bitPickups
/
friendica_2019-12_sharedHosting_hotFix
1
1
Fork 0
Code Pull Requests Activity
friendica_2019-12_sharedHos.../fb721f8e30.patch

1671 lines
62 KiB
Diff
Raw Permalink Blame History

From 2ce15cae1a41451b631b814c418b3b3b976d79d1 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Tue, 8 Sep 2020 10:38:35 -0400
Subject: [PATCH 1/3] Use router parameters in Admin modules
- Remove 10 @TODO tags
# Conflicts:
# src/Module/Admin/DBSync.php
# src/Module/Admin/Themes/Details.php
# src/Module/Admin/Themes/Embed.php
---
src/Module/Admin/Addons/Details.php | 160 ++++-----
src/Module/Admin/DBSync.php | 146 ++++----
src/Module/Admin/Queue.php | 7 +-
src/Module/Admin/Themes/Details.php | 174 ++++-----
src/Module/Admin/Themes/Embed.php | 96 ++---
src/Module/Admin/Users.php | 337 +++++++++---------
static/routes.config.php | 6 +-
.../templates/admin/dbsync/failed_updates.tpl | 2 +-
8 files changed, 427 insertions(+), 501 deletions(-)
diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php
index 8e0e14f22b..139275cfe2 100644
--- a/src/Module/Admin/Addons/Details.php
+++ b/src/Module/Admin/Addons/Details.php
@@ -34,24 +34,20 @@ class Details extends BaseAdmin
{
parent::post($parameters);
- $a = DI::app();
+ $addon = Strings::sanitizeFilePathItem($parameters['addon']);
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $addon = $a->argv[2];
- $addon = Strings::sanitizeFilePathItem($addon);
- if (is_file('addon/' . $addon . '/' . $addon . '.php')) {
- include_once 'addon/' . $addon . '/' . $addon . '.php';
- if (function_exists($addon . '_addon_admin_post')) {
- $func = $addon . '_addon_admin_post';
- $func($a);
- }
+ $redirect = 'admin/addons/' . $addon;
- DI::baseUrl()->redirect('admin/addons/' . $addon);
+ if (is_file('addon/' . $addon . '/' . $addon . '.php')) {
+ include_once 'addon/' . $addon . '/' . $addon . '.php';
+
+ if (function_exists($addon . '_addon_admin_post')) {
+ $func = $addon . '_addon_admin_post';
+ $func(DI::app());
}
}
- DI::baseUrl()->redirect('admin/addons');
+ DI::baseUrl()->redirect($redirect);
}
public static function content(array $parameters = [])
@@ -62,79 +58,73 @@ class Details extends BaseAdmin
$addons_admin = Addon::getAdminList();
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $addon = $a->argv[2];
- $addon = Strings::sanitizeFilePathItem($addon);
- if (!is_file("addon/$addon/$addon.php")) {
- notice(DI::l10n()->t('Addon not found.'));
- Addon::uninstall($addon);
- DI::baseUrl()->redirect('admin/addons');
- }
-
- if (($_GET['action'] ?? '') == 'toggle') {
- parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_themes', 't');
-
- // Toggle addon status
- if (Addon::isEnabled($addon)) {
- Addon::uninstall($addon);
- info(DI::l10n()->t('Addon %s disabled.', $addon));
- } else {
- Addon::install($addon);
- info(DI::l10n()->t('Addon %s enabled.', $addon));
- }
-
- DI::baseUrl()->redirect('admin/addons/' . $addon);
- }
-
- // display addon details
- if (Addon::isEnabled($addon)) {
- $status = 'on';
- $action = DI::l10n()->t('Disable');
- } else {
- $status = 'off';
- $action = DI::l10n()->t('Enable');
- }
-
- $readme = null;
- if (is_file("addon/$addon/README.md")) {
- $readme = Markdown::convert(file_get_contents("addon/$addon/README.md"), false);
- } elseif (is_file("addon/$addon/README")) {
- $readme = '<pre>' . file_get_contents("addon/$addon/README") . '</pre>';
- }
-
- $admin_form = '';
- if (array_key_exists($addon, $addons_admin)) {
- require_once "addon/$addon/$addon.php";
- $func = $addon . '_addon_admin';
- $func($a, $admin_form);
- }
-
- $t = Renderer::getMarkupTemplate('admin/addons/details.tpl');
-
- return Renderer::replaceMacros($t, [
- '$title' => DI::l10n()->t('Administration'),
- '$page' => DI::l10n()->t('Addons'),
- '$toggle' => DI::l10n()->t('Toggle'),
- '$settings' => DI::l10n()->t('Settings'),
- '$baseurl' => DI::baseUrl()->get(true),
-
- '$addon' => $addon,
- '$status' => $status,
- '$action' => $action,
- '$info' => Addon::getInfo($addon),
- '$str_author' => DI::l10n()->t('Author: '),
- '$str_maintainer' => DI::l10n()->t('Maintainer: '),
-
- '$admin_form' => $admin_form,
- '$function' => 'addons',
- '$screenshot' => '',
- '$readme' => $readme,
-
- '$form_security_token' => parent::getFormSecurityToken('admin_themes'),
- ]);
+ $addon = Strings::sanitizeFilePathItem($parameters['addon']);
+ if (!is_file("addon/$addon/$addon.php")) {
+ notice(DI::l10n()->t('Addon not found.'));
+ Addon::uninstall($addon);
+ DI::baseUrl()->redirect('admin/addons');
}
- DI::baseUrl()->redirect('admin/addons');
+ if (($_GET['action'] ?? '') == 'toggle') {
+ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
+
+ // Toggle addon status
+ if (Addon::isEnabled($addon)) {
+ Addon::uninstall($addon);
+ info(DI::l10n()->t('Addon %s disabled.', $addon));
+ } else {
+ Addon::install($addon);
+ info(DI::l10n()->t('Addon %s enabled.', $addon));
+ }
+
+ DI::baseUrl()->redirect('admin/addons/' . $addon);
+ }
+
+ // display addon details
+ if (Addon::isEnabled($addon)) {
+ $status = 'on';
+ $action = DI::l10n()->t('Disable');
+ } else {
+ $status = 'off';
+ $action = DI::l10n()->t('Enable');
+ }
+
+ $readme = null;
+ if (is_file("addon/$addon/README.md")) {
+ $readme = Markdown::convert(file_get_contents("addon/$addon/README.md"), false);
+ } elseif (is_file("addon/$addon/README")) {
+ $readme = '<pre>' . file_get_contents("addon/$addon/README") . '</pre>';
+ }
+
+ $admin_form = '';
+ if (array_key_exists($addon, $addons_admin)) {
+ require_once "addon/$addon/$addon.php";
+ $func = $addon . '_addon_admin';
+ $func($a, $admin_form);
+ }
+
+ $t = Renderer::getMarkupTemplate('admin/addons/details.tpl');
+
+ return Renderer::replaceMacros($t, [
+ '$title' => DI::l10n()->t('Administration'),
+ '$page' => DI::l10n()->t('Addons'),
+ '$toggle' => DI::l10n()->t('Toggle'),
+ '$settings' => DI::l10n()->t('Settings'),
+ '$baseurl' => DI::baseUrl()->get(true),
+
+ '$addon' => $addon,
+ '$status' => $status,
+ '$action' => $action,
+ '$info' => Addon::getInfo($addon),
+ '$str_author' => DI::l10n()->t('Author: '),
+ '$str_maintainer' => DI::l10n()->t('Maintainer: '),
+
+ '$admin_form' => $admin_form,
+ '$function' => 'addons',
+ '$screenshot' => '',
+ '$readme' => $readme,
+
+ '$form_security_token' => self::getFormSecurityToken('admin_addons'),
+ ]);
}
}
diff --git a/src/Module/Admin/DBSync.php b/src/Module/Admin/DBSync.php
index dd7febcc59..36f683e087 100644
--- a/src/Module/Admin/DBSync.php
+++ b/src/Module/Admin/DBSync.php
@@ -36,91 +36,93 @@ class DBSync extends BaseAdmin
$a = DI::app();
- $o = '';
+ $action = $parameters['action'] ?? '';
+ $update = $parameters['update'] ?? 0;
- if ($a->argc > 3 && $a->argv[2] === 'mark') {
- // @TODO: Replace with parameter from router
- $update = intval($a->argv[3]);
- if ($update) {
- DI::config()->set('database', 'update_' . $update, 'success');
- $curr = DI::config()->get('system', 'build');
- if (intval($curr) == $update) {
- DI::config()->set('system', 'build', intval($curr) + 1);
+ switch ($action) {
+ case 'mark':
+ if ($update) {
