From a65fbcebe785d33a8053645cb73dfd11d032a940 Mon Sep 17 00:00:00 2001
From: Philipp
Date: Sun, 12 Sep 2021 21:20:12 +0200
Subject: [PATCH] Fixing #10699 (prohibits blocking and ignoreing from the photo menu)
---
 include/conversation.php | 12 +++++++-----
 src/Object/Post.php | 7 ++++---
 src/Object/Thread.php | 5 +++--
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/include/conversation.php b/include/conversation.php
index 352060d7f2..2db0c22b80 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -20,6 +20,7 @@
 */
 use Friendica\App;
+use Friendica\BaseModule;
 use Friendica\Content\ContactSelector;
 use Friendica\Content\Feature;
 use Friendica\Core\ACL;
@@ -396,6 +397,7 @@ function conversation(App $a, array $items, $mode, $update, $preview = false, $o
 $threadsid = -1;
 $page_template = Renderer::getMarkupTemplate("conversation.tpl");
+ $formSecurityToken = BaseModule::getFormSecurityToken('contact_action');
 if (!empty($items)) {
 if (in_array($mode, ['community', 'contacts'])) {
@@ -502,7 +504,7 @@ function conversation(App $a, array $items, $mode, $update, $preview = false, $o
 'network_icon' => ContactSelector::networkToIcon($item['network'], $item['author-link']),
 'linktitle' => DI::l10n()->t('View %s\'s profile @ %s', $profile_name, $item['author-link']),
 'profile_url' => $profile_link,
- 'item_photo_menu_html' => item_photo_menu($item),
+ 'item_photo_menu_html' => item_photo_menu($item, $formSecurityToken),
 'name' => $profile_name,
 'sparkle' => $sparkle,
 'lock' => false,
@@ -590,7 +592,7 @@ function conversation(App $a, array $items, $mode, $update, $preview = false, $o
 }
 }
- $threads = $conv->getTemplateData($conv_responses);
+ $threads = $conv->getTemplateData($conv_responses, $formSecurityToken);
 if (!$threads) {
 Logger::log('[ERROR] conversation : Failed to get template data.', Logger::DEBUG);
 $threads = [];
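Review bot: The type name `'contact_action'` in the added `$formSecurityToken = BaseModule::getFormSecurityToken('contact_action');` is a bare string that has to match exactly what the `contact/<id>/block` and `/ignore` handlers pass to their token check, and those handlers are not part of this diff, so the pairing cannot be verified here. A drift between the two strings would not fail at render time; the links would only be rejected at the destination. Suggest a shared class constant referenced from both the producer and the consumer, with a comment on this line such as `// type name must match the check in the contact block/ignore actions`. The body of `conversation()` continues beyond this hunk.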
@@ -782,7 +784,7 @@ function conversation_add_children(array $parents, $block_authors, $order, $uid)
 return $items;
 }
-function item_photo_menu($item)
+function item_photo_menu($item, string $formSecurityToken)
 {
 DI::profiler()->startRecording('rendering');
 $sub_link = '';
@@ -825,8 +827,8 @@ function item_photo_menu($item)
 if (!empty($pcid)) {
 $contact_url = 'contact/' . $pcid;
 $posts_link = $contact_url . '/posts';
- $block_link = $item['self'] ? '' : $contact_url . '/block';
- $ignore_link = $item['self'] ? '' : $contact_url . '/ignore';
+ $block_link = $item['self'] ? '' : $contact_url . '/block?t=' . $formSecurityToken;
+ $ignore_link = $item['self'] ? '' : $contact_url . '/ignore?t=' . $formSecurityToken;
 }
 if ($cid && !$item['self']) {
diff --git a/src/Object/Post.php b/src/Object/Post.php
index 628cc95f7a..5722582d21 100644
--- a/src/Object/Post.php
+++ b/src/Object/Post.php
@@ -125,6 +125,7 @@ class Post
 * Get data in a form usable by a conversation template
 *
 * @param array $conv_responses conversation responses
+ * @param string $formSecurityToken A security Token to avoid CSF attacks
 * @param integer $thread_level default = 1
 *
 * @return mixed The data requested on success
@@ -132,7 +133,7 @@ class Post
 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 * @throws \ImagickException
 */
- public function getTemplateData(array $conv_responses, $thread_level = 1)
+ public function getTemplateData(array $conv_responses, string $formSecurityToken, $thread_level = 1)
 {
 $a = DI::app();
@@ -458,7 +459,7 @@ class Post
 'vwall' => DI::l10n()->t('via Wall-To-Wall:'),
 'profile_url' => $profile_link,
 'name' => $profile_name,
- 'item_photo_menu_html' => item_photo_menu($item),
+ 'item_photo_menu_html' => item_photo_menu($item, $formSecurityToken),
 'thumb' => DI::baseUrl()->remove(Contact::getAvatarUrlForUrl($item['author-link'], $item['uid'], Proxy::SIZE_THUMB)),
 'osparkle' => $osparkle,
 'sparkle' => $sparkle,
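Review bot: `item_photo_menu()` now requires a second argument, so any caller outside this diff — it is a global function in include/conversation.php, so addons may call it — fails with an ArgumentCountError the next time a menu is rendered. The two call sites in this commit are updated, but I cannot see whether others exist. If compatibility matters, make the parameter optional and derive the token when absent: `function item_photo_menu($item, ?string $formSecurityToken = null)` with `$formSecurityToken = $formSecurityToken ?? BaseModule::getFormSecurityToken('contact_action');` near the top of the body; `BaseModule` is imported into this file by the same commit. The function body continues past the end of this hunk.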
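Review bot: The new `$block_link`/`$ignore_link` values carry the anti-CSRF token in the query string of plain GET links, so the token ends up in browser history, in the Referer sent by resources loaded from the destination page, and in access logs, while block and ignore remain state-changing GET requests. The destination's check of `t` is outside this diff, so I am assuming it exists. A sturdier shape is a token-free link to a confirmation page whose form POSTs the token as a hidden field, or rendering these two entries as small POST forms in the template. If the query-string form is kept, at least encode the value, e.g. `$contact_url . '/block?t=' . urlencode($formSecurityToken)` and the same for ignore, so the link stays valid regardless of the token's character set.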
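Review bot: The added docblock line reads `A security Token to avoid CSF attacks`; the abbreviation is CSRF, and the line would be clearer as ` * @param string $formSecurityToken Anti-CSRF token appended to the block/ignore links of the photo menu`. The identical line is added to `Thread::getTemplateData()` in src/Object/Thread.php and should be corrected there as well.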
@@ -532,7 +533,7 @@ class Post
 $nb_children = count($children);
 if ($nb_children > 0) {
 foreach ($children as $child) {
- $result['children'][] = $child->getTemplateData($conv_responses, $thread_level + 1);
+ $result['children'][] = $child->getTemplateData($conv_responses, $formSecurityToken, $thread_level + 1);
 }
 // Collapse
diff --git a/src/Object/Thread.php b/src/Object/Thread.php
index a848586fe5..7d59759a0d 100644
--- a/src/Object/Thread.php
+++ b/src/Object/Thread.php
@@ -190,12 +190,13 @@ class Thread
 * We should find a way to avoid using those arguments (at least most of them)
 *
 * @param array $conv_responses data
+ * @param string $formSecurityToken A security Token to avoid CSF attacks
 *
 * @return mixed The data requested on success
 * false on failure
 * @throws \Exception
 */
- public function getTemplateData($conv_responses)
+ public function getTemplateData($conv_responses, string $formSecurityToken)
 {
 $result = [];
@@ -204,7 +205,7 @@ class Thread
 continue;
 }
- $item_data = $item->getTemplateData($conv_responses);
+ $item_data = $item->getTemplateData($conv_responses, $formSecurityToken);
 if (!$item_data) {
 Logger::log('[ERROR] Conversation::getTemplateData : Failed to get item template data ('. $item->getId() .').', Logger::DEBUG);
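Review bot: The changed signature mixes a typed `string $formSecurityToken` with an untyped `$conv_responses`, while `Post::getTemplateData()` in this same commit declares it as `array $conv_responses`; since the line is being rewritten anyway, `public function getTemplateData(array $conv_responses, string $formSecurityToken)` keeps the two methods consistent and rejects a non-array early instead of letting it reach `Post::getTemplateData()`. The only caller visible here, `$conv->getTemplateData($conv_responses, $formSecurityToken)` in `conversation()`, presumably already passes an array, so the tighter type should be a no-op for it. The method body continues outside the hunk.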