CSRF more mod pages

2024-11-24 07:30:10 +01:00 · 2013-09-23 16:48:56 +10:00 · 2013-09-23 16:48:56 +10:00 · c8062fbf76
commit c8062fbf76
parent 00f4da3b82
18 changed files with 166 additions and 79 deletions
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@ -157,6 +157,8 @@ function mod_dashboard() {
 			$args['newer_release'] = $latest;
 	}
 	$args['logout_token'] = make_secure_link_token('logout');
 	mod_page(_('Dashboard'), 'mod/dashboard.html', $args);
 }
@ -389,7 +391,10 @@ function mod_edit_board($boardName) {
 		header('Location: ?/', true, $config['redirect_http']);
 	} else {
-		mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array('board' => $board));
+		mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array(
 			'board' => $board,
 			'token' => make_secure_link_token('edit/' . $board['uri'])
 		));
 	}
 }
@ -459,7 +464,7 @@ function mod_new_board() {
 		header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']);
 	}
-	mod_page(_('New board'), 'mod/board.html', array('new' => true));
+	mod_page(_('New board'), 'mod/board.html', array('new' => true, 'token' => make_secure_link_token('new-board')));
 }
 function mod_noticeboard($page_no = 1) {
@ -502,11 +507,19 @@ function mod_noticeboard($page_no = 1) {
 	if (empty($noticeboard) && $page_no > 1)
 		error($config['error']['404']);
 	foreach ($noticeboard as &$entry) {
 		$entry['delete_token'] = make_secure_link_token('noticeboard/delete/' . $entry['id']);
 	}
 	$query = prepare("SELECT COUNT(*) FROM ``noticeboard``");
 	$query->execute() or error(db_error($query));
 	$count = $query->fetchColumn();
-	mod_page(_('Noticeboard'), 'mod/noticeboard.html', array('noticeboard' => $noticeboard, 'count' => $count));
+	mod_page(_('Noticeboard'), 'mod/noticeboard.html', array(
 		'noticeboard' => $noticeboard,
 		'count' => $count,
 		'token' => make_secure_link_token('noticeboard')
 	));
 }
 function mod_noticeboard_delete($id) {
@ -563,11 +576,15 @@ function mod_news($page_no = 1) {
 	if (empty($news) && $page_no > 1)
 		error($config['error']['404']);
 	foreach ($news as &$entry) {
 		$entry['delete_token'] = make_secure_link_token('news/delete/' . $entry['id']);
 	}
 	$query = prepare("SELECT COUNT(*) FROM ``news``");
 	$query->execute() or error(db_error($query));
 	$count = $query->fetchColumn();
-	mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count));
+	mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count, 'token' => make_secure_link_token('news')));
 }
 function mod_news_delete($id) {
@ -773,6 +790,8 @@ function mod_page_ip($ip) {
 		$args['logs'] = array();
 	}
 	$args['security_token'] = make_secure_link_token('IP/' . $ip);
 	mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
 }
@ -835,7 +854,11 @@ function mod_bans($page_no = 1) {
 			$ban['single_addr'] = true;
 	}
-	mod_page(_('Ban list'), 'mod/ban_list.html', array('bans' => $bans, 'count' => Bans::count()));
+	mod_page(_('Ban list'), 'mod/ban_list.html', array(
 		'bans' => $bans,
 		'count' => Bans::count(),
 		'token' => make_secure_link_token('bans')
 	));
 }
 function mod_ban_appeals() {
@ -851,15 +874,23 @@ function mod_ban_appeals() {
 	if (isset($_POST['appeal_id']) && (isset($_POST['unban']) || isset($_POST['deny']))) {
 		if (!hasPermission($config['mod']['ban_appeals']))
 			error($config['error']['noaccess']);
-		if (isset($_POST['unban'])) {
+		
-			$query = query("SELECT `ban_id` FROM ``ban_appeals`` WHERE `id` = " .