+ DI::config()->set('database', 'update_' . $update, 'success');
+ $curr = DI::config()->get('system', 'build');
+ if (intval($curr) == $update) {
+ DI::config()->set('system', 'build', intval($curr) + 1);
+ }
+
+ info(DI::l10n()->t('Update has been marked successful'));
}
- info(DI::l10n()->t('Update has been marked successful') . EOL);
- }
- DI::baseUrl()->redirect('admin/dbsync');
- }
- if ($a->argc > 2) {
- if ($a->argv[2] === 'check') {
+ break;
+ case 'check':
// @TODO Seems like a similar logic like Update::check()
$retval = DBStructure::update($a->getBasePath(), false, true);
if ($retval === '') {
- $o .= DI::l10n()->t("Database structure update %s was successfully applied.", DB_UPDATE_VERSION) . "<br />";
+ $o = DI::l10n()->t("Database structure update %s was successfully applied.", DB_UPDATE_VERSION) . "<br />";
DI::config()->set('database', 'last_successful_update', DB_UPDATE_VERSION);
DI::config()->set('database', 'last_successful_update_time', time());
} else {
- $o .= DI::l10n()->t("Executing of database structure update %s failed with error: %s", DB_UPDATE_VERSION, $retval) . "<br />";
- }
- if ($a->argv[2] === 'check') {
- return $o;
- }
- } elseif (intval($a->argv[2])) {
- require_once 'update.php';
-
- // @TODO: Replace with parameter from router
- $update = intval($a->argv[2]);
-
- $func = 'update_' . $update;
-
- if (function_exists($func)) {
- $retval = $func();
-
- if ($retval === Update::FAILED) {
- $o .= DI::l10n()->t("Executing %s failed with error: %s", $func, $retval);
- } elseif ($retval === Update::SUCCESS) {
- $o .= DI::l10n()->t('Update %s was successfully applied.', $func);
- DI::config()->set('database', $func, 'success');
- } else {
- $o .= DI::l10n()->t('Update %s did not return a status. Unknown if it succeeded.', $func);
- }
- } else {
- $o .= DI::l10n()->t('There was no additional update function %s that needed to be called.', $func) . "<br />";
- DI::config()->set('database', $func, 'success');
+ $o = DI::l10n()->t("Executing of database structure update %s failed with error: %s", DB_UPDATE_VERSION, $retval) . "<br />";
+ }
+
+ return $o;
+ case 'update':
+ require_once 'update.php';
+
+ // @TODO: Replace with parameter from router
+ if ($update) {
+ $func = 'update_' . $update;
+
+ if (function_exists($func)) {
+ $retval = $func();
+
+ if ($retval === Update::FAILED) {
+ $o = DI::l10n()->t("Executing %s failed with error: %s", $func, $retval);
+ } elseif ($retval === Update::SUCCESS) {
+ $o = DI::l10n()->t('Update %s was successfully applied.', $func);
+ DI::config()->set('database', $func, 'success');
+ } else {
+ $o = DI::l10n()->t('Update %s did not return a status. Unknown if it succeeded.', $func);
+ }
+ } else {
+ $o = DI::l10n()->t('There was no additional update function %s that needed to be called.', $func) . "<br />";
+ DI::config()->set('database', $func, 'success');
+ }
+
+ return $o;
+ }
+
+ break;
+ default:
+ $failed = [];
+ $configStmt = DBA::select('config', ['k', 'v'], ['cat' => 'database']);
+ while ($config = DBA::fetch($configStmt)) {
+ $upd = intval(substr($config['k'], 7));
+ if ($upd >= 1139 && $config['v'] != 'success') {
+ $failed[] = $upd;
+ }
+ }
+ DBA::close($configStmt);
+
+ if (!count($failed)) {
+ $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/structure_check.tpl'), [
+ '$base' => DI::baseUrl()->get(true),
+ '$banner' => DI::l10n()->t('No failed updates.'),
+ '$check' => DI::l10n()->t('Check database structure'),
+ ]);
+ } else {
+ $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/failed_updates.tpl'), [
+ '$base' => DI::baseUrl()->get(true),
+ '$banner' => DI::l10n()->t('Failed Updates'),
+ '$desc' => DI::l10n()->t('This does not include updates prior to 1139, which did not return a status.'),
+ '$mark' => DI::l10n()->t("Mark success \x28if update was manually applied\x29"),
+ '$apply' => DI::l10n()->t('Attempt to execute this update step automatically'),
+ '$failed' => $failed
+ ]);
}
return $o;
- }
}
- $failed = [];
- $configStmt = DBA::select('config', ['k', 'v'], ['cat' => 'database']);
- while ($config = DBA::fetch($configStmt)) {
- $upd = intval(substr($config['k'], 7));
- if ($upd >= 1139 && $config['v'] != 'success') {
- $failed[] = $upd;
- }
- }
- DBA::close($configStmt);
-
- if (!count($failed)) {
- $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/structure_check.tpl'), [
- '$base' => DI::baseUrl()->get(true),
- '$banner' => DI::l10n()->t('No failed updates.'),
- '$check' => DI::l10n()->t('Check database structure'),
- ]);
- } else {
- $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/dbsync/failed_updates.tpl'), [
- '$base' => DI::baseUrl()->get(true),
- '$banner' => DI::l10n()->t('Failed Updates'),
- '$desc' => DI::l10n()->t('This does not include updates prior to 1139, which did not return a status.'),
- '$mark' => DI::l10n()->t("Mark success \x28if update was manually applied\x29"),
- '$apply' => DI::l10n()->t('Attempt to execute this update step automatically'),
- '$failed' => $failed
- ]);
- }
-
- return $o;
+ DI::baseUrl()->redirect('admin/dbsync');
+ return '';
}
}
diff --git a/src/Module/Admin/Queue.php b/src/Module/Admin/Queue.php
index b6e7d122fb..7f5329dbfe 100644
--- a/src/Module/Admin/Queue.php
+++ b/src/Module/Admin/Queue.php
@@ -42,13 +42,10 @@ class Queue extends BaseAdmin
{
parent::content($parameters);
- $a = DI::app();
-
- // @TODO: Replace with parameter from router
- $deferred = $a->argc > 2 && $a->argv[2] == 'deferred';
+ $status = $parameters['status'] ?? '';
// get jobs from the workerqueue table
- if ($deferred) {
+ if ($status == 'deferred') {
$condition = ["NOT `done` AND `retrial` > ?", 0];
$sub_title = DI::l10n()->t('Inspect Deferred Worker Queue');
$info = DI::l10n()->t("This page lists the deferred worker jobs. This are jobs that couldn't be executed at the first time.");
diff --git a/src/Module/Admin/Themes/Details.php b/src/Module/Admin/Themes/Details.php
index c8d0578382..5c00c8d9d3 100644
--- a/src/Module/Admin/Themes/Details.php
+++ b/src/Module/Admin/Themes/Details.php
@@ -30,116 +30,80 @@ use Friendica\Util\Strings;
class Details extends BaseAdmin
{
- public static function post(array $parameters = [])
- {
- parent::post($parameters);
-
- $a = DI::app();
-
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $theme = $a->argv[2];
- $theme = Strings::sanitizeFilePathItem($theme);
- if (is_file("view/theme/$theme/config.php")) {
- require_once "view/theme/$theme/config.php";
-
- if (function_exists('theme_admin_post')) {
- theme_admin_post($a);
- }
- }
-
- info(DI::l10n()->t('Theme settings updated.'));
-
- if (DI::mode()->isAjax()) {
- return;
- }
-
- DI::baseUrl()->redirect('admin/themes/' . $theme);
- }
- }
-
public static function content(array $parameters = [])
{
parent::content($parameters);
- $a = DI::app();
-
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $theme = $a->argv[2];
- $theme = Strings::sanitizeFilePathItem($theme);
- if (!is_dir("view/theme/$theme")) {
- notice(DI::l10n()->t("Item not found."));
- return '';
