@ -157,6 +157,8 @@ function mod_dashboard() {
$args['newer_release'] = $latest;
$args['newer_release'] = $latest;
}
}
$args['logout_token'] = make_secure_link_token('logout');
mod_page(_('Dashboard'), 'mod/dashboard.html', $args);
mod_page(_('Dashboard'), 'mod/dashboard.html', $args);
}
}
@ -389,7 +391,10 @@ function mod_edit_board($boardName) {
header('Location: ?/', true, $config['redirect_http']);
header('Location: ?/', true, $config['redirect_http']);
} else {
} else {
mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array('board' => $board));
mod_page(sprintf('%s: ' . $config['board_abbreviation'], _('Edit board'), $board['uri']), 'mod/board.html', array(
'board' => $board,
'token' => make_secure_link_token('edit/' . $board['uri'])
));
}
}
}
}
@ -459,7 +464,7 @@ function mod_new_board() {
header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']);
header('Location: ?/' . $board['uri'] . '/' . $config['file_index'], true, $config['redirect_http']);
}
}
mod_page(_('New board'), 'mod/board.html', array('new' => true));
mod_page(_('New board'), 'mod/board.html', array('new' => true, 'token' => make_secure_link_token('new-board') ));
}
}
function mod_noticeboard($page_no = 1) {
function mod_noticeboard($page_no = 1) {
@ -502,11 +507,19 @@ function mod_noticeboard($page_no = 1) {
if (empty($noticeboard) & & $page_no > 1)
if (empty($noticeboard) & & $page_no > 1)
error($config['error']['404']);
error($config['error']['404']);
foreach ($noticeboard as & $entry) {
$entry['delete_token'] = make_secure_link_token('noticeboard/delete/' . $entry['id']);
}
$query = prepare("SELECT COUNT(*) FROM ``noticeboard``");
$query = prepare("SELECT COUNT(*) FROM ``noticeboard``");
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
$count = $query->fetchColumn();
$count = $query->fetchColumn();
mod_page(_('Noticeboard'), 'mod/noticeboard.html', array('noticeboard' => $noticeboard, 'count' => $count));
mod_page(_('Noticeboard'), 'mod/noticeboard.html', array(
'noticeboard' => $noticeboard,
'count' => $count,
'token' => make_secure_link_token('noticeboard')
));
}
}
function mod_noticeboard_delete($id) {
function mod_noticeboard_delete($id) {
@ -563,11 +576,15 @@ function mod_news($page_no = 1) {
if (empty($news) & & $page_no > 1)
if (empty($news) & & $page_no > 1)
error($config['error']['404']);
error($config['error']['404']);
foreach ($news as & $entry) {
$entry['delete_token'] = make_secure_link_token('news/delete/' . $entry['id']);
}
$query = prepare("SELECT COUNT(*) FROM ``news``");
$query = prepare("SELECT COUNT(*) FROM ``news``");
$query->execute() or error(db_error($query));
$query->execute() or error(db_error($query));
$count = $query->fetchColumn();
$count = $query->fetchColumn();
mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count));
mod_page(_('News'), 'mod/news.html', array('news' => $news, 'count' => $count, 'token' => make_secure_link_token('news') ));
}
}
function mod_news_delete($id) {
function mod_news_delete($id) {
@ -773,6 +790,8 @@ function mod_page_ip($ip) {
$args['logs'] = array();
$args['logs'] = array();
}
}
$args['security_token'] = make_secure_link_token('IP/' . $ip);
mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
mod_page(sprintf('%s: %s', _('IP'), $ip), 'mod/view_ip.html', $args, $args['hostname']);
}
}
@ -835,7 +854,11 @@ function mod_bans($page_no = 1) {
$ban['single_addr'] = true;
$ban['single_addr'] = true;
}
}
mod_page(_('Ban list'), 'mod/ban_list.html', array('bans' => $bans, 'count' => Bans::count()));
mod_page(_('Ban list'), 'mod/ban_list.html', array(
'bans' => $bans,
'count' => Bans::count(),
'token' => make_secure_link_token('bans')
));
}
}
function mod_ban_appeals() {
function mod_ban_appeals() {
@ -851,15 +874,23 @@ function mod_ban_appeals() {
if (isset($_POST['appeal_id']) & & (isset($_POST['unban']) || isset($_POST['deny']))) {
if (isset($_POST['appeal_id']) & & (isset($_POST['unban']) || isset($_POST['deny']))) {
if (!hasPermission($config['mod']['ban_appeals']))
if (!hasPermission($config['mod']['ban_appeals']))
error($config['error']['noaccess']);
error($config['error']['noaccess']);
if (isset($_POST['unban'])) {
$query = query("SELECT `ban_id` FROM ``ban_appeals`` WHERE `id` = " .
