1
0
mirror of https://github.com/vichan-devel/vichan.git synced 2024-11-23 23:20:57 +01:00

CSRF more mod pages

This commit is contained in:
Michael Foster 2013-09-23 16:48:56 +10:00
parent 00f4da3b82
commit c8062fbf76
18 changed files with 166 additions and 79 deletions

View File

@ -156,7 +156,9 @@ function mod_dashboard() {
if ($latest) if ($latest)
$args['newer_release'] = $latest; $args['newer_release'] = $latest;
} }
$args['logout_token'] = make_secure_link_token('logout');
mod_page(_('Dashboard'), 'mod/dashboard.html', $args); mod_page(_('Dashboard'), 'mod/dashboard.html', $args);
} }
@ -389,7 +391,10 @@ function mod_edit_board($boardName) {
header('Location: ?/', true, $config['redirect_http']); header('Location: ?/', true, $config['redirect_http']);
} else { } else {
mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array('board' => $board)); mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array(
'board' => $board,
'token' => make_secure_link_token('edit/' . $board['uri'])
));
} }
} }
@ -459,7 +464,7 @@ function mod_new_board() {
header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']); header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']);
} }
mod_page(_('New board'), 'mod/board.html', array('new' => true)); mod_page(_('New board'), 'mod/board.html', array('new' => true, 'token' => make_secure_link_token('new-board')));
} }
function mod_noticeboard($page_no = 1) { function mod_noticeboard($page_no = 1) {
@ -502,11 +507,19 @@ function mod_noticeboard($page_no = 1) {
if (empty($noticeboard) && $page_no > 1) if (empty($noticeboard) && $page_no > 1)
error($config['error']['404']); error($config['error']['404']);
foreach ($noticeboard as &$entry) {
$entry['delete_token'] = make_secure_link_token('noticeboard/delete/' . $entry['id']);
}
$query = prepare("SELECT COUNT(*) FROM ``noticeboard``"); $query = prepare("SELECT COUNT(*) FROM ``noticeboard``");
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
$count = $query->fetchColumn(); $count = $query->fetchColumn();
mod_page(_('Noticeboard'), 'mod/noticeboard.html', array('noticeboard' => $noticeboard, 'count' => $count)); mod_page(_('Noticeboard'), 'mod/noticeboard.html', array(
'noticeboard' => $noticeboard,
'count' => $count,
'token' => make_secure_link_token('noticeboard')
));
} }
function mod_noticeboard_delete($id) { function mod_noticeboard_delete($id) {
@ -563,11 +576,15 @@ function mod_news($page_no = 1) {
if (empty($news) && $page_no > 1) if (empty($news) && $page_no > 1)
error($config['error']['404']); error($config['error']['404']);
foreach ($news as &$entry) {
$entry['delete_token'] = make_secure_link_token('news/delete/' . $entry['id']);
}
$query = prepare("SELECT COUNT(*) FROM ``news``"); $query = prepare("SELECT COUNT(*) FROM ``news``");
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
$count = $query->fetchColumn(); $count = $query->fetchColumn();
mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count)); mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count, 'token' => make_secure_link_token('news')));
} }
function mod_news_delete($id) { function mod_news_delete($id) {
@ -773,6 +790,8 @@ function mod_page_ip($ip) {
$args['logs'] = array(); $args['logs'] = array();
} }
$args['security_token'] = make_secure_link_token('IP/' . $ip);
mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']); mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
} }
@ -835,7 +854,11 @@ function mod_bans($page_no = 1) {
$ban['single_addr'] = true; $ban['single_addr'] = true;
} }
mod_page(_('Ban list'), 'mod/ban_list.html', array('bans' => $bans, 'count' => Bans::count())); mod_page(_('Ban list'), 'mod/ban_list.html', array(
'bans' => $bans,
'count' => Bans::count(),
'token' => make_secure_link_token('bans')
));
} }
function mod_ban_appeals() { function mod_ban_appeals() {
@ -851,15 +874,23 @@ function mod_ban_appeals() {
if (isset($_POST['appeal_id']) && (isset($_POST['unban']) || isset($_POST['deny']))) { if (isset($_POST['appeal_id']) && (isset($_POST['unban']) || isset($_POST['deny']))) {
