Merge pull request #1855 from nickvergessen/ticket/12002

Ticket/12002 Add link hash to extension manager links
Nathan Guse 2013-11-11 09:08:32 -08:00
commit fea933e2e9
3 changed files with 33 additions and 7 deletions


@ -21,7 +21,7 @@
<form id="acp_extensions" method="post" action="{U_PURGE}"> <form id="acp_extensions" method="post" action="{U_PURGE}">
<fieldset class="submit-buttons"> <fieldset class="submit-buttons">
<legend>{L_EXTENSION_DELETE_DATA}</legend> <legend>{L_EXTENSION_DELETE_DATA}</legend>
<input class="button1" type="submit" name="purge" value="{L_EXTENSION_DELETE_DATA}" /> <input class="button1" type="submit" name="delete_data" value="{L_EXTENSION_DELETE_DATA}" />
<input class="button2" type="submit" name="cancel" value="{L_CANCEL}" /> <input class="button2" type="submit" name="cancel" value="{L_CANCEL}" />
</fieldset> </fieldset>
</form> </form>


@ -55,6 +55,11 @@ class acp_extensions
$ext_name = ''; $ext_name = '';
} }
if (in_array($action, array('enable', 'disable', 'delete_data')) && !check_link_hash($request->variable('hash', ''), $action . '.' . $ext_name))
{
trigger_error('FORM_INVALID', E_USER_WARNING);
}
// If they've specified an extension, let's load the metadata manager and validate it. // If they've specified an extension, let's load the metadata manager and validate it.
if ($ext_name) if ($ext_name)
{ {
@ -98,7 +103,7 @@ class acp_extensions
$template->assign_vars(array( $template->assign_vars(array(
'PRE' => true, 'PRE' => true,
'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_ENABLE_CONFIRM', $md_manager->get_metadata('display-name')), 'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_ENABLE_CONFIRM', $md_manager->get_metadata('display-name')),
'U_ENABLE' => $this->u_action . '&amp;action=enable&amp;ext_name=' . urlencode($ext_name), 'U_ENABLE' => $this->u_action . '&amp;action=enable&amp;ext_name=' . urlencode($ext_name) . '&amp;hash=' . generate_link_hash('enable.' . $ext_name),
)); ));
break; break;
@ -117,7 +122,7 @@ class acp_extensions
{ {
$template->assign_var('S_NEXT_STEP', true); $template->assign_var('S_NEXT_STEP', true);
meta_refresh(0, $this->u_action . '&amp;action=enable&amp;ext_name=' . urlencode($ext_name)); meta_refresh(0, $this->u_action . '&amp;action=enable&amp;ext_name=' . urlencode($ext_name) . '&amp;hash=' . generate_link_hash('enable.' . $ext_name));
} }
} }
} }
@ -144,7 +149,7 @@ class acp_extensions
$template->assign_vars(array( $template->assign_vars(array(
'PRE' => true, 'PRE' => true,
'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_DISABLE_CONFIRM', $md_manager->get_metadata('display-name')), 'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_DISABLE_CONFIRM', $md_manager->get_metadata('display-name')),
'U_DISABLE' => $this->u_action . '&amp;action=disable&amp;ext_name=' . urlencode($ext_name), 'U_DISABLE' => $this->u_action . '&amp;action=disable&amp;ext_name=' . urlencode($ext_name) . '&amp;hash=' . generate_link_hash('disable.' . $ext_name),
)); ));
break; break;
@ -156,7 +161,7 @@ class acp_extensions
{ {
$template->assign_var('S_NEXT_STEP', true); $template->assign_var('S_NEXT_STEP', true);
meta_refresh(0, $this->u_action . '&amp;action=disable&amp;ext_name=' . urlencode($ext_name)); meta_refresh(0, $this->u_action . '&amp;action=disable&amp;ext_name=' . urlencode($ext_name) . '&amp;hash=' . generate_link_hash('disable.' . $ext_name));
} }
} }
@ -177,7 +182,7 @@ class acp_extensions
$template->assign_vars(array( $template->assign_vars(array(
'PRE' => true, 'PRE' => true,
'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_DELETE_DATA_CONFIRM', $md_manager->get_metadata('display-name')), 'L_CONFIRM_MESSAGE' => $this->user->lang('EXTENSION_DELETE_DATA_CONFIRM', $md_manager->get_metadata('display-name')),
'U_PURGE' => $this->u_action . '&amp;action=delete_data&amp;ext_name=' . urlencode($ext_name), 'U_PURGE' => $this->u_action . '&amp;action=delete_data&amp;ext_name=' . urlencode($ext_name) . '&amp;hash=' . generate_link_hash('delete_data.' . $ext_name),
)); ));
break; break;
@ -191,7 +196,7 @@ class acp_extensions
{ {
$template->assign_var('S_NEXT_STEP', true); $template->assign_var('S_NEXT_STEP', true);
meta_refresh(0, $this->u_action . '&amp;action=delete_data&amp;ext_name=' . urlencode($ext_name)); meta_refresh(0, $this->u_action . '&amp;action=delete_data&amp;ext_name=' . urlencode($ext_name) . '&amp;hash=' . generate_link_hash('delete_data.' . $ext_name));
} }
} }
} }
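Review bot: The hash name `$action . '.' . $ext_name` verified on line 25 is rebuilt by hand as six separate literals in this hunk (`'enable.' . $ext_name`, `'disable.' . $ext_name`, `'delete_data.' . $ext_name` on both the confirm-page URLs and the meta_refresh URLs), so an edit to any one of them silently turns into FORM_INVALID on every request for that action. A private helper such as `private function link_hash_name($action, $ext_name) { return $action . '.' . $ext_name; }` used by the check and by every `generate_link_hash(...)` call keeps the two sides in lockstep. Checking the hash before the metadata manager is loaded (line 29 onward) is the right order, since a forged or stale request fails before any extension code is touched. Whether `check_link_hash` compares the submitted token in constant time is not visible here and is worth confirming in that helper, although the hash is session-bound so the exposure is limited. The enclosing method starts and ends outside this hunk.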


@ -182,13 +182,34 @@ class phpbb_functional_extension_acp_test extends phpbb_functional_test_case
public function test_actions() public function test_actions()
{ {
// Access enable page without hash
$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=enable&ext_name=vendor%2Fmoo&sid=' . $this->sid); $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=enable&ext_name=vendor%2Fmoo&sid=' . $this->sid);
$this->assertContainsLang('FORM_INVALID', $crawler->filter('.errorbox')->text());
// Correctly submit the enable form
$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=enable_pre&ext_name=vendor%2Fmoo&sid=' . $this->sid);
$form = $crawler->selectButton('enable')->form();
$crawler = self::submit($form);
$this->assertContainsLang('EXTENSION_ENABLE_SUCCESS', $crawler->filter('.successbox')->text()); $this->assertContainsLang('EXTENSION_ENABLE_SUCCESS', $crawler->filter('.successbox')->text());
// Access disable page without hash
$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=disable&ext_name=vendor%2Fmoo&sid=' . $this->sid); $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=disable&ext_name=vendor%2Fmoo&sid=' . $this->sid);
$this->assertContainsLang('FORM_INVALID', $crawler->filter('.errorbox')->text());
// Correctly submit the disable form
$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=disable_pre&ext_name=vendor%2Fmoo&sid=' . $this->sid);
$form = $crawler->selectButton('disable')->form();
$crawler = self::submit($form);
$this->assertContainsLang('EXTENSION_DISABLE_SUCCESS', $crawler->filter('.successbox')->text()); $this->assertContainsLang('EXTENSION_DISABLE_SUCCESS', $crawler->filter('.successbox')->text());
// Access delete_data page without hash
$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=delete_data&ext_name=vendor%2Fmoo&sid=' . $this->sid); $crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=delete_data&ext_name=vendor%2Fmoo&sid=' . $this->sid);
$this->assertContainsLang('FORM_INVALID', $crawler->filter('.errorbox')->text());
// Correctly submit the delete data form
$crawler = self::request('GET', 'adm/index.php?i=acp_extensions&mode=main&action=delete_data_pre&ext_name=vendor%2Fmoo&sid=' . $this->sid);
$form = $crawler->selectButton('delete_data')->form();
$crawler = self::submit($form);
$this->assertContainsLang('EXTENSION_DELETE_DATA_SUCCESS', $crawler->filter('.successbox')->text()); $this->assertContainsLang('EXTENSION_DELETE_DATA_SUCCESS', $crawler->filter('.successbox')->text());
} }
} }
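Review bot: The new assertions only cover the no-hash case (lines 80–81, 88–89, 96–97); nothing pins the binding of the hash to `$action . '.' . $ext_name`, so a regression that accepts any valid session hash for any action or extension would still pass. After the enable form on line 84 has been obtained, take the `hash` query parameter from its action URL and request `adm/index.php?i=acp_extensions&mode=main&action=disable&ext_name=vendor%2Fmoo&hash=<enable hash>&sid=...` expecting `FORM_INVALID`, and do the same with the correct action but a different `ext_name`. A short comment such as `// A hash issued for enable must not be accepted for disable` above each case documents the contract the test is protecting. `test_actions` is fully contained in this hunk.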