theme settings +- Renderer::$theme['stylesheet'] = 'view/theme/' . $theme . '/style.pcss'; +- +- $t = Renderer::getMarkupTemplate('admin/addons/embed.tpl'); +- return Renderer::replaceMacros($t, [ +- '$action' => '/admin/themes/' . $theme . '/embed?mode=minimal', +- '$form' => $admin_form, +- '$form_security_token' => parent::getFormSecurityToken("admin_theme_settings"), +- ]); ++ $theme = Strings::sanitizeFilePathItem($parameters['theme']); ++ if (!is_dir("view/theme/$theme")) { ++ notice(DI::l10n()->t('Unknown theme.')); ++ return ''; + } + +- return ''; ++ $admin_form = ''; ++ if (is_file("view/theme/$theme/config.php")) { ++ require_once "view/theme/$theme/config.php"; ++ ++ if (function_exists('theme_admin')) { ++ $admin_form = theme_admin(DI::app()); ++ } ++ } ++ ++ // Overrides normal theme style include to strip user param to show embedded theme settings ++ Renderer::$theme['stylesheet'] = 'view/theme/' . $theme . '/style.pcss'; ++ ++ $t = Renderer::getMarkupTemplate('admin/addons/embed.tpl'); ++ return Renderer::replaceMacros($t, [ ++ '$action' => '/admin/themes/' . $theme . '/embed?mode=minimal', ++ '$form' => $admin_form, ++ '$form_security_token' => self::getFormSecurityToken("admin_theme_settings"), ++ ]); + } + } +diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php +index dca8c9c2e6..f82f9f8c74 100644 +--- a/src/Module/Admin/Users.php ++++ b/src/Module/Admin/Users.php +@@ -101,187 +101,186 @@ class Users extends BaseAdmin + { + parent::content($parameters); + +- $a = DI::app(); ++ $action = $parameters['action'] ?? ''; ++ $uid = $parameters['uid'] ?? 0; + +- if ($a->argc > 3) { +- // @TODO: Replace with parameter from router +- $action = $a->argv[2]; +- $uid = $a->argv[3]; ++ if ($uid) { + $user = User::getById($uid, ['username', 'blocked']); + if (!DBA::isResult($user)) { + notice('User not found' . EOL); + DI::baseUrl()->redirect('admin/users'); + return ''; // NOTREACHED + } ++ } + +- switch ($action) { +- case 'delete': +- if (local_user() != $uid) { +- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); +- // delete user +- User::remove($uid); ++ switch ($action) { ++ case 'delete': ++ if (local_user() != $uid) { ++ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); ++ // delete user ++ User::remove($uid); + +- notice(DI::l10n()->t('User "%s" deleted', $user['username'])); +- } else { +- notice(DI::l10n()->t('You can\'t remove yourself')); ++ notice(DI::l10n()->t('User "%s" deleted', $user['username'])); ++ } else { ++ notice(DI::l10n()->t('You can\'t remove yourself')); ++ } ++ break; ++ case 'block': ++ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); ++ User::block($uid); ++ notice(DI::l10n()->t('User "%s" blocked', $user['username'])); ++ break; ++ case 'unblock': ++ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); ++ User::block($uid, false); ++ notice(DI::l10n()->t('User "%s" unblocked', $user['username'])); ++ break; ++ case 'allow': ++ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); ++ User::allow(Register::getPendingForUser($uid)['hash'] ?? ''); ++ notice(DI::l10n()->t('Account approved.')); ++ break; ++ case 'deny': ++ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); ++ User::deny(Register::getPendingForUser($uid)['hash'] ?? ''); ++ notice(DI::l10n()->t('Registration revoked')); ++ break; ++ default: ++ /* get pending */ ++ $pending = Register::getPending(); ++ ++ $pager = new Pager(DI::l10n(), DI::args()->getQueryString(), 100); ++ ++ $valid_orders = [ ++ 'name', ++ 'email', ++ 'register_date', ++ 'login_date', ++ 'last-item', ++ 'page-flags' ++ ]; ++ ++ $order = 'name'; ++ $order_direction = '+'; ++ if (!empty($_GET['o'])) { ++ $new_order = $_GET['o']; ++ if ($new_order[0] === '-') { ++ $order_direction = '-'; ++ $new_order = substr($new_order, 1); + } +- break; +- case 'block': +- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); +- User::block($uid); +- notice(DI::l10n()->t('User "%s" blocked', $user['username'])); +- break; +- case 'unblock': +- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); +- User::block($uid, false); +- notice(DI::l10n()->t('User "%s" unblocked', $user['username'])); +- break; +- case 'allow': +- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); +- User::allow(Register::getPendingForUser($uid)['hash'] ?? ''); +- notice(DI::l10n()->t('Account approved.')); +- break; +- case 'deny': +- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't'); +- User::deny(Register::getPendingForUser($uid)['hash'] ?? ''); +- notice(DI::l10n()->t('Registration