if (!hasPermission($config['mod']['ban_appeals'])) if (!hasPermission($config['mod']['ban_appeals']))
error($config['error']['noaccess']); error($config['error']['noaccess']);
$query = query("SELECT *, ``ban_appeals``.`id` AS `id` FROM ``ban_appeals``
LEFT JOIN ``bans`` ON `ban_id` = ``bans``.`id`
WHERE ``ban_appeals``.`id` = " . (int)$_POST['appeal_id']) or error(db_error());
if (!$ban = $query->fetch(PDO::FETCH_ASSOC)) {
error(_('Ban appeal not found!'));
}
$ban['mask'] = Bans::range_to_string(array($ban['ipstart'], $ban['ipend']));
if (isset($_POST['unban'])) { if (isset($_POST['unban'])) {
$query = query("SELECT `ban_id` FROM ``ban_appeals`` WHERE `id` = " . modLog('Accepted ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
(int)$_POST['appeal_id']) or error(db_error()); Bans::delete($ban['ban_id'], true);
if ($ban_id = $query->fetchColumn()) { query("DELETE FROM ``ban_appeals`` WHERE `id` = " . $ban['id']) or error(db_error());
Bans::delete($ban_id);
query("DELETE FROM ``ban_appeals`` WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error());
}
} else { } else {
query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error()); modLog('Denied ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . $ban['id']) or error(db_error());
} }
header('Location: ?/ban-appeals', true, $config['redirect_http']); header('Location: ?/ban-appeals', true, $config['redirect_http']);
@ -898,7 +929,10 @@ function mod_ban_appeals() {
} }
} }
mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array('ban_appeals' => $ban_appeals)); mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array(
'ban_appeals' => $ban_appeals,
'token' => make_secure_link_token('ban-appeals')
));
} }
function mod_lock($board, $unlock, $post) { function mod_lock($board, $unlock, $post) {
@ -1583,7 +1617,12 @@ function mod_user($uid) {
$user['boards'] = explode(',', $user['boards']); $user['boards'] = explode(',', $user['boards']);
mod_page(_('Edit user'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => listBoards())); mod_page(_('Edit user'), 'mod/user.html', array(
'user' => $user,
'logs' => $log,
'boards' => listBoards(),
'token' => make_secure_link_token('users/' . $user['id'])
));
} }
function mod_user_new() { function mod_user_new() {
@ -1636,7 +1675,7 @@ function mod_user_new() {
return; return;
} }
mod_page(_('Edit user'), 'mod/user.html', array('new' => true, 'boards' => listBoards())); mod_page(_('New user'), 'mod/user.html', array('new' => true, 'boards' => listBoards(), 'token' => make_secure_link_token('users/new')));
} }
@ -1646,9 +1685,18 @@ function mod_users() {
if (!hasPermission($config['mod']['manageusers'])) if (!hasPermission($config['mod']['manageusers']))
error($config['error']['noaccess']); error($config['error']['noaccess']);
$query = query("SELECT *, (SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error()); $query = query("SELECT
*,
(SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`,
(SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action`
FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
$users = $query->fetchAll(PDO::FETCH_ASSOC); $users = $query->fetchAll(PDO::FETCH_ASSOC);
foreach ($users as &$user) {
$user['promote_token'] = make_secure_link_token("users/{$user['id']}/promote");
$user['demote_token'] = make_secure_link_token("users/{$user['id']}/demote");
}
mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users)); mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users));
} }
@ -1740,7 +1788,10 @@ function mod_pm($id, $reply = false) {
error($config['error']['404']); // deleted? error($config['error']['404']); // deleted?
mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array( mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array(
'username' => $pm['username'], 'id' => $pm['sender'], 'message' => quote($pm['message']) 'username' => $pm['username'],
'id' => $pm['sender'],