+		$query = query("SELECT *, ``ban_appeals``.`id` AS `id` FROM ``ban_appeals``
-				(int)$_POST['appeal_id']) or error(db_error());
+			LEFT JOIN ``bans`` ON `ban_id` = ``bans``.`id`
-			if ($ban_id = $query->fetchColumn()) {
+			WHERE ``ban_appeals``.`id` = " . (int)$_POST['appeal_id']) or error(db_error());
-				Bans::delete($ban_id);
+		if (!$ban = $query->fetch(PDO::FETCH_ASSOC)) {
-				query("DELETE FROM ``ban_appeals`` WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error());
+			error(_('Ban appeal not found!'));
 		}
 		$ban['mask'] = Bans::range_to_string(array($ban['ipstart'], $ban['ipend']));
 		if (isset($_POST['unban'])) {
 			modLog('Accepted ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
 			Bans::delete($ban['ban_id'], true);
 			query("DELETE FROM ``ban_appeals`` WHERE `id` = " . $ban['id']) or error(db_error());
 		} else {
-			query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error());
+			modLog('Denied ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
 			query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . $ban['id']) or error(db_error());
 		}
 		header('Location: ?/ban-appeals', true, $config['redirect_http']);
@ -898,7 +929,10 @@ function mod_ban_appeals() {
 		}
 	}
-	mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array('ban_appeals' => $ban_appeals));
+	mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array(
 		'ban_appeals' => $ban_appeals,
 		'token' => make_secure_link_token('ban-appeals')
 	));
 }
 function mod_lock($board, $unlock, $post) {
@ -1583,7 +1617,12 @@ function mod_user($uid) {
 	$user['boards'] = explode(',', $user['boards']);
-	mod_page(_('Edit user'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => listBoards()));
+	mod_page(_('Edit user'), 'mod/user.html', array(
 		'user' => $user,
 		'logs' => $log,
 		'boards' => listBoards(),
 		'token' => make_secure_link_token('users/' . $user['id'])
 	));
 }
 function mod_user_new() {
@ -1636,7 +1675,7 @@ function mod_user_new() {
 		return;
 	}
-	mod_page(_('Edit user'), 'mod/user.html', array('new' => true, 'boards' => listBoards()));
+	mod_page(_('New user'), 'mod/user.html', array('new' => true, 'boards' => listBoards(), 'token' => make_secure_link_token('users/new')));
 }
@ -1646,9 +1685,18 @@ function mod_users() {
 	if (!hasPermission($config['mod']['manageusers']))
 		error($config['error']['noaccess']);
-	$query = query("SELECT *, (SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
+	$query = query("SELECT
 		*,
 		(SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`,
 		(SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action`
 		FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
 	$users = $query->fetchAll(PDO::FETCH_ASSOC);
 	foreach ($users as &$user) {
 		$user['promote_token'] = make_secure_link_token("users/{$user['id']}/promote");
 		$user['demote_token'] = make_secure_link_token("users/{$user['id']}/demote");
 	}
 	mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users));
 }
@ -1740,7 +1788,10 @@ function mod_pm($id, $reply = false) {
 			error($config['error']['404']); // deleted?
 		mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array(
-			'username' => $pm['username'], 'id' => $pm['sender'], 'message' => quote($pm['message'])
+			'username' => $pm['username'],
 			'id' => $pm['sender'],
 			'message' => quote($pm['message']),
 			'token' => make_secure_link_token('new_PM/' . $pm['username'])
 		));
 	} else {
 		mod_page(sprintf('%s &ndash; #%d', _('Private message'), $id), 'mod/pm.html', $pm);
@ -1812,7 +1863,11 @@ function mod_new_pm($username) {
 		header('Location: ?/', true, $config['redirect_http']);
 	}
-	mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array('username' => $username, 'id' => $id));
+	mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array(
 		'username' => $username,