$query = query("SELECT *, ` `ban_appeals``.`id` AS ` id` FROM ``ban_appeals``
(int)$_POST['appeal_id']) or error(db_error());
LEFT JOIN ``bans`` ON `ban_id` = ``bans``.`id`
if ($ban_id = $query->fetchColumn()) {
WHERE ``ban_appeals``.`id` = " . (int)$_POST['appeal_id']) or error(db_error());
Bans::delete($ban_id);
if (!$ban = $query->fetch(PDO::FETCH_ASSOC)) {
query("DELETE FROM ``ban_appeals`` WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error( ));
error(_('Ban appeal not found!' ));
}
}
$ban['mask'] = Bans::range_to_string(array($ban['ipstart'], $ban['ipend']));
if (isset($_POST['unban'])) {
modLog('Accepted ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
Bans::delete($ban['ban_id'], true);
query("DELETE FROM ``ban_appeals`` WHERE `id` = " . $ban['id']) or error(db_error());
} else {
} else {
query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . (int)$_POST['appeal_id']) or error(db_error());
modLog('Denied ban appeal #' . $ban['id'] . ' for ' . $ban['mask']);
query("UPDATE ``ban_appeals`` SET `denied` = 1 WHERE `id` = " . $ban['id']) or error(db_error());
}
}
header('Location: ?/ban-appeals', true, $config['redirect_http']);
header('Location: ?/ban-appeals', true, $config['redirect_http']);
@ -898,7 +929,10 @@ function mod_ban_appeals() {
}
}
}
}
mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array('ban_appeals' => $ban_appeals));
mod_page(_('Ban appeals'), 'mod/ban_appeals.html', array(
'ban_appeals' => $ban_appeals,
'token' => make_secure_link_token('ban-appeals')
));
}
}
function mod_lock($board, $unlock, $post) {
function mod_lock($board, $unlock, $post) {
@ -1583,7 +1617,12 @@ function mod_user($uid) {
$user['boards'] = explode(',', $user['boards']);
$user['boards'] = explode(',', $user['boards']);
mod_page(_('Edit user'), 'mod/user.html', array('user' => $user, 'logs' => $log, 'boards' => listBoards()));
mod_page(_('Edit user'), 'mod/user.html', array(
'user' => $user,
'logs' => $log,
'boards' => listBoards(),
'token' => make_secure_link_token('users/' . $user['id'])
));
}
}
function mod_user_new() {
function mod_user_new() {
@ -1636,7 +1675,7 @@ function mod_user_new() {
return;
return;
}
}
mod_page(_('Edit user'), 'mod/user.html', array('new' => true, 'boards' => listBoards()));
mod_page(_('New user'), 'mod/user.html', array('new' => true, 'boards' => listBoards(), 'token' => make_secure_link_token('users/new' )));
}
}
@ -1646,9 +1685,18 @@ function mod_users() {
if (!hasPermission($config['mod']['manageusers']))
if (!hasPermission($config['mod']['manageusers']))
error($config['error']['noaccess']);
error($config['error']['noaccess']);
$query = query("SELECT *, (SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`, (SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action` FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
$query = query("SELECT
*,
(SELECT `time` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `last`,
(SELECT `text` FROM ``modlogs`` WHERE `mod` = `id` ORDER BY `time` DESC LIMIT 1) AS `action`
FROM ``mods`` ORDER BY `type` DESC,`id`") or error(db_error());
$users = $query->fetchAll(PDO::FETCH_ASSOC);
$users = $query->fetchAll(PDO::FETCH_ASSOC);
foreach ($users as & $user) {
$user['promote_token'] = make_secure_link_token("users/{$user['id']}/promote");
$user['demote_token'] = make_secure_link_token("users/{$user['id']}/demote");
}
mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users));
mod_page(sprintf('%s (%d)', _('Manage users'), count($users)), 'mod/users.html', array('users' => $users));
}
}
@ -1740,7 +1788,10 @@ function mod_pm($id, $reply = false) {
error($config['error']['404']); // deleted?
error($config['error']['404']); // deleted?
mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array(
mod_page(sprintf('%s %s', _('New PM for'), $pm['to_username']), 'mod/new_pm.html', array(
'username' => $pm['username'], 'id' => $pm['sender'], 'message' => quote($pm['message'])
'username' => $pm['username'],
'id' => $pm['sender'],
'message' => quote($pm['message']),
'token' => make_secure_link_token('new_PM/' . $pm['username'])
));
));
} else {
} else {
mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm);
mod_page(sprintf('%s – #%d', _('Private message'), $id), 'mod/pm.html', $pm);
@ -1812,7 +1863,11 @@ function mod_new_pm($username) {
header('Location: ?/', true, $config['redirect_http']);
header('Location: ?/', true, $config['redirect_http']);
}
}
mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array('username' => $username, 'id' => $id));
mod_page(sprintf('%s %s', _('New PM for'), $username), 'mod/new_pm.html', array(
'username' => $username,
'id' => $id,
'token' => make_secure_link_token('new_PM/' . $username)
));
}
}
function mod_rebuild() {
function mod_rebuild() {
@ -1881,7 +1936,10 @@ function mod_rebuild() {
return;
return;
}
}
mod_page(_('Rebuild'), 'mod/rebuild.html', array('boards' => listBoards()));
mod_page(_('Rebuild'), 'mod/rebuild.html', array(
'boards' => listBoards(),
'token' => make_secure_link_token('rebuild')
));
}
}
function mod_reports() {
function mod_reports() {
@ -1936,7 +1994,13 @@ function mod_reports() {
}
}
// a little messy and inefficient
// a little messy and inefficient
$append_html = Element('mod/report.html', array('report' => $report, 'config' => $config, 'mod' => $mod));
$append_html = Element('mod/report.html', array(
'report' => $report,
'config' => $config,
'mod' => $mod,
'token' => make_secure_link_token('reports/' . $report['id'] . '/dismiss'),
'token_all' => make_secure_link_token('reports/' . $report['id'] . '/dismissall')
));
// Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
// Bug fix for https://github.com/savetheinternet/Tinyboard/issues/21
$po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '< br > '));
$po->body = truncate($po->body, $po->link(), $config['body_truncate'] - substr_count($append_html, '< br > '));
@ -2030,7 +2094,8 @@ function mod_config($board_config = false) {
'readonly' => $readonly,
'readonly' => $readonly,
'boards' => listBoards(),
'boards' => listBoards(),
'board' => $board_config,
'board' => $board_config,
'file' => $config_file
'file' => $config_file,
'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
));
));
return;
return;
}
}
@ -2113,7 +2178,7 @@ function mod_config($board_config = false) {
}
}
}
}
header('Location: ?/config', true, $config['redirect_http']);
header('Location: ?/config' . ($board_config ? '/' . $board_config : '') , true, $config['redirect_http']);
exit;
exit;
}
}
@ -2123,7 +2188,8 @@ function mod_config($board_config = false) {
'boards' => listBoards(),
'boards' => listBoards(),
'board' => $board_config,
'board' => $board_config,
'conf' => $conf,
'conf' => $conf,
'file' => $config_file
'file' => $config_file,
'token' => make_secure_link_token('config' . ($board_config ? '/' . $board_config : ''))
));
));
}
}
@ -2150,6 +2216,11 @@ function mod_themes_list() {
}
}
closedir($dir);
closedir($dir);
foreach ($themes as $theme_name => & $theme) {
$theme['rebuild_token'] = make_secure_link_token('themes/' . $theme_name . '/rebuild');
$theme['uninstall_token'] = make_secure_link_token('themes/' . $theme_name . '/uninstall');
}
mod_page(_('Manage themes'), 'mod/themes.html', array(
mod_page(_('Manage themes'), 'mod/themes.html', array(
'themes' => $themes,
'themes' => $themes,
'themes_in_use' => $themes_in_use,
'themes_in_use' => $themes_in_use,
@ -2219,7 +2290,7 @@ function mod_theme_configure($theme_name) {
'theme_name' => $theme_name,
'theme_name' => $theme_name,
'theme' => $theme,
'theme' => $theme,
'result' => $result,
'result' => $result,
'message' => $message,
'message' => $message
));
));
return;
return;
}
}
@ -2230,6 +2301,7 @@ function mod_theme_configure($theme_name) {
'theme_name' => $theme_name,
'theme_name' => $theme_name,
'theme' => $theme,
'theme' => $theme,
'settings' => $settings,
'settings' => $settings,
'token' => make_secure_link_token('themes/' . $theme_name)
));
));
}
}