revoked')); +- break; +- } + +- DI::baseUrl()->redirect('admin/users'); ++ if (in_array($new_order, $valid_orders)) { ++ $order = $new_order; ++ } ++ } ++ ++ $users = User::getList($pager->getStart(), $pager->getItemsPerPage(), 'all', $order, ($order_direction == '-')); ++ ++ $adminlist = explode(',', str_replace(' ', '', DI::config()->get('config', 'admin_email'))); ++ $_setup_users = function ($e) use ($adminlist) { ++ $page_types = [ ++ User::PAGE_FLAGS_NORMAL => DI::l10n()->t('Normal Account Page'), ++ User::PAGE_FLAGS_SOAPBOX => DI::l10n()->t('Soapbox Page'), ++ User::PAGE_FLAGS_COMMUNITY => DI::l10n()->t('Public Forum'), ++ User::PAGE_FLAGS_FREELOVE => DI::l10n()->t('Automatic Friend Page'), ++ User::PAGE_FLAGS_PRVGROUP => DI::l10n()->t('Private Forum') ++ ]; ++ $account_types = [ ++ User::ACCOUNT_TYPE_PERSON => DI::l10n()->t('Personal Page'), ++ User::ACCOUNT_TYPE_ORGANISATION => DI::l10n()->t('Organisation Page'), ++ User::ACCOUNT_TYPE_NEWS => DI::l10n()->t('News Page'), ++ User::ACCOUNT_TYPE_COMMUNITY => DI::l10n()->t('Community Forum'), ++ User::ACCOUNT_TYPE_RELAY => DI::l10n()->t('Relay'), ++ ]; ++ ++ $e['page_flags_raw'] = $e['page-flags']; ++ $e['page-flags'] = $page_types[$e['page-flags']]; ++ ++ $e['account_type_raw'] = ($e['page_flags_raw'] == 0) ? $e['account-type'] : -1; ++ $e['account-type'] = ($e['page_flags_raw'] == 0) ? $account_types[$e['account-type']] : ''; ++ ++ $e['register_date'] = Temporal::getRelativeDate($e['register_date']); ++ $e['login_date'] = Temporal::getRelativeDate($e['login_date']); ++ $e['lastitem_date'] = Temporal::getRelativeDate($e['last-item']); ++ $e['is_admin'] = in_array($e['email'], $adminlist); ++ $e['is_deletable'] = (intval($e['uid']) != local_user()); ++ $e['deleted'] = ($e['account_removed'] ? Temporal::getRelativeDate($e['account_expires_on']) : False); ++ ++ return $e; ++ }; ++ ++ $tmp_users = array_map($_setup_users, $users); ++ ++ // Get rid of dashes in key names, Smarty3 can't handle them ++ // and extracting deleted users ++ ++ $deleted = []; ++ $users = []; ++ foreach ($tmp_users as $user) { ++ foreach ($user as $k => $v) { ++ $newkey = str_replace('-', '_', $k); ++ $user[$newkey] = $v; ++ } ++ ++ if ($user['deleted']) { ++ $deleted[] = $user; ++ } else { ++ $users[] = $user; ++ } ++ } ++ ++ $th_users = array_map(null, [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Type')], $valid_orders); ++ ++ $t = Renderer::getMarkupTemplate('admin/users.tpl'); ++ $o = Renderer::replaceMacros($t, [ ++ // strings // ++ '$title' => DI::l10n()->t('Administration'), ++ '$page' => DI::l10n()->t('Users'), ++ '$submit' => DI::l10n()->t('Add User'), ++ '$select_all' => DI::l10n()->t('select all'), ++ '$h_pending' => DI::l10n()->t('User registrations waiting for confirm'), ++ '$h_deleted' => DI::l10n()->t('User waiting for permanent deletion'), ++ '$th_pending' => [DI::l10n()->t('Request date'), DI::l10n()->t('Name'), DI::l10n()->t('Email')], ++ '$no_pending' => DI::l10n()->t('No registrations.'), ++ '$pendingnotetext' => DI::l10n()->t('Note from the user'), ++ '$approve' => DI::l10n()->t('Approve'), ++ '$deny' => DI::l10n()->t('Deny'), ++ '$delete' => DI::l10n()->t('Delete'), ++ '$block' => DI::l10n()->t('Block'), ++ '$blocked' => DI::l10n()->t('User blocked'), ++ '$unblock' => DI::l10n()->t('Unblock'), ++ '$siteadmin' => DI::l10n()->t('Site admin'), ++ '$accountexpired' => DI::l10n()->t('Account expired'), ++ ++ '$h_users' => DI::l10n()->t('Users'), ++ '$h_newuser' => DI::l10n()->t('New User'), ++ '$th_deleted' => [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Permanent deletion')], ++ '$th_users' => $th_users, ++ '$order_users' => $order, ++ '$order_direction_users' => $order_direction, ++ ++ '$confirm_delete_multi' => DI::l10n()->t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'), ++ '$confirm_delete' => DI::l10n()->t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'), ++ ++ '$form_security_token' => self::getFormSecurityToken('admin_users'), ++ ++ // values // ++ '$baseurl' => DI::baseUrl()->get(true), ++ ++ '$pending' => $pending, ++ 'deleted' => $deleted, ++ '$users' => $users, ++ '$newusername' => ['new_user_name', DI::l10n()->t('Name'), '', DI::l10n()->t('Name of the new user.')], ++ '$newusernickname' => ['new_user_nickname', DI::l10n()->t('Nickname'), '', DI::l10n()->t('Nickname of the new user.')], ++ '$newuseremail' => ['new_user_email', DI::l10n()->t('Email'), '', DI::l10n()->t('Email address of the new user.'), '', '', 'email'], ++ ]); ++ ++ $o .