Fix bug: prevent CSRF attacks to admin page

git-svn-id: https://semanticscuttle.svn.sourceforge.net/svnroot/semanticscuttle/trunk@174 b3834d28-1941-0410-a4f8-b48e95affb8f
This commit is contained in:
mensonge 2008-11-25 16:23:55 +00:00
parent 15b91c7e66
commit 111bcdec75


@ -1,21 +1,21 @@
<?php
/***************************************************************************
Copyright (C) 2007 - 2008 SemanticScuttle project (fork from Scuttle)
http://sourceforge.net/projects/semanticscuttle/
Copyright (C) 2007 - 2008 SemanticScuttle project (fork from Scuttle)
http://sourceforge.net/projects/semanticscuttle/
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
***************************************************************************/
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
***************************************************************************/
require_once('header.inc.php');
@ -26,29 +26,30 @@ $bookmarkservice = & ServiceFactory :: getServiceInstance('BookmarkService');
$tag2tagservice = & ServiceFactory :: getServiceInstance('Tag2TagService');
$templateservice = & ServiceFactory :: getServiceInstance('TemplateService');
/* Managing current logged user */
$currentUser = $userservice->getCurrentObjectUser();
// Header variables
$tplVars['subtitle'] = T_('Manage users');
$tplVars['loadjs'] = true;
$tplVars['sidebar_blocks'] = array('users' );
if ( !$userservice->isLoggedOn() ) {
header('Location: '. createURL('login', ''));
exit();
header('Location: '. createURL('login', ''));
exit();
}
//$currentUser = $userservice->getCurrentUser();
//$currentUserID = $userservice->getCurrentUserId();
//$currentUsername = $currentUser[$userservice->getFieldName('username')];
$currentObjectUser = $userservice->getCurrentObjectUser();
if ( !$currentObjectUser->isAdmin() ) {
header('Location: '. createURL('bookmarks', $currentObjectUser->getUsername()));
exit();
if ( !$currentUser->isAdmin() ) {
header('Location: '. createURL('bookmarks', $currentUser->getUsername()));
exit();
}
@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL;
if ( $action ) {
if ( $action
&& strpos($_SERVER['HTTP_REFERER'], ROOT.'/admin.php') == 0 // Prevent CSRF attacks
) {
switch ( $action ) {
case 'delete':
if ( $user && ($userinfo = $userservice->getUserByUsername($user)) ) {
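Review bot: The new referer check `strpos($_SERVER['HTTP_REFERER'], ROOT.'/admin.php') == 0` does not reject a foreign referer, because strpos() returns false when the needle is absent and `false == 0` is true under loose comparison, so a request whose Referer points anywhere else still reaches the switch; a request with no Referer header at all passes the same way (strpos on the missing value also yields false). The comparison has to be strict and the header has to be required: `&& isset($_SERVER['HTTP_REFERER'])` followed by `&& strpos($_SERVER['HTTP_REFERER'], ROOT.'/admin.php') === 0`. Even then a referer check is only a weak mitigation, since browsers and proxies may omit the header and the action here is still triggered by a GET to `admin.php/delete/<user>`; the durable fix is to perform the delete over POST with a per-session token that the handler compares before entering the switch. The enclosing if and its switch continue past the end of this hunk.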