- }
-
- $isEnabled = in_array($theme, Theme::getAllowedList());
- if ($isEnabled) {
- $status = "on";
- $action = DI::l10n()->t("Disable");
- } else {
- $status = "off";
- $action = DI::l10n()->t("Enable");
- }
-
- if (!empty($_GET['action']) && $_GET['action'] == 'toggle') {
- parent::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');
-
- if ($isEnabled) {
- Theme::uninstall($theme);
- info(DI::l10n()->t('Theme %s disabled.', $theme));
- } elseif (Theme::install($theme)) {
- info(DI::l10n()->t('Theme %s successfully enabled.', $theme));
- } else {
- info(DI::l10n()->t('Theme %s failed to install.', $theme));
- }
-
- DI::baseUrl()->redirect('admin/themes/' . $theme);
- }
-
- $readme = null;
- if (is_file("view/theme/$theme/README.md")) {
- $readme = Markdown::convert(file_get_contents("view/theme/$theme/README.md"), false);
- } elseif (is_file("view/theme/$theme/README")) {
- $readme = "<pre>" . file_get_contents("view/theme/$theme/README") . "</pre>";
- }
-
- $admin_form = '';
- if (is_file("view/theme/$theme/config.php")) {
- require_once "view/theme/$theme/config.php";
-
- if (function_exists('theme_admin')) {
- $admin_form = '<iframe onload="resizeIframe(this);" src="/admin/themes/' . $theme . '/embed?mode=minimal" width="100%" height="600px" frameborder="no"></iframe>';
- }
- }
-
- $screenshot = [Theme::getScreenshot($theme), DI::l10n()->t('Screenshot')];
- if (!stristr($screenshot[0], $theme)) {
- $screenshot = null;
- }
-
- $t = Renderer::getMarkupTemplate('admin/addons/details.tpl');
- return Renderer::replaceMacros($t, [
- '$title' => DI::l10n()->t('Administration'),
- '$page' => DI::l10n()->t('Themes'),
- '$toggle' => DI::l10n()->t('Toggle'),
- '$settings' => DI::l10n()->t('Settings'),
- '$baseurl' => DI::baseUrl()->get(true),
- '$addon' => $theme,
- '$status' => $status,
- '$action' => $action,
- '$info' => Theme::getInfo($theme),
- '$function' => 'themes',
- '$admin_form' => $admin_form,
- '$str_author' => DI::l10n()->t('Author: '),
- '$str_maintainer' => DI::l10n()->t('Maintainer: '),
- '$screenshot' => $screenshot,
- '$readme' => $readme,
-
- '$form_security_token' => parent::getFormSecurityToken("admin_themes"),
- ]);
+ $theme = Strings::sanitizeFilePathItem($parameters['theme']);
+ if (!is_dir("view/theme/$theme")) {
+ notice(DI::l10n()->t("Item not found."));
+ return '';
}
- DI::baseUrl()->redirect('admin/themes');
+ $isEnabled = in_array($theme, Theme::getAllowedList());
+ if ($isEnabled) {
+ $status = "on";
+ $action = DI::l10n()->t("Disable");
+ } else {
+ $status = "off";
+ $action = DI::l10n()->t("Enable");
+ }
+
+ if (!empty($_GET['action']) && $_GET['action'] == 'toggle') {
+ self::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');
+
+ if ($isEnabled) {
+ Theme::uninstall($theme);
+ info(DI::l10n()->t('Theme %s disabled.', $theme));
+ } elseif (Theme::install($theme)) {
+ info(DI::l10n()->t('Theme %s successfully enabled.', $theme));
+ } else {
+ notice(DI::l10n()->t('Theme %s failed to install.', $theme));
+ }
+
+ DI::baseUrl()->redirect('admin/themes/' . $theme);
+ }
+
+ $readme = null;
+ if (is_file("view/theme/$theme/README.md")) {
+ $readme = Markdown::convert(file_get_contents("view/theme/$theme/README.md"), false);
+ } elseif (is_file("view/theme/$theme/README")) {
+ $readme = "<pre>" . file_get_contents("view/theme/$theme/README") . "</pre>";
+ }
+
+ $admin_form = '';
+ if (is_file("view/theme/$theme/config.php")) {
+ require_once "view/theme/$theme/config.php";
+
+ if (function_exists('theme_admin')) {
+ $admin_form = '<iframe onload="resizeIframe(this);" src="/admin/themes/' . $theme . '/embed?mode=minimal" width="100%" height="600px" frameborder="no"></iframe>';
+ }
+ }
+
+ $screenshot = [Theme::getScreenshot($theme), DI::l10n()->t('Screenshot')];
+ if (!stristr($screenshot[0], $theme)) {
+ $screenshot = null;
+ }
+
+ $t = Renderer::getMarkupTemplate('admin/addons/details.tpl');
+ return Renderer::replaceMacros($t, [
+ '$title' => DI::l10n()->t('Administration'),
+ '$page' => DI::l10n()->t('Themes'),
+ '$toggle' => DI::l10n()->t('Toggle'),
+ '$settings' => DI::l10n()->t('Settings'),
+ '$baseurl' => DI::baseUrl()->get(true),
+ '$addon' => $theme,
+ '$status' => $status,
+ '$action' => $action,
+ '$info' => Theme::getInfo($theme),
+ '$function' => 'themes',
+ '$admin_form' => $admin_form,
+ '$str_author' => DI::l10n()->t('Author: '),
+ '$str_maintainer' => DI::l10n()->t('Maintainer: '),
+ '$screenshot' => $screenshot,
+ '$readme' => $readme,
+
+ '$form_security_token' => self::getFormSecurityToken("admin_themes"),
+ ]);
}
}
diff --git a/src/Module/Admin/Themes/Embed.php b/src/Module/Admin/Themes/Embed.php
index 675e33c846..71824c6ccb 100644
--- a/src/Module/Admin/Themes/Embed.php
+++ b/src/Module/Admin/Themes/Embed.php
@@ -30,15 +30,9 @@ class Embed extends BaseAdmin
{
public static function init(array $parameters = [])
{
- $a = DI::app();
-
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $theme = $a->argv[2];
- $theme = Strings::sanitizeFilePathItem($theme);
- if (is_file("view/theme/$theme/config.php")) {
- $a->setCurrentTheme($theme);
- }
+ $theme = Strings::sanitizeFilePathItem($parameters['theme']);
+ if (is_file("view/theme/$theme/config.php")) {
+ DI::app()->setCurrentTheme($theme);
}
}
@@ -46,67 +40,49 @@ class Embed extends BaseAdmin
{
parent::post($parameters);
- $a = DI::app();
-
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $theme = $a->argv[2];
- $theme = Strings::sanitizeFilePathItem($theme);
- if (is_file("view/theme/$theme/config.php")) {
+ $theme = Strings::sanitizeFilePathItem($parameters['theme']);
+ if (is_file("view/theme/$theme/config.php")) {
+ require_once "view/theme/$theme/config.php";
+ if (function_exists('theme_admin_post')) {
self::checkFormSecurityTokenRedirectOnError('/admin/themes/' . $theme . '/embed?mode=minimal', 'admin_theme_settings');
-
- require_once "view/theme/$theme/config.php";
-
- if (function_exists('theme_admin_post')) {
- theme_admin_post($a);
- }
+ theme_admin_post(DI::app());
}
-
- info(DI::l10n()->t('Theme settings updated.'));
-
- if (DI::mode()->isAjax()) {
- return;
- }
-
- DI::baseUrl()->redirect('admin/themes/' . $theme . '/embed?mode=minimal');
}
+
+ if (DI::mode()->isAjax()) {
+ return;
+ }
+
+ DI::baseUrl()->redirect('admin/themes/' . $theme . '/embed?mode=minimal');
}
public static function content(array $parameters = [])
{
parent::content($parameters);
- $a = DI::app();
-
- if ($a->argc > 2) {
- // @TODO: Replace with parameter from router
- $theme = $a->argv[2];
- $theme = Strings::sanitizeFilePathItem($theme);
- if (!is_dir("view/theme/$theme")) {
- notice(DI::l10n()->t('Unknown theme.'));
- return '';
- }
-
- $admin_form = '';
- if (is_file("view/theme/$theme/config.php")) {
- require_once "view/theme/$theme/config.php";
-
- if (function_exists('theme_admin')) {
- $admin_form = theme_admin($a);
- }
- }
-
- // Overrides normal theme style include to strip user param to show embedded theme settings
- Renderer::$theme['stylesheet'] = 'view/theme/' . $theme . '/style.pcss';