 		'id' => $id,
 		'token' => make_secure_link_token('new_PM/' . $username)
 	));
 }
 function mod_rebuild() {
@ -1881,7 +1936,10 @@ function mod_rebuild() {
 		return;
 	}
-	mod_page(_('Rebuild'), 'mod/rebuild.html', array('boards' => listBoards()));
+	mod_page(_('Rebuild'), 'mod/rebuild.html', array(
 		'boards' => listBoards(),
 		'token' => make_secure_link_token('rebuild')
 	));
 }
 function mod_reports() {
@ -1936,7 +1994,13 @@ function mod_reports() {
 		}
 		// a little messy and inefficient
-		$append_html = Element('mod/report.html', array('report' => $report, 'config' => $config, 'mod' => $mod));
+		$append_html = Element('mod/report.html', array(
 			'report' => $report,
 			'config' => $config,
 			'mod' => $mod,
 			'token' => make_secure_link_token('reports/' . $report['id'] . '/dismiss'),
 			'token_all' => make_secure_link_token('reports/' . $report['id'] . '/dismissall')
 		));
 		// Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
 		$po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '<br>'));
@ -2030,7 +2094,8 @@ function mod_config($board_config = false) {
 			'readonly' => $readonly,
 			'boards' => listBoards(),
 			'board' => $board_config,
-			'file' => $config_file
+			'file' => $config_file,
 			'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
 		));
 		return;
 	}
@ -2113,7 +2178,7 @@ function mod_config($board_config = false) {
 			}
 		}
-		header('Location: ?/config', true, $config['redirect_http']);
+		header('Location: ?/config' . ($board_config ? '/' . $board_config : ''), true, $config['redirect_http']);
 		exit;
 	}
@ -2123,7 +2188,8 @@ function mod_config($board_config = false) {
 			'boards' => listBoards(),
 			'board' => $board_config,
 			'conf' => $conf,
-			'file' => $config_file
+			'file' => $config_file,
 			'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
 	));
 }
@ -2150,6 +2216,11 @@ function mod_themes_list() {
 	}
 	closedir($dir);
 	foreach ($themes as $theme_name => &$theme) {
 		$theme['rebuild_token'] = make_secure_link_token('themes/' . $theme_name . '/rebuild');
 		$theme['uninstall_token'] = make_secure_link_token('themes/' . $theme_name . '/uninstall');
 	}
 	mod_page(_('Manage themes'), 'mod/themes.html', array(
 		'themes' => $themes,
 		'themes_in_use' => $themes_in_use,
@ -2219,7 +2290,7 @@ function mod_theme_configure($theme_name) {
 			'theme_name' => $theme_name,
 			'theme' => $theme,
 			'result' => $result,
-			'message' => $message,
+			'message' => $message
 		));
 		return;
 	}
@ -2230,6 +2301,7 @@ function mod_theme_configure($theme_name) {
 		'theme_name' => $theme_name,
 		'theme' => $theme,
 		'settings' => $settings,
 		'token' => make_secure_link_token('themes/' . $theme_name)
 	));
 }
--- a/mod.php
+++ b/mod.php
@ -27,46 +27,48 @@ $pages = array(
 	''					=> ':?/',			// redirect to dashboard
 	'/'					=> 'dashboard',			// dashboard
 	'/confirm/(.+)'				=> 'confirm',			// confirm action (if javascript didn't work)
-	'/logout'				=> 'logout',		// logout
+	'/logout'				=> 'secure logout',		// logout
 	'/users'				=> 'users',			// manage users
-	'/users/(\d+)'				=> 'user',		// edit user
+	'/users/(\d+)/(promote|demote)'		=> 'secure user_promote',	// prmote/demote user
-	'/users/(\d+)/(promote|demote)'		=> 'user_promote',		// prmote/demote user
+	'/users/(\d+)'				=> 'secure_POST user',		// edit user
-	'/users/new'				=> 'user_new',		// create a new user
+	'/users/new'				=> 'secure_POST user_new',	// create a new user
-	'/new_PM/([^/]+)'			=> 'new_pm',		// create a new pm
+	
 	'/new_PM/([^/]+)'			=> 'secure_POST new_pm',	// create a new pm
 	'/PM/(\d+)(/reply)?'			=> 'pm',			// read a pm
 	'/inbox'				=> 'inbox',			// pm inbox
 	'/noticeboard'				=> 'noticeboard',	// view noticeboard
 	'/noticeboard/(\d+)'			=> 'noticeboard',	// view noticeboard
