Merge pull request #9166 from MrPetovan/bug/phpinfo-accessible-hotfix
[Hotfix] Fix security vulnerability in admin modules
commit
fb721f8e30
20 changed files with 497 additions and 574 deletions
|
@ -32,26 +32,24 @@ class Details extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
$a = DI::app();
|
||||
$addon = Strings::sanitizeFilePathItem($parameters['addon']);
|
||||
|
||||
$redirect = 'admin/addons/' . $addon;
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$addon = $a->argv[2];
|
||||
$addon = Strings::sanitizeFilePathItem($addon);
|
||||
if (is_file('addon/' . $addon . '/' . $addon . '.php')) {
|
||||
include_once 'addon/' . $addon . '/' . $addon . '.php';
|
||||
|
||||
if (function_exists($addon . '_addon_admin_post')) {
|
||||
self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');
|
||||
|
||||
$func = $addon . '_addon_admin_post';
|
||||
$func($a);
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/addons/' . $addon);
|
||||
$func(DI::app());
|
||||
}
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/addons');
|
||||
DI::baseUrl()->redirect($redirect);
|
||||
}
|
||||
|
||||
public static function content(array $parameters = [])
|
||||
|
@ -62,10 +60,7 @@ class Details extends BaseAdmin
|
|||
|
||||
$addons_admin = Addon::getAdminList();
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$addon = $a->argv[2];
|
||||
$addon = Strings::sanitizeFilePathItem($addon);
|
||||
$addon = Strings::sanitizeFilePathItem($parameters['addon']);
|
||||
if (!is_file("addon/$addon/$addon.php")) {
|
||||
notice(DI::l10n()->t('Addon not found.'));
|
||||
Addon::uninstall($addon);
|
||||
|
@ -73,7 +68,7 @@ class Details extends BaseAdmin
|
|||
}
|
||||
|
||||
if (($_GET['action'] ?? '') == 'toggle') {
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_themes', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons_details', 't');
|
||||
|
||||
// Toggle addon status
|
||||
if (Addon::isEnabled($addon)) {
|
||||
|
@ -131,10 +126,7 @@ class Details extends BaseAdmin
|
|||
'$screenshot' => '',
|
||||
'$readme' => $readme,
|
||||
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_themes'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_addons_details'),
|
||||
]);
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/addons');
|
||||
}
|
||||
}
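Review bot: In the new post() the form security token is verified only after the addon file has been loaded with `include_once` and only when `<addon>_addon_admin_post` exists, so a POST with a missing or stale token still executes the addon file's top-level code before the CSRF check runs. `$redirect` is already known at that point, so move `self::checkFormSecurityTokenRedirectOnError($redirect, 'admin_addons_details');` up to directly after the `$redirect = 'admin/addons/' . $addon;` line; Themes\Embed::post() appears to have the same ordering around its `require_once "view/theme/$theme/config.php"` and should get the same treatment. `$parameters['addon']` is read without a default in both post() and content(), which relies on the router always supplying the `{addon}` placeholder — a `?? ''` (the lookup then fails the `is_file` check) or a comment stating the route makes it mandatory would make that explicit.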
|
||||
|
|
|
@ -34,7 +34,7 @@ class Index extends BaseAdmin
|
|||
|
||||
// reload active themes
|
||||
if (!empty($_GET['action'])) {
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_addons', 't');
|
||||
|
||||
switch ($_GET['action']) {
|
||||
case 'reload':
|
||||
|
@ -73,7 +73,7 @@ class Index extends BaseAdmin
|
|||
'$addons' => $addons,
|
||||
'$pcount' => count($addons),
|
||||
'$noplugshint' => DI::l10n()->t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_addons'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_addons'),
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -32,14 +32,14 @@ class Contact extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
|
||||
|
||||
$contact_url = $_POST['contact_url'] ?? '';
|
||||
$block_reason = $_POST['contact_block_reason'] ?? '';
|
||||
$contacts = $_POST['contacts'] ?? [];
|
||||
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/contact', 'admin_contactblock');
|
||||
|
||||
if (!empty($_POST['page_contactblock_block'])) {
|
||||
$contact_id = Model\Contact::getIdForURL($contact_url);
|
||||
if ($contact_id) {
|
||||
|
@ -89,7 +89,7 @@ class Contact extends BaseAdmin
|
|||
'$h_newblock' => DI::l10n()->t('Block New Remote Contact'),
|
||||
'$th_contacts' => [DI::l10n()->t('Photo'), DI::l10n()->t('Name'), DI::l10n()->t('Reason')],
|
||||
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_contactblock'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_contactblock'),
|
||||
|
||||
// values //
|
||||
'$baseurl' => DI::baseUrl()->get(true),
|
||||
|
|
|
@ -30,13 +30,13 @@ class Server extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
if (empty($_POST['page_blocklist_save']) && empty($_POST['page_blocklist_edit'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/blocklist/server', 'admin_blocklist');
|
||||
|
||||
if (!empty($_POST['page_blocklist_save'])) {
|
||||
// Add new item to blocklist
|
||||
|
@ -108,7 +108,7 @@ class Server extends BaseAdmin
|
|||
'$entries' => $blocklistform,
|
||||
'$baseurl' => DI::baseUrl()->get(true),
|
||||
'$confirm_delete' => DI::l10n()->t('Delete entry from blocklist?'),
|
||||
'$form_security_token' => parent::getFormSecurityToken("admin_blocklist")
|
||||
'$form_security_token' => self::getFormSecurityToken("admin_blocklist")
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -36,64 +36,62 @@ class DBSync extends BaseAdmin
|
|||
|
||||
$a = DI::app();
|
||||
|
||||
$o = '';
|
||||
$action = $parameters['action'] ?? '';
|
||||
$update = $parameters['update'] ?? 0;
|
||||
|
||||
if ($a->argc > 3 && $a->argv[2] === 'mark') {
|
||||
// @TODO: Replace with parameter from router
|
||||
$update = intval($a->argv[3]);
|
||||
switch ($action) {
|
||||
case 'mark':
|
||||
if ($update) {
|
||||
DI::config()->set('database', 'update_' . $update, 'success');
|
||||
$curr = DI::config()->get('system', 'build');
|
||||
if (intval($curr) == $update) {
|
||||
DI::config()->set('system', 'build', intval($curr) + 1);
|
||||
}
|
||||
info(DI::l10n()->t('Update has been marked successful') . EOL);
|
||||
}
|
||||
DI::baseUrl()->redirect('admin/dbsync');
|
||||
|
||||
info(DI::l10n()->t('Update has been marked successful'));
|
||||
}
|
||||
|
||||
if ($a->argc > 2) {
|
||||
if ($a->argv[2] === 'check') {
|
||||
break;
|
||||
case 'check':
|
||||
// @TODO Seems like a similar logic like Update::check()
|
||||
$retval = DBStructure::update($a->getBasePath(), false, true);
|
||||
if ($retval === '') {
|
||||
$o .= DI::l10n()->t("Database structure update %s was successfully applied.", DB_UPDATE_VERSION) . "<br />";
|
||||
$o = DI::l10n()->t("Database structure update %s was successfully applied.", DB_UPDATE_VERSION) . "<br />";
|
||||
DI::config()->set('database', 'last_successful_update', DB_UPDATE_VERSION);
|
||||
DI::config()->set('database', 'last_successful_update_time', time());
|
||||
} else {
|
||||
$o .= DI::l10n()->t("Executing of database structure update %s failed with error: %s", DB_UPDATE_VERSION, $retval) . "<br />";
|
||||
$o = DI::l10n()->t("Executing of database structure update %s failed with error: %s", DB_UPDATE_VERSION, $retval) . "<br />";
|
||||
}
|
||||
if ($a->argv[2] === 'check') {
|
||||
|
||||
return $o;
|
||||
}
|
||||
} elseif (intval($a->argv[2])) {
|
||||
case 'update':
|
||||
require_once 'update.php';
|
||||
|
||||
// @TODO: Replace with parameter from router
|
||||
$update = intval($a->argv[2]);
|
||||
|
||||
if ($update) {
|
||||
$func = 'update_' . $update;
|
||||
|
||||
if (function_exists($func)) {
|
||||
$retval = $func();
|
||||
|
||||
if ($retval === Update::FAILED) {
|
||||
$o .= DI::l10n()->t("Executing %s failed with error: %s", $func, $retval);
|
||||
$o = DI::l10n()->t("Executing %s failed with error: %s", $func, $retval);
|
||||
} elseif ($retval === Update::SUCCESS) {
|
||||
$o .= DI::l10n()->t('Update %s was successfully applied.', $func);
|
||||
$o = DI::l10n()->t('Update %s was successfully applied.', $func);
|
||||
DI::config()->set('database', $func, 'success');
|
||||
} else {
|
||||
$o .= DI::l10n()->t('Update %s did not return a status. Unknown if it succeeded.', $func);
|
||||
$o = DI::l10n()->t('Update %s did not return a status. Unknown if it succeeded.', $func);
|
||||
}
|
||||
} else {
|
||||
$o .= DI::l10n()->t('There was no additional update function %s that needed to be called.', $func) . "<br />";
|
||||
$o = DI::l10n()->t('There was no additional update function %s that needed to be called.', $func) . "<br />";
|
||||
DI::config()->set('database', $func, 'success');
|
||||
}
|
||||
|
||||
return $o;
|
||||
}
|
||||
}
|
||||
|
||||
break;
|
||||
default:
|
||||
$failed = [];
|
||||
$configStmt = DBA::select('config', ['k', 'v'], ['cat' => 'database']);
|
||||
while ($config = DBA::fetch($configStmt)) {
|
||||
|
@ -123,4 +121,8 @@ class DBSync extends BaseAdmin
|
|||
|
||||
return $o;
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/dbsync');
|
||||
return '';
|
||||
}
|
||||
}
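Review bot: The `mark` and `update` branches of the new switch change state (config writes, running the `update_<n>` functions pulled in from update.php) on a GET request with no form-security-token check, whereas the GET actions in Addons\Index, Themes\Details and Users in this same commit verify a `t` token via `checkFormSecurityTokenRedirectOnError(..., 't')`; the routes hunk registers `/dbsync[/{action}[/{update:\d+}]]` as `R::GET` only and the dbsync template links to `mark/{{$f}}` and `update/{{$f}}` without a token, so an authenticated admin following a crafted link would trigger them. Add `self::checkFormSecurityTokenRedirectOnError('/admin/dbsync', '<token type, e.g. admin_dbsync>', 't');` at the top of both cases and emit the matching `self::getFormSecurityToken(...)` as `?t=` on the template links, or turn the links into POST forms. The enclosing content() starts before this hunk, so I cannot see whether an earlier check already covers this; `$update` is safe as a function-name suffix only because the route constrains it to `\d+`, which deserves a comment next to `$func = 'update_' . $update;`.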
|
||||
|
|
|
@ -30,9 +30,9 @@ class Features extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
|
||||
|
||||
$features = Feature::get(false);
|
||||
|
||||
|
@ -80,7 +80,7 @@ class Features extends BaseAdmin
|
|||
|
||||
$tpl = Renderer::getMarkupTemplate('admin/features.tpl');
|
||||
$o = Renderer::replaceMacros($tpl, [
|
||||
'$form_security_token' => parent::getFormSecurityToken("admin_manage_features"),
|
||||
'$form_security_token' => self::getFormSecurityToken("admin_manage_features"),
|
||||
'$baseurl' => DI::baseUrl()->get(true),
|
||||
'$title' => DI::l10n()->t('Manage Additional Features'),
|
||||
'$features' => $features,
|
||||
|
|
|
@ -31,13 +31,13 @@ class Delete extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
if (empty($_POST['page_deleteitem_submit'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/item/delete', 'admin_deleteitem');
|
||||
|
||||
if (!empty($_POST['page_deleteitem_submit'])) {
|
||||
$guid = trim(Strings::escapeTags($_POST['deleteitemguid']));
|
||||
|
@ -68,7 +68,7 @@ class Delete extends BaseAdmin
|
|||
'$intro1' => DI::l10n()->t('On this page you can delete an item from your node. If the item is a top level posting, the entire thread will be deleted.'),
|
||||
'$intro2' => DI::l10n()->t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
|
||||
'$deleteitemguid' => ['deleteitemguid', DI::l10n()->t("GUID"), '', DI::l10n()->t("The GUID of the item you want to delete."), 'required', 'autofocus'],
|
||||
'$form_security_token' => parent::getFormSecurityToken("admin_deleteitem")
|
||||
'$form_security_token' => self::getFormSecurityToken("admin_deleteitem")
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -31,10 +31,13 @@ class Settings extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
if (!empty($_POST['page_logs'])) {
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
|
||||
if (empty($_POST['page_logs'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
|
||||
|
||||
$logfile = (!empty($_POST['logfile']) ? Strings::escapeTags(trim($_POST['logfile'])) : '');
|
||||
$debugging = !empty($_POST['debugging']);
|
||||
|
@ -49,9 +52,7 @@ class Settings extends BaseAdmin
|
|||
DI::config()->set('system', 'logfile', $logfile);
|
||||
DI::config()->set('system', 'debugging', $debugging);
|
||||
DI::config()->set('system', 'loglevel', $loglevel);
|
||||
}
|
||||
|
||||
info(DI::l10n()->t("Log settings updated."));
|
||||
DI::baseUrl()->redirect('admin/logs');
|
||||
}
|
||||
|
||||
|
@ -86,7 +87,7 @@ class Settings extends BaseAdmin
|
|||
'$debugging' => ['debugging', DI::l10n()->t("Enable Debugging"), DI::config()->get('system', 'debugging'), ""],
|
||||
'$logfile' => ['logfile', DI::l10n()->t("Log file"), DI::config()->get('system', 'logfile'), DI::l10n()->t("Must be writable by web server. Relative to your Friendica top-level directory.")],
|
||||
'$loglevel' => ['loglevel', DI::l10n()->t("Log level"), DI::config()->get('system', 'loglevel'), "", $log_choices],
|
||||
'$form_security_token' => parent::getFormSecurityToken("admin_logs"),
|
||||
'$form_security_token' => self::getFormSecurityToken("admin_logs"),
|
||||
'$phpheader' => DI::l10n()->t("PHP logging"),
|
||||
'$phphint' => DI::l10n()->t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
|
||||
'$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
|
||||
|
|
|
@ -27,7 +27,7 @@ class PhpInfo extends BaseAdmin
|
|||
{
|
||||
public static function rawContent(array $parameters = [])
|
||||
{
|
||||
parent::rawContent($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
phpinfo();
|
||||
exit();
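Review bot: The access check now sits in rawContent() with nothing explaining why it must be there, and this is the method that was reachable without it; a comment would protect the fix from a later "clean-up", e.g. `// Not covered by the check in BaseAdmin::content(): this module answers from rawContent(), so the admin check must stay ahead of phpinfo().` The default non-interactive `checkAdminAccess()` throws instead of redirecting, which is the right behaviour for a raw endpoint and worth stating in the same comment. A regression test that requests this route unauthenticated and as a non-admin user and expects the Unauthorized/Forbidden exception would pin the fix.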
|
||||
|
|
|
@ -42,13 +42,10 @@ class Queue extends BaseAdmin
|
|||
{
|
||||
parent::content($parameters);
|
||||
|
||||
$a = DI::app();
|
||||
|
||||
// @TODO: Replace with parameter from router
|
||||
$deferred = $a->argc > 2 && $a->argv[2] == 'deferred';
|
||||
$status = $parameters['status'] ?? '';
|
||||
|
||||
// get jobs from the workerqueue table
|
||||
if ($deferred) {
|
||||
if ($status == 'deferred') {
|
||||
$condition = ["NOT `done` AND `retrial` > ?", 0];
|
||||
$sub_title = DI::l10n()->t('Inspect Deferred Worker Queue');
|
||||
$info = DI::l10n()->t("This page lists the deferred worker jobs. This are jobs that couldn't be executed at the first time.");
|
||||
|
|
|
@ -43,7 +43,7 @@ class Site extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/site', 'admin_site');
|
||||
|
||||
|
@ -718,7 +718,7 @@ class Site extends BaseAdmin
|
|||
'$relay_server_tags' => ['relay_server_tags', DI::l10n()->t('Server tags'), DI::config()->get('system', 'relay_server_tags'), DI::l10n()->t('Comma separated list of tags for the "tags" subscription.')],
|
||||
'$relay_user_tags' => ['relay_user_tags', DI::l10n()->t('Allow user tags'), DI::config()->get('system', 'relay_user_tags', true), DI::l10n()->t('If enabled, the tags from the saved searches will used for the "tags" subscription in addition to the "relay_server_tags".')],
|
||||
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_site'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_site'),
|
||||
'$relocate_button' => DI::l10n()->t('Start Relocation'),
|
||||
]);
|
||||
}
|
||||
|
|
|
@ -30,44 +30,11 @@ use Friendica\Util\Strings;
|
|||
|
||||
class Details extends BaseAdmin
|
||||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
|
||||
$a = DI::app();
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$theme = $a->argv[2];
|
||||
$theme = Strings::sanitizeFilePathItem($theme);
|
||||
if (is_file("view/theme/$theme/config.php")) {
|
||||
require_once "view/theme/$theme/config.php";
|
||||
|
||||
if (function_exists('theme_admin_post')) {
|
||||
theme_admin_post($a);
|
||||
}
|
||||
}
|
||||
|
||||
info(DI::l10n()->t('Theme settings updated.'));
|
||||
|
||||
if (DI::mode()->isAjax()) {
|
||||
return;
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/themes/' . $theme);
|
||||
}
|
||||
}
|
||||
|
||||
public static function content(array $parameters = [])
|
||||
{
|
||||
parent::content($parameters);
|
||||
|
||||
$a = DI::app();
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$theme = $a->argv[2];
|
||||
$theme = Strings::sanitizeFilePathItem($theme);
|
||||
$theme = Strings::sanitizeFilePathItem($parameters['theme']);
|
||||
if (!is_dir("view/theme/$theme")) {
|
||||
notice(DI::l10n()->t("Item not found."));
|
||||
return '';
|
||||
|
@ -83,7 +50,7 @@ class Details extends BaseAdmin
|
|||
}
|
||||
|
||||
if (!empty($_GET['action']) && $_GET['action'] == 'toggle') {
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');
|
||||
|
||||
if ($isEnabled) {
|
||||
Theme::uninstall($theme);
|
||||
|
@ -91,7 +58,7 @@ class Details extends BaseAdmin
|
|||
} elseif (Theme::install($theme)) {
|
||||
info(DI::l10n()->t('Theme %s successfully enabled.', $theme));
|
||||
} else {
|
||||
info(DI::l10n()->t('Theme %s failed to install.', $theme));
|
||||
notice(DI::l10n()->t('Theme %s failed to install.', $theme));
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/themes/' . $theme);
|
||||
|
@ -136,10 +103,7 @@ class Details extends BaseAdmin
|
|||
'$screenshot' => $screenshot,
|
||||
'$readme' => $readme,
|
||||
|
||||
'$form_security_token' => parent::getFormSecurityToken("admin_themes"),
|
||||
'$form_security_token' => self::getFormSecurityToken("admin_themes"),
|
||||
]);
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/themes');
|
||||
}
|
||||
}
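Review bot: post() is removed from Themes\Details in this section, but the routes hunk does not show the `/themes/{theme}` entry, so I cannot confirm that `R::POST` was dropped for it; if POST is still routed, a POST is silently handled as a GET through the inherited post(). Either remove POST from the route or keep a minimal `post()` that calls `parent::post($parameters); self::checkAdminAccess();` and redirects, and add a one-line comment on the class saying theme settings are now posted through Themes\Embed so the absence of post() is not mistaken for an omission. In the toggle branch, `$_GET['action'] == 'toggle'` could become `($_GET['action'] ?? '') === 'toggle'` to match the form Addons\Details now uses.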
|
||||
|
|
|
@ -30,58 +30,37 @@ class Embed extends BaseAdmin
|
|||
{
|
||||
public static function init(array $parameters = [])
|
||||
{
|
||||
$a = DI::app();
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$theme = $a->argv[2];
|
||||
$theme = Strings::sanitizeFilePathItem($theme);
|
||||
$theme = Strings::sanitizeFilePathItem($parameters['theme']);
|
||||
if (is_file("view/theme/$theme/config.php")) {
|
||||
$a->setCurrentTheme($theme);
|
||||
}
|
||||
DI::app()->setCurrentTheme($theme);
|
||||
}
|
||||
}
|
||||
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
$a = DI::app();
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$theme = $a->argv[2];
|
||||
$theme = Strings::sanitizeFilePathItem($theme);
|
||||
$theme = Strings::sanitizeFilePathItem($parameters['theme']);
|
||||
if (is_file("view/theme/$theme/config.php")) {
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/themes/' . $theme . '/embed?mode=minimal', 'admin_theme_settings');
|
||||
|
||||
require_once "view/theme/$theme/config.php";
|
||||
|
||||
if (function_exists('theme_admin_post')) {
|
||||
theme_admin_post($a);
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/themes/' . $theme . '/embed?mode=minimal', 'admin_theme_settings');
|
||||
theme_admin_post(DI::app());
|
||||
}
|
||||
}
|
||||
|
||||
info(DI::l10n()->t('Theme settings updated.'));
|
||||
|
||||
if (DI::mode()->isAjax()) {
|
||||
return;
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/themes/' . $theme . '/embed?mode=minimal');
|
||||
}
|
||||
}
|
||||
|
||||
public static function content(array $parameters = [])
|
||||
{
|
||||
parent::content($parameters);
|
||||
|
||||
$a = DI::app();
|
||||
|
||||
if ($a->argc > 2) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$theme = $a->argv[2];
|
||||
$theme = Strings::sanitizeFilePathItem($theme);
|
||||
$theme = Strings::sanitizeFilePathItem($parameters['theme']);
|
||||
if (!is_dir("view/theme/$theme")) {
|
||||
notice(DI::l10n()->t('Unknown theme.'));
|
||||
return '';
|
||||
|
@ -92,7 +71,7 @@ class Embed extends BaseAdmin
|
|||
require_once "view/theme/$theme/config.php";
|
||||
|
||||
if (function_exists('theme_admin')) {
|
||||
$admin_form = theme_admin($a);
|
||||
$admin_form = theme_admin(DI::app());
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -103,10 +82,7 @@ class Embed extends BaseAdmin
|
|||
return Renderer::replaceMacros($t, [
|
||||
'$action' => '/admin/themes/' . $theme . '/embed?mode=minimal',
|
||||
'$form' => $admin_form,
|
||||
'$form_security_token' => parent::getFormSecurityToken("admin_theme_settings"),
|
||||
'$form_security_token' => self::getFormSecurityToken("admin_theme_settings"),
|
||||
]);
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
|
|
@ -37,7 +37,7 @@ class Index extends BaseAdmin
|
|||
|
||||
// reload active themes
|
||||
if (!empty($_GET['action'])) {
|
||||
parent::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError(DI::baseUrl()->get() . '/admin/themes', 'admin_themes', 't');
|
||||
|
||||
switch ($_GET['action']) {
|
||||
case 'reload':
|
||||
|
@ -119,7 +119,7 @@ class Index extends BaseAdmin
|
|||
'$noplugshint' => DI::l10n()->t('No themes found on the system. They should be placed in %1$s', '<code>/view/themes</code>'),
|
||||
'$experimental' => DI::l10n()->t('[Experimental]'),
|
||||
'$unsupported' => DI::l10n()->t('[Unsupported]'),
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_themes'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_themes'),
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -29,14 +29,14 @@ class Tos extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
|
||||
self::checkAdminAccess();
|
||||
|
||||
if (empty($_POST['page_tos'])) {
|
||||
return;
|
||||
}
|
||||
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
|
||||
|
||||
$displaytos = !empty($_POST['displaytos']);
|
||||
$displayprivstatement = !empty($_POST['displayprivstatement']);
|
||||
$tostext = (!empty($_POST['tostext']) ? strip_tags(trim($_POST['tostext'])) : '');
|
||||
|
@ -64,7 +64,7 @@ class Tos extends BaseAdmin
|
|||
'$preview' => DI::l10n()->t('Privacy Statement Preview'),
|
||||
'$privtext' => $tos->privacy_complete,
|
||||
'$tostext' => ['tostext', DI::l10n()->t('The Terms of Service'), DI::config()->get('system', 'tostext'), DI::l10n()->t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_tos'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_tos'),
|
||||
'$submit' => DI::l10n()->t('Save Settings'),
|
||||
]);
|
||||
}
|
||||
|
|
|
@ -34,7 +34,9 @@ class Users extends BaseAdmin
|
|||
{
|
||||
public static function post(array $parameters = [])
|
||||
{
|
||||
parent::post($parameters);
|
||||
self::checkAdminAccess();
|
||||
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
|
||||
|
||||
$pending = $_POST['pending'] ?? [];
|
||||
$users = $_POST['user'] ?? [];
|
||||
|
@ -43,8 +45,6 @@ class Users extends BaseAdmin
|
|||
$nu_email = $_POST['new_user_email'] ?? '';
|
||||
$nu_language = DI::config()->get('system', 'language');
|
||||
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
|
||||
|
||||
if ($nu_name !== '' && $nu_email !== '' && $nu_nickname !== '') {
|
||||
try {
|
||||
User::createMinimal($nu_name, $nu_email, $nu_nickname, $nu_language);
|
||||
|
@ -101,23 +101,22 @@ class Users extends BaseAdmin
|
|||
{
|
||||
parent::content($parameters);
|
||||
|
||||
$a = DI::app();
|
||||
$action = $parameters['action'] ?? '';
|
||||
$uid = $parameters['uid'] ?? 0;
|
||||
|
||||
if ($a->argc > 3) {
|
||||
// @TODO: Replace with parameter from router
|
||||
$action = $a->argv[2];
|
||||
$uid = $a->argv[3];
|
||||
if ($uid) {
|
||||
$user = User::getById($uid, ['username', 'blocked']);
|
||||
if (!DBA::isResult($user)) {
|
||||
notice('User not found' . EOL);
|
||||
DI::baseUrl()->redirect('admin/users');
|
||||
return ''; // NOTREACHED
|
||||
}
|
||||
}
|
||||
|
||||
switch ($action) {
|
||||
case 'delete':
|
||||
if (local_user() != $uid) {
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
// delete user
|
||||
User::remove($uid);
|
||||
|
||||
|
@ -127,30 +126,26 @@ class Users extends BaseAdmin
|
|||
}
|
||||
break;
|
||||
case 'block':
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
User::block($uid);
|
||||
notice(DI::l10n()->t('User "%s" blocked', $user['username']));
|
||||
break;
|
||||
case 'unblock':
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
User::block($uid, false);
|
||||
notice(DI::l10n()->t('User "%s" unblocked', $user['username']));
|
||||
break;
|
||||
case 'allow':
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
User::allow(Register::getPendingForUser($uid)['hash'] ?? '');
|
||||
notice(DI::l10n()->t('Account approved.'));
|
||||
break;
|
||||
case 'deny':
|
||||
parent::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
self::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
|
||||
User::deny(Register::getPendingForUser($uid)['hash'] ?? '');
|
||||
notice(DI::l10n()->t('Registration revoked'));
|
||||
break;
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/users');
|
||||
}
|
||||
|
||||
default:
|
||||
/* get pending */
|
||||
$pending = Register::getPending();
|
||||
|
||||
|
@ -267,7 +262,7 @@ class Users extends BaseAdmin
|
|||
'$confirm_delete_multi' => DI::l10n()->t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
|
||||
'$confirm_delete' => DI::l10n()->t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
|
||||
|
||||
'$form_security_token' => parent::getFormSecurityToken('admin_users'),
|
||||
'$form_security_token' => self::getFormSecurityToken('admin_users'),
|
||||
|
||||
// values //
|
||||
'$baseurl' => DI::baseUrl()->get(true),
|
||||
|
@ -284,4 +279,8 @@ class Users extends BaseAdmin
|
|||
|
||||
return $o;
|
||||
}
|
||||
|
||||
DI::baseUrl()->redirect('admin/users');
|
||||
return '';
|
||||
}
|
||||
}
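Review bot: In the new content(), the non-default actions run whenever `$action` is set, while the `User::getById()` existence check only runs when `$uid` is truthy; if the route permits an action without a uid (the `/users` route is not in the routes hunk), `block`/`unblock` would call `User::block(0)` and read `$user['username']` from an undefined variable. Guard it explicitly before the switch — when `$action !== ''` and `$uid` is empty, emit the existing "User not found" notice and redirect to `admin/users` — or constrain the route so `{uid:\d+}` is mandatory whenever `{action}` is present. `$uid` also arrives as a string from the router; `$uid = (int)($parameters['uid'] ?? 0);` keeps `local_user() != $uid` and the model calls on integers and lets `!==` be used there. post() and the remainder of content() extend beyond the hunks.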
|
||||
|
|
|
@ -26,7 +26,7 @@ use Friendica\Core\Addon;
|
|||
use Friendica\Core\Renderer;
|
||||
use Friendica\Core\Session;
|
||||
use Friendica\DI;
|
||||
use Friendica\Network\HTTPException\ForbiddenException;
|
||||
use Friendica\Network\HTTPException;
|
||||
|
||||
require_once 'boot.php';
|
||||
|
||||
|
@ -42,42 +42,35 @@ require_once 'boot.php';
|
|||
*/
|
||||
abstract class BaseAdmin extends BaseModule
|
||||
{
|
||||
public static function post(array $parameters = [])
|
||||
/**
|
||||
* @param bool $interactive
|
||||
* @throws HTTPException\ForbiddenException
|
||||
* @throws HTTPException\InternalServerErrorException
|
||||
*/
|
||||
public static function checkAdminAccess(bool $interactive = false)
|
||||
{
|
||||
if (!is_site_admin()) {
|
||||
return;
|
||||
}
|
||||
|
||||
// do not allow a page manager to access the admin panel at all.
|
||||
if (!empty($_SESSION['submanage'])) {
|
||||
return;
|
||||
if (!local_user()) {
|
||||
if ($interactive) {
|
||||
notice(DI::l10n()->t('Please login to continue.'));
|
||||
Session::set('return_path', DI::args()->getQueryString());
|
||||
DI::baseUrl()->redirect('login');
|
||||
} else {
|
||||
throw new HTTPException\UnauthorizedException(DI::l10n()->t('Please login to continue.'));
|
||||
}
|
||||
}
|
||||
|
||||
public static function rawContent(array $parameters = [])
|
||||
{
|
||||
if (!is_site_admin()) {
|
||||
return '';
|
||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('You don\'t have access to administration pages.'));
|
||||
}
|
||||
|
||||
if (!empty($_SESSION['submanage'])) {
|
||||
return '';
|
||||
throw new HTTPException\ForbiddenException(DI::l10n()->t('Submanaged account can\'t access the administation pages. Please log back in as the main account.'));
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
public static function content(array $parameters = [])
|
||||
{
|
||||
if (!is_site_admin()) {
|
||||
notice(DI::l10n()->t('Please login to continue.'));
|
||||
Session::set('return_path', DI::args()->getQueryString());
|
||||
DI::baseUrl()->redirect('login');
|
||||
}
|
||||
|
||||
if (!empty($_SESSION['submanage'])) {
|
||||
throw new ForbiddenException(DI::l10n()->t('Submanaged account can\'t access the administation pages. Please log back in as the main account.'));
|
||||
}
|
||||
self::checkAdminAccess(true);
|
||||
|
||||
// Header stuff
|
||||
DI::page()['htmlhead'] .= Renderer::replaceMacros(Renderer::getMarkupTemplate('admin/settings_head.tpl'), []);
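Review bot: Removing post() and rawContent() from BaseAdmin makes the admin check opt-in: every subclass must now remember `self::checkAdminAccess()` after `parent::post()`, which is exactly the pattern that left PhpInfo::rawContent() unprotected. Keeping a BaseAdmin::post() and BaseAdmin::rawContent() that do `parent::post($parameters); self::checkAdminAccess();` (non-interactive, so they throw) would make the base class fail closed for any future module that forgets the call, and the explicit calls added in the subclasses would then be harmless duplicates. The docblock on checkAdminAccess() should also list `@throws HTTPException\UnauthorizedException`, which the `!local_user()` branch throws, and describe `$interactive` (true: redirect an unauthenticated user to login and store the return path; false: throw); a `: void` return type would fit too. The new Forbidden message still carries the typo 'administation' → 'administration'.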
|
||||
|
|
|
@ -73,9 +73,7 @@ return [
|
|||
'/blocklist/contact' => [Module\Admin\Blocklist\Contact::class, [R::GET, R::POST]],
|
||||
'/blocklist/server' => [Module\Admin\Blocklist\Server::class, [R::GET, R::POST]],
|
||||
|
||||
'/dbsync[/check]' => [Module\Admin\DBSync::class, [R::GET]],
|
||||
'/dbsync/{update:\d+}' => [Module\Admin\DBSync::class, [R::GET]],
|
||||
'/dbsync/mark/{update:\d+}' => [Module\Admin\DBSync::class, [R::GET]],
|
||||
'/dbsync[/{action}[/{update:\d+}]]' => [Module\Admin\DBSync::class, [R::GET]],
|
||||
|
||||
'/features' => [Module\Admin\Features::class, [R::GET, R::POST]],
|
||||
'/federation' => [Module\Admin\Federation::class, [R::GET]],
|
||||
|
@ -88,7 +86,7 @@ return [
|
|||
|
||||
'/phpinfo' => [Module\Admin\PhpInfo::class, [R::GET]],
|
||||
|
||||
'/queue[/deferred]' => [Module\Admin\Queue::class, [R::GET]],
|
||||
'/queue[/{status}]' => [Module\Admin\Queue::class, [R::GET]],
|
||||
|
||||
'/site' => [Module\Admin\Site::class, [R::GET, R::POST]],
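Review bot: `{action}` in the new `/dbsync[/{action}[/{update:\d+}]]` route and `{status}` in `/queue[/{status}]` accept any string, whereas the entries they replace enumerated the valid segments (`check`, `mark`, `deferred`), so unknown values now reach the modules and fall into their default branches instead of producing a 404. A regex placeholder keeps the route table as the single definition of valid actions, e.g. `'/dbsync[/{action:check|mark|update}[/{update:\d+}]]'` and `'/queue[/{status:deferred}]'`. Since `mark` and `update` are only meaningful with a number, splitting into `'/dbsync[/{action:check}]'` and `'/dbsync/{action:mark|update}/{update:\d+}'` would express that more tightly and let DBSync drop its `if ($update)` fallbacks.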
|
||||
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
{{if $admin_form}}
|
||||
<h3>{{$settings}}</h3>
|
||||
<form method="post" action="{{$baseurl}}/admin/{{$function}}/{{$addon}}">
|
||||
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
|
||||
{{$admin_form nofilter}}
|
||||
</form>
|
||||
{{/if}}
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
<ul>
|
||||
<li><a href="{{$baseurl}}/admin/dbsync/mark/{{$f}}">{{$mark}}</a></li>
|
||||
<li><a href="{{$baseurl}}/admin/dbsync/{{$f}}">{{$apply}}</a></li>
|
||||
<li><a href="{{$baseurl}}/admin/dbsync/update/{{$f}}">{{$apply}}</a></li>
|
||||
</ul>
|
||||
|
||||
<hr />
|
||||
|
|