-
- $t = Renderer::getMarkupTemplate('admin/addons/embed.tpl');
- return Renderer::replaceMacros($t, [
- '$action' => '/admin/themes/' . $theme . '/embed?mode=minimal',
- '$form' => $admin_form,
- '$form_security_token' => parent::getFormSecurityToken("admin_theme_settings"),
- ]);
+ $theme = Strings::sanitizeFilePathItem($parameters['theme']);
+ if (!is_dir("view/theme/$theme")) {
+ notice(DI::l10n()->t('Unknown theme.'));
+ return '';
}
- return '';
+ $admin_form = '';
+ if (is_file("view/theme/$theme/config.php")) {
+ require_once "view/theme/$theme/config.php";
+
+ if (function_exists('theme_admin')) {
+ $admin_form = theme_admin(DI::app());
+ }
+ }
+
+ // Overrides normal theme style include to strip user param to show embedded theme settings
+ Renderer::$theme['stylesheet'] = 'view/theme/' . $theme . '/style.pcss';
+
+ $t = Renderer::getMarkupTemplate('admin/addons/embed.tpl');
+ return Renderer::replaceMacros($t, [
+ '$action' => '/admin/themes/' . $theme . '/embed?mode=minimal',
+ '$form' => $admin_form,
+ '$form_security_token' => self::getFormSecurityToken("admin_theme_settings"),
+ ]);
}
}
diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php
index dca8c9c2e6..f82f9f8c74 100644
--- a/src/Module/Admin/Users.php
+++ b/src/Module/Admin/Users.php
@@ -101,187 +101,186 @@ class Users extends BaseAdmin
{
parent::content($parameters);
- $a = DI::app();
+ $action = $parameters['action'] ?? '';
+ $uid = $parameters['uid'] ?? 0;
- if ($a->argc > 3) {
- // @TODO: Replace with parameter from router
- $action = $a->argv[2];
- $uid = $a->argv[3];
+ if ($uid) {
$user = User::getById($uid, ['username', 'blocked']);
if (!DBA::isResult($user)) {
notice('User not found' . EOL);
DI::baseUrl()->redirect('admin/users');
return ''; // NOTREACHED
}
+ }
- switch ($action) {
- case 'delete':
- if (local_user() != $uid) {
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
- // delete user
- User::remove($uid);
+ switch ($action) {
+ case 'delete':
+ if (local_user() != $uid) {
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
+ // delete user
+ User::remove($uid);
- notice(DI::l10n()->t('User "%s" deleted', $user['username']));
- } else {
- notice(DI::l10n()->t('You can\'t remove yourself'));
+ notice(DI::l10n()->t('User "%s" deleted', $user['username']));
+ } else {
+ notice(DI::l10n()->t('You can\'t remove yourself'));
+ }
+ break;
+ case 'block':
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
+ User::block($uid);
+ notice(DI::l10n()->t('User "%s" blocked', $user['username']));
+ break;
+ case 'unblock':
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
+ User::block($uid, false);
+ notice(DI::l10n()->t('User "%s" unblocked', $user['username']));
+ break;
+ case 'allow':
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
+ User::allow(Register::getPendingForUser($uid)['hash'] ?? '');
+ notice(DI::l10n()->t('Account approved.'));
+ break;
+ case 'deny':
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
+ User::deny(Register::getPendingForUser($uid)['hash'] ?? '');
+ notice(DI::l10n()->t('Registration revoked'));
+ break;
+ default:
+ /* get pending */
+ $pending = Register::getPending();
+
+ $pager = new Pager(DI::l10n(), DI::args()->getQueryString(), 100);
+
+ $valid_orders = [
+ 'name',
+ 'email',
+ 'register_date',
+ 'login_date',
+ 'last-item',
+ 'page-flags'
+ ];
+
+ $order = 'name';
+ $order_direction = '+';
+ if (!empty($_GET['o'])) {
+ $new_order = $_GET['o'];
+ if ($new_order[0] === '-') {
+ $order_direction = '-';
+ $new_order = substr($new_order, 1);
}
- break;
- case 'block':
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
- User::block($uid);
- notice(DI::l10n()->t('User "%s" blocked', $user['username']));
- break;
- case 'unblock':
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
- User::block($uid, false);
- notice(DI::l10n()->t('User "%s" unblocked', $user['username']));
- break;
- case 'allow':
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
- User::allow(Register::getPendingForUser($uid)['hash'] ?? '');
- notice(DI::l10n()->t('Account approved.'));
- break;
- case 'deny':
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
- User::deny(Register::getPendingForUser($uid)['hash'] ?? '');
- notice(DI::l10n()->t('Registration revoked'));
- break;
- }
- DI::baseUrl()->redirect('admin/users');
+ if (in_array($new_order, $valid_orders)) {
+ $order = $new_order;
+ }
+ }
+
+ $users = User::getList($pager->getStart(), $pager->getItemsPerPage(), 'all', $order, ($order_direction == '-'));
+
+ $adminlist = explode(',', str_replace(' ', '', DI::config()->get('config', 'admin_email')));
+ $_setup_users = function ($e) use ($adminlist) {
+ $page_types = [
+ User::PAGE_FLAGS_NORMAL => DI::l10n()->t('Normal Account Page'),
+ User::PAGE_FLAGS_SOAPBOX => DI::l10n()->t('Soapbox Page'),
+ User::PAGE_FLAGS_COMMUNITY => DI::l10n()->t('Public Forum'),
+ User::PAGE_FLAGS_FREELOVE => DI::l10n()->t('Automatic Friend Page'),
+ User::PAGE_FLAGS_PRVGROUP => DI::l10n()->t('Private Forum')
+ ];
+ $account_types = [
+ User::ACCOUNT_TYPE_PERSON => DI::l10n()->t('Personal Page'),
+ User::ACCOUNT_TYPE_ORGANISATION => DI::l10n()->t('Organisation Page'),
+ User::ACCOUNT_TYPE_NEWS => DI::l10n()->t('News Page'),
+ User::ACCOUNT_TYPE_COMMUNITY => DI::l10n()->t('Community Forum'),
+ User::ACCOUNT_TYPE_RELAY => DI::l10n()->t('Relay'),
+ ];
+
+ $e['page_flags_raw'] = $e['page-flags'];
+ $e['page-flags'] = $page_types[$e['page-flags']];
+
+ $e['account_type_raw'] = ($e['page_flags_raw'] == 0) ? $e['account-type'] : -1;
+ $e['account-type'] = ($e['page_flags_raw'] == 0) ? $account_types[$e['account-type']] : '';
+
+ $e['register_date'] = Temporal::getRelativeDate($e['register_date']);
+ $e['login_date'] = Temporal::getRelativeDate($e['login_date']);
+ $e['lastitem_date'] = Temporal::getRelativeDate($e['last-item']);
+ $e['is_admin'] = in_array($e['email'], $adminlist);
+ $e['is_deletable'] = (intval($e['uid']) != local_user());
+ $e['deleted'] = ($e['account_removed'] ? Temporal::getRelativeDate($e['account_expires_on']) : False);
+
+ return $e;
+ };
+
+ $tmp_users = array_map($_setup_users, $users);
+
+ // Get rid of dashes in key names, Smarty3 can't handle them
+ // and extracting deleted users
+
+ $deleted = [];
+ $users = [];
+ foreach ($tmp_users as $user) {
+ foreach ($user as $k => $v) {
+ $newkey = str_replace('-', '_', $k);
+ $user[$newkey] = $v;
+ }
+
+ if ($user['deleted']) {
+ $deleted[] = $user;
+ } else {
+ $users[] = $user;
+ }
+ }
+
+ $th_users = array_map(null, [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Type')], $valid_orders);
+
+ $t = Renderer::getMarkupTemplate('admin/users.tpl');
+ $o = Renderer::replaceMacros($t, [
+ // strings //
+ '$title' => DI::l10n()->t('Administration'),
+ '$page' => DI::l10n()->t('Users'),
+ '$submit' => DI::l10n()->t('Add User'),
+ '$select_all' => DI::l10n()->t('select all'),
+ '$h_pending' => DI::l10n()->t('User registrations waiting for confirm'),
+ '$h_deleted' => DI::l10n()->t('User waiting for permanent deletion'),
