perdedora/leftypol
1
0
Fork 0
forked from leftypol/leftypol
Code Pull requests Activity

Merge branch 'fix-security-token' into 'config'

Browse source 
Fix security token endpoin in browse user posts by IP

See merge request leftypol/leftypol!19
This commit is contained in:
Zankaria Auxa 2024-12-28 23:27:54 +00:00
commit 9430b1b78e
2 changed files with 5 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

44
inc/mod/pages.php
View file

@ -928,45 +928,6 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
$config = $ctx->get('config'); $config = $ctx->get('config');
if (isset($_POST['ban_id'], $_POST['unban'])) {
if (!hasPermission($config['mod']['unban']))
error($config['error']['noaccess']);
Bans::delete($_POST['ban_id'], true, $mod['boards']);
if (empty($encoded_cursor)) {
\header("Location: ?/user_posts/ip/$ip#bans", true, $config['redirect_http']);
} else {
\header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#bans", true, $config['redirect_http']);
}
return;
}
if (isset($_POST['note'])) {
if (!hasPermission($config['mod']['create_notes']))
error($config['error']['noaccess']);
$_POST['note'] = escape_markup_modifiers($_POST['note']);
markup($_POST['note']);
$query = prepare('INSERT INTO ``ip_notes`` VALUES (NULL, :ip, :mod, :time, :body)');
$query->bindValue(':ip', $ip);
$query->bindValue(':mod', $mod['id']);
$query->bindValue(':time', time());
$query->bindValue(':body', $_POST['note']);
$query->execute() or error(db_error($query));
Cache::delete("mod_page_ip_view_notes_$ip");
modLog("Added a note for <a href=\"?/user_posts/ip/{$ip}\">{$ip}</a>");
if (empty($encoded_cursor)) {
\header("Location: ?/user_posts/ip/$ip#notes", true, $config['redirect_http']);
} else {
\header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#notes", true, $config['redirect_http']);
}
return;
}
$args = [ $args = [
'ip' => $ip, 'ip' => $ip,
'posts' => [] 'posts' => []
@ -1051,10 +1012,11 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
$args['boards'] = $boards; $args['boards'] = $boards;
// Since the security token is only used to send requests to create notes and remove bans, use "?/IP/" as the url.
if (empty($encoded_cursor)) { if (empty($encoded_cursor)) {
$args['security_token'] = make_secure_link_token("user_posts/ip/$ip"); $args['security_token'] = make_secure_link_token("IP/$ip");
} else { } else {
$args['security_token'] = make_secure_link_token("user_posts/ip/$ip/cursor/$encoded_cursor"); $args['security_token'] = make_secure_link_token("IP/$ip/cursor/$encoded_cursor");
} }
mod_page(\sprintf('%s: %s', _('IP'), \htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']); mod_page(\sprintf('%s: %s', _('IP'), \htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']);

4
templates/mod/view_ip.html
View file

@ -43,7 +43,7 @@
{% endif %} {% endif %}
{% if mod|hasPermission(config.mod.create_notes) %} {% if mod|hasPermission(config.mod.create_notes) %}
<form action="" method="post" style="margin:0"> <form action="?/IP/{{ ip|url_encode(true) }}" method="post" style="margin:0">
<input type="hidden" name="token" value="{{ security_token }}"> <input type="hidden" name="token" value="{{ security_token }}">
<table> <table>
<tr> <tr>
@ -74,7 +74,7 @@
<legend>{{ bans|count }} {% trans bans_on_record %}</legend> <legend>{{ bans|count }} {% trans bans_on_record %}</legend>
{% for ban in bans %} {% for ban in bans %}
<form action="" method="post" style="text-align:center"> <form action="?/IP/{{ ip|url_encode(true) }}" method="post" style="text-align:center">
<input type="hidden" name="token" value="{{ security_token }}"> <input type="hidden" name="token" value="{{ security_token }}">
<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px"> <table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
<tr> <tr>