= $pager->renderFull(DBA::count('user')); ++ ++ return $o; + } + +- /* get pending */ +- $pending = Register::getPending(); +- +- $pager = new Pager(DI::l10n(), DI::args()->getQueryString(), 100); +- +- $valid_orders = [ +- 'name', +- 'email', +- 'register_date', +- 'login_date', +- 'last-item', +- 'page-flags' +- ]; +- +- $order = 'name'; +- $order_direction = '+'; +- if (!empty($_GET['o'])) { +- $new_order = $_GET['o']; +- if ($new_order[0] === '-') { +- $order_direction = '-'; +- $new_order = substr($new_order, 1); +- } +- +- if (in_array($new_order, $valid_orders)) { +- $order = $new_order; +- } +- } +- +- $users = User::getList($pager->getStart(), $pager->getItemsPerPage(), 'all', $order, ($order_direction == '-')); +- +- $adminlist = explode(',', str_replace(' ', '', DI::config()->get('config', 'admin_email'))); +- $_setup_users = function ($e) use ($adminlist) { +- $page_types = [ +- User::PAGE_FLAGS_NORMAL => DI::l10n()->t('Normal Account Page'), +- User::PAGE_FLAGS_SOAPBOX => DI::l10n()->t('Soapbox Page'), +- User::PAGE_FLAGS_COMMUNITY => DI::l10n()->t('Public Forum'), +- User::PAGE_FLAGS_FREELOVE => DI::l10n()->t('Automatic Friend Page'), +- User::PAGE_FLAGS_PRVGROUP => DI::l10n()->t('Private Forum') +- ]; +- $account_types = [ +- User::ACCOUNT_TYPE_PERSON => DI::l10n()->t('Personal Page'), +- User::ACCOUNT_TYPE_ORGANISATION => DI::l10n()->t('Organisation Page'), +- User::ACCOUNT_TYPE_NEWS => DI::l10n()->t('News Page'), +- User::ACCOUNT_TYPE_COMMUNITY => DI::l10n()->t('Community Forum'), +- User::ACCOUNT_TYPE_RELAY => DI::l10n()->t('Relay'), +- ]; +- +- $e['page_flags_raw'] = $e['page-flags']; +- $e['page-flags'] = $page_types[$e['page-flags']]; +- +- $e['account_type_raw'] = ($e['page_flags_raw'] == 0) ? $e['account-type'] : -1; +- $e['account-type'] = ($e['page_flags_raw'] == 0) ? $account_types[$e['account-type']] : ''; +- +- $e['register_date'] = Temporal::getRelativeDate($e['register_date']); +- $e['login_date'] = Temporal::getRelativeDate($e['login_date']); +- $e['lastitem_date'] = Temporal::getRelativeDate($e['last-item']); +- $e['is_admin'] = in_array($e['email'], $adminlist); +- $e['is_deletable'] = (intval($e['uid']) != local_user()); +- $e['deleted'] = ($e['account_removed'] ? Temporal::getRelativeDate($e['account_expires_on']) : False); +- +- return $e; +- }; +- +- $tmp_users = array_map($_setup_users, $users); +- +- // Get rid of dashes in key names, Smarty3 can't handle them +- // and extracting deleted users +- +- $deleted = []; +- $users = []; +- foreach ($tmp_users as $user) { +- foreach ($user as $k => $v) { +- $newkey = str_replace('-', '_', $k); +- $user[$newkey] = $v; +- } +- +- if ($user['deleted']) { +- $deleted[] = $user; +- } else { +- $users[] = $user; +- } +- } +- +- $th_users = array_map(null, [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Type')], $valid_orders); +- +- $t = Renderer::getMarkupTemplate('admin/users.tpl'); +- $o = Renderer::replaceMacros($t, [ +- // strings // +- '$title' => DI::l10n()->t('Administration'), +- '$page' => DI::l10n()->t('Users'), +- '$submit' => DI::l10n()->t('Add User'), +- '$select_all' => DI::l10n()->t('select all'), +- '$h_pending' => DI::l10n()->t('User registrations waiting for confirm'), +- '$h_deleted' => DI::l10n()->t('User waiting for permanent deletion'), +- '$th_pending' => [DI::l10n()->t('Request date'), DI::l10n()->t('Name'), DI::l10n()->t('Email')], +- '$no_pending' => DI::l10n()->t('No registrations.'), +- '$pendingnotetext' => DI::l10n()->t('Note from the user'), +- '$approve' => DI::l10n()->t('Approve'), +- '$deny' => DI::l10n()->t('Deny'), +- '$delete' => DI::l10n()->t('Delete'), +- '$block' => DI::l10n()->t('Block'), +- '$blocked' => DI::l10n()->t('User blocked'), +- '$unblock' => DI::l10n()->t('Unblock'), +- '$siteadmin' => DI::l10n()->t('Site admin'), +- '$accountexpired' => DI::l10n()->t('Account expired'), +- +- '$h_users' => DI::l10n()->t('Users'), +- '$h_newuser' => DI::l10n()->t('New User'), +- '$th_deleted' => [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Permanent deletion')], +- '$th_users' => $th_users, +- '$order_users' => $order, +- '$order_direction_users' => $order_direction, +- +- '$confirm_delete_multi' => DI::l10n()->t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'), +- '$confirm_delete' => DI::l10n()->t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'), +- +- '$form_security_token' => parent::getFormSecurityToken('admin_users'), +- +- // values // +- '$baseurl' => DI::baseUrl()->get(true), +- +- '$pending' => $pending, +- 'deleted' => $deleted, +- '$users' => $users, +- '$newusername' => ['new_user_name', DI::l10n()->t('Name'), '', DI::l10n()->t('Name of the new user.')], +- '$newusernickname' => ['new_user_nickname', DI::l10n()->t('Nickname'), '', DI::l10n()->t('Nickname of the new user.')], +- '$newuseremail' => ['new_user_email', DI::l10n()->t('Email'), '', DI::l10n()->t('Email address of the new user.'), '', '', 'email'], +- ]); +- +- $o .