+ '$th_pending' => [DI::l10n()->t('Request date'), DI::l10n()->t('Name'), DI::l10n()->t('Email')],
+ '$no_pending' => DI::l10n()->t('No registrations.'),
+ '$pendingnotetext' => DI::l10n()->t('Note from the user'),
+ '$approve' => DI::l10n()->t('Approve'),
+ '$deny' => DI::l10n()->t('Deny'),
+ '$delete' => DI::l10n()->t('Delete'),
+ '$block' => DI::l10n()->t('Block'),
+ '$blocked' => DI::l10n()->t('User blocked'),
+ '$unblock' => DI::l10n()->t('Unblock'),
+ '$siteadmin' => DI::l10n()->t('Site admin'),
+ '$accountexpired' => DI::l10n()->t('Account expired'),
+
+ '$h_users' => DI::l10n()->t('Users'),
+ '$h_newuser' => DI::l10n()->t('New User'),
+ '$th_deleted' => [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Permanent deletion')],
+ '$th_users' => $th_users,
+ '$order_users' => $order,
+ '$order_direction_users' => $order_direction,
+
+ '$confirm_delete_multi' => DI::l10n()->t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
+ '$confirm_delete' => DI::l10n()->t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
+
+ '$form_security_token' => self::getFormSecurityToken('admin_users'),
+
+ // values //
+ '$baseurl' => DI::baseUrl()->get(true),
+
+ '$pending' => $pending,
+ 'deleted' => $deleted,
+ '$users' => $users,
+ '$newusername' => ['new_user_name', DI::l10n()->t('Name'), '', DI::l10n()->t('Name of the new user.')],
+ '$newusernickname' => ['new_user_nickname', DI::l10n()->t('Nickname'), '', DI::l10n()->t('Nickname of the new user.')],
+ '$newuseremail' => ['new_user_email', DI::l10n()->t('Email'), '', DI::l10n()->t('Email address of the new user.'), '', '', 'email'],
+ ]);
+
+ $o .= $pager->renderFull(DBA::count('user'));
+
+ return $o;
}
- /* get pending */
- $pending = Register::getPending();
-
- $pager = new Pager(DI::l10n(), DI::args()->getQueryString(), 100);
-
- $valid_orders = [
- 'name',
- 'email',
- 'register_date',
- 'login_date',
- 'last-item',
- 'page-flags'
- ];
-
- $order = 'name';
- $order_direction = '+';
- if (!empty($_GET['o'])) {
- $new_order = $_GET['o'];
- if ($new_order[0] === '-') {
- $order_direction = '-';
- $new_order = substr($new_order, 1);
- }
-
- if (in_array($new_order, $valid_orders)) {
- $order = $new_order;
- }
- }
-
- $users = User::getList($pager->getStart(), $pager->getItemsPerPage(), 'all', $order, ($order_direction == '-'));
-
- $adminlist = explode(',', str_replace(' ', '', DI::config()->get('config', 'admin_email')));
- $_setup_users = function ($e) use ($adminlist) {
- $page_types = [
- User::PAGE_FLAGS_NORMAL => DI::l10n()->t('Normal Account Page'),
- User::PAGE_FLAGS_SOAPBOX => DI::l10n()->t('Soapbox Page'),
- User::PAGE_FLAGS_COMMUNITY => DI::l10n()->t('Public Forum'),
- User::PAGE_FLAGS_FREELOVE => DI::l10n()->t('Automatic Friend Page'),
- User::PAGE_FLAGS_PRVGROUP => DI::l10n()->t('Private Forum')
- ];
- $account_types = [
- User::ACCOUNT_TYPE_PERSON => DI::l10n()->t('Personal Page'),
- User::ACCOUNT_TYPE_ORGANISATION => DI::l10n()->t('Organisation Page'),
- User::ACCOUNT_TYPE_NEWS => DI::l10n()->t('News Page'),
- User::ACCOUNT_TYPE_COMMUNITY => DI::l10n()->t('Community Forum'),
- User::ACCOUNT_TYPE_RELAY => DI::l10n()->t('Relay'),
- ];
-
- $e['page_flags_raw'] = $e['page-flags'];
- $e['page-flags'] = $page_types[$e['page-flags']];
-
- $e['account_type_raw'] = ($e['page_flags_raw'] == 0) ? $e['account-type'] : -1;
- $e['account-type'] = ($e['page_flags_raw'] == 0) ? $account_types[$e['account-type']] : '';
-
- $e['register_date'] = Temporal::getRelativeDate($e['register_date']);
- $e['login_date'] = Temporal::getRelativeDate($e['login_date']);
- $e['lastitem_date'] = Temporal::getRelativeDate($e['last-item']);
- $e['is_admin'] = in_array($e['email'], $adminlist);
- $e['is_deletable'] = (intval($e['uid']) != local_user());
- $e['deleted'] = ($e['account_removed'] ? Temporal::getRelativeDate($e['account_expires_on']) : False);
-
- return $e;
- };
-
- $tmp_users = array_map($_setup_users, $users);
-
- // Get rid of dashes in key names, Smarty3 can't handle them
- // and extracting deleted users
-
- $deleted = [];
- $users = [];
- foreach ($tmp_users as $user) {
- foreach ($user as $k => $v) {
- $newkey = str_replace('-', '_', $k);
- $user[$newkey] = $v;
- }
-
- if ($user['deleted']) {
- $deleted[] = $user;
- } else {
- $users[] = $user;
- }
- }
-
- $th_users = array_map(null, [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Type')], $valid_orders);
-
- $t = Renderer::getMarkupTemplate('admin/users.tpl');
- $o = Renderer::replaceMacros($t, [
- // strings //
- '$title' => DI::l10n()->t('Administration'),
- '$page' => DI::l10n()->t('Users'),
- '$submit' => DI::l10n()->t('Add User'),
- '$select_all' => DI::l10n()->t('select all'),
- '$h_pending' => DI::l10n()->t('User registrations waiting for confirm'),
- '$h_deleted' => DI::l10n()->t('User waiting for permanent deletion'),
- '$th_pending' => [DI::l10n()->t('Request date'), DI::l10n()->t('Name'), DI::l10n()->t('Email')],
- '$no_pending' => DI::l10n()->t('No registrations.'),
- '$pendingnotetext' => DI::l10n()->t('Note from the user'),
- '$approve' => DI::l10n()->t('Approve'),
- '$deny' => DI::l10n()->t('Deny'),
- '$delete' => DI::l10n()->t('Delete'),
- '$block' => DI::l10n()->t('Block'),
- '$blocked' => DI::l10n()->t('User blocked'),
- '$unblock' => DI::l10n()->t('Unblock'),
- '$siteadmin' => DI::l10n()->t('Site admin'),
- '$accountexpired' => DI::l10n()->t('Account expired'),
-
- '$h_users' => DI::l10n()->t('Users'),
- '$h_newuser' => DI::l10n()->t('New User'),
- '$th_deleted' => [DI::l10n()->t('Name'), DI::l10n()->t('Email'), DI::l10n()->t('Register date'), DI::l10n()->t('Last login'), DI::l10n()->t('Last public item'), DI::l10n()->t('Permanent deletion')],
- '$th_users' => $th_users,
- '$order_users' => $order,
- '$order_direction_users' => $order_direction,
-
- '$confirm_delete_multi' => DI::l10n()->t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
- '$confirm_delete' => DI::l10n()->t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
-
- '$form_security_token' => parent::getFormSecurityToken('admin_users'),
-
- // values //
- '$baseurl' => DI::baseUrl()->get(true),
-
- '$pending' => $pending,
- 'deleted' => $deleted,
- '$users' => $users,
- '$newusername' => ['new_user_name', DI::l10n()->t('Name'), '', DI::l10n()->t('Name of the new user.')],
- '$newusernickname' => ['new_user_nickname', DI::l10n()->t('Nickname'), '', DI::l10n()->t('Nickname of the new user.')],
- '$newuseremail' => ['new_user_email', DI::l10n()->t('Email'), '', DI::l10n()->t('Email address of the new user.'), '', '', 'email'],
- ]);
-
- $o .= $pager->renderFull(DBA::count('user'));
-
- return $o;
+ DI::baseUrl()->redirect('admin/users');
+ return '';
}
}
diff --git a/static/routes.config.php b/static/routes.config.php
index 074c1f5710..c7ef4bd78f 100644
--- a/static/routes.config.php
+++ b/static/routes.config.php
@@ -73,9 +73,7 @@ return [
'/blocklist/contact' => [Module\Admin\Blocklist\Contact::class, [R::GET, R::POST]],
'/blocklist/server' => [Module\Admin\Blocklist\Server::class, [R::GET, R::POST]],
