From a65fbcebe785d33a8053645cb73dfd11d032a940 Mon Sep 17 00:00:00 2001 From: Philipp Date: Sun, 12 Sep 2021 21:20:12 +0200 Subject: [PATCH] Fixing #10699 (prohibits blocking and ignoreing from the photo menu) --- include/conversation.php | 12 +++++++----- src/Object/Post.php | 7 ++++--- src/Object/Thread.php | 5 +++-- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/include/conversation.php b/include/conversation.php index 352060d7f..2db0c22b8 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -20,6 +20,7 @@ */ use Friendica\App; +use Friendica\BaseModule; use Friendica\Content\ContactSelector; use Friendica\Content\Feature; use Friendica\Core\ACL; @@ -396,6 +397,7 @@ function conversation(App $a, array $items, $mode, $update, $preview = false, $o $threadsid = -1; $page_template = Renderer::getMarkupTemplate("conversation.tpl"); + $formSecurityToken = BaseModule::getFormSecurityToken('contact_action'); if (!empty($items)) { if (in_array($mode, ['community', 'contacts'])) { @@ -502,7 +504,7 @@ function conversation(App $a, array $items, $mode, $update, $preview = false, $o 'network_icon' => ContactSelector::networkToIcon($item['network'], $item['author-link']), 'linktitle' => DI::l10n()->t('View %s\'s profile @ %s', $profile_name, $item['author-link']), 'profile_url' => $profile_link, - 'item_photo_menu_html' => item_photo_menu($item), + 'item_photo_menu_html' => item_photo_menu($item, $formSecurityToken), 'name' => $profile_name, 'sparkle' => $sparkle, 'lock' => false, @@ -590,7 +592,7 @@ function conversation(App $a, array $items, $mode, $update, $preview = false, $o } } - $threads = $conv->getTemplateData($conv_responses); + $threads = $conv->getTemplateData($conv_responses, $formSecurityToken); if (!$threads) { Logger::log('[ERROR] conversation : Failed to get template data.', Logger::DEBUG); $threads = []; @@ -782,7 +784,7 @@ function conversation_add_children(array $parents, $block_authors, $order, $uid) return $items; } -function item_photo_menu($item) +function item_photo_menu($item, string $formSecurityToken) { DI::profiler()->startRecording('rendering'); $sub_link = ''; @@ -825,8 +827,8 @@ function item_photo_menu($item) if (!empty($pcid)) { $contact_url = 'contact/' . $pcid; $posts_link = $contact_url . '/posts'; - $block_link = $item['self'] ? '' : $contact_url . '/block'; - $ignore_link = $item['self'] ? '' : $contact_url . '/ignore'; + $block_link = $item['self'] ? '' : $contact_url . '/block?t=' . $formSecurityToken; + $ignore_link = $item['self'] ? '' : $contact_url . '/ignore?t=' . $formSecurityToken; } if ($cid && !$item['self']) { diff --git a/src/Object/Post.php b/src/Object/Post.php index 628cc95f7..5722582d2 100644 --- a/src/Object/Post.php +++ b/src/Object/Post.php @@ -125,6 +125,7 @@ class Post * Get data in a form usable by a conversation template * * @param array $conv_responses conversation responses + * @param string $formSecurityToken A security Token to avoid CSF attacks * @param integer $thread_level default = 1 * * @return mixed The data requested on success @@ -132,7 +133,7 @@ class Post * @throws \Friendica\Network\HTTPException\InternalServerErrorException * @throws \ImagickException */ - public function getTemplateData(array $conv_responses, $thread_level = 1) + public function getTemplateData(array $conv_responses, string $formSecurityToken, $thread_level = 1) { $a = DI::app(); @@ -458,7 +459,7 @@ class Post 'vwall' => DI::l10n()->t('via Wall-To-Wall:'), 'profile_url' => $profile_link, 'name' => $profile_name, - 'item_photo_menu_html' => item_photo_menu($item), + 'item_photo_menu_html' => item_photo_menu($item, $formSecurityToken), 'thumb' => DI::baseUrl()->remove(Contact::getAvatarUrlForUrl($item['author-link'], $item['uid'], Proxy::SIZE_THUMB)), 'osparkle' => $osparkle, 'sparkle' => $sparkle, @@ -532,7 +533,7 @@ class Post $nb_children = count($children); if ($nb_children > 0) { foreach ($children as $child) { - $result['children'][] = $child->getTemplateData($conv_responses, $thread_level + 1); + $result['children'][] = $child->getTemplateData($conv_responses, $formSecurityToken, $thread_level + 1); } // Collapse diff --git a/src/Object/Thread.php b/src/Object/Thread.php index a848586fe..7d59759a0 100644 --- a/src/Object/Thread.php +++ b/src/Object/Thread.php @@ -190,12 +190,13 @@ class Thread * We should find a way to avoid using those arguments (at least most of them) * * @param array $conv_responses data + * @param string $formSecurityToken A security Token to avoid CSF attacks * * @return mixed The data requested on success * false on failure * @throws \Exception */ - public function getTemplateData($conv_responses) + public function getTemplateData($conv_responses, string $formSecurityToken) { $result = []; @@ -204,7 +205,7 @@ class Thread continue; } - $item_data = $item->getTemplateData($conv_responses); + $item_data = $item->getTemplateData($conv_responses, $formSecurityToken); if (!$item_data) { Logger::log('[ERROR] Conversation::getTemplateData : Failed to get item template data ('. $item->getId() .').', Logger::DEBUG);