= $pager->renderFull(DBA::count('user')); +- +- return $o; ++ DI::baseUrl()->redirect('admin/users'); ++ return ''; + } + } +diff --git a/static/routes.config.php b/static/routes.config.php +index 074c1f5710..c7ef4bd78f 100644 +--- a/static/routes.config.php ++++ b/static/routes.config.php +@@ -73,9 +73,7 @@ return [ + '/blocklist/contact' => [Module\Admin\Blocklist\Contact::class, [R::GET, R::POST]], + '/blocklist/server' => [Module\Admin\Blocklist\Server::class, [R::GET, R::POST]], + +- '/dbsync[/check]' => [Module\Admin\DBSync::class, [R::GET]], +- '/dbsync/{update:\d+}' => [Module\Admin\DBSync::class, [R::GET]], +- '/dbsync/mark/{update:\d+}' => [Module\Admin\DBSync::class, [R::GET]], ++ '/dbsync[/{action}[/{update:\d+}]]' => [Module\Admin\DBSync::class, [R::GET]], + + '/features' => [Module\Admin\Features::class, [R::GET, R::POST]], + '/federation' => [Module\Admin\Federation::class, [R::GET]], +@@ -88,7 +86,7 @@ return [ + + '/phpinfo' => [Module\Admin\PhpInfo::class, [R::GET]], + +- '/queue[/deferred]' => [Module\Admin\Queue::class, [R::GET]], ++ '/queue[/{status}]' => [Module\Admin\Queue::class, [R::GET]], + + '/site' => [Module\Admin\Site::class, [R::GET, R::POST]], + +diff --git a/view/templates/admin/dbsync/failed_updates.tpl b/view/templates/admin/dbsync/failed_updates.tpl +index f75f266c7d..f1a7522907 100644 +--- a/view/templates/admin/dbsync/failed_updates.tpl ++++ b/view/templates/admin/dbsync/failed_updates.tpl +@@ -10,7 +10,7 @@ + + + +
+ +From 9bc2c5a52e8fd0bf09774a36c40174ae758f6f98 Mon Sep 17 00:00:00 2001 +From: Hypolite Petovan +Date: Tue, 8 Sep 2020 10:42:25 -0400 +Subject: [PATCH 2/3] Normalize use of form security tokens in Admin modules + +# Conflicts: +# src/Module/Admin/Logs/Settings.php +--- + src/Module/Admin/Addons/Details.php | 6 ++-- + src/Module/Admin/Addons/Index.php | 4 +-- + src/Module/Admin/Blocklist/Contact.php | 6 ++-- + src/Module/Admin/Blocklist/Server.php | 4 +-- + src/Module/Admin/Features.php | 4 +-- + src/Module/Admin/Item/Delete.php | 4 +-- + src/Module/Admin/Logs/Settings.php | 37 +++++++++++++------------ + src/Module/Admin/Site.php | 2 +- + src/Module/Admin/Themes/Index.php | 4 +-- + src/Module/Admin/Tos.php | 6 ++-- + src/Module/Admin/Users.php | 4 +-- + view/templates/admin/addons/details.tpl | 1 + + 12 files changed, 43 insertions(+), 39 deletions(-) + +diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php +index 139275cfe2..85b17130c4 100644 +--- a/src/Module/Admin/Addons/Details.php ++++ b/src/Module/Admin/Addons/Details.php +@@ -42,6 +42,8 @@ class Details extends BaseAdmin + include_once 'addon/' . $addon . '/' . $addon . '.php'; + + if (function_exists($addon . '_addon_admin_post')) { ++ self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details'); ++ + $func = $addon . '_addon_admin_post'; + $func(DI::app()); + } +@@ -66,7 +68,7 @@ class Details extends BaseAdmin + } + + if (($_GET['action'] ?? '') == 'toggle') { +- self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't'); ++ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons_details', 't'); + + // Toggle addon status + if (Addon::isEnabled($addon)) { +@@ -124,7 +126,7 @@ class Details extends BaseAdmin + '$screenshot' => '', + '$readme' => $readme, + +- '$form_security_token' => self::getFormSecurityToken('admin_addons'), ++ '$form_security_token' => self::getFormSecurityToken('admin_addons_details'), + ]); + } + } +diff --git a/src/Module/Admin/Addons/Index.php b/src/Module/Admin/Addons/Index.php +index 3049cdc6a7..959f9d04a1 100644 +--- a/src/Module/Admin/Addons/Index.php ++++ b/src/Module/Admin/Addons/Index.php +@@ -34,7 +34,7 @@ class Index extends BaseAdmin + + // reload active themes + if (!empty($_GET['action'])) { +- parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't'); ++ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't'); + + switch ($_GET['action']) { + case 'reload': +@@ -73,7 +73,7 @@ class Index extends BaseAdmin + '$addons' => $addons, + '$pcount' => count($addons), + '$noplugshint' => DI::l10n()->t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'), +- '$form_security_token' => parent::getFormSecurityToken('admin_addons'), ++ '$form_security_token' => self::getFormSecurityToken('admin_addons'), + ]); + } + } +diff --git a/src/Module/Admin/Blocklist/Contact.php b/src/Module/Admin/Blocklist/Contact.php +index 8893623234..5a7d138b23 100644 +--- a/src/Module/Admin/Blocklist/Contact.php ++++ b/src/Module/Admin/Blocklist/Contact.php +@@ -34,12 +34,12 @@ class Contact extends BaseAdmin + { + parent::post($parameters); + ++ self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock'); ++ + $contact_url = $_POST['contact_url'] ?? ''; + $block_reason = $_POST['contact_block_reason'] ?? ''; + $contacts = $_POST['contacts'] ?? []; + +- parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock'); +- + if (!empty($_POST['page_contactblock_block'])) { + $contact_id = Model\Contact::getIdForURL($contact_url); + if ($contact_id) { +@@ -89,7 +89,7 @@ class Contact extends BaseAdmin + '$h_newblock' => DI::l10n()->t('Block New Remote Contact'), + '$th_contacts' => [DI::l10n()->t('Photo'), DI::l10n()->t('Name'), DI::l10n()->t('Reason')], + +- '$form_security_token' => parent::getFormSecurityToken('admin_contactblock'), ++ '$form_security_token' => self::getFormSecurityToken('admin_contactblock'), + + // values // + '$baseurl' => DI::baseUrl()->get(true), +diff --git a/src/Module/Admin/Blocklist/Server.php b/src/Module/Admin/Blocklist/Server.php +index 4f19ca361d..b4be591e7f 100644 +--- a/src/Module/Admin/Blocklist/Server.php ++++ b/src/Module/Admin/Blocklist/Server.php +@@ -36,7 +36,7 @@ class Server extends BaseAdmin + return; + } + +- parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist'); ++ self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist'); + + if (!empty($_POST['page_blocklist_save'])) { + // Add new item to blocklist +@@ -108,7 +108,7 @@ class Server extends BaseAdmin + '$entries' => $blocklistform, + '$baseurl' => DI::baseUrl()->get(true), + '$confirm_delete' => DI::l10n()->t('Delete entry from blocklist?'), +- '$form_security_token' => parent::getFormSecurityToken("admin_blocklist") ++ '$form_security_token' => self::getFormSecurityToken("admin_blocklist") + ]); + } + } +diff --git a/src/Module/Admin/Features.php b/src/Module/Admin/Features.php +index a97bc0e7bb..51ba9140ef 100644 +--- a/src/Module/Admin/Features.php ++++ b/src/Module/Admin/Features.php +@@ -32,7 +32,7 @@ class Features extends BaseAdmin + { + parent::post($parameters); + +- parent::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features'); ++ self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features'); + + $features = Feature::get(false); + +@@ -80,7 +80,7 @@ class Features extends BaseAdmin + + $tpl = Renderer::getMarkupTemplate('admin/features.tpl'); + $o = Renderer::replaceMacros($tpl, [ +- '$form_security_token' => parent::getFormSecurityToken("admin_manage_features"), ++ '$form_security_token' => self::getFormSecurityToken("admin_manage_features"), + '$baseurl' => DI::baseUrl()->get(true), + '$title' => DI::l10n()->t('Manage Additional Features'), + '$features' => $features, +diff --git a/src/Module/Admin/Item/Delete.php b/src/Module/Admin/Item/Delete.php +index 0ad20f97c9..028e228d34 100644 +--- a/src/Module/Admin/Item/Delete.php ++++ b/src/Module/Admin/Item/Delete.php +@@ -37,7 +37,7 @@ class Delete extends BaseAdmin + return; + } + +- parent::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem'); ++ self::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem'); + + if (!empty($_POST['page_deleteitem_submit'])) { + $guid = trim(Strings::escapeTags($_POST['deleteitemguid'])); +@@ -68,7 +68,7 @@ class Delete extends BaseAdmin + '$intro1' => DI::l10n()->t('On this page you can delete an item from your node. If the item is a top level posting, the entire thread will be deleted.'), + '$intro2' => DI::l10n()->t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'), + '$deleteitemguid' => ['deleteitemguid', DI::l10n()->t("GUID"), '', DI::l10n()->t("The GUID of the item you want to delete."), 'required', 'autofocus'], +- '$form_security_token' => parent::getFormSecurityToken("admin_deleteitem") ++ '$form_security_token' => self::getFormSecurityToken("admin_deleteitem") + ]); + } + } +diff --git a/src/Module/Admin/Logs/Settings.php b/src/Module/Admin/Logs/Settings.php +index 5158108e46..0b59937986 100644 +--- a/src/Module/Admin/Logs/Settings.php ++++ b/src/Module/Admin/Logs/Settings.php +@@ -33,25 +33,26 @@ class Settings extends BaseAdmin + { + parent::post($parameters); + +- if (!empty($_POST['page_logs'])) { +- parent::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs'); +- +- $logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : ''); +- $debugging = !empty($_POST['debugging']); +- $loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR; +- +- if (is_file($logfile) && +- !is_writeable($logfile)) { +- notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile)); +- return; +- } +- +- DI::config()->set('system', 'logfile', $logfile); +- DI::config()->set('system', 'debugging', $debugging); +- DI::config()->set('system', 'loglevel', $loglevel); ++ if (empty($_POST['page_logs'])) { ++ return; + } + +- info(DI::l10n()->t("Log settings updated.")); ++ self::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs'); ++ ++ $logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : ''); ++ $debugging = !empty($_POST['debugging']); ++ $loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR; ++ ++ if (is_file($logfile) && ++ !is_writeable($logfile)) { ++ notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile)); ++ return; ++ } ++ ++ DI::config()->set('system', 'logfile', $logfile); ++ DI::config()->set('system', 'debugging', $debugging); ++ DI::config()->set('system', 'loglevel', $loglevel); ++ + DI::baseUrl()->redirect('admin/logs'); + } + +@@ -86,7 +87,7 @@ class Settings extends BaseAdmin + '$debugging' => ['debugging', DI::l10n()->t("Enable Debugging"), DI::config()->get('system', 'debugging'), ""], + '$logfile' => ['logfile', DI::l10n()->t("Log file"), DI::config()->get('system', 'logfile'), DI::l10n()->t("Must be writable by web server. Relative to your Friendica top-level directory.")], + '$loglevel' => ['loglevel', DI::l10n()->t("Log level"), DI::config()->get('system', 'loglevel'), "", $log_choices], +- '$form_security_token' => parent::getFormSecurityToken("admin_logs"), ++ '$form_security_token' => self::getFormSecurityToken("admin_logs"), + '$phpheader' => DI::l10n()->t("PHP logging"), + '$phphint' => DI::l10n()->t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."), + '$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');", +diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php +index 2e16cc657e..6380f3d935 100644 +--- a/src/Module/Admin/Site.php ++++ b/src/Module/Admin/Site.php +@@ -718,7 +718,7 @@ class Site extends BaseAdmin + '$relay_server_tags' => ['relay_server_tags', DI::l10n()->t('Server tags'), DI::config()->get('system', 'relay_server_tags'), DI::l10n()->t('Comma separated list of tags for the "tags" subscription.')], + '$relay_user_tags' => ['relay_user_tags', DI::l10n()->t('Allow user tags'), DI::config()->get('system', 'relay_user_tags', true), DI::l10n()->t('If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".')], + +- '$form_security_token' => parent::getFormSecurityToken('admin_site'), ++ '$form_security_token' => self::getFormSecurityToken('admin_site'), + '$relocate_button' => DI::l10n()->t('Start Relocation'), + ]); + } +diff --git a/src/Module/Admin/Themes/Index.php b/src/Module/Admin/Themes/Index.php +index 955ddadc70..f25d64b474 100644 +--- a/src/Module/Admin/Themes/Index.php ++++ b/src/Module/Admin/Themes/Index.php +@@ -37,7 +37,7 @@ class Index extends BaseAdmin + + // reload active themes + if (!empty($_GET['action'])) { +- parent::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't'); ++ self::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't'); + + switch ($_GET['action']) { + case 'reload': +@@ -119,7 +119,7 @@ class Index extends BaseAdmin + '$noplugshint' => DI::l10n()->t('No themes found on the system. They should be placed in %1$s', '/view/themes'), + '$experimental' => DI::l10n()->t('[Experimental]'), + '$unsupported' => DI::l10n()->t('[Unsupported]'), +- '$form_security_token' => parent::getFormSecurityToken('admin_themes'), ++ '$form_security_token' => self::getFormSecurityToken('admin_themes'), + ]); + } + } +diff --git a/src/Module/Admin/Tos.php b/src/Module/Admin/Tos.php +index 811a0eb25c..fef199c351 100644 +--- a/src/Module/Admin/Tos.php ++++ b/src/Module/Admin/Tos.php +@@ -31,12 +31,12 @@ class Tos extends BaseAdmin + { + parent::post($parameters); + +- parent::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos'); +- + if (empty($_POST['page_tos'])) { + return; + } + ++ self::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos'); ++ + $displaytos = !empty($_POST['displaytos']); + $displayprivstatement = !empty($_POST['displayprivstatement']); + $tostext = (!empty($_POST['tostext']) ? strip_tags(trim($_POST['tostext'])) : ''); +@@ -64,7 +64,7 @@ class Tos extends BaseAdmin + '$preview' => DI::l10n()->t('Privacy Statement Preview'), + '$privtext' => $tos->privacy_complete, + '$tostext' => ['tostext', DI::l10n()->t('The Terms of Service'), DI::config()->get('system', 'tostext'), DI::l10n()->t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')], +- '$form_security_token' => parent::getFormSecurityToken('admin_tos'), ++ '$form_security_token' => self::getFormSecurityToken('admin_tos'), + '$submit' => DI::l10n()->t('Save Settings'), + ]); + } +diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php +index f82f9f8c74..751b618afc 100644 +--- a/src/Module/Admin/Users.php ++++ b/src/Module/Admin/Users.php +@@ -36,6 +36,8 @@ class Users extends BaseAdmin + { + parent::post($parameters); + ++ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users'); ++ + $pending = $_POST['pending'] ?? []; + $users = $_POST['user'] ?? []; + $nu_name = $_POST['new_user_name'] ?? ''; +@@ -43,8 +45,6 @@ class Users extends BaseAdmin + $nu_email = $_POST['new_user_email'] ?? ''; + $nu_language = DI::config()->get('system', 'language'); + +- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users'); +- + if ($nu_name !== '' && $nu_email !== '' && $nu_nickname !== '') { + try { + User::createMinimal($nu_name, $nu_email, $nu_nickname, $nu_language); +diff --git a/view/templates/admin/addons/details.tpl b/view/templates/admin/addons/details.tpl +index f5bb165e05..81625fecf1 100644 +--- a/view/templates/admin/addons/details.tpl ++++ b/view/templates/admin/addons/details.tpl +@@ -24,6 +24,7 @@ + {{if $admin_form}} +

{{$settings}}

+
++ + {{$admin_form nofilter}} +
+ {{/if}} + +From 3efa8648c565f7a4bd24436a55336e7ca70fcb06 Mon Sep 17 00:00:00 2001 +From: Hypolite Petovan +Date: Tue, 8 Sep 2020 10:44:27 -0400 +Subject: [PATCH 3/3] Fix security vulnerability in admin modules + +- The Module\BaseAdmin::post method checked credentials but didn't abort the process when it failed +- Created Module\BaseAdmin::checkAdminAccess method +--- + src/Module/Admin/Addons/Details.php | 2 +- + src/Module/Admin/Blocklist/Contact.php | 2 +- + src/Module/Admin/Blocklist/Server.php | 2 +- + src/Module/Admin/Features.php | 2 +- + src/Module/Admin/Item/Delete.php | 2 +- + src/Module/Admin/Logs/Settings.php | 2 +- + src/Module/Admin/PhpInfo.php | 2 +- + src/Module/Admin/Site.php | 2 +- + src/Module/Admin/Themes/Embed.php | 2 +- + src/Module/Admin/Tos.php | 2 +- + src/Module/Admin/Users.php | 2 +- + src/Module/BaseAdmin.php | 43 +++++++++++--------------- + 12 files changed, 29 insertions(+), 36 deletions(-) + +diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php +index 85b17130c4..4c1fe2df92 100644 +--- a/src/Module/Admin/Addons/Details.php ++++ b/src/Module/Admin/Addons/Details.php +@@ -32,7 +32,7 @@ class Details extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + $addon = Strings::sanitizeFilePathItem($parameters['addon']); + +diff --git a/src/Module/Admin/Blocklist/Contact.php b/src/Module/Admin/Blocklist/Contact.php +index 5a7d138b23..c4eedc5a8a 100644 +--- a/src/Module/Admin/Blocklist/Contact.php ++++ b/src/Module/Admin/Blocklist/Contact.php +@@ -32,7 +32,7 @@ class Contact extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock'); + +diff --git a/src/Module/Admin/Blocklist/Server.php b/src/Module/Admin/Blocklist/Server.php +index b4be591e7f..1290662f25 100644 +--- a/src/Module/Admin/Blocklist/Server.php ++++ b/src/Module/Admin/Blocklist/Server.php +@@ -30,7 +30,7 @@ class Server extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + if (empty($_POST['page_blocklist_save']) && empty($_POST['page_blocklist_edit'])) { + return; +diff --git a/src/Module/Admin/Features.php b/src/Module/Admin/Features.php +index 51ba9140ef..5054da3fb4 100644 +--- a/src/Module/Admin/Features.php ++++ b/src/Module/Admin/Features.php +@@ -30,7 +30,7 @@ class Features extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features'); + +diff --git a/src/Module/Admin/Item/Delete.php b/src/Module/Admin/Item/Delete.php +index 028e228d34..9e2bc90d92 100644 +--- a/src/Module/Admin/Item/Delete.php ++++ b/src/Module/Admin/Item/Delete.php +@@ -31,7 +31,7 @@ class Delete extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + if (empty($_POST['page_deleteitem_submit'])) { + return; +diff --git a/src/Module/Admin/Logs/Settings.php