'message' => quote($pm['message']),
'token' => make_secure_link_token('new_PM/' . $pm['username'])
)); ));
} else { } else {
mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm); mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm);
@ -1812,7 +1863,11 @@ function mod_new_pm($username) {
header('Location: ?/', true, $config['redirect_http']); header('Location: ?/', true, $config['redirect_http']);
} }
mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array('username' => $username, 'id' => $id)); mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array(
'username' => $username,
'id' => $id,
'token' => make_secure_link_token('new_PM/' . $username)
));
} }
function mod_rebuild() { function mod_rebuild() {
@ -1881,7 +1936,10 @@ function mod_rebuild() {
return; return;
} }
mod_page(_('Rebuild'), 'mod/rebuild.html', array('boards' => listBoards())); mod_page(_('Rebuild'), 'mod/rebuild.html', array(
'boards' => listBoards(),
'token' => make_secure_link_token('rebuild')
));
} }
function mod_reports() { function mod_reports() {
@ -1936,7 +1994,13 @@ function mod_reports() {
} }
// a little messy and inefficient // a little messy and inefficient
$append_html = Element('mod/report.html', array('report' => $report, 'config' => $config, 'mod' => $mod)); $append_html = Element('mod/report.html', array(
'report' => $report,
'config' => $config,
'mod' => $mod,
'token' => make_secure_link_token('reports/' . $report['id'] . '/dismiss'),
'token_all' => make_secure_link_token('reports/' . $report['id'] . '/dismissall')
));
// Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21 // Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
$po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '<br>')); $po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '<br>'));
@ -2030,7 +2094,8 @@ function mod_config($board_config = false) {
'readonly' => $readonly, 'readonly' => $readonly,
'boards' => listBoards(), 'boards' => listBoards(),
'board' => $board_config, 'board' => $board_config,
'file' => $config_file 'file' => $config_file,
'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
)); ));
return; return;
} }
@ -2113,17 +2178,18 @@ function mod_config($board_config = false) {
} }
} }
header('Location: ?/config', true, $config['redirect_http']); header('Location: ?/config' . ($board_config ? '/' . $board_config : ''), true, $config['redirect_http']);
exit; exit;
} }
mod_page(_('Config editor') . ($board_config ? ': ' . sprintf($config['board_abbreviation'], $board_config) : ''), mod_page(_('Config editor') . ($board_config ? ': ' . sprintf($config['board_abbreviation'], $board_config) : ''),
'mod/config-editor.html', array( 'mod/config-editor.html', array(
'boards' => listBoards(), 'boards' => listBoards(),
'board' => $board_config, 'board' => $board_config,
'conf' => $conf, 'conf' => $conf,
'file' => $config_file 'file' => $config_file,
'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
)); ));
} }
@ -2149,6 +2215,11 @@ function mod_themes_list() {
} }
} }
closedir($dir); closedir($dir);
foreach ($themes as $theme_name => &$theme) {
$theme['rebuild_token'] = make_secure_link_token('themes/' . $theme_name . '/rebuild');
$theme['uninstall_token'] = make_secure_link_token('themes/' . $theme_name . '/uninstall');
}
mod_page(_('Manage themes'), 'mod/themes.html', array( mod_page(_('Manage themes'), 'mod/themes.html', array(
'themes' => $themes, 'themes' => $themes,
@ -2219,7 +2290,7 @@ function mod_theme_configure($theme_name) {
'theme_name' => $theme_name, 'theme_name' => $theme_name,
'theme' => $theme, 'theme' => $theme,
'result' => $result, 'result' => $result,
'message' => $message, 'message' => $message
)); ));
return; return;
} }
@ -2230,6 +2301,7 @@ function mod_theme_configure($theme_name) {
'theme_name' => $theme_name, 'theme_name' => $theme_name,
'theme' => $theme, 'theme' => $theme,
'settings' => $settings, 'settings' => $settings,
'token' => make_secure_link_token('themes/' . $theme_name)
)); ));
} }

