Merge branch 'fix-security-token' into 'config'
Fix security token endpoint in browse user posts by IP See merge request leftypol/leftypol!19
commit
9430b1b78e
2 changed files with 5 additions and 43 deletions
|
@ -928,45 +928,6 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
|
|||
|
||||
$config = $ctx->get('config');
|
||||
|
||||
if (isset($_POST['ban_id'], $_POST['unban'])) {
|
||||
if (!hasPermission($config['mod']['unban']))
|
||||
error($config['error']['noaccess']);
|
||||
|
||||
Bans::delete($_POST['ban_id'], true, $mod['boards']);
|
||||
|
||||
if (empty($encoded_cursor)) {
|
||||
\header("Location: ?/user_posts/ip/$ip#bans", true, $config['redirect_http']);
|
||||
} else {
|
||||
\header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#bans", true, $config['redirect_http']);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
if (isset($_POST['note'])) {
|
||||
if (!hasPermission($config['mod']['create_notes']))
|
||||
error($config['error']['noaccess']);
|
||||
|
||||
$_POST['note'] = escape_markup_modifiers($_POST['note']);
|
||||
markup($_POST['note']);
|
||||
$query = prepare('INSERT INTO ``ip_notes`` VALUES (NULL, :ip, :mod, :time, :body)');
|
||||
$query->bindValue(':ip', $ip);
|
||||
$query->bindValue(':mod', $mod['id']);
|
||||
$query->bindValue(':time', time());
|
||||
$query->bindValue(':body', $_POST['note']);
|
||||
$query->execute() or error(db_error($query));
|
||||
|
||||
Cache::delete("mod_page_ip_view_notes_$ip");
|
||||
|
||||
modLog("Added a note for <a href=\"?/user_posts/ip/{$ip}\">{$ip}</a>");
|
||||
|
||||
if (empty($encoded_cursor)) {
|
||||
\header("Location: ?/user_posts/ip/$ip#notes", true, $config['redirect_http']);
|
||||
} else {
|
||||
\header("Location: ?/user_posts/ip/$ip/cursor/$encoded_cursor#notes", true, $config['redirect_http']);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
$args = [
|
||||
'ip' => $ip,
|
||||
'posts' => []
|
||||
|
@ -1051,10 +1012,11 @@ function mod_user_posts_by_ip(Context $ctx, string $ip, string $encoded_cursor =
|
|||
|
||||
$args['boards'] = $boards;
|
||||
|
||||
// Since the security token is only used to send requests to create notes and remove bans, use "?/IP/" as the url.
|
||||
if (empty($encoded_cursor)) {
|
||||
$args['security_token'] = make_secure_link_token("user_posts/ip/$ip");
|
||||
$args['security_token'] = make_secure_link_token("IP/$ip");
|
||||
} else {
|
||||
$args['security_token'] = make_secure_link_token("user_posts/ip/$ip/cursor/$encoded_cursor");
|
||||
$args['security_token'] = make_secure_link_token("IP/$ip/cursor/$encoded_cursor");
|
||||
}
|
||||
|
||||
mod_page(\sprintf('%s: %s', _('IP'), \htmlspecialchars($ip)), 'mod/view_ip.html', $args, $args['hostname']);
|
||||
|
|
|
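Review bot: In the `else` branch the new token appears to be derived from `IP/$ip/cursor/$encoded_cursor`, yet both forms in the template post to `?/IP/{{ ip|url_encode(true) }}` with no cursor segment, and the added comment itself says the token is only used for `?/IP/`. If the token is checked against the requested path (the verifier is not shown on this page), creating a note or removing a ban from any paginated view would be rejected. Because the form target no longer depends on the cursor, both branches could collapse to `$args['security_token'] = make_secure_link_token("IP/$ip");`. The old/new side of the token lines is inferred from the commit title since the markers are lost in this rendering, and the body of `mod_user_posts_by_ip` starts and ends outside the hunk.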
@ -43,7 +43,7 @@
|
|||
{% endif %}
|
||||
|
||||
{% if mod|hasPermission(config.mod.create_notes) %}
|
||||
<form action="" method="post" style="margin:0">
|
||||
<form action="?/IP/{{ ip|url_encode(true) }}" method="post" style="margin:0">
|
||||
<input type="hidden" name="token" value="{{ security_token }}">
|
||||
<table>
|
||||
<tr>
|
||||
|
@ -74,7 +74,7 @@
|
|||
<legend>{{ bans|count }} {% trans bans_on_record %}</legend>
|
||||
|
||||
{% for ban in bans %}
|
||||
<form action="" method="post" style="text-align:center">
|
||||
<form action="?/IP/{{ ip|url_encode(true) }}" method="post" style="text-align:center">
|
||||
<input type="hidden" name="token" value="{{ security_token }}">
|
||||
<table style="width:400px;margin-bottom:10px;border-bottom:1px solid #ddd;padding:5px">
|
||||
<tr>
|
||||
|
|
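Review bot: Both forms percent-encode the address in the action (`ip|url_encode(true)`), while the token they submit is generated in the PHP handler from the raw `$ip`. The two only agree if the dispatcher decodes the query string before it validates the token, which is not visible here; an IPv6 address, whose colons get encoded, is the case worth testing. A short template comment on each form, for example `{# action must equal the path passed to make_secure_link_token() #}`, would keep the hard-coded route and the token path from drifting apart. Both forms continue past the end of their hunks.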