mirror of
https://github.com/vichan-devel/vichan.git
synced 2024-11-23 23:20:57 +01:00
CSRF more mod pages
This commit is contained in:
parent
00f4da3b82
commit
c8062fbf76
@ -156,7 +156,9 @@ function mod_dashboard() {
|
|||||||
if ($latest)
|
if ($latest)
|
||||||
$args['newer_release'] = $latest;
|
$args['newer_release'] = $latest;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$args['logout_token'] = make_secure_link_token('logout');
|
||||||
|
|
||||||
mod_page(_('Dashboard'), 'mod/dashboard.html', $args);
|
mod_page(_('Dashboard'), 'mod/dashboard.html', $args);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -389,7 +391,10 @@ function mod_edit_board($boardName) {
|
|||||||
|
|
||||||
header('Location: ?/', true, $config['redirect_http']);
|
header('Location: ?/', true, $config['redirect_http']);
|
||||||
} else {
|
} else {
|
||||||
mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array('board' => $board));
|
mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array(
|
||||||
|
'board' => $board,
|
||||||
|
'token' => make_secure_link_token('edit/' . $board['uri'])
|
||||||
|
));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -459,7 +464,7 @@ function mod_new_board() {
|
|||||||
header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']);
|
header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']);
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(_('New board'), 'mod/board.html', array('new' => true));
|
mod_page(_('New board'), 'mod/board.html', array('new' => true, 'token' => make_secure_link_token('new-board')));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_noticeboard($page_no = 1) {
|
function mod_noticeboard($page_no = 1) {
|
||||||
@ -502,11 +507,19 @@ function mod_noticeboard($page_no = 1) {
|
|||||||
if (empty($noticeboard) && $page_no > 1)
|
if (empty($noticeboard) && $page_no > 1)
|
||||||
error($config['error']['404']);
|
error($config['error']['404']);
|
||||||
|
|
||||||
|
foreach ($noticeboard as &$entry) {
|
||||||
|
$entry['delete_token'] = make_secure_link_token('noticeboard/delete/' . $entry['id']);
|
||||||
|
}
|
||||||
|
|
||||||
$query = prepare("SELECT COUNT(*) FROM ``noticeboard``");
|
$query = prepare("SELECT COUNT(*) FROM ``noticeboard``");
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
$count = $query->fetchColumn();
|
$count = $query->fetchColumn();
|
||||||
|
|
||||||
mod_page(_('Noticeboard'), 'mod/noticeboard.html', array('noticeboard' => $noticeboard, 'count' => $count));
|
mod_page(_('Noticeboard'), 'mod/noticeboard.html', array(
|
||||||
|
'noticeboard' => $noticeboard,
|
||||||
|
'count' => $count,
|
||||||
|
'token' => make_secure_link_token('noticeboard')
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_noticeboard_delete($id) {
|
function mod_noticeboard_delete($id) {
|
||||||
@ -563,11 +576,15 @@ function mod_news($page_no = 1) {
|
|||||||
if (empty($news) && $page_no > 1)
|
if (empty($news) && $page_no > 1)
|
||||||
error($config['error']['404']);
|
error($config['error']['404']);
|
||||||
|
|
||||||
|
foreach ($news as &$entry) {
|
||||||
|
$entry['delete_token'] = make_secure_link_token('news/delete/' . $entry['id']);
|
||||||
|
}
|
||||||
|
|
||||||
$query = prepare("SELECT COUNT(*) FROM ``news``");
|
$query = prepare("SELECT COUNT(*) FROM ``news``");
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
$count = $query->fetchColumn();
|
$count = $query->fetchColumn();
|
||||||
|
|
||||||
mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count));
|
mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count, 'token' => make_secure_link_token('news')));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_news_delete($id) {
|
function mod_news_delete($id) {
|
||||||
@ -773,6 +790,8 @@ function mod_page_ip($ip) {
|
|||||||
$args['logs'] = array();
|
$args['logs'] = array();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$args['security_token'] = make_secure_link_token('IP/' . $ip);
|
||||||
|
|
||||||
mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
|
mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -835,7 +854,11 @@ function mod_bans($page_no = 1) {
|
|||||||
$ban['single_addr'] = true;
|
$ban['single_addr'] = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(_('Ban list'), 'mod/ban_list.html', array('bans' => $bans, 'count' => Bans::count()));
|
mod_page(_('Ban list'), 'mod/ban_list.html', array(
|
||||||
|
'bans' => $bans,
|
||||||
|
'count' => Bans::count(),
|
||||||
|
'token' => make_secure_link_token('bans')
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_ban_appeals() {