86
mod.php
View File

@ -24,49 +24,51 @@ if (get_magic_quotes_gpc()) {
$query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : ''; $query = isset($_SERVER['QUERY_STRING']) ? rawurldecode($_SERVER['QUERY_STRING']) : '';
$pages = array( $pages = array(
'' => ':?/', // redirect to dashboard '' => ':?/', // redirect to dashboard
'/' => 'dashboard', // dashboard '/' => 'dashboard', // dashboard
'/confirm/(.+)' => 'confirm', // confirm action (if javascript didn't work) '/confirm/(.+)' => 'confirm', // confirm action (if javascript didn't work)
'/logout' => 'logout', // logout '/logout' => 'secure logout', // logout
'/users' => 'users', // manage users '/users' => 'users', // manage users
'/users/(\d+)' => 'user', // edit user '/users/(\d+)/(promote|demote)' => 'secure user_promote', // prmote/demote user
'/users/(\d+)/(promote|demote)' => 'user_promote', // prmote/demote user '/users/(\d+)' => 'secure_POST user', // edit user
'/users/new' => 'user_new', // create a new user '/users/new' => 'secure_POST user_new', // create a new user
'/new_PM/([^/]+)' => 'new_pm', // create a new pm
'/PM/(\d+)(/reply)?' => 'pm', // read a pm
'/inbox' => 'inbox', // pm inbox
'/noticeboard' => 'noticeboard', // view noticeboard '/new_PM/([^/]+)' => 'secure_POST new_pm', // create a new pm
'/noticeboard/(\d+)' => 'noticeboard', // view noticeboard '/PM/(\d+)(/reply)?' => 'pm', // read a pm
'/noticeboard/delete/(\d+)' => 'noticeboard_delete', // delete from noticeboard '/inbox' => 'inbox', // pm inbox
'/log' => 'log', // modlog
'/log/(\d+)' => 'log', // modlog
'/log:([^/]+)' => 'user_log', // modlog
'/log:([^/]+)/(\d+)' => 'user_log', // modlog
'/news' => 'news', // view news
'/news/(\d+)' => 'news', // view news
'/news/delete/(\d+)' => 'news_delete', // delete from news
'/edit/(\%b)' => 'edit_board', // edit board details '/log' => 'log', // modlog
'/new-board' => 'new_board', // create a new board '/log/(\d+)' => 'log', // modlog
'/log:([^/]+)' => 'user_log', // modlog
'/log:([^/]+)/(\d+)' => 'user_log', // modlog
'/news' => 'secure_POST news', // view news
'/news/(\d+)' => 'secure_POST news', // view news
'/news/delete/(\d+)' => 'secure news_delete', // delete from news
'/rebuild' => 'rebuild', // rebuild static files '/noticeboard' => 'secure_POST noticeboard', // view noticeboard
'/reports' => 'reports', // report queue '/noticeboard/(\d+)' => 'secure_POST noticeboard', // view noticeboard
'/reports/(\d+)/dismiss(all)?' => 'report_dismiss', // dismiss a report '/noticeboard/delete/(\d+)' => 'secure noticeboard_delete', // delete from noticeboard
'/IP/([\w.:]+)' => 'ip', // view ip address '/edit/(\%b)' => 'secure_POST edit_board', // edit board details
'/IP/([\w.:]+)/remove_note/(\d+)' => 'ip_remove_note', // remove note from ip address '/new-board' => 'secure_POST new_board', // create a new board
'/bans' => 'bans', // ban list
'/bans/(\d+)' => 'bans', // ban list '/rebuild' => 'secure_POST rebuild', // rebuild static files
'/ban-appeals' => 'ban_appeals', // view ban appeals '/reports' => 'reports', // report queue
'/reports/(\d+)/dismiss(all)?' => 'secure report_dismiss', // dismiss a report
'/IP/([\w.:]+)' => 'secure_POST ip', // view ip address
'/IP/([\w.:]+)/remove_note/(\d+)' => 'secure ip_remove_note', // remove note from ip address
'/search' => 'search_redirect', // search
'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)' => 'search', // search
'/search/(posts|IP_notes|bans|log)/(.+)' => 'search', // search
// CSRF-protected moderator actions
'/ban' => 'secure_POST ban', // new ban '/ban' => 'secure_POST ban', // new ban
'/bans' => 'secure_POST bans', // ban list
'/bans/(\d+)' => 'secure_POST bans', // ban list
'/ban-appeals' => 'secure_POST ban_appeals', // view ban appeals
'/search' => 'search_redirect', // search
'/search/(posts|IP_notes|bans|log)/(.+)/(\d+)' => 'search', // search
'/search/(posts|IP_notes|bans|log)/(.+)' => 'search', // search
'/(\%b)/ban(&delete)?/(\d+)' => 'secure_POST ban_post', // ban poster '/(\%b)/ban(&delete)?/(\d+)' => 'secure_POST ban_post', // ban poster
'/(\%b)/move/(\d+)' => 'secure_POST move', // move thread '/(\%b)/move/(\d+)' => 'secure_POST move', // move thread
'/(\%b)/edit(_raw)?/(\d+)' => 'secure_POST edit_post', // edit post '/(\%b)/edit(_raw)?/(\d+)' => 'secure_POST edit_post', // edit post
@ -78,13 +80,13 @@ $pages = array(
'/(\%b)/(un)?sticky/(\d+)' => 'secure sticky', // sticky thread '/(\%b)/(un)?sticky/(\d+)' => 'secure sticky', // sticky thread
'/(\%b)/bump(un)?lock/(\d+)' => 'secure bumplock', // "bumplock" thread '/(\%b)/bump(un)?lock/(\d+)' => 'secure bumplock', // "bumplock" thread
'/themes' => 'themes_list', // manage themes '/themes' => 'themes_list', // manage themes
'/themes/(\w+)' => 'theme_configure', // configure/reconfigure theme '/themes/(\w+)' => 'secure_POST theme_configure', // configure/reconfigure theme
'/themes/(\w+)/rebuild' => 'theme_rebuild', // rebuild theme '/themes/(\w+)/rebuild' => 'secure theme_rebuild', // rebuild theme
'/themes/(\w+)/uninstall' => 'theme_uninstall', // uninstall theme '/themes/(\w+)/uninstall' => 'secure theme_uninstall', // uninstall theme
'/config' => 'config', // config editor '/config' => 'secure_POST config', // config editor
'/config/(\%b)' => 'config', // config editor '/config/(\%b)' => 'secure_POST config', // config editor
// these pages aren't listed in the dashboard without $config['debug'] // these pages aren't listed in the dashboard without $config['debug']
'/debug/antispam' => 'debug_antispam', '/debug/antispam' => 'debug_antispam',