- '/dbsync[/check]' => [Module\Admin\DBSync::class, [R::GET]],
- '/dbsync/{update:\d+}' => [Module\Admin\DBSync::class, [R::GET]],
- '/dbsync/mark/{update:\d+}' => [Module\Admin\DBSync::class, [R::GET]],
+ '/dbsync[/{action}[/{update:\d+}]]' => [Module\Admin\DBSync::class, [R::GET]],
'/features' => [Module\Admin\Features::class, [R::GET, R::POST]],
'/federation' => [Module\Admin\Federation::class, [R::GET]],
@@ -88,7 +86,7 @@ return [
'/phpinfo' => [Module\Admin\PhpInfo::class, [R::GET]],
- '/queue[/deferred]' => [Module\Admin\Queue::class, [R::GET]],
+ '/queue[/{status}]' => [Module\Admin\Queue::class, [R::GET]],
'/site' => [Module\Admin\Site::class, [R::GET, R::POST]],
diff --git a/view/templates/admin/dbsync/failed_updates.tpl b/view/templates/admin/dbsync/failed_updates.tpl
index f75f266c7d..f1a7522907 100644
--- a/view/templates/admin/dbsync/failed_updates.tpl
+++ b/view/templates/admin/dbsync/failed_updates.tpl
@@ -10,7 +10,7 @@
<ul>
<li><a href="{{$baseurl}}/admin/dbsync/mark/{{$f}}">{{$mark}}</a></li>
- <li><a href="{{$baseurl}}/admin/dbsync/{{$f}}">{{$apply}}</a></li>
+ <li><a href="{{$baseurl}}/admin/dbsync/update/{{$f}}">{{$apply}}</a></li>
</ul>
<hr />
From 9bc2c5a52e8fd0bf09774a36c40174ae758f6f98 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Tue, 8 Sep 2020 10:42:25 -0400
Subject: [PATCH 2/3] Normalize use of form security tokens in Admin modules
# Conflicts:
# src/Module/Admin/Logs/Settings.php
---
src/Module/Admin/Addons/Details.php | 6 ++--
src/Module/Admin/Addons/Index.php | 4 +--
src/Module/Admin/Blocklist/Contact.php | 6 ++--
src/Module/Admin/Blocklist/Server.php | 4 +--
src/Module/Admin/Features.php | 4 +--
src/Module/Admin/Item/Delete.php | 4 +--
src/Module/Admin/Logs/Settings.php | 37 +++++++++++++------------
src/Module/Admin/Site.php | 2 +-
src/Module/Admin/Themes/Index.php | 4 +--
src/Module/Admin/Tos.php | 6 ++--
src/Module/Admin/Users.php | 4 +--
view/templates/admin/addons/details.tpl | 1 +
12 files changed, 43 insertions(+), 39 deletions(-)
diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php
index 139275cfe2..85b17130c4 100644
--- a/src/Module/Admin/Addons/Details.php
+++ b/src/Module/Admin/Addons/Details.php
@@ -42,6 +42,8 @@ class Details extends BaseAdmin
include_once 'addon/' . $addon . '/' . $addon . '.php';
if (function_exists($addon . '_addon_admin_post')) {
+ self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');
+
$func = $addon . '_addon_admin_post';
$func(DI::app());
}
@@ -66,7 +68,7 @@ class Details extends BaseAdmin
}
if (($_GET['action'] ?? '') == 'toggle') {
- self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
+ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons_details', 't');
// Toggle addon status
if (Addon::isEnabled($addon)) {
@@ -124,7 +126,7 @@ class Details extends BaseAdmin
'$screenshot' => '',
'$readme' => $readme,
- '$form_security_token' => self::getFormSecurityToken('admin_addons'),
+ '$form_security_token' => self::getFormSecurityToken('admin_addons_details'),
]);
}
}
diff --git a/src/Module/Admin/Addons/Index.php b/src/Module/Admin/Addons/Index.php
index 3049cdc6a7..959f9d04a1 100644
--- a/src/Module/Admin/Addons/Index.php
+++ b/src/Module/Admin/Addons/Index.php
@@ -34,7 +34,7 @@ class Index extends BaseAdmin
// reload active themes
if (!empty($_GET['action'])) {
- parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
+ self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
switch ($_GET['action']) {
case 'reload':
@@ -73,7 +73,7 @@ class Index extends BaseAdmin
'$addons' => $addons,
'$pcount' => count($addons),
'$noplugshint' => DI::l10n()->t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
- '$form_security_token' => parent::getFormSecurityToken('admin_addons'),
+ '$form_security_token' => self::getFormSecurityToken('admin_addons'),
]);
}
}
diff --git a/src/Module/Admin/Blocklist/Contact.php b/src/Module/Admin/Blocklist/Contact.php
index 8893623234..5a7d138b23 100644
--- a/src/Module/Admin/Blocklist/Contact.php
+++ b/src/Module/Admin/Blocklist/Contact.php
@@ -34,12 +34,12 @@ class Contact extends BaseAdmin
{
parent::post($parameters);
+ self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
+
$contact_url = $_POST['contact_url'] ?? '';
$block_reason = $_POST['contact_block_reason'] ?? '';
$contacts = $_POST['contacts'] ?? [];
- parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
-
if (!empty($_POST['page_contactblock_block'])) {
$contact_id = Model\Contact::getIdForURL($contact_url);
if ($contact_id) {
@@ -89,7 +89,7 @@ class Contact extends BaseAdmin
'$h_newblock' => DI::l10n()->t('Block New Remote Contact'),
'$th_contacts' => [DI::l10n()->t('Photo'), DI::l10n()->t('Name'), DI::l10n()->t('Reason')],
- '$form_security_token' => parent::getFormSecurityToken('admin_contactblock'),
+ '$form_security_token' => self::getFormSecurityToken('admin_contactblock'),
// values //
'$baseurl' => DI::baseUrl()->get(true),
diff --git a/src/Module/Admin/Blocklist/Server.php b/src/Module/Admin/Blocklist/Server.php
index 4f19ca361d..b4be591e7f 100644
--- a/src/Module/Admin/Blocklist/Server.php
+++ b/src/Module/Admin/Blocklist/Server.php
@@ -36,7 +36,7 @@ class Server extends BaseAdmin
return;
}
- parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
+ self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
if (!empty($_POST['page_blocklist_save'])) {
// Add new item to blocklist
@@ -108,7 +108,7 @@ class Server extends BaseAdmin
'$entries' => $blocklistform,
'$baseurl' => DI::baseUrl()->get(true),
'$confirm_delete' => DI::l10n()->t('Delete entry from blocklist?'),
- '$form_security_token' => parent::getFormSecurityToken("admin_blocklist")
+ '$form_security_token' => self::getFormSecurityToken("admin_blocklist")
]);
}
}
diff --git a/src/Module/Admin/Features.php b/src/Module/Admin/Features.php
index a97bc0e7bb..51ba9140ef 100644
--- a/src/Module/Admin/Features.php
+++ b/src/Module/Admin/Features.php
@@ -32,7 +32,7 @@ class Features extends BaseAdmin
{
parent::post($parameters);
- parent::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
+ self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
$features = Feature::get(false);
@@ -80,7 +80,7 @@ class Features extends BaseAdmin
$tpl = Renderer::getMarkupTemplate('admin/features.tpl');
$o = Renderer::replaceMacros($tpl, [
- '$form_security_token' => parent::getFormSecurityToken("admin_manage_features"),
+ '$form_security_token' => self::getFormSecurityToken("admin_manage_features"),
'$baseurl' => DI::baseUrl()->get(true),
'$title' => DI::l10n()->t('Manage Additional Features'),
'$features' => $features,
diff --git a/src/Module/Admin/Item/Delete.php b/src/Module/Admin/Item/Delete.php
index 0ad20f97c9..028e228d34 100644
--- a/src/Module/Admin/Item/Delete.php
+++ b/src/Module/Admin/Item/Delete.php
@@ -37,7 +37,7 @@ class Delete extends BaseAdmin
return;
}
- parent::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
+ self::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
if (!empty($_POST['page_deleteitem_submit'])) {