|
function mod_ban_appeals() {
|
||||||
@ -851,15 +874,23 @@ function mod_ban_appeals() {
|
|||||||
if (isset($_POST['appeal_id']) && (isset($_POST['unban']) || isset($_POST['deny']))) {
|
if (isset($_POST['appeal_id']) && (isset($_POST['unban']) || isset($_POST['deny']))) {
|
||||||
if (!hasPermission($config['mod']['ban_appeals']))
|
if (!hasPermission($config['mod']['ban_appeals']))
|
||||||
error($config['error']['noaccess']);
|
error($config['error']['noaccess']);
|
||||||
|
|
||||||
|
$query = query("SELECT *, ``ban_appeals``.`id` AS `id` FROM ``ban_appeals``
|
||||||
|
LEFT JOIN ``bans`` ON `ban_id` = ``bans``.`id`
|
||||||
|
WHERE ``ban_appeals``.`id` = " . (int)$_POST['appeal_id']) or error(db_error());
|
||||||
|
if (!$ban = $query->fetch(PDO::FETCH_ASSOC)) {
|
||||||
|
error(_('Ban appeal not found!'));
|
||||||
|
}
|
||||||
|
|
||||||
|
$ban['mask'] = Bans::range_to_string(array($ban['ipstart'], $ban['ipend']));
|
||||||
|
|
||||||
if (isset($_POST['unban'])) {
|
if (isset($_POST['unban'])) {
|
||||||
$query = query("SELECT `ban_id` FROM ``ban_appeals`` WHERE `id` = " .
|
modLog('Accepted ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
|
||||||
(int)$_POST['appeal_id']) or error(db_error());
|
Bans::delete($ban['ban_id'], true);
|
||||||
if ($ban_id = $query->fetchColumn()) {
|
query("DELETE FROM ``ban_appeals`` WHERE `id` = " . $ban['id']) or error(db_error());
|
||||||
Bans::delete($ban_id);
|
|
||||||
query("DELETE FROM ``ban_appeals`` WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error());
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error());
|
modLog('Denied ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
|
||||||
|
query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . $ban['id']) or error(db_error());
|
||||||
}
|
}
|
||||||
|
|
||||||
header('Location: ?/ban-appeals', true, $config['redirect_http']);
|
header('Location: ?/ban-appeals', true, $config['redirect_http']);
|
||||||
@ -898,7 +929,10 @@ function mod_ban_appeals() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array('ban_appeals' => $ban_appeals));
|
mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array(
|
||||||
|
'ban_appeals' => $ban_appeals,
|
||||||
|
'token' => make_secure_link_token('ban-appeals')
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_lock($board, $unlock, $post) {
|
function mod_lock($board, $unlock, $post) {
|
||||||
@ -1583,7 +1617,12 @@ function mod_user($uid) {
|
|||||||
|
|
||||||
$user['boards'] = explode(',', $user['boards']);
|
$user['boards'] = explode(',', $user['boards']);
|
||||||
|
|
||||||
mod_page(_('Edit user'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => listBoards()));
|
mod_page(_('Edit user'), 'mod/user.html', array(
|
||||||
|
'user' => $user,
|
||||||
|
'logs' => $log,
|
||||||
|
'boards' => listBoards(),
|
||||||
|
'token' => make_secure_link_token('users/' . $user['id'])
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_user_new() {
|
function mod_user_new() {
|
||||||
@ -1636,7 +1675,7 @@ function mod_user_new() {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(_('Edit user'), 'mod/user.html', array('new' => true, 'boards' => listBoards()));
|
mod_page(_('New user'), 'mod/user.html', array('new' => true, 'boards' => listBoards(), 'token' => make_secure_link_token('users/new')));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1646,9 +1685,18 @@ function mod_users() {
|
|||||||
if (!hasPermission($config['mod']['manageusers']))
|
if (!hasPermission($config['mod']['manageusers']))
|
||||||
error($config['error']['noaccess']);
|
error($config['error']['noaccess']);
|
||||||
|
|
||||||
$query = query("SELECT *, (SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
|
$query = query("SELECT
|
||||||
|
*,
|
||||||
|
(SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`,
|
||||||
|
(SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action`
|
||||||
|
FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
|
||||||
$users = $query->fetchAll(PDO::FETCH_ASSOC);
|
$users = $query->fetchAll(PDO::FETCH_ASSOC);
|
||||||
|
|
||||||
|
foreach ($users as &$user) {
|
||||||
|
$user['promote_token'] = make_secure_link_token("users/{$user['id']}/promote");
|
||||||
|
$user['demote_token'] = make_secure_link_token("users/{$user['id']}/demote");
|
||||||
|
}
|
||||||
|
|
||||||
mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users));
|
mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1740,7 +1788,10 @@ function mod_pm($id, $reply = false) {
|
|||||||
error($config['error']['404']); // deleted?