 	'/noticeboard/delete/(\d+)'		=> 'noticeboard_delete',	// delete from noticeboard
 	'/log'					=> 'log',			// modlog
 	'/log/(\d+)'				=> 'log',			// modlog
 	'/log:([^/]+)'				=> 'user_log',			// modlog
 	'/log:([^/]+)/(\d+)'			=> 'user_log',			// modlog
-	'/news'					=> 'news',		// view news
+	'/news'					=> 'secure_POST news',		// view news
-	'/news/(\d+)'				=> 'news',		// view news
+	'/news/(\d+)'				=> 'secure_POST news',		// view news
-	'/news/delete/(\d+)'			=> 'news_delete',	// delete from news
+	'/news/delete/(\d+)'			=> 'secure news_delete',	// delete from news
-	'/edit/(\%b)'				=> 'edit_board',	// edit board details
+	'/noticeboard'				=> 'secure_POST noticeboard',	// view noticeboard
-	'/new-board'				=> 'new_board',		// create a new board
+	'/noticeboard/(\d+)'			=> 'secure_POST noticeboard',	// view noticeboard
 	'/noticeboard/delete/(\d+)'		=> 'secure noticeboard_delete',	// delete from noticeboard
-	'/rebuild'				=> 'rebuild',		// rebuild static files
+	'/edit/(\%b)'				=> 'secure_POST edit_board',	// edit board details
 	'/new-board'				=> 'secure_POST new_board',	// create a new board
 	'/rebuild'				=> 'secure_POST rebuild',	// rebuild static files
 	'/reports'				=> 'reports',			// report queue
-	'/reports/(\d+)/dismiss(all)?'		=> 'report_dismiss',	// dismiss a report
+	'/reports/(\d+)/dismiss(all)?'		=> 'secure report_dismiss',	// dismiss a report
-	'/IP/([\w.:]+)'				=> 'ip',		// view ip address
+	'/IP/([\w.:]+)'				=> 'secure_POST ip',		// view ip address
-	'/IP/([\w.:]+)/remove_note/(\d+)'	=> 'ip_remove_note',	// remove note from ip address
+	'/IP/([\w.:]+)/remove_note/(\d+)'	=> 'secure ip_remove_note',	// remove note from ip address
-	'/bans'					=> 'bans',		// ban list
+	
-	'/bans/(\d+)'				=> 'bans',		// ban list
+	'/ban'					=> 'secure_POST ban',		// new ban
-	'/ban-appeals'				=> 'ban_appeals',	// view ban appeals
+	'/bans'					=> 'secure_POST bans',		// ban list
 	'/bans/(\d+)'				=> 'secure_POST bans',		// ban list
 	'/ban-appeals'				=> 'secure_POST ban_appeals',	// view ban appeals
 	'/search'				=> 'search_redirect',		// search
 	'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)'	=> 'search',		// search
 	'/search/(posts|IP_notes|bans|log)/(.+)'	=> 'search',		// search
 	// CSRF-protected moderator actions
 	'/ban'					=> 'secure_POST ban',		// new ban
 	'/(\%b)/ban(&delete)?/(\d+)'		=> 'secure_POST ban_post', 	// ban poster
 	'/(\%b)/move/(\d+)'			=> 'secure_POST move',		// move thread
 	'/(\%b)/edit(_raw)?/(\d+)'		=> 'secure_POST edit_post',	// edit post
@ -79,12 +81,12 @@ $pages = array(
 	'/(\%b)/bump(un)?lock/(\d+)'		=> 'secure bumplock',		// "bumplock" thread
 	'/themes'				=> 'themes_list',		// manage themes
-	'/themes/(\w+)'				=> 'theme_configure',	// configure/reconfigure theme
+	'/themes/(\w+)'				=> 'secure_POST theme_configure',		// configure/reconfigure theme
-	'/themes/(\w+)/rebuild'			=> 'theme_rebuild',	// rebuild theme
+	'/themes/(\w+)/rebuild'			=> 'secure theme_rebuild',		// rebuild theme
-	'/themes/(\w+)/uninstall'		=> 'theme_uninstall',	// uninstall theme
+	'/themes/(\w+)/uninstall'		=> 'secure theme_uninstall',		// uninstall theme
-	'/config'				=> 'config',		// config editor
+	'/config'				=> 'secure_POST config',	// config editor
-	'/config/(\%b)'				=> 'config',		// config editor
+	'/config/(\%b)'				=> 'secure_POST config',	// config editor
 	// these pages aren't listed in the dashboard without $config['debug']
 	'/debug/antispam'			=> 'debug_antispam',
--- a/templates/mod/ban_appeals.html
+++ b/templates/mod/ban_appeals.html
@ -1,6 +1,7 @@
 {% for ban in ban_appeals %}
 <form action="" method="post" style="margin: 10px 0">
 	<input type="hidden" name="token" value="{{ token }}">
 	<table style="margin: 5px 0">
 		<tr>
 			<th>{% trans 'Status' %}</th>
--- a/templates/mod/ban_list.html
+++ b/templates/mod/ban_list.html