$guid = trim(Strings::escapeTags($_POST['deleteitemguid']));
@@ -68,7 +68,7 @@ class Delete extends BaseAdmin
'$intro1' => DI::l10n()->t('On this page you can delete an item from your node. If the item is a top level posting, the entire thread will be deleted.'),
'$intro2' => DI::l10n()->t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
'$deleteitemguid' => ['deleteitemguid', DI::l10n()->t("GUID"), '', DI::l10n()->t("The GUID of the item you want to delete."), 'required', 'autofocus'],
- '$form_security_token' => parent::getFormSecurityToken("admin_deleteitem")
+ '$form_security_token' => self::getFormSecurityToken("admin_deleteitem")
]);
}
}
diff --git a/src/Module/Admin/Logs/Settings.php b/src/Module/Admin/Logs/Settings.php
index 5158108e46..0b59937986 100644
--- a/src/Module/Admin/Logs/Settings.php
+++ b/src/Module/Admin/Logs/Settings.php
@@ -33,25 +33,26 @@ class Settings extends BaseAdmin
{
parent::post($parameters);
- if (!empty($_POST['page_logs'])) {
- parent::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
-
- $logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
- $debugging = !empty($_POST['debugging']);
- $loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR;
-
- if (is_file($logfile) &&
- !is_writeable($logfile)) {
- notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile));
- return;
- }
-
- DI::config()->set('system', 'logfile', $logfile);
- DI::config()->set('system', 'debugging', $debugging);
- DI::config()->set('system', 'loglevel', $loglevel);
+ if (empty($_POST['page_logs'])) {
+ return;
}
- info(DI::l10n()->t("Log settings updated."));
+ self::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
+
+ $logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
+ $debugging = !empty($_POST['debugging']);
+ $loglevel = ($_POST['loglevel'] ?? '') ?: LogLevel::ERROR;
+
+ if (is_file($logfile) &&
+ !is_writeable($logfile)) {
+ notice(DI::l10n()->t('The logfile \'%s\' is not writable. No logging possible', $logfile));
+ return;
+ }
+
+ DI::config()->set('system', 'logfile', $logfile);
+ DI::config()->set('system', 'debugging', $debugging);
+ DI::config()->set('system', 'loglevel', $loglevel);
+
DI::baseUrl()->redirect('admin/logs');
}
@@ -86,7 +87,7 @@ class Settings extends BaseAdmin
'$debugging' => ['debugging', DI::l10n()->t("Enable Debugging"), DI::config()->get('system', 'debugging'), ""],
'$logfile' => ['logfile', DI::l10n()->t("Log file"), DI::config()->get('system', 'logfile'), DI::l10n()->t("Must be writable by web server. Relative to your Friendica top-level directory.")],
'$loglevel' => ['loglevel', DI::l10n()->t("Log level"), DI::config()->get('system', 'loglevel'), "", $log_choices],
- '$form_security_token' => parent::getFormSecurityToken("admin_logs"),
+ '$form_security_token' => self::getFormSecurityToken("admin_logs"),
'$phpheader' => DI::l10n()->t("PHP logging"),
'$phphint' => DI::l10n()->t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
'$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php
index 2e16cc657e..6380f3d935 100644
--- a/src/Module/Admin/Site.php
+++ b/src/Module/Admin/Site.php
@@ -718,7 +718,7 @@ class Site extends BaseAdmin
'$relay_server_tags' => ['relay_server_tags', DI::l10n()->t('Server tags'), DI::config()->get('system', 'relay_server_tags'), DI::l10n()->t('Comma separated list of tags for the "tags" subscription.')],
'$relay_user_tags' => ['relay_user_tags', DI::l10n()->t('Allow user tags'), DI::config()->get('system', 'relay_user_tags', true), DI::l10n()->t('If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".')],
- '$form_security_token' => parent::getFormSecurityToken('admin_site'),
+ '$form_security_token' => self::getFormSecurityToken('admin_site'),
'$relocate_button' => DI::l10n()->t('Start Relocation'),
]);
}
diff --git a/src/Module/Admin/Themes/Index.php b/src/Module/Admin/Themes/Index.php
index 955ddadc70..f25d64b474 100644
--- a/src/Module/Admin/Themes/Index.php
+++ b/src/Module/Admin/Themes/Index.php
@@ -37,7 +37,7 @@ class Index extends BaseAdmin
// reload active themes
if (!empty($_GET['action'])) {
- parent::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
+ self::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
switch ($_GET['action']) {
case 'reload':
@@ -119,7 +119,7 @@ class Index extends BaseAdmin
'$noplugshint' => DI::l10n()->t('No themes found on the system. They should be placed in %1$s', '<code>/view/themes</code>'),
'$experimental' => DI::l10n()->t('[Experimental]'),
'$unsupported' => DI::l10n()->t('[Unsupported]'),
- '$form_security_token' => parent::getFormSecurityToken('admin_themes'),
+ '$form_security_token' => self::getFormSecurityToken('admin_themes'),
]);
}
}
diff --git a/src/Module/Admin/Tos.php b/src/Module/Admin/Tos.php
index 811a0eb25c..fef199c351 100644
--- a/src/Module/Admin/Tos.php
+++ b/src/Module/Admin/Tos.php
@@ -31,12 +31,12 @@ class Tos extends BaseAdmin
{
parent::post($parameters);
- parent::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
-
if (empty($_POST['page_tos'])) {
return;
}
+ self::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
+
$displaytos = !empty($_POST['displaytos']);
$displayprivstatement = !empty($_POST['displayprivstatement']);
$tostext = (!empty($_POST['tostext']) ? strip_tags(trim($_POST['tostext'])) : '');
@@ -64,7 +64,7 @@ class Tos extends BaseAdmin
'$preview' => DI::l10n()->t('Privacy Statement Preview'),
'$privtext' => $tos->privacy_complete,
'$tostext' => ['tostext', DI::l10n()->t('The Terms of Service'), DI::config()->get('system', 'tostext'), DI::l10n()->t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
- '$form_security_token' => parent::getFormSecurityToken('admin_tos'),
+ '$form_security_token' => self::getFormSecurityToken('admin_tos'),
'$submit' => DI::l10n()->t('Save Settings'),
]);
}
diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php
index f82f9f8c74..751b618afc 100644
--- a/src/Module/Admin/Users.php
+++ b/src/Module/Admin/Users.php
@@ -36,6 +36,8 @@ class Users extends BaseAdmin
{
parent::post($parameters);
+ self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
+
$pending = $_POST['pending'] ?? [];
$users = $_POST['user'] ?? [];
$nu_name = $_POST['new_user_name'] ?? '';
@@ -43,8 +45,6 @@ class Users extends BaseAdmin
$nu_email = $_POST['new_user_email'] ?? '';
$nu_language = DI::config()->get('system', 'language');
- parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
-
if ($nu_name !== '' && $nu_email !== '' && $nu_nickname !== '') {
try {
User::createMinimal($nu_name, $nu_email, $nu_nickname, $nu_language);
diff --git a/view/templates/admin/addons/details.tpl b/view/templates/admin/addons/details.tpl
index f5bb165e05..81625fecf1 100644
--- a/view/templates/admin/addons/details.tpl
+++ b/view/templates/admin/addons/details.tpl
@@ -24,6 +24,7 @@
{{if $admin_form}}
<h3>{{$settings}}</h3>
<form method="post" action="{{$baseurl}}/admin/{{$function}}/{{$addon}}">
+ <input type="hidden" name="form_security_token" value="{{$form_security_token}}">
{{$admin_form nofilter}}