|
error($config['error']['404']); // deleted?
|
||||||
|
|
||||||
mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array(
|
mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array(
|
||||||
'username' => $pm['username'], 'id' => $pm['sender'], 'message' => quote($pm['message'])
|
'username' => $pm['username'],
|
||||||
|
'id' => $pm['sender'],
|
||||||
|
'message' => quote($pm['message']),
|
||||||
|
'token' => make_secure_link_token('new_PM/' . $pm['username'])
|
||||||
));
|
));
|
||||||
} else {
|
} else {
|
||||||
mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm);
|
mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm);
|
||||||
@ -1812,7 +1863,11 @@ function mod_new_pm($username) {
|
|||||||
header('Location: ?/', true, $config['redirect_http']);
|
header('Location: ?/', true, $config['redirect_http']);
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array('username' => $username, 'id' => $id));
|
mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array(
|
||||||
|
'username' => $username,
|
||||||
|
'id' => $id,
|
||||||
|
'token' => make_secure_link_token('new_PM/' . $username)
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_rebuild() {
|
function mod_rebuild() {
|
||||||
@ -1881,7 +1936,10 @@ function mod_rebuild() {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(_('Rebuild'), 'mod/rebuild.html', array('boards' => listBoards()));
|
mod_page(_('Rebuild'), 'mod/rebuild.html', array(
|
||||||
|
'boards' => listBoards(),
|
||||||
|
'token' => make_secure_link_token('rebuild')
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
function mod_reports() {
|
function mod_reports() {
|
||||||
@ -1936,7 +1994,13 @@ function mod_reports() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// a little messy and inefficient
|
// a little messy and inefficient
|
||||||
$append_html = Element('mod/report.html', array('report' => $report, 'config' => $config, 'mod' => $mod));
|
$append_html = Element('mod/report.html', array(
|
||||||
|
'report' => $report,
|
||||||
|
'config' => $config,
|
||||||
|
'mod' => $mod,
|
||||||
|
'token' => make_secure_link_token('reports/' . $report['id'] . '/dismiss'),
|
||||||
|
'token_all' => make_secure_link_token('reports/' . $report['id'] . '/dismissall')
|
||||||
|
));
|
||||||
|
|
||||||
// Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
|
// Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
|
||||||
$po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '<br>'));
|
$po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '<br>'));
|
||||||
@ -2030,7 +2094,8 @@ function mod_config($board_config = false) {
|
|||||||
'readonly' => $readonly,
|
'readonly' => $readonly,
|
||||||
'boards' => listBoards(),
|
'boards' => listBoards(),
|
||||||
'board' => $board_config,
|
'board' => $board_config,
|
||||||
'file' => $config_file
|
'file' => $config_file,
|
||||||
|
'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
|
||||||
));
|
));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -2113,17 +2178,18 @@ function mod_config($board_config = false) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
header('Location: ?/config', true, $config['redirect_http']);
|
header('Location: ?/config' . ($board_config ? '/' . $board_config : ''), true, $config['redirect_http']);
|
||||||
|
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
mod_page(_('Config editor') . ($board_config ? ': ' . sprintf($config['board_abbreviation'], $board_config) : ''),
|
mod_page(_('Config editor') . ($board_config ? ': ' . sprintf($config['board_abbreviation'], $board_config) : ''),
|
||||||
'mod/config-editor.html', array(
|
'mod/config-editor.html', array(
|
||||||
'boards' => listBoards(),
|
'boards' => listBoards(),
|
||||||
'board' => $board_config,