View File

@ -1,6 +1,7 @@
{% for ban in ban_appeals %} {% for ban in ban_appeals %}
<form action="" method="post" style="margin: 10px 0"> <form action="" method="post" style="margin: 10px 0">
<input type="hidden" name="token" value="{{ token }}">
<table style="margin: 5px 0"> <table style="margin: 5px 0">
<tr> <tr>
<th>{% trans 'Status' %}</th> <th>{% trans 'Status' %}</th>

View File

@ -1,7 +1,8 @@
{% if bans|count == 0 %} {% if bans|count == 0 %}
<p style="text-align:center" class="unimportant">({% trans 'There are no active bans.' %})</p> <p style="text-align:center" class="unimportant">({% trans 'There are no active bans.' %})</p>
{% else %} {% else %}
<form action="" method="post"> <form action="?/bans" method="post">
<input type="hidden" name="token" value="{{ token }}">
<table class="mod" style="width:100%"> <table class="mod" style="width:100%">
<tr> <tr>
<th>{% trans 'IP address/mask' %}</th> <th>{% trans 'IP address/mask' %}</th>

View File

@ -5,6 +5,7 @@
{% endif %} {% endif %}
<form action="{{ action }}" method="post"> <form action="{{ action }}" method="post">
<input type="hidden" name="token" value="{{ token }}">
<table> <table>
<tr> <tr>
<th>{% trans 'URI' %}</th> <th>{% trans 'URI' %}</th>

View File

@ -21,6 +21,7 @@
{% if not readonly %}<form method="post" action="">{% endif %} {% if not readonly %}<form method="post" action="">{% endif %}
<input type="hidden" name="token" value="{{ token }}">
<textarea name="code" id="code" style="margin:auto;width:100%;height:500px{% if readonly %};background:#eee" readonly{% else %}"{% endif %}> <textarea name="code" id="code" style="margin:auto;width:100%;height:500px{% if readonly %};background:#eee" readonly{% else %}"{% endif %}>
{{ php }} {{ php }}
</textarea> </textarea>

View File

@ -14,6 +14,7 @@
</ul> </ul>
{% endif %} {% endif %}
<form method="post" action=""> <form method="post" action="">
<input type="hidden" name="token" value="{{ token }}">
<table class="mod config-editor"> <table class="mod config-editor">
<tr> <tr>
<th class="minimal">{% trans 'Name' %}</th> <th class="minimal">{% trans 'Name' %}</th>

View File

@ -164,7 +164,7 @@
<legend>{% trans 'User account' %}</legend> <legend>{% trans 'User account' %}</legend>
<ul> <ul>
<li><a href="?/logout">{% trans 'Logout' %}</a></li> <li><a href="?/logout/{{ logout_token }}">{% trans 'Logout' %}</a></li>
</ul> </ul>
</fieldset> </fieldset>