</form>
{{/if}}
From 3efa8648c565f7a4bd24436a55336e7ca70fcb06 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <hypolite@mrpetovan.com>
Date: Tue, 8 Sep 2020 10:44:27 -0400
Subject: [PATCH 3/3] Fix security vulnerability in admin modules
- The Module\BaseAdmin::post method checked credentials but didn't abort the process when it failed
- Created Module\BaseAdmin::checkAdminAccess method
---
src/Module/Admin/Addons/Details.php | 2 +-
src/Module/Admin/Blocklist/Contact.php | 2 +-
src/Module/Admin/Blocklist/Server.php | 2 +-
src/Module/Admin/Features.php | 2 +-
src/Module/Admin/Item/Delete.php | 2 +-
src/Module/Admin/Logs/Settings.php | 2 +-
src/Module/Admin/PhpInfo.php | 2 +-
src/Module/Admin/Site.php | 2 +-
src/Module/Admin/Themes/Embed.php | 2 +-
src/Module/Admin/Tos.php | 2 +-
src/Module/Admin/Users.php | 2 +-
src/Module/BaseAdmin.php | 43 +++++++++++---------------
12 files changed, 29 insertions(+), 36 deletions(-)
diff --git a/src/Module/Admin/Addons/Details.php b/src/Module/Admin/Addons/Details.php
index 85b17130c4..4c1fe2df92 100644
--- a/src/Module/Admin/Addons/Details.php
+++ b/src/Module/Admin/Addons/Details.php
@@ -32,7 +32,7 @@ class Details extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
$addon = Strings::sanitizeFilePathItem($parameters['addon']);
diff --git a/src/Module/Admin/Blocklist/Contact.php b/src/Module/Admin/Blocklist/Contact.php
index 5a7d138b23..c4eedc5a8a 100644
--- a/src/Module/Admin/Blocklist/Contact.php
+++ b/src/Module/Admin/Blocklist/Contact.php
@@ -32,7 +32,7 @@ class Contact extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
diff --git a/src/Module/Admin/Blocklist/Server.php b/src/Module/Admin/Blocklist/Server.php
index b4be591e7f..1290662f25 100644
--- a/src/Module/Admin/Blocklist/Server.php
+++ b/src/Module/Admin/Blocklist/Server.php
@@ -30,7 +30,7 @@ class Server extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
if (empty($_POST['page_blocklist_save']) && empty($_POST['page_blocklist_edit'])) {
return;
diff --git a/src/Module/Admin/Features.php b/src/Module/Admin/Features.php
index 51ba9140ef..5054da3fb4 100644
--- a/src/Module/Admin/Features.php
+++ b/src/Module/Admin/Features.php
@@ -30,7 +30,7 @@ class Features extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
diff --git a/src/Module/Admin/Item/Delete.php b/src/Module/Admin/Item/Delete.php
index 028e228d34..9e2bc90d92 100644
--- a/src/Module/Admin/Item/Delete.php
+++ b/src/Module/Admin/Item/Delete.php
@@ -31,7 +31,7 @@ class Delete extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
if (empty($_POST['page_deleteitem_submit'])) {
return;
diff --git a/src/Module/Admin/Logs/Settings.php b/src/Module/Admin/Logs/Settings.php
index 0b59937986..7730b487da 100644
--- a/src/Module/Admin/Logs/Settings.php
+++ b/src/Module/Admin/Logs/Settings.php
@@ -31,7 +31,7 @@ class Settings extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
if (empty($_POST['page_logs'])) {
return;
diff --git a/src/Module/Admin/PhpInfo.php b/src/Module/Admin/PhpInfo.php
index f282e10089..61a004618e 100644
--- a/src/Module/Admin/PhpInfo.php
+++ b/src/Module/Admin/PhpInfo.php
@@ -27,7 +27,7 @@ class PhpInfo extends BaseAdmin
{
public static function rawContent(array $parameters = [])
{
- parent::rawContent($parameters);
+ self::checkAdminAccess();
phpinfo();
exit();
diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php
index 6380f3d935..9f3905da5b 100644
--- a/src/Module/Admin/Site.php
+++ b/src/Module/Admin/Site.php
@@ -43,7 +43,7 @@ class Site extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
self::checkFormSecurityTokenRedirectOnError('/admin/site', 'admin_site');
diff --git a/src/Module/Admin/Themes/Embed.php b/src/Module/Admin/Themes/Embed.php
index 71824c6ccb..a308b43cb5 100644
--- a/src/Module/Admin/Themes/Embed.php
+++ b/src/Module/Admin/Themes/Embed.php
@@ -38,7 +38,7 @@ class Embed extends BaseAdmin
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
$theme = Strings::sanitizeFilePathItem($parameters['theme']);
if (is_file("view/theme/$theme/config.php")) {
diff --git a/src/Module/Admin/Tos.php b/src/Module/Admin/Tos.php
index fef199c351..aac81264b7 100644
--- a/src/Module/Admin/Tos.php
+++ b/src/Module/Admin/Tos.php
@@ -29,7 +29,7 @@ class Tos extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
if (empty($_POST['page_tos'])) {
return;
diff --git a/src/Module/Admin/Users.php b/src/Module/Admin/Users.php
index 751b618afc..74fee7230a 100644
--- a/src/Module/Admin/Users.php
+++ b/src/Module/Admin/Users.php
@@ -34,7 +34,7 @@ class Users extends BaseAdmin
{
public static function post(array $parameters = [])
{
- parent::post($parameters);
+ self::checkAdminAccess();
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
diff --git a/src/Module/BaseAdmin.php b/src/Module/BaseAdmin.php
index a7b38a5033..67de97f857 100644
--- a/src/Module/BaseAdmin.php
+++ b/src/Module/BaseAdmin.php
@@ -26,7 +26,7 @@ use Friendica\Core\Addon;
use Friendica\Core\Renderer;
use Friendica\Core\Session;
use Friendica\DI;
-use Friendica\Network\HTTPException\ForbiddenException;
+use Friendica\Network\HTTPException;
require_once 'boot.php';
@@ -42,42 +42,35 @@ require_once 'boot.php';
*/
abstract class BaseAdmin extends BaseModule
{
- public static function post(array $parameters = [])
+ /**
+ * @param bool $interactive
+ * @throws HTTPException\ForbiddenException
+ * @throws HTTPException\InternalServerErrorException
+ */
+ public static function checkAdminAccess(bool $interactive = false)
{
- if (!is_site_admin()) {
- return;
+ if (!local_user()) {
+ if ($interactive) {
+ notice(DI::l10n()->t('Please login to continue.'));
+ Session::set('return_path', DI::args()->getQueryString());
+ DI::baseUrl()->redirect('login');
+ } else {
+ throw new HTTPException\UnauthorizedException(DI::l10n()->t('Please login to continue.'));
+ }
}
- // do not allow a page manager to access the admin panel at all.
- if (!empty($_SESSION['submanage'])) {
- return;
- }
- }
-
- public static function rawContent(array $parameters = [])
- {
if (!is_site_admin()) {
- return '';
+ throw new HTTPException\ForbiddenException(DI::l10n()->t('You don\'t have access to administration pages.'));
}
if (!empty($_SESSION['submanage'])) {
- return '';
+ throw new HTTPException\ForbiddenException(DI::l10n()->t('Submanaged account can\'t access the administation pages. Please log back in as the main account.'));
}
-
- return '';
}
public static function content(array $parameters = [])
{
- if (!is_site_admin()) {
- notice(DI::l10n()->t('Please login to continue.'));
- Session::set('return_path', DI::args()->getQueryString());
- DI::baseUrl()->redirect('login');
- }
-
- if (!empty($_SESSION['submanage'])) {
- throw new ForbiddenException(DI::l10n()->t('Submanaged account can\'t access the administation pages. Please log back in as the main account.'));
- }
+ self::checkAdminAccess(true);
// Header stuff
DI::page()['htmlhead'] .= Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/settings_head.tpl'), []);
View Git Blame Copy Permalink