|
'board' => $board_config,
|
||||||
'conf' => $conf,
|
'conf' => $conf,
|
||||||
'file' => $config_file
|
'file' => $config_file,
|
||||||
|
'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2149,6 +2215,11 @@ function mod_themes_list() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
closedir($dir);
|
closedir($dir);
|
||||||
|
|
||||||
|
foreach ($themes as $theme_name => &$theme) {
|
||||||
|
$theme['rebuild_token'] = make_secure_link_token('themes/' . $theme_name . '/rebuild');
|
||||||
|
$theme['uninstall_token'] = make_secure_link_token('themes/' . $theme_name . '/uninstall');
|
||||||
|
}
|
||||||
|
|
||||||
mod_page(_('Manage themes'), 'mod/themes.html', array(
|
mod_page(_('Manage themes'), 'mod/themes.html', array(
|
||||||
'themes' => $themes,
|
'themes' => $themes,
|
||||||
@ -2219,7 +2290,7 @@ function mod_theme_configure($theme_name) {
|
|||||||
'theme_name' => $theme_name,
|
'theme_name' => $theme_name,
|
||||||
'theme' => $theme,
|
'theme' => $theme,
|
||||||
'result' => $result,
|
'result' => $result,
|
||||||
'message' => $message,
|
'message' => $message
|
||||||
));
|
));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -2230,6 +2301,7 @@ function mod_theme_configure($theme_name) {
|
|||||||
'theme_name' => $theme_name,
|
'theme_name' => $theme_name,
|
||||||
'theme' => $theme,
|
'theme' => $theme,
|
||||||
'settings' => $settings,
|
'settings' => $settings,
|
||||||
|
'token' => make_secure_link_token('themes/' . $theme_name)
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
86
mod.php
86
mod.php
@ -24,49 +24,51 @@ if (get_magic_quotes_gpc()) {
|
|||||||
$query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
|
$query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
|
||||||
|
|
||||||
$pages = array(
|
$pages = array(
|
||||||
'' => ':?/', // redirect to dashboard
|
'' => ':?/', // redirect to dashboard
|
||||||
'/' => 'dashboard', // dashboard
|
'/' => 'dashboard', // dashboard
|
||||||
'/confirm/(.+)' => 'confirm', // confirm action (if javascript didn't work)
|
'/confirm/(.+)' => 'confirm', // confirm action (if javascript didn't work)
|
||||||
'/logout' => 'logout', // logout
|
'/logout' => 'secure logout', // logout
|
||||||
|
|
||||||
'/users' => 'users', // manage users
|
'/users' => 'users', // manage users
|
||||||
'/users/(\d+)' => 'user', // edit user
|
'/users/(\d+)/(promote|demote)' => 'secure user_promote', // prmote/demote user
|
||||||
'/users/(\d+)/(promote|demote)' => 'user_promote', // prmote/demote user
|
'/users/(\d+)' => 'secure_POST user', // edit user
|
||||||
'/users/new' => 'user_new', // create a new user
|
'/users/new' => 'secure_POST user_new', // create a new user
|
||||||
'/new_PM/([^/]+)' => 'new_pm', // create a new pm
|
|
||||||
'/PM/(\d+)(/reply)?' => 'pm', // read a pm
|
|
||||||
'/inbox' => 'inbox', // pm inbox
|
|
||||||
|
|
||||||
'/noticeboard' => 'noticeboard', // view noticeboard
|
'/new_PM/([^/]+)' => 'secure_POST new_pm', // create a new pm
|
||||||
'/noticeboard/(\d+)' => 'noticeboard', // view noticeboard
|
'/PM/(\d+)(/reply)?' => 'pm', // read a pm
|
||||||
'/noticeboard/delete/(\d+)' => 'noticeboard_delete', // delete from noticeboard
|
'/inbox' => 'inbox', // pm inbox
|
||||||
'/log' => 'log', // modlog
|
|
||||||
'/log/(\d+)' => 'log', // modlog
|
|
||||||
'/log:([^/]+)' => 'user_log', // modlog
|
|
||||||
'/log:([^/]+)/(\d+)' => 'user_log', // modlog
|
|
||||||
'/news' => 'news', // view news
|
|
||||||
'/news/(\d+)' => 'news', // view news
|
|
||||||
'/news/delete/(\d+)' => 'news_delete', // delete from news
|
|
||||||
|
|
||||||
'/edit/(\%b)' => 'edit_board', // edit board details
|
'/log' => 'log', // modlog
|
||||||
'/new-board' => 'new_board', // create a new board
|
'/log/(\d+)' => 'log', // modlog
|