View File

@ -1,4 +1,5 @@
<form action="?/new_PM/{{ username|e }}" method="post"> <form action="?/new_PM/{{ username|e }}" method="post">
<input type="hidden" name="token" value="{{ token }}">
<table> <table>
<tr> <tr>
<th>To</th> <th>To</th>

View File

@ -2,6 +2,7 @@
<fieldset> <fieldset>
<legend>{% trans 'New post' %}</legend> <legend>{% trans 'New post' %}</legend>
<form style="margin:0" action="" method="post"> <form style="margin:0" action="" method="post">
<input type="hidden" name="token" value="{{ token }}">
<table> <table>
<tr> <tr>
<th> <th>
@ -39,7 +40,7 @@
<div class="ban"> <div class="ban">
{% if mod|hasPermission(config.mod.news_delete) %} {% if mod|hasPermission(config.mod.news_delete) %}
<span style="float:right;padding:2px"> <span style="float:right;padding:2px">
<a class="unimportant" href="?/news/delete/{{ post.id }}">[{% trans 'delete' %}]</a> <a class="unimportant" href="?/news/delete/{{ post.id }}/{{ post.delete_token }}">[{% trans 'delete' %}]</a>
</span> </span>
{% endif %} {% endif %}
<h2 id="{{ post.id }}"> <h2 id="{{ post.id }}">

View File

@ -1,7 +1,8 @@
{% if mod|hasPermission(config.mod.noticeboard_post) %} {% if mod|hasPermission(config.mod.noticeboard_post) %}
<fieldset> <fieldset>
<legend>{% trans 'New post' %}</legend> <legend>{% trans 'New post' %}</legend>
<form style="margin:0" action="" method="post"> <form style="margin:0" action="?/noticeboard" method="post">
<input type="hidden" name="token" value="{{ token }}">
<table> <table>
<tr> <tr>
<th>{% trans 'Name' %}</th> <th>{% trans 'Name' %}</th>
@ -27,7 +28,7 @@
<div class="ban"> <div class="ban">
{% if mod|hasPermission(config.mod.noticeboard_delete) %} {% if mod|hasPermission(config.mod.noticeboard_delete) %}
<span style="float:right;padding:2px"> <span style="float:right;padding:2px">
<a class="unimportant" href="?/noticeboard/delete/{{ post.id }}">[{% trans 'delete' %}]</a> <a class="unimportant" href="?/noticeboard/delete/{{ post.id }}/{{ post.delete_token }}">[{% trans 'delete' %}]</a>
</span> </span>
{% endif %} {% endif %}
<h2 id="{{ post.id }}"> <h2 id="{{ post.id }}">

View File

@ -1,4 +1,5 @@
<form style="width:300px;margin:auto" action="?/rebuild" method="post"> <form style="width:300px;margin:auto" action="?/rebuild" method="post">
<input type="hidden" name="token" value="{{ token }}">
<ul id="rebuild"> <ul id="rebuild">
<li style="margin-bottom:8px"> <li style="margin-bottom:8px">
<input type="checkbox" name="rebuild_all" id="rebuild_all" onchange="toggleall(this.checked)"> <input type="checkbox" name="rebuild_all" id="rebuild_all" onchange="toggleall(this.checked)">

View File

@ -13,13 +13,13 @@
{% if mod|hasPermission(config.mod.report_dismiss, report.board) or mod|hasPermission(config.mod.report_dismiss_ip, report.board) %} {% if mod|hasPermission(config.mod.report_dismiss, report.board) or mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
<hr> <hr>
{% if mod|hasPermission(config.mod.report_dismiss, report.board) %} {% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
<a title="{% trans 'Discard abuse report' %}" href="?/reports/{{ report.id }}/dismiss">Dismiss</a> <a title="{% trans 'Discard abuse report' %}" href="?/reports/{{ report.id }}/dismiss/{{ token }}">Dismiss</a>
{% endif %} {% endif %}
{% if mod|hasPermission(config.mod.report_dismiss_ip, report.board) %} {% if mod|hasPermission(config.mod.report_dismiss_ip, report.board) %}
{% if mod|hasPermission(config.mod.report_dismiss, report.board) %} {% if mod|hasPermission(config.mod.report_dismiss, report.board) %}
| |
{% endif %} {% endif %}
<a title="{% trans 'Discard all abuse reports by this IP address' %}" href="?/reports/{{ report.id }}/dismissall">Dismiss+</a> <a title="{% trans 'Discard all abuse reports by this IP address' %}" href="?/reports/{{ report.id }}/dismissall/{{ token_all }}">Dismiss+</a>
{% endif %} {% endif %}
{% endif %} {% endif %}
</div> </div>

