diff options
Diffstat (limited to 'phpBB/includes/acp/acp_profile.php')
| -rw-r--r-- | phpBB/includes/acp/acp_profile.php | 55 |
1 files changed, 41 insertions, 14 deletions
diff --git a/phpBB/includes/acp/acp_profile.php b/phpBB/includes/acp/acp_profile.php index 43668b8ad5..2012d3c513 100644 --- a/phpBB/includes/acp/acp_profile.php +++ b/phpBB/includes/acp/acp_profile.php @@ -33,8 +33,15 @@ class acp_profile global $phpbb_root_path, $phpbb_admin_path, $phpEx, $table_prefix; global $request, $phpbb_container, $phpbb_dispatcher; - include($phpbb_root_path . 'includes/functions_posting.' . $phpEx); - include($phpbb_root_path . 'includes/functions_user.' . $phpEx); + if (!function_exists('generate_smilies')) + { + include($phpbb_root_path . 'includes/functions_posting.' . $phpEx); + } + + if (!function_exists('user_get_id_name')) + { + include($phpbb_root_path . 'includes/functions_user.' . $phpEx); + } $user->add_lang(array('ucp', 'acp/profile')); $this->tpl_name = 'acp_profile'; @@ -46,6 +53,9 @@ class acp_profile $error = array(); $s_hidden_fields = ''; + $form_key = 'acp_profile'; + add_form_key($form_key); + if (!$field_id && in_array($action, array('delete','activate', 'deactivate', 'move_up', 'move_down', 'edit'))) { trigger_error($user->lang['NO_FIELD_ID'] . adm_back_link($this->u_action), E_USER_WARNING); @@ -154,6 +164,11 @@ class acp_profile case 'activate': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT lang_id FROM ' . LANG_TABLE . " WHERE lang_iso = '" . $db->sql_escape($config['default_lang']) . "'"; @@ -194,6 +209,11 @@ class acp_profile case 'deactivate': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'UPDATE ' . PROFILE_FIELDS_TABLE . " SET field_active = 0 WHERE field_id = $field_id"; @@ -223,6 +243,11 @@ class acp_profile case 'move_up': case 'move_down': + if (!check_link_hash($request->variable('hash', ''), 'acp_profile')) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $sql = 'SELECT field_order FROM ' . PROFILE_FIELDS_TABLE . " WHERE field_id = $field_id"; @@ -537,13 +562,14 @@ class acp_profile } } - $step = (isset($_REQUEST['next'])) ? $step + 1 : ((isset($_REQUEST['prev'])) ? $step - 1 : $step); - if (sizeof($error)) { - $step--; $submit = false; } + else + { + $step = (isset($_REQUEST['next'])) ? $step + 1 : ((isset($_REQUEST['prev'])) ? $step - 1 : $step); + } // Build up the specific hidden fields foreach ($exclude as $num => $key_ary) @@ -561,7 +587,7 @@ class acp_profile $var = $profile_field->prepare_hidden_fields($step, $key, $action, $field_data); if ($var !== null) { - $_new_key_ary[$key] = $profile_field->prepare_hidden_fields($step, $key, $action, $field_data); + $_new_key_ary[$key] = $var; } } $cp->vars = $field_data; @@ -571,12 +597,13 @@ class acp_profile if (!sizeof($error)) { - if ($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) - { - $this->save_profile_field($cp, $field_type, $action); - } - else if ($action == 'edit' && $save) + if (($step == 3 && (sizeof($this->lang_defs['iso']) == 1 || $save)) || ($action == 'edit' && $save)) { + if (!check_form_key($form_key)) + { + trigger_error($user->lang['FORM_INVALID'] . adm_back_link($this->u_action), E_USER_WARNING); + } + $this->save_profile_field($cp, $field_type, $action); } } @@ -731,12 +758,12 @@ class acp_profile 'FIELD_TYPE' => $profile_field->get_name(), 'L_ACTIVATE_DEACTIVATE' => $user->lang[$active_lang], - 'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id", + 'U_ACTIVATE_DEACTIVATE' => $this->u_action . "&action=$active_value&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), 'U_EDIT' => $this->u_action . "&action=edit&field_id=$id", 'U_TRANSLATE' => $this->u_action . "&action=edit&field_id=$id&step=3", 'U_DELETE' => $this->u_action . "&action=delete&field_id=$id", - 'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id", - 'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id", + 'U_MOVE_UP' => $this->u_action . "&action=move_up&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), + 'U_MOVE_DOWN' => $this->u_action . "&action=move_down&field_id=$id" . '&hash=' . generate_link_hash('acp_profile'), 'S_NEED_EDIT' => $s_need_edit) ); |