mirror of
https://github.com/Oreolek/ifhub.club.git
synced 2024-06-26 03:30:48 +03:00
Improve Security module
This commit is contained in:
Alexey Kachayev
parent
915862e936
commit
9c8c8f86b2
|
|
@ -357,6 +357,8 @@ class ActionBlog extends Action {
|
|||
* Обрабатываем сохранение формы
|
||||
*/
|
||||
if (isPost('submit_blog_admin')) {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$aUserRank=getRequest('user_rank',array());
|
||||
if (!is_array($aUserRank)) {
|
||||
$aUserRank=array();
|
||||
|
|
@ -427,6 +429,7 @@ class ActionBlog extends Action {
|
|||
* @return bool
|
||||
*/
|
||||
protected function checkBlogFields($oBlog=null) {
|
||||
$this->Security_ValidateSendForm();
|
||||
/**
|
||||
* Проверяем только если была отправлена форма с данными (методом POST)
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -248,46 +248,48 @@ class ActionPage extends Action {
|
|||
* @return unknown
|
||||
*/
|
||||
protected function CheckPageFields() {
|
||||
$bOk=true;
|
||||
/**
|
||||
* Проверяем есть ли заголовок топика
|
||||
*/
|
||||
if (!func_check(getRequest('page_title',null,'post'),'text',2,200)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_title_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем есть ли заголовок топика, с заменой всех пробельных символов на "_"
|
||||
*/
|
||||
$pageUrl=preg_replace("/\s+/",'_',getRequest('page_url',null,'post'));
|
||||
$_REQUEST['page_url']=$pageUrl;
|
||||
if (!func_check(getRequest('page_url',null,'post'),'login',1,50)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_url_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем на счет плохих УРЛов
|
||||
*/
|
||||
if (in_array(getRequest('page_url',null,'post'),$this->aBadPageUrl)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_url_error_bad').' '.join(',',$this->aBadPageUrl),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем есть ли содержание страницы
|
||||
*/
|
||||
if (!func_check(getRequest('page_text',null,'post'),'text',1,50000)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_text_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем страницу в которую хотим вложить
|
||||
*/
|
||||
if (getRequest('page_pid')!=0 and !($oPageParent=$this->Page_GetPageById(getRequest('page_pid')))) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_parent_page_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$bOk=true;
|
||||
/**
|
||||
* Проверяем есть ли заголовок топика
|
||||
*/
|
||||
if (!func_check(getRequest('page_title',null,'post'),'text',2,200)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_title_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем есть ли заголовок топика, с заменой всех пробельных символов на "_"
|
||||
*/
|
||||
$pageUrl=preg_replace("/\s+/",'_',getRequest('page_url',null,'post'));
|
||||
$_REQUEST['page_url']=$pageUrl;
|
||||
if (!func_check(getRequest('page_url',null,'post'),'login',1,50)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_url_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем на счет плохих УРЛов
|
||||
*/
|
||||
if (in_array(getRequest('page_url',null,'post'),$this->aBadPageUrl)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_url_error_bad').' '.join(',',$this->aBadPageUrl),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем есть ли содержание страницы
|
||||
*/
|
||||
if (!func_check(getRequest('page_text',null,'post'),'text',1,50000)) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_text_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
/**
|
||||
* Проверяем страницу в которую хотим вложить
|
||||
*/
|
||||
if (getRequest('page_pid')!=0 and !($oPageParent=$this->Page_GetPageById(getRequest('page_pid')))) {
|
||||
$this->Message_AddError($this->Lang_Get('page_create_parent_page_error'),$this->Lang_Get('error'));
|
||||
$bOk=false;
|
||||
}
|
||||
|
||||
return $bOk;
|
||||
return $bOk;
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -410,6 +410,8 @@ class ActionQuestion extends Action {
|
|||
* @return unknown
|
||||
*/
|
||||
protected function checkTopicFields($oTopic=null) {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$bOk=true;
|
||||
/**
|
||||
* Проверяем есть ли блог в кторый постим
|
||||
|
|
|
|||
|
|
@ -79,6 +79,8 @@ class ActionSettings extends Action {
|
|||
$this->Viewer_AddHtmlTitle($this->Lang_Get('settings_menu_tuning'));
|
||||
|
||||
if (isPost('submit_settings_tuning')) {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$this->oUserCurrent->setSettingsNoticeNewTopic( getRequest('settings_notice_new_topic') ? 1 : 0 );
|
||||
$this->oUserCurrent->setSettingsNoticeNewComment( getRequest('settings_notice_new_comment') ? 1 : 0 );
|
||||
$this->oUserCurrent->setSettingsNoticeNewTalk( getRequest('settings_notice_new_talk') ? 1 : 0 );
|
||||
|
|
@ -108,6 +110,8 @@ class ActionSettings extends Action {
|
|||
$this->Viewer_AddHtmlTitle($this->Lang_Get('settings_menu_invite'));
|
||||
|
||||
if (isPost('submit_invite')) {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$bError=false;
|
||||
if (!$this->ACL_CanSendInvite($this->oUserCurrent) and !$this->oUserCurrent->isAdministrator()) {
|
||||
$this->Message_AddError($this->Lang_Get('settings_invite_available_no'),$this->Lang_Get('error'));
|
||||
|
|
@ -138,6 +142,8 @@ class ActionSettings extends Action {
|
|||
* Если нажали кнопку "Сохранить"
|
||||
*/
|
||||
if (isPost('submit_profile_edit')) {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$bError=false;
|
||||
/**
|
||||
* Заполняем профиль из полей формы
|
||||
|
|
|
|||
|
|
@ -99,6 +99,8 @@ class ActionTalk extends Action {
|
|||
* Обработка удаления сообщений
|
||||
*/
|
||||
if (isPost('submit_talk_del')) {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$aTalksIdDel=getRequest('talk_del');
|
||||
if (is_array($aTalksIdDel)) {
|
||||