||||||
|
'/log:([^/]+)' => 'user_log', // modlog
|
||||||
|
'/log:([^/]+)/(\d+)' => 'user_log', // modlog
|
||||||
|
'/news' => 'secure_POST news', // view news
|
||||||
|
'/news/(\d+)' => 'secure_POST news', // view news
|
||||||
|
'/news/delete/(\d+)' => 'secure news_delete', // delete from news
|
||||||
|
|
||||||
'/rebuild' => 'rebuild', // rebuild static files
|
'/noticeboard' => 'secure_POST noticeboard', // view noticeboard
|
||||||
'/reports' => 'reports', // report queue
|
'/noticeboard/(\d+)' => 'secure_POST noticeboard', // view noticeboard
|
||||||
'/reports/(\d+)/dismiss(all)?' => 'report_dismiss', // dismiss a report
|
'/noticeboard/delete/(\d+)' => 'secure noticeboard_delete', // delete from noticeboard
|
||||||
|
|
||||||
'/IP/([\w.:]+)' => 'ip', // view ip address
|
'/edit/(\%b)' => 'secure_POST edit_board', // edit board details
|
||||||
'/IP/([\w.:]+)/remove_note/(\d+)' => 'ip_remove_note', // remove note from ip address
|
'/new-board' => 'secure_POST new_board', // create a new board
|
||||||
'/bans' => 'bans', // ban list
|
|
||||||
'/bans/(\d+)' => 'bans', // ban list
|
'/rebuild' => 'secure_POST rebuild', // rebuild static files
|
||||||
'/ban-appeals' => 'ban_appeals', // view ban appeals
|
'/reports' => 'reports', // report queue
|
||||||
|
'/reports/(\d+)/dismiss(all)?' => 'secure report_dismiss', // dismiss a report
|
||||||
|
|
||||||
|
'/IP/([\w.:]+)' => 'secure_POST ip', // view ip address
|
||||||
|
'/IP/([\w.:]+)/remove_note/(\d+)' => 'secure ip_remove_note', // remove note from ip address
|
||||||
|
|
||||||
'/search' => 'search_redirect', // search
|
|
||||||
'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)' => 'search', // search
|
|
||||||
'/search/(posts|IP_notes|bans|log)/(.+)' => 'search', // search
|
|
||||||
|
|
||||||
// CSRF-protected moderator actions
|
|
||||||
'/ban' => 'secure_POST ban', // new ban
|
'/ban' => 'secure_POST ban', // new ban
|
||||||
|
'/bans' => 'secure_POST bans', // ban list
|
||||||
|
'/bans/(\d+)' => 'secure_POST bans', // ban list
|
||||||
|
'/ban-appeals' => 'secure_POST ban_appeals', // view ban appeals
|
||||||
|
|
||||||
|
'/search' => 'search_redirect', // search
|
||||||
|
'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)' => 'search', // search
|
||||||
|
'/search/(posts|IP_notes|bans|log)/(.+)' => 'search', // search
|
||||||
|
|
||||||
'/(\%b)/ban(&delete)?/(\d+)' => 'secure_POST ban_post', // ban poster
|
'/(\%b)/ban(&delete)?/(\d+)' => 'secure_POST ban_post', // ban poster
|
||||||
'/(\%b)/move/(\d+)' => 'secure_POST move', // move thread
|
'/(\%b)/move/(\d+)' => 'secure_POST move', // move thread
|
||||||
'/(\%b)/edit(_raw)?/(\d+)' => 'secure_POST edit_post', // edit post
|
'/(\%b)/edit(_raw)?/(\d+)' => 'secure_POST edit_post', // edit post
|
||||||
@ -78,13 +80,13 @@ $pages = array(
|
|||||||
'/(\%b)/(un)?sticky/(\d+)' => 'secure sticky', // sticky thread
|
'/(\%b)/(un)?sticky/(\d+)' => 'secure sticky', // sticky thread
|
||||||
'/(\%b)/bump(un)?lock/(\d+)' => 'secure bumplock', // "bumplock" thread
|
'/(\%b)/bump(un)?lock/(\d+)' => 'secure bumplock', // "bumplock" thread
|
||||||
|
|
||||||
'/themes' => 'themes_list', // manage themes
|
'/themes' => 'themes_list', // manage themes
|
||||||
'/themes/(\w+)' => 'theme_configure', // configure/reconfigure theme
|
'/themes/(\w+)' => 'secure_POST theme_configure', // configure/reconfigure theme
|
||||||
'/themes/(\w+)/rebuild' => 'theme_rebuild', // rebuild theme
|
'/themes/(\w+)/rebuild' => 'secure theme_rebuild', // rebuild theme
|
||||||
'/themes/(\w+)/uninstall' => 'theme_uninstall', // uninstall theme
|
'/themes/(\w+)/uninstall' => 'secure theme_uninstall', // uninstall theme
|
||||||
|
|
||||||
'/config' => 'config', // config editor
|