View File

@ -1,4 +1,5 @@
<form action="" method="post"> <form action="" method="post">
<input type="hidden" name="token" value="{{ token }}">
{% if not config %} {% if not config %}
<p style="text-align:center" class="unimportant">(No configuration required.)</p> <p style="text-align:center" class="unimportant">(No configuration required.)</p>
{% else %} {% else %}

View File

@ -28,8 +28,8 @@
{% if theme_name in themes_in_use %}{% trans 'Reconfigure' %}{% else %}{% trans 'Install' %}{% endif %} {% if theme_name in themes_in_use %}{% trans 'Reconfigure' %}{% else %}{% trans 'Install' %}{% endif %}
</a></li> </a></li>
{% if theme_name in themes_in_use %} {% if theme_name in themes_in_use %}
<li><a href="?/themes/{{ theme_name }}/rebuild">{% trans 'Rebuild' %}</a></li> <li><a href="?/themes/{{ theme_name }}/rebuild/{{ theme.rebuild_token }}">{% trans 'Rebuild' %}</a></li>
<li><a href="?/themes/{{ theme_name }}/uninstall" onclick="return confirm('Are you sure you want to uninstall this theme?');">{% trans 'Uninstall' %}</a></li> <li><a href="?/themes/{{ theme_name }}/uninstall/{{ theme.uninstall_token }}" onclick="return confirm('Are you sure you want to uninstall this theme?');">{% trans 'Uninstall' %}</a></li>
{% endif %} {% endif %}
</ul></td> </ul></td>
</tr> </tr>

View File

@ -5,6 +5,7 @@
{% endif %} {% endif %}
<form action="{{ action }}" method="post"> <form action="{{ action }}" method="post">
<input type="hidden" name="token" value="{{ token }}">
<table> <table>
<tr> <tr>
<th>{% trans 'Username' %}</th> <th>{% trans 'Username' %}</th>

View File

@ -48,10 +48,10 @@
{% endif %} {% endif %}
<td> <td>
{% if mod|hasPermission(config.mod.promoteusers) and user.type < constant(config.mod.groups[0:-1]|last) %} {% if mod|hasPermission(config.mod.promoteusers) and user.type < constant(config.mod.groups[0:-1]|last) %}
<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote" title="{% trans 'Promote' %}">&#9650;</a> <a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote/{{ user.promote_token }}" title="{% trans 'Promote' %}">&#9650;</a>
{% endif %} {% endif %}
{% if mod|hasPermission(config.mod.promoteusers) and user.type > constant(config.mod.groups|first) %} {% if mod|hasPermission(config.mod.promoteusers) and user.type > constant(config.mod.groups|first) %}
<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>&#9660;</a> <a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote/{{ user.demote_token }}" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>&#9660;</a>
{% endif %} {% endif %}
{% if mod|hasPermission(config.mod.modlog) %} {% if mod|hasPermission(config.mod.modlog) %}
<a class="unimportant" style="margin-left:5px;float:right" href="?/log:{{ user.username|e }}">[{% trans 'log' %}]</a> <a class="unimportant" style="margin-left:5px;float:right" href="?/log:{{ user.username|e }}">[{% trans 'log' %}]</a>

View File

@ -57,6 +57,7 @@
{% if mod|hasPermission(config.mod.create_notes) %} {% if mod|hasPermission(config.mod.create_notes) %}
<form action="" method="post" style="margin:0"> <form action="" method="post" style="margin:0">
<input type="hidden" name="token" value="{{ security_token }}">
<table> <table>
<tr> <tr>
<th>{% trans 'Staff' %}</th> <th>{% trans 'Staff' %}</th>
@ -87,6 +88,7 @@
{% for ban in bans %} {% for ban in bans %}
<form action="" method="post" style="text-align:center"> <form action="" method="post" style="text-align:center">
<input type="hidden" name="token" value="{{ security_token }}">
<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px"> <table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
<tr> <tr>
<th>{% trans 'Status' %}</th> <th>{% trans 'Status' %}</th>