Fix becomeUser and deleteUser CSRF protected submenu links.

This commit is contained in:
Colin Kuskie 2009-07-14 15:54:03 +00:00
parent cd67bed213
commit 6aa3784636
2 changed files with 17 additions and 14 deletions


@ -3,9 +3,8 @@
- fixed #10626: Carriage returns stripped from Wiki comments
- fixed #10572: CDN / CloudFront breaks 7.7.11 upgrade
- fixed #10630: If macro says that 0 is true
- WebGUI::Shop::PayDriver::PayPal::PayPalStd replaced by
WebGUI::Shop::PayDriver::PayPal. PayPalStd fought the Shop API and
didn't work.
- WebGUI::Shop::PayDriver::PayPal::PayPalStd replaced by WebGUI::Shop::PayDriver::PayPal. PayPalStd fought the Shop API and didn't work.
- fixed #10633: GET requests in Operation/User require valid CSRF token.
7.7.14
- fixed #10606: shelf selector


@ -75,15 +75,19 @@ sub _submenu {
$ac->addSubmenuItem($session->url->page("op=editUser;uid=new"), $i18n->get(169));
}
$ac->setFormUrl($session->url->page('op=editUser;uid='.$userId));
my $formId = $ac->getSubmenuFormId;
if (canEdit($session)) {
unless ($session->form->process("op") eq "listUsers"
|| $session->form->process("op") eq "deleteUser"
|| $userId eq "new") {
$ac->addSubmenuItem($session->url->page("op=editUser;uid=$userId"), $i18n->get(457));
$ac->addSubmenuItem($session->url->page("op=becomeUser;uid=$userId"), $i18n->get(751));
$ac->addSubmenuItem($session->url->page('op=becomeUser;uid='.$userId), $i18n->get(751), qq|onclick="var thisForm=document.getElementById('$formId');thisForm.op.value='becomeUser';thisForm.submit(); return false;"|);
my $user = WebGUI::User->new($session, $userId);
$ac->addSubmenuItem($user->getProfileUrl(), $i18n->get('view profile'));
$ac->addConfirmedSubmenuItem($session->url->page("op=deleteUser;uid=$userId"), $i18n->get(750), $i18n->get(167));
my $confirm = $i18n->get(167);
$confirm =~ s/([\\\'])/\\$1/g;
$ac->addSubmenuItem($session->url->page('op=deleteUser;uid='.$userId), $i18n->get(750), qq|onclick="var ack = confirm('$confirm'); alert(ack); if (ack) { var thisForm=document.getElementById('$formId');thisForm.op.value='deleteUser';thisForm.submit();} return false;"|);
if ($session->setting->get("useKarma")) {
$ac->addSubmenuItem($session->url->page("op=editUserKarma;uid=$userId"), $i18n->get(555));
}
@ -576,7 +580,7 @@ Allows an administrator to assume another user.
sub www_becomeUser {
my $session = shift;
return $session->privilege->adminOnly() unless canEdit($session);
return $session->privilege->adminOnly() unless canEdit($session) && $session->form->validToken;
return undef unless WebGUI::User->validUserId($session, $session->form->process("uid"));
$session->var->end($session->var->get("sessionId"));
$session->user({userId=>$session->form->process("uid")});
@ -595,14 +599,14 @@ after this.
sub www_deleteUser {
my $session = shift;
return $session->privilege->adminOnly() unless canEdit($session);
my ($u);
if ($session->form->process("uid") eq '1' || $session->form->process("uid") eq '3') {
return WebGUI::AdminConsole->new($session,"users")->render($session->privilege->vitalComponent());
} else {
$u = WebGUI::User->new($session,$session->form->process("uid"));
$u->delete;
return www_listUsers($session);
return $session->privilege->adminOnly() unless canEdit($session) && $session->form->validToken;
if ($session->form->process("uid") eq '1' || $session->form->process("uid") eq '3') {
return WebGUI::AdminConsole->new($session,"users")->render($session->privilege->vitalComponent());
}
else {
my $u = WebGUI::User->new($session,$session->form->process("uid"));
$u->delete;
return www_listUsers($session);
}
}
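Review bot: The new deleteUser onclick handler in the `_submenu` hunk still contains `alert(ack);`, which pops a second dialog showing "true"/"false" to the administrator after the confirm prompt; it reads as leftover debugging and should be dropped, e.g. `qq|onclick="if (confirm('$confirm')) { var thisForm=document.getElementById('$formId');thisForm.op.value='deleteUser';thisForm.submit(); } return false;"|`. The substitution on the preceding line escapes backslashes and single quotes so the translated text survives as a JavaScript string literal, but that literal sits inside a double-quoted HTML attribute, so a `"` or newline in the i18n string (key 167) would still break the markup unless addSubmenuItem attribute-encodes its third argument, which I cannot confirm from this hunk; HTML-encoding `$confirm` (at least `"` to `&quot;`) or a comment stating that addSubmenuItem does so would settle it. Both the becomeUser and deleteUser handlers assume the submenu form exposes a hidden `op` field whose value the JavaScript overwrites before submit, which deserves a comment on `my $formId = $ac->getSubmenuFormId;` such as `# submit via the submenu form so the CSRF token travels with the request; the form's hidden "op" field is overwritten client-side`. `_submenu` starts and ends outside the hunk.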