'/config' => 'secure_POST config', // config editor
|
||||||
'/config/(\%b)' => 'config', // config editor
|
'/config/(\%b)' => 'secure_POST config', // config editor
|
||||||
|
|
||||||
// these pages aren't listed in the dashboard without $config['debug']
|
// these pages aren't listed in the dashboard without $config['debug']
|
||||||
'/debug/antispam' => 'debug_antispam',
|
'/debug/antispam' => 'debug_antispam',
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
{% for ban in ban_appeals %}
|
{% for ban in ban_appeals %}
|
||||||
|
|
||||||
<form action="" method="post" style="margin: 10px 0">
|
<form action="" method="post" style="margin: 10px 0">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table style="margin: 5px 0">
|
<table style="margin: 5px 0">
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'Status' %}</th>
|
<th>{% trans 'Status' %}</th>
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
{% if bans|count == 0 %}
|
{% if bans|count == 0 %}
|
||||||
<p style="text-align:center" class="unimportant">({% trans 'There are no active bans.' %})</p>
|
<p style="text-align:center" class="unimportant">({% trans 'There are no active bans.' %})</p>
|
||||||
{% else %}
|
{% else %}
|
||||||
<form action="" method="post">
|
<form action="?/bans" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table class="mod" style="width:100%">
|
<table class="mod" style="width:100%">
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'IP address/mask' %}</th>
|
<th>{% trans 'IP address/mask' %}</th>
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
<form action="{{ action }}" method="post">
|
<form action="{{ action }}" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'URI' %}</th>
|
<th>{% trans 'URI' %}</th>
|
||||||
|
@ -21,6 +21,7 @@
|
|||||||
|
|
||||||
|
|
||||||
{% if not readonly %}<form method="post" action="">{% endif %}
|
{% if not readonly %}<form method="post" action="">{% endif %}
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<textarea name="code" id="code" style="margin:auto;width:100%;height:500px{% if readonly %};background:#eee" readonly{% else %}"{% endif %}>
|
<textarea name="code" id="code" style="margin:auto;width:100%;height:500px{% if readonly %};background:#eee" readonly{% else %}"{% endif %}>
|
||||||
{{ php }}
|
{{ php }}
|
||||||
</textarea>
|
</textarea>
|
||||||
|
@ -14,6 +14,7 @@
|
|||||||
</ul>
|
</ul>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<form method="post" action="">
|
<form method="post" action="">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table class="mod config-editor">
|
<table class="mod config-editor">
|
||||||
<tr>
|
<tr>
|
||||||
<th class="minimal">{% trans 'Name' %}</th>
|
<th class="minimal">{% trans 'Name' %}</th>
|
||||||
|
@ -164,7 +164,7 @@
|
|||||||
<legend>{% trans 'User account' %}</legend>
|
<legend>{% trans 'User account' %}</legend>
|
||||||
|
|
||||||
<ul>
|
<ul>
|
||||||
<li><a href="?/logout">{% trans 'Logout' %}</a></li>
|
<li><a href="?/logout/{{ logout_token }}">{% trans 'Logout' %}</a></li>
|
||||||
</ul>
|
</ul>
|
||||||
</fieldset>
|
</fieldset>
|
||||||
|
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
<form action="?/new_PM/{{ username|e }}" method="post">
|
<form action="?/new_PM/{{ username|e }}" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th>To</th>
|
<th>To</th>
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
<fieldset>
|
<fieldset>
|
||||||
<legend>{% trans 'New post' %}</legend>
|
<legend>{% trans 'New post' %}</legend>
|
||||||
<form style="margin:0" action="" method="post">
|
<form style="margin:0" action="" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th>
|
<th>
|
||||||
@ -39,7 +40,7 @@
|
|||||||
<div class="ban">
|
<div class="ban">
|
||||||
{% if mod|hasPermission(config.mod.news_delete) %}
