Commit 55241a7f authored by chealer's avatar chealer

accesslib: add check_authenticity() for CSRF protection

some accesslib deployment
ticketlib: Mark ticketlib[1] as deprecated again
ticketlib: Store tickets in session instead of database
[FIX] ticketlib: granting a ticket destroys previous one
[FIX] HTML special chars escaping
parent df72381b
......@@ -298,16 +298,11 @@ if ( $prefs['feature_comments_locking'] == 'y' && ! empty($_REQUEST['comments_lo
if (($tiki_p_remove_comments == 'y' && (!isset($forum_mode) || $forum_mode == 'n'))
|| (isset($forum_mode) && $forum_mode =='y' && $tiki_p_admin_forum == 'y' ) ) {
if (isset($_REQUEST["comments_remove"]) && isset($_REQUEST["comments_threadId"])) {
$area = 'delcomment';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$comments_show = 'y';
$commentslib->remove_comment($_REQUEST["comments_threadId"]);
$_REQUEST["comments_threadId"] = 0;
$smarty->assign('comments_threadId', 0);
} else {
key_get($area);
}
$access->check_authenticity();
$comments_show = 'y';
$commentslib->remove_comment($_REQUEST["comments_threadId"]);
$_REQUEST["comments_threadId"] = 0;
$smarty->assign('comments_threadId', 0);
}
}
......
......@@ -57,13 +57,8 @@ if (isset($_REQUEST['action']) && isset($_REQUEST['copyrightId'])) {
} elseif ($_REQUEST['action'] == 'down') {
$copyrightslib->down_copyright($_REQUEST['copyrightId']);
} elseif ($_REQUEST['action'] == 'delete') {
$area = 'delcopyright';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$copyrightslib->remove_copyright($_REQUEST['copyrightId']);
} else {
key_get($area);
}
$access->check_authenticity();
$copyrightslib->remove_copyright($_REQUEST['copyrightId']);
}
}
......
......@@ -184,6 +184,26 @@ class TikiAccessLib extends TikiLib
}
}
/**
* Checks whether the request was willingly submitted by the user, instead of being triggered by Cross-Site Request Forgery.
* This uses random tokens. The first call brings to a request confirmation screen with a new token in the form. The second call, in the second request, verifies the submitted token matches.
* Typical usage: $access->check_authenticity();
* @param string $confirmation_text Text on the confirmation screen. Default: 'Click here to confirm your action'
* @access public
* @return void
*/
function check_authenticity($confirmation_text = '') {
global $prefs;
if ($prefs['feature_ticketlib2'] == 'y') {
if (isset($_REQUEST['daconfirm'])) {
key_check();
} else {
key_get(null, $confirmation_text, $confirmaction);
}
}
}
// you must call ask_ticket('error') before calling this
function display_error($page, $errortitle="", $errortype="", $enableRedirect = true, $message='') {
global $smarty, $wikilib, $prefs, $tikiroot, $userlib, $user;
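Review bot: `$confirmaction` on the `key_get(null, $confirmation_text, $confirmaction);` line is never defined inside check_authenticity — it is neither a parameter nor in the `global` list — so every confirmation screen passes null for it and raises an undefined-variable notice. Either drop the argument, `key_get(null, $confirmation_text);`, or add a `$confirmaction = ''` parameter and document it next to `$confirmation_text` in the docblock. The confirmation is also read from `$_REQUEST['daconfirm']`, whereas most of the call sites this commit replaces tested `$_POST['daconfirm']`; if the confirmation form posts, checking `$_POST` keeps the token out of URLs, Referer headers and access logs. The enclosing class TikiAccessLib starts outside the hunk.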
......
......@@ -19,11 +19,13 @@ if (strpos($_SERVER["SCRIPT_NAME"],basename(__FILE__)) !== false) {
exit;
}
// Deprecated in favor of key_get($area)
function ask_ticket($area) {
$_SESSION['antisurf'] = $area;
return true;
}
// Deprecated in favor of key_check($area)
function check_ticket($area) {
if (!isset($_SESSION['antisurf'])) $_SESSION['antisurf'] = '';
if ($_SESSION['antisurf'] != $area) {
......@@ -41,21 +43,14 @@ function check_ticket($area) {
return true;
}
// new valid function for ticketing :
function key_get($area, $confirmation_text = '', $confirmaction='') {
//confirmaction actin must be set if the param are not transfer via the URI
global $tikilib,$smarty,$prefs,$user;
// new valid functions for ticketing:
// * @param string $area No more used
function key_get($area = null, $confirmation_text = '', $confirmaction='') {
global $tikilib,$smarty,$prefs;
if ($prefs['feature_ticketlib2'] == 'y') {
if ($user) {
$whose = $user;
} else {
$whose = ' '. md5($tikilib->get_ip_address().$_SERVER['USER_AGENT']);
}
$ticket = md5(uniqid(rand()));
$tikilib->set_user_preference($whose,'ticket',$ticket);
$_SESSION['tickets'][$ticket] = time();
$smarty->assign('ticket',$ticket);
$_SESSION["ticket_$area"] = time();
if (empty($confirmation_text)) {
$confirmation_text = tra('Click here to confirm your action');
}
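Review bot: The token on the `$ticket = md5(uniqid(rand()));` line is the whole CSRF defence, yet it is built from predictable inputs — rand() is seeded from process state and uniqid() is the microsecond clock — so its real entropy is far below what the 32 hex digits suggest. Generate it from a CSPRNG instead, `$ticket = bin2hex(random_bytes(16));` on PHP 7+ (openssl_random_pseudo_bytes() on older releases). `$_SESSION['tickets'][$ticket] = time();` also grows without bound, since neither this function nor key_check removes expired entries; pruning entries older than the 15-minute window when a new ticket is issued would keep the session small. The rest of key_get's body continues past the hunk.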
......@@ -75,32 +70,18 @@ function key_get($area, $confirmation_text = '', $confirmaction='') {
die();
}
}
function key_check($area) {
global $tikilib,$smarty,$prefs,$user;
if ($prefs['feature_ticketlib2'] != 'y') {
return true;
} else {
if (isset($_SESSION["ticket_$area"])
and $_SESSION["ticket_$area"] < date('U')
and $_SESSION["ticket_$area"] > (date('U')-(60*15))) {
$smarty->load_filter('pre', 'ticket');
if ($user) {
$whose = $user;
} else {
$whose = ' '. md5($tikilib->get_ip_address().$_SERVER['USER_AGENT']);
}
if (isset($_REQUEST) and is_array($_REQUEST)
and (!isset($_REQUEST['ticket'])
or $_REQUEST['ticket'] != $tikilib->get_user_preference($whose,'ticket'))) {
unset($_REQUEST);
} else {
// * @param string $area No more used
function key_check($area = null) {
global $smarty, $prefs;
if ($prefs['feature_ticketlib2'] == 'y') {
if (isset($_REQUEST['ticket']) && isset($_SESSION["tickets"][$_REQUEST['ticket']])) {
$time = $_SESSION["tickets"][$_REQUEST['ticket']];
if ($time < time() && $time > (time()-(60*15))) {
return true;
}
}
unset($_SESSION["ticket_$area"]);
$smarty->assign('msg',tra('Sea Surfing (CSRF) detected. Operation blocked.'));
$smarty->display("error.tpl");
die();
exit();
}
}
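Review bot: A ticket that passes the check stays in `$_SESSION['tickets']`, so the same token can be replayed for the rest of the 15-minute window; consuming it with `unset($_SESSION['tickets'][$_REQUEST['ticket']]);` immediately before `return true;` makes each confirmation single-use. The comparison `$time < time()` also rejects a confirmation submitted in the same second the ticket was issued — `$time <= time()` is the intended lower bound. The token is read from `$_REQUEST`, so it is accepted from the query string as well as the form body; reading it from `$_POST` avoids leaking it through Referer headers and logs. The `$area` parameter is kept for compatibility but is no longer used, which the comment above the signature says.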
......@@ -429,41 +429,37 @@ function histlib_strip_irrelevant( $data )
}
function rollback_page_to_version($page, $version, $check_key = true, $keep_lastModif = false) {
global $prefs, $histlib, $tikilib, $categlib;
$area = 'delrollbackpage';
if (!$check_key or $prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
if ($check_key) key_check($area);
$histlib->use_version($page, $version, '', $keep_lastModif);
if ( ($approved = $tikilib->get_approved_page($page)) && $prefs['wikiapproval_outofsync_category'] > 0) {
$approved_page = $histlib->get_page_from_history($approved, 0, true);
$staging_page = $histlib->get_page_from_history($page, $version, true);
$cat_type='wiki page';
$staging_cats = $categlib->get_object_categories($cat_type, $page);
$s_cat_desc = ($prefs['feature_wiki_description'] == 'y') ? substr($staging_info["description"],0,200) : '';
$s_cat_objid = $page;
$s_cat_name = $page;
$s_cat_href="tiki-index.php?page=".urlencode($s_cat_objid);
//Instead of firing up diff, just check if the pages share the same exact data, drop the staging
//copy out of the review category if so
if ( $approved_page["data"] != $staging_page["data"] ) //compare these only once
$pages_diff = true;
if ( in_array($prefs['wikiapproval_outofsync_category'], $staging_cats) )
$in_staging_cat = true;
global $prefs, $histlib, $tikilib, $categlib, $access;
if ($check_key) {
$access->check_authenticity();
}
$histlib->use_version($page, $version, '', $keep_lastModif);
if ( !$pages_diff && $in_staging_cat ) {
$staging_cats = array_diff($staging_cats,Array($prefs['wikiapproval_outofsync_category']));
$categlib->update_object_categories($staging_cats, $s_cat_objid, $cat_type, $s_cat_desc, $s_cat_name, $s_cat_href);
} elseif ( $pages_diff && !$in_staging_cat ) {
$staging_cats[] = $prefs['wikiapproval_outofsync_category'];
$categlib->update_object_categories($staging_cats, $s_cat_objid, $cat_type, $s_cat_desc, $s_cat_name, $s_cat_href);
}
if ( ($approved = $tikilib->get_approved_page($page)) && $prefs['wikiapproval_outofsync_category'] > 0) {
$approved_page = $histlib->get_page_from_history($approved, 0, true);
$staging_page = $histlib->get_page_from_history($page, $version, true);
$cat_type='wiki page';
$staging_cats = $categlib->get_object_categories($cat_type, $page);
$s_cat_desc = ($prefs['feature_wiki_description'] == 'y') ? substr($staging_info["description"],0,200) : '';
$s_cat_objid = $page;
$s_cat_name = $page;
$s_cat_href="tiki-index.php?page=".urlencode($s_cat_objid);
//Instead of firing up diff, just check if the pages share the same exact data, drop the staging
//copy out of the review category if so
if ( $approved_page["data"] != $staging_page["data"] ) //compare these only once
$pages_diff = true;
if ( in_array($prefs['wikiapproval_outofsync_category'], $staging_cats) )
$in_staging_cat = true;
if ( !$pages_diff && $in_staging_cat ) {
$staging_cats = array_diff($staging_cats,Array($prefs['wikiapproval_outofsync_category']));
$categlib->update_object_categories($staging_cats, $s_cat_objid, $cat_type, $s_cat_desc, $s_cat_name, $s_cat_href);
} elseif ( $pages_diff && !$in_staging_cat ) {
$staging_cats[] = $prefs['wikiapproval_outofsync_category'];
$categlib->update_object_categories($staging_cats, $s_cat_objid, $cat_type, $s_cat_desc, $s_cat_name, $s_cat_href);
}
} else {
key_get($area);
}
}
$tikilib->invalidate_cache( $page );
}
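Review bot: `$pages_diff` and `$in_staging_cat` are read on the `if ( !$pages_diff && $in_staging_cat )` line but are only assigned when their conditions hold, so on the other path they are undefined and the test relies on null being falsy; initialising `$pages_diff = false;` and `$in_staging_cat = false;` before the two comparisons makes this explicit. `$staging_info["description"]` is not assigned anywhere in the hunk — it looks like `$staging_page` was meant, which should be confirmed against the rest of the file. These lines are moved rather than new, but the reordered body is the place to fix them. Adding `$access` to the `global` list is what makes the new `$access->check_authenticity();` call work inside the function.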
......@@ -97,17 +97,8 @@ function module_shoutbox( $mod_reference, $module_params ) {
if (isset($_REQUEST['shout_remove'])) {
$info = $shoutboxlib->get_shoutbox($_REQUEST['shout_remove']);
if ($tiki_p_admin_shoutbox == 'y' || $info['user'] == $user ) {
if ($prefs['feature_ticketlib2'] =='y') {
$area = 'delshoutboxentry';
if (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"])) {
key_check($area);
$shoutboxlib->remove_shoutbox($_REQUEST["shout_remove"]);
} else {
key_get($area);
}
} else {
$shoutboxlib->remove_shoutbox($_REQUEST["shout_remove"]);
}
$access->check_authenticity();
$shoutboxlib->remove_shoutbox($_REQUEST["shout_remove"]);
}
}
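Review bot: `$access->check_authenticity();` runs inside module_shoutbox(), a function whose `global` declaration is outside the hunk; unless `$access` is added to it (the way rollback_page_to_version does elsewhere in this commit), the call operates on a null object and the removal below it gets no confirmation screen at all. Worth verifying that the function opens with `global ... $access;`. The function's header and closing brace are both outside the hunk.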
......
......@@ -159,13 +159,8 @@ if (!empty($_REQUEST['actionId']) && $tiki_p_admin == 'y') {
}
}
} elseif (isset($_REQUEST['remove'])) {
$area = 'delete';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_REQUEST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$logslib->remove_action($_REQUEST['actionId']);
} else {
key_get($area);
}
$access->check_authenticity();
$logslib->remove_action($_REQUEST['actionId']);
} else {
$smarty->assign_by_ref('action', $action);
if ($action['objectType'] == 'wiki page') {
......
......@@ -29,12 +29,8 @@ if (isset($_REQUEST['banId'])) {
$smarty->assign('banId', $_REQUEST['banId']);
$smarty->assign_by_ref('info', $info);
if (isset($_REQUEST['remove'])) {
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$banlib->remove_rule($_REQUEST['remove']);
} else {
key_get($area);
}
$access->check_authenticity();
$banlib->remove_rule($_REQUEST['remove']);
}
if (isset($_REQUEST['del']) && isset($_REQUEST['delsec'])) {
check_ticket('admin-banning');
......
......@@ -41,14 +41,9 @@ if (!isset($_REQUEST["calendarId"])) {
}
if (isset($_REQUEST["drop"])) {
$area = "delcalendar";
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$calendarlib->drop_calendar($_REQUEST["drop"]);
$_REQUEST["calendarId"] = 0;
} else {
key_get($area);
}
$access->check_authenticity();
$calendarlib->drop_calendar($_REQUEST["drop"]);
$_REQUEST["calendarId"] = 0;
}
if (isset($_REQUEST["save"])) {
check_ticket('admin-calendars');
......
......@@ -25,14 +25,8 @@ if (!isset($_REQUEST["parentId"])) {
$smarty->assign('parentId', $_REQUEST["parentId"]);
if (!empty($_REQUEST['unassign'])) {
check_ticket('admin-categories');
$area = 'unassign';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_REQUEST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$categlib->unassign_all_objects($_REQUEST['parentId']);
} else {
key_get($area, tra('Are you sure you want to unassign the objects of this category: ').$info['name']);
}
$access->check_authenticity(tra('Are you sure you want to unassign the objects of this category: ') . htmlspecialchars($info['name']));
$categlib->unassign_all_objects($_REQUEST['parentId']);
}
if (!empty($_REQUEST['move_to']) && !empty($_REQUEST['toId'])) {
check_ticket('admin-categories');
......@@ -162,39 +156,28 @@ if (isset($_REQUEST["categId"])) {
$info["description"] = '';
}
if (isset($_REQUEST["removeObject"])) {
$area = 'delcategobject';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$category = $categlib->get_category($_REQUEST["parentId"]);
$categorizedObject = $categlib->get_categorized_object_via_category_object_id($_REQUEST["removeObject"]);
$categlib->remove_object_from_category($_REQUEST["removeObject"], $_REQUEST["parentId"]);
// Notify the users watching this category.
$values = array(
"categoryId" => $_REQUEST["parentId"],
"categoryName" => $category['name'],
"categoryPath" => $categlib->get_category_path_string_with_root($_REQUEST["parentId"]) ,
"description" => $category['description'],
"parentId" => $category['parentId'],
"parentName" => $categlib->get_category_name($category['parentId']) ,
"action" => "object leaved category",
"objectName" => $categorizedObject['name'],
"objectType" => $categorizedObject['type'],
"objectUrl" => $categorizedObject['href']
);
$categlib->notify($values);
} else {
key_get($area);
}
$access->check_authenticity();
$category = $categlib->get_category($_REQUEST["parentId"]);
$categorizedObject = $categlib->get_categorized_object_via_category_object_id($_REQUEST["removeObject"]);
$categlib->remove_object_from_category($_REQUEST["removeObject"], $_REQUEST["parentId"]);
// Notify the users watching this category.
$values = array(
"categoryId" => $_REQUEST["parentId"],
"categoryName" => $category['name'],
"categoryPath" => $categlib->get_category_path_string_with_root($_REQUEST["parentId"]) ,
"description" => $category['description'],
"parentId" => $category['parentId'],
"parentName" => $categlib->get_category_name($category['parentId']) ,
"action" => "object leaved category",
"objectName" => $categorizedObject['name'],
"objectType" => $categorizedObject['type'],
"objectUrl" => $categorizedObject['href']
);
$categlib->notify($values);
}
if (isset($_REQUEST["removeCat"]) && ($info = $categlib->get_category($_REQUEST['removeCat']))) {
$area = "delcateg";
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$categlib->remove_category($_REQUEST["removeCat"]);
} else {
$confirmation = tra('Click here to delete the category:') . ' ' . $info['name'];
key_get($area, $confirmation);
}
$access->check_authenticity(tra('Click here to delete the category:') . ' ' . htmlspecialchars($info['name']));
$categlib->remove_category($_REQUEST["removeCat"]);
}
if (isset($_REQUEST["save"]) && isset($_REQUEST["name"]) && strlen($_REQUEST["name"]) > 0) {
check_ticket('admin-categories');
......
......@@ -62,22 +62,12 @@ if ($_REQUEST["templateId"]) {
$smarty->assign('info', $info);
if (isset($_REQUEST["remove"])) {
$area = 'delcontenttemplate';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$templateslib->remove_template($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$templateslib->remove_template($_REQUEST["remove"]);
}
if (isset($_REQUEST["removesection"])) {
$area = 'delcontenttemplatefromsection';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$templateslib->remove_template_from_section($_REQUEST["rtemplateId"], $_REQUEST["removesection"]);
} else {
key_get($area);
}
$access->check_authenticity();
$templateslib->remove_template_from_section($_REQUEST["rtemplateId"], $_REQUEST["removesection"]);
}
$smarty->assign('preview', 'n');
if (isset($_REQUEST["preview"])) {
......
......@@ -22,22 +22,12 @@ if ($_REQUEST["cookieId"]) {
}
$smarty->assign('cookie', $info["cookie"]);
if (isset($_REQUEST["remove"])) {
$area = 'delcookie';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$taglinelib->remove_cookie($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$taglinelib->remove_cookie($_REQUEST["remove"]);
}
if (isset($_REQUEST["removeall"])) {
$area = 'delcookieall';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$taglinelib->remove_all_cookies();
} else {
key_get($area);
}
$access->check_authenticity();
$taglinelib->remove_all_cookies();
}
if (isset($_REQUEST["upload"])) {
check_ticket('admin-cookies');
......
......@@ -23,13 +23,8 @@ if ($_REQUEST["dsnId"]) {
}
$smarty->assign('info', $info);
if (isset($_REQUEST["remove"])) {
$area = 'deldsn';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$adminlib->remove_dsn($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$adminlib->remove_dsn($_REQUEST["remove"]);
}
if (isset($_REQUEST["save"])) {
check_ticket('admin-dsn');
......
......@@ -23,13 +23,8 @@ if ($_REQUEST["extwikiId"]) {
}
$smarty->assign('info', $info);
if (isset($_REQUEST["remove"])) {
$area = 'delextwiki';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$adminlib->remove_extwiki($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$adminlib->remove_extwiki($_REQUEST["remove"]);
}
if (isset($_REQUEST["save"])) {
check_ticket('admin-external-wikis');
......
......@@ -42,13 +42,8 @@ $auto_query_args = array(
include_once ("lib/commentslib.php");
$commentslib = new Comments($dbTiki);
if (isset($_REQUEST["remove"])) {
$area = 'delforum';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_REQUEST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$commentslib->remove_forum($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$commentslib->remove_forum($_REQUEST["remove"]);
}
if (isset($_REQUEST['lock']) && isset($_REQUEST['forumId'])) {
check_ticket('view-forum');
......
......@@ -21,13 +21,8 @@ if (isset($_REQUEST["add"])) {
$hotwordlib->add_hotword($_REQUEST["word"], $_REQUEST["url"]);
}
if (isset($_REQUEST["remove"]) && !empty($_REQUEST["remove"])) {
$area = 'delhotword';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$hotwordlib->remove_hotword($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$hotwordlib->remove_hotword($_REQUEST["remove"]);
}
if (!isset($_REQUEST["sort_mode"])) {
$sort_mode = 'word_desc';
......
......@@ -25,13 +25,8 @@ if ($_REQUEST["pageName"]) {
}
$smarty->assign('info', $info);
if (isset($_REQUEST["remove"])) {
$area = 'delhtmlpage';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$htmlpageslib->remove_html_page($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$htmlpageslib->remove_html_page($_REQUEST["remove"]);
}
if (isset($_REQUEST["templateId"]) && $_REQUEST["templateId"] > 0) {
global $templateslib; require_once 'lib/templates/templateslib.php';
......
......@@ -52,12 +52,8 @@ if (isset($_REQUEST["action"])) {
case 'rm':
if ($repID != 0) {
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$integrator->remove_repository($repID);
} else {
key_get($area);
}
$access->check_authenticity();
$integrator->remove_repository($repID);
}
break;
......
......@@ -118,13 +118,8 @@ if (isset($_REQUEST["action"])) {
case 'rm':
if ($ruleID != 0) {
$area = "delintegratorrule";
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$integrator->remove_rule($ruleID);
} else {
key_get($area);
}
$access->check_authenticity();
$integrator->remove_rule($ruleID);
}
break;
......
......@@ -42,13 +42,8 @@ if (isset($_REQUEST["add"])) {
}
}
if (isset($_REQUEST["remove"])) {
$area = 'delfeaturedlink';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$flinkslib->remove_featured_link($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$flinkslib->remove_featured_link($_REQUEST["remove"]);
}
$links = $tikilib->get_featured_links(999999);
$smarty->assign_by_ref('links', $links);
......
......@@ -50,13 +50,8 @@ if (isset($_REQUEST["new_acc"])) {
$smarty->assign('confirmation', 0);
}
if (isset($_REQUEST["remove"])) {
$area = 'delmailin';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$mailinlib->remove_mailin_account($_REQUEST["remove"]);
} else {
key_get($area);
}
$access->check_authenticity();
$mailinlib->remove_mailin_account($_REQUEST["remove"]);
}
if ($_REQUEST["accountId"]) {
$info = $mailinlib->get_mailin_account($_REQUEST["accountId"]);
......
......@@ -58,20 +58,14 @@ $smarty->assign('position', $info["position"]);
$smarty->assign('groupname', $info["groupname"]);
$smarty->assign('userlevel', $info["userlevel"]);
if (isset($_REQUEST["remove"])) {
check_ticket('admin-menu-options');
$area = 'delmenuoption';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$menulib->remove_menu_option($_REQUEST["remove"]);
$maxPos = $menulib->get_max_option($_REQUEST["menuId"]);
$smarty->assign('position', $maxPos + 1);
$smarty->clear_cache(null, "menu" . $_REQUEST["menuId"]);
// reload to prevent white screen
$url = $_SERVER['REQUEST_URI'] . "?menuId=" . $_REQUEST["menuId"];
header("location: $url");
} else {
key_get($area);
}
$access->check_authenticity();
$menulib->remove_menu_option($_REQUEST["remove"]);
$maxPos = $menulib->get_max_option($_REQUEST["menuId"]);
$smarty->assign('position', $maxPos + 1);
$smarty->clear_cache(null, "menu" . $_REQUEST["menuId"]);
// reload to prevent white screen
$url = $_SERVER['REQUEST_URI'] . "?menuId=" . $_REQUEST["menuId"];
header("location: $url");
}
if (isset($_REQUEST["up"])) {
check_ticket('admin-menu-options');
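Review bot: The redirect at `header("location: $url");` is not followed by `exit;`, so the rest of the script keeps executing and rendering after the removal, and `$_SERVER['REQUEST_URI']` already carries the query string, so appending `"?menuId="` yields a URL with two `?` characters. These lines are moved rather than new, but they sit on the new side of the hunk. Building the target from the script path and a numeric id, `$url = $_SERVER['SCRIPT_NAME'] . "?menuId=" . (int) $_REQUEST["menuId"];` followed by `header("location: $url"); exit;`, fixes both and keeps request data out of the Location header (assuming menuId is numeric, which the rest of the hunk suggests).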
......
......@@ -30,14 +30,9 @@ if ($_REQUEST["menuId"]) {
}
$smarty->assign_by_ref('info', $info);
if (isset($_REQUEST["remove"])) {
$area = 'delmenu';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
$menulib->remove_menu($_REQUEST["remove"]);
$smarty->clear_cache('tiki-user_menu.tpl', $_REQUEST['menuId']);
} else {
key_get($area);
}
$access->check_authenticity();
$menulib->remove_menu($_REQUEST["remove"]);
$smarty->clear_cache('tiki-user_menu.tpl', $_REQUEST['menuId']);
}
if (isset($_REQUEST["save"])) {
check_ticket('admin-menus');
......
......@@ -97,12 +97,8 @@ if (!empty($_REQUEST['edit_assign'])) {
if (!empty($_REQUEST['unassign'])) {
check_ticket('admin-modules');
$info = $modlib->get_assigned_module($_REQUEST['unassign']);
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
$modlib->unassign_module($_REQUEST['unassign']);
$logslib->add_log('adminmodules', 'unassigned module ' . $info['name']);
} else {
key_get($area, tra('Unassign module:') . ' ' . $info['name']);
}
$modlib->unassign_module($_REQUEST['unassign']);
$logslib->add_log('adminmodules', 'unassigned module ' . $info['name']);
}
if (!empty($_REQUEST['modup'])) {
check_ticket('admin-modules');
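Review bot: This is the one call site in the commit where the confirmation step was removed rather than replaced — `$modlib->unassign_module($_REQUEST['unassign']);` now runs with only the deprecated `check_ticket('admin-modules')` in front of it, so the unassign loses both its confirmation screen and the new token check. The other hunks insert `$access->check_authenticity(...)` at this point; the same line with the original prompt keeps it consistent: `$access->check_authenticity(tra('Unassign module:') . ' ' . htmlspecialchars($info['name']));`.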
......
......@@ -53,16 +53,11 @@ if ($_REQUEST["nlId"]) {
}
$smarty->assign('nl_info', $info);
if (isset($_REQUEST["remove"])) {
$area = 'delnlsub';
if ($prefs['feature_ticketlib2'] != 'y' or (isset($_POST['daconfirm']) and isset($_SESSION["ticket_$area"]))) {
key_check($area);
if (isset($_REQUEST["email"])) $nllib->remove_newsletter_subscription($_REQUEST["remove"], $_REQUEST["email"], "n");
elseif (isset($_REQUEST["subuser"])) $nllib->remove_newsletter_subscription($_REQUEST["remove"], $_REQUEST["subuser"], "y");
elseif (isset($_REQUEST["group"])) $nllib->remove_newsletter_group($_REQUEST["remove"], $_REQUEST["group"]);
elseif (isset($_REQUEST["included"])) $nllib->remove_newsletter_included($_REQUEST["remove"], $_REQUEST["included"]);
} else {
key_get($area);
}
$access->check_authenticity();
if (isset($_REQUEST["email"])) $nllib->remove_newsletter_subscription($_REQUEST["remove"], $_REQUEST["email"], "n");
elseif (isset($_REQUEST["subuser"])) $nllib->remove_newsletter_subscription($_REQUEST["remove"], $_REQUEST["subuser"], "y");
elseif (isset($_REQUEST["group"])) $nllib->remove_newsletter_group($_REQUEST["remove"], $_REQUEST["group"]);
elseif (isset($_REQUEST["included"])) $nllib->remove_newsletter_included($_REQUEST["remove"], $_REQUEST["included"]);