@ -1,7 +1,8 @@
 {% if bans|count == 0 %}
 	<p style="text-align:center" class="unimportant">({% trans 'There are no active bans.' %})</p>
 {% else %}
-	<form action="" method="post">
+	<form action="?/bans" method="post">
 		<input type="hidden" name="token" value="{{ token }}">
 		<table class="mod" style="width:100%">
 			<tr>
 				<th>{% trans 'IP address/mask' %}</th>
--- a/templates/mod/board.html
+++ b/templates/mod/board.html
@ -5,6 +5,7 @@
 {% endif %}
 <form action="{{ action }}" method="post">
 	<input type="hidden" name="token" value="{{ token }}">
 	<table>
 		<tr>
 			<th>{% trans 'URI' %}</th>
--- a/templates/mod/config-editor-php.html
+++ b/templates/mod/config-editor-php.html
@ -21,6 +21,7 @@
 	{% if not readonly %}<form method="post" action="">{% endif %}
 		<input type="hidden" name="token" value="{{ token }}">
 		<textarea name="code" id="code" style="margin:auto;width:100%;height:500px{% if readonly %};background:#eee" readonly{% else %}"{% endif %}>
 		{{ php }}
 		</textarea>
--- a/templates/mod/config-editor.html
+++ b/templates/mod/config-editor.html
@ -14,6 +14,7 @@
 	</ul>
 {% endif %}
 <form method="post" action="">
 	<input type="hidden" name="token" value="{{ token }}">
 	<table class="mod config-editor">
 		<tr>
 			<th class="minimal">{% trans 'Name' %}</th>
--- a/templates/mod/dashboard.html
+++ b/templates/mod/dashboard.html
@ -164,7 +164,7 @@
 	<legend>{% trans 'User account' %}</legend>
 	<ul>
-		<li><a href="?/logout">{% trans 'Logout' %}</a></li>
+		<li><a href="?/logout/{{ logout_token }}">{% trans 'Logout' %}</a></li>
 	</ul>
 </fieldset>
--- a/templates/mod/new_pm.html
+++ b/templates/mod/new_pm.html
@ -1,4 +1,5 @@
 <form action="?/new_PM/{{ username|e }}" method="post">
 	<input type="hidden" name="token" value="{{ token }}">
 	<table>
 		<tr>
 			<th>To</th>
--- a/templates/mod/news.html
+++ b/templates/mod/news.html
@ -2,6 +2,7 @@
 	<fieldset>
 		<legend>{% trans 'New post' %}</legend>
 		<form style="margin:0" action="" method="post">
 			<input type="hidden" name="token" value="{{ token }}">
 			<table>
 				<tr>
 					<th>
@ -39,7 +40,7 @@
 	<div class="ban">
 		{% if mod|hasPermission(config.mod.news_delete) %}
 			<span style="float:right;padding:2px">
-				<a class="unimportant" href="?/news/delete/{{ post.id }}">[{% trans 'delete' %}]</a>
+				<a class="unimportant" href="?/news/delete/{{ post.id }}/{{ post.delete_token }}">[{% trans 'delete' %}]</a>
 			</span>
 		{% endif %}
 		<h2 id="{{ post.id }}">
--- a/templates/mod/noticeboard.html
+++ b/templates/mod/noticeboard.html
@ -1,7 +1,8 @@
 {% if mod|hasPermission(config.mod.noticeboard_post) %}
 	<fieldset>
 		<legend>{% trans 'New post' %}</legend>
-		<form style="margin:0" action="" method="post">
+		<form style="margin:0" action="?/noticeboard" method="post">
 			<input type="hidden" name="token" value="{{ token }}">
 			<table>
 				<tr>
 					<th>{% trans 'Name' %}</th>
@ -27,7 +28,7 @@
 	<div class="ban">
 		{% if mod|hasPermission(config.mod.noticeboard_delete) %}
 			<span style="float:right;padding:2px">
-				<a class="unimportant" href="?/noticeboard/delete/{{ post.id }}">[{% trans 'delete' %}]</a>
+				<a class="unimportant" href="?/noticeboard/delete/{{ post.id }}/{{ post.delete_token }}">[{% trans 'delete' %}]</a>
 			</span>
 		{% endif %}
 		<h2 id="{{ post.id }}">
--- a/templates/mod/rebuild.html
+++ b/templates/mod/rebuild.html
@ -1,4 +1,5 @@
 <form style="width:300px;margin:auto" action="?/rebuild" method="post">
 	<input type="hidden" name="token" value="{{ token }}">
 	<ul id="rebuild">
 		<li style="margin-bottom:8px">
 			<input type="checkbox" name="rebuild_all" id="rebuild_all" onchange="toggleall(this.checked)"> 
--- a/templates/mod/report.html
+++ b/templates/mod/report.html
@ -13,13 +13,13 @@