b/src/Module/Admin/Logs/Settings.php +index 0b59937986..7730b487da 100644 +--- a/src/Module/Admin/Logs/Settings.php ++++ b/src/Module/Admin/Logs/Settings.php +@@ -31,7 +31,7 @@ class Settings extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + if (empty($_POST['page_logs'])) { + return; +diff --git a/src/Module/Admin/PhpInfo.php b/src/Module/Admin/PhpInfo.php +index f282e10089..61a004618e 100644 +--- a/src/Module/Admin/PhpInfo.php ++++ b/src/Module/Admin/PhpInfo.php +@@ -27,7 +27,7 @@ class PhpInfo extends BaseAdmin + { + public static function rawContent(array $parameters = []) + { +- parent::rawContent($parameters); ++ self::checkAdminAccess(); + + phpinfo(); + exit(); +diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php +index 6380f3d935..9f3905da5b 100644 +--- a/src/Module/Admin/Site.php ++++ b/src/Module/Admin/Site.php +@@ -43,7 +43,7 @@ class Site extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + self::checkFormSecurityTokenRedirectOnError('/admin/site', 'admin_site'); + +diff --git a/src/Module/Admin/Themes/Embed.php b/src/Module/Admin/Themes/Embed.php +index 71824c6ccb..a308b43cb5 100644 +--- a/src/Module/Admin/Themes/Embed.php ++++ b/src/Module/Admin/Themes/Embed.php +@@ -38,7 +38,7 @@ class Embed extends BaseAdmin + + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + $theme = Strings::sanitizeFilePathItem($parameters['theme']); + if (is_file("view/theme/$theme/config.php")) { +diff --git a/src/Module/Admin/Tos.php b/src/Module/Admin/Tos.php +index fef199c351..aac81264b7 100644 +--- a/src/Module/Admin/Tos.php ++++ b/src/Module/Admin/Tos.php +@@ -29,7 +29,7 @@ class Tos extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + if (empty($_POST['page_tos'])) { + return; +diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php +index 751b618afc..74fee7230a 100644 +--- a/src/Module/Admin/Users.php ++++ b/src/Module/Admin/Users.php +@@ -34,7 +34,7 @@ class Users extends BaseAdmin + { + public static function post(array $parameters = []) + { +- parent::post($parameters); ++ self::checkAdminAccess(); + + self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users'); + +diff --git a/src/Module/BaseAdmin.php b/src/Module/BaseAdmin.php +index a7b38a5033..67de97f857 100644 +--- a/src/Module/BaseAdmin.php ++++ b/src/Module/BaseAdmin.php +@@ -26,7 +26,7 @@ use Friendica\Core\Addon; + use Friendica\Core\Renderer; + use Friendica\Core\Session; + use Friendica\DI; +-use Friendica\Network\HTTPException\ForbiddenException; ++use Friendica\Network\HTTPException; + + require_once 'boot.php'; + +@@ -42,42 +42,35 @@ require_once 'boot.php'; + */ + abstract class BaseAdmin extends BaseModule + { +- public static function post(array $parameters = []) ++ /** ++ * @param bool $interactive ++ * @throws HTTPException\ForbiddenException ++ * @throws HTTPException\InternalServerErrorException ++ */ ++ public static function checkAdminAccess(bool $interactive = false) + { +- if (!is_site_admin()) { +- return; ++ if (!local_user()) { ++ if ($interactive) { ++ notice(DI::l10n()->t('Please login to continue.')); ++ Session::set('return_path', DI::args()->getQueryString()); ++ DI::baseUrl()->redirect('login'); ++ } else { ++ throw new HTTPException\UnauthorizedException(DI::l10n()->t('Please login to continue.')); ++ } + } + +- // do not allow a page manager to access the admin panel at all. +- if (!empty($_SESSION['submanage'])) { +- return; +- } +- } +- +- public static function rawContent(array $parameters = []) +- { + if (!is_site_admin()) { +- return ''; ++ throw new HTTPException\ForbiddenException(DI::l10n()->t('You don\'t have access to administration pages.')); + } + + if (!empty($_SESSION['submanage'])) { +- return ''; ++ throw new HTTPException\ForbiddenException(DI::l10n()->t('Submanaged account can\'t access the administation pages. Please log back in as the main account.')); + } +- +- return ''; + } + + public static function content(array $parameters = []) + { +- if (!is_site_admin()) { +- notice(DI::l10n()->t('Please login to continue.')); +- Session::set('return_path', DI::args()->getQueryString()); +- DI::baseUrl()->redirect('login'); +- } +- +- if (!empty($_SESSION['submanage'])) { +- throw new ForbiddenException(DI::l10n()->t('Submanaged account can\'t access the administation pages. Please log back in as the main account.')); +- } ++ self::checkAdminAccess(true); + + // Header stuff + DI::page()['htmlhead'] .= Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/settings_head.tpl'), []);