|
{% if mod|hasPermission(config.mod.news_delete) %}
|
||||||
<span style="float:right;padding:2px">
|
<span style="float:right;padding:2px">
|
||||||
<a class="unimportant" href="?/news/delete/{{ post.id }}">[{% trans 'delete' %}]</a>
|
<a class="unimportant" href="?/news/delete/{{ post.id }}/{{ post.delete_token }}">[{% trans 'delete' %}]</a>
|
||||||
</span>
|
</span>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<h2 id="{{ post.id }}">
|
<h2 id="{{ post.id }}">
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
{% if mod|hasPermission(config.mod.noticeboard_post) %}
|
{% if mod|hasPermission(config.mod.noticeboard_post) %}
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<legend>{% trans 'New post' %}</legend>
|
<legend>{% trans 'New post' %}</legend>
|
||||||
<form style="margin:0" action="" method="post">
|
<form style="margin:0" action="?/noticeboard" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'Name' %}</th>
|
<th>{% trans 'Name' %}</th>
|
||||||
@ -27,7 +28,7 @@
|
|||||||
<div class="ban">
|
<div class="ban">
|
||||||
{% if mod|hasPermission(config.mod.noticeboard_delete) %}
|
{% if mod|hasPermission(config.mod.noticeboard_delete) %}
|
||||||
<span style="float:right;padding:2px">
|
<span style="float:right;padding:2px">
|
||||||
<a class="unimportant" href="?/noticeboard/delete/{{ post.id }}">[{% trans 'delete' %}]</a>
|
<a class="unimportant" href="?/noticeboard/delete/{{ post.id }}/{{ post.delete_token }}">[{% trans 'delete' %}]</a>
|
||||||
</span>
|
</span>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<h2 id="{{ post.id }}">
|
<h2 id="{{ post.id }}">
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
<form style="width:300px;margin:auto" action="?/rebuild" method="post">
|
<form style="width:300px;margin:auto" action="?/rebuild" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<ul id="rebuild">
|
<ul id="rebuild">
|
||||||
<li style="margin-bottom:8px">
|
<li style="margin-bottom:8px">
|
||||||
<input type="checkbox" name="rebuild_all" id="rebuild_all" onchange="toggleall(this.checked)">
|
<input type="checkbox" name="rebuild_all" id="rebuild_all" onchange="toggleall(this.checked)">
|
||||||
|
@ -13,13 +13,13 @@
|
|||||||
{% if mod|hasPermission(config.mod.report_dismiss, report.board) or mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
|
{% if mod|hasPermission(config.mod.report_dismiss, report.board) or mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
|
||||||
<hr>
|
<hr>
|
||||||
{% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
|
{% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
|
||||||
<a title="{% trans 'Discard abuse report' %}" href="?/reports/{{ report.id }}/dismiss">Dismiss</a>
|
<a title="{% trans 'Discard abuse report' %}" href="?/reports/{{ report.id }}/dismiss/{{ token }}">Dismiss</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
|
{% if mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
|
||||||
{% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
|
{% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
|
||||||
|
|
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
<a title="{% trans 'Discard all abuse reports by this IP address' %}" href="?/reports/{{ report.id }}/dismissall">Dismiss+</a>
|
<a title="{% trans 'Discard all abuse reports by this IP address' %}" href="?/reports/{{ report.id }}/dismissall/{{ token_all }}">Dismiss+</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
<form action="" method="post">
|
<form action="" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
{% if not config %}
|
{% if not config %}
|
||||||
<p style="text-align:center" class="unimportant">(No configuration required.)</p>
|
<p style="text-align:center" class="unimportant">(No configuration required.)</p>