 	{% if mod|hasPermission(config.mod.report_dismiss, report.board) or mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
 		<hr>
 		{% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
-			<a title="{% trans 'Discard abuse report' %}" href="?/reports/{{ report.id }}/dismiss">Dismiss</a>
+			<a title="{% trans 'Discard abuse report' %}" href="?/reports/{{ report.id }}/dismiss/{{ token }}">Dismiss</a>
 		{% endif %}
 		{% if mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
 			{% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
 			 | 
 			{% endif %}
-			<a title="{% trans 'Discard all abuse reports by this IP address' %}" href="?/reports/{{ report.id }}/dismissall">Dismiss+</a>
+			<a title="{% trans 'Discard all abuse reports by this IP address' %}" href="?/reports/{{ report.id }}/dismissall/{{ token_all }}">Dismiss+</a>
 		{% endif %}
 	{% endif %}
 </div>
--- a/templates/mod/theme_config.html
+++ b/templates/mod/theme_config.html
@ -1,4 +1,5 @@
 <form action="" method="post">
 	<input type="hidden" name="token" value="{{ token }}">
 	{% if not config %}
 		<p style="text-align:center" class="unimportant">(No configuration required.)</p>
 	{% else %}
--- a/templates/mod/themes.html
+++ b/templates/mod/themes.html
@ -28,8 +28,8 @@
 							{% if theme_name in themes_in_use %}{% trans 'Reconfigure' %}{% else %}{% trans 'Install' %}{% endif %}
 						</a></li>
 						{% if theme_name in themes_in_use %}
-							<li><a href="?/themes/{{ theme_name }}/rebuild">{% trans 'Rebuild' %}</a></li>
+							<li><a href="?/themes/{{ theme_name }}/rebuild/{{ theme.rebuild_token }}">{% trans 'Rebuild' %}</a></li>
-							<li><a href="?/themes/{{ theme_name }}/uninstall" onclick="return confirm('Are you sure you want to uninstall this theme?');">{% trans 'Uninstall' %}</a></li>
+							<li><a href="?/themes/{{ theme_name }}/uninstall/{{ theme.uninstall_token }}" onclick="return confirm('Are you sure you want to uninstall this theme?');">{% trans 'Uninstall' %}</a></li>
 						{% endif %}
 					</ul></td>
 				</tr>
--- a/templates/mod/user.html
+++ b/templates/mod/user.html
@ -5,6 +5,7 @@
 {% endif %}
 <form action="{{ action }}" method="post">
 	<input type="hidden" name="token" value="{{ token }}">
 	<table>
 		<tr>
 			<th>{% trans 'Username' %}</th>
--- a/templates/mod/users.html
+++ b/templates/mod/users.html
@ -48,10 +48,10 @@
 			{% endif %}
 			<td>
 				{% if mod|hasPermission(config.mod.promoteusers) and user.type < constant(config.mod.groups[0:-1]|last) %}
-					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote" title="{% trans 'Promote' %}">&#9650;</a> 
+					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote/{{ user.promote_token }}" title="{% trans 'Promote' %}">&#9650;</a> 
 				{% endif %}
 				{% if mod|hasPermission(config.mod.promoteusers) and user.type > constant(config.mod.groups|first) %}
-					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>&#9660;</a> 
+					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote/{{ user.demote_token }}" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>&#9660;</a> 
 				{% endif %}
 				{% if mod|hasPermission(config.mod.modlog) %}
 					<a class="unimportant" style="margin-left:5px;float:right" href="?/log:{{ user.username|e }}">[{% trans 'log' %}]</a> 
--- a/templates/mod/view_ip.html
+++ b/templates/mod/view_ip.html
@ -57,6 +57,7 @@
 		{% if mod|hasPermission(config.mod.create_notes) %}
 			<form action="" method="post" style="margin:0">
 				<input type="hidden" name="token" value="{{ security_token }}">
 				<table>
 					<tr>
 						<th>{% trans 'Staff' %}</th>
@ -87,6 +88,7 @@
 		{% for ban in bans %}
 			<form action="" method="post" style="text-align:center">
 				<input type="hidden" name="token" value="{{ security_token }}">
 				<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
 					<tr>
 						<th>{% trans 'Status' %}</th>