|
||||||
{% else %}
|
{% else %}
|
||||||
|
@ -28,8 +28,8 @@
|
|||||||
{% if theme_name in themes_in_use %}{% trans 'Reconfigure' %}{% else %}{% trans 'Install' %}{% endif %}
|
{% if theme_name in themes_in_use %}{% trans 'Reconfigure' %}{% else %}{% trans 'Install' %}{% endif %}
|
||||||
</a></li>
|
</a></li>
|
||||||
{% if theme_name in themes_in_use %}
|
{% if theme_name in themes_in_use %}
|
||||||
<li><a href="?/themes/{{ theme_name }}/rebuild">{% trans 'Rebuild' %}</a></li>
|
<li><a href="?/themes/{{ theme_name }}/rebuild/{{ theme.rebuild_token }}">{% trans 'Rebuild' %}</a></li>
|
||||||
<li><a href="?/themes/{{ theme_name }}/uninstall" onclick="return confirm('Are you sure you want to uninstall this theme?');">{% trans 'Uninstall' %}</a></li>
|
<li><a href="?/themes/{{ theme_name }}/uninstall/{{ theme.uninstall_token }}" onclick="return confirm('Are you sure you want to uninstall this theme?');">{% trans 'Uninstall' %}</a></li>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</ul></td>
|
</ul></td>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
<form action="{{ action }}" method="post">
|
<form action="{{ action }}" method="post">
|
||||||
|
<input type="hidden" name="token" value="{{ token }}">
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'Username' %}</th>
|
<th>{% trans 'Username' %}</th>
|
||||||
|
@ -48,10 +48,10 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
<td>
|
<td>
|
||||||
{% if mod|hasPermission(config.mod.promoteusers) and user.type < constant(config.mod.groups[0:-1]|last) %}
|
{% if mod|hasPermission(config.mod.promoteusers) and user.type < constant(config.mod.groups[0:-1]|last) %}
|
||||||
<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote" title="{% trans 'Promote' %}">▲</a>
|
<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote/{{ user.promote_token }}" title="{% trans 'Promote' %}">▲</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if mod|hasPermission(config.mod.promoteusers) and user.type > constant(config.mod.groups|first) %}
|
{% if mod|hasPermission(config.mod.promoteusers) and user.type > constant(config.mod.groups|first) %}
|
||||||
<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>▼</a>
|
<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote/{{ user.demote_token }}" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>▼</a>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if mod|hasPermission(config.mod.modlog) %}
|
{% if mod|hasPermission(config.mod.modlog) %}
|
||||||
<a class="unimportant" style="margin-left:5px;float:right" href="?/log:{{ user.username|e }}">[{% trans 'log' %}]</a>
|
<a class="unimportant" style="margin-left:5px;float:right" href="?/log:{{ user.username|e }}">[{% trans 'log' %}]</a>
|
||||||
|
@ -57,6 +57,7 @@
|
|||||||
|
|
||||||
{% if mod|hasPermission(config.mod.create_notes) %}
|
{% if mod|hasPermission(config.mod.create_notes) %}
|
||||||
<form action="" method="post" style="margin:0">
|
<form action="" method="post" style="margin:0">
|
||||||
|
<input type="hidden" name="token" value="{{ security_token }}">
|
||||||
<table>
|
<table>
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'Staff' %}</th>
|
<th>{% trans 'Staff' %}</th>
|
||||||
@ -87,6 +88,7 @@
|
|||||||
|
|
||||||
{% for ban in bans %}
|
{% for ban in bans %}
|
||||||
<form action="" method="post" style="text-align:center">
|
<form action="" method="post" style="text-align:center">
|
||||||
|
<input type="hidden" name="token" value="{{ security_token }}">
|
||||||
<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
|
<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
|
||||||
<tr>
|
<tr>
|
||||||
<th>{% trans 'Status' %}</th>
|
<th>{% trans 'Status' %}</th>
|
||||||
|
Loading…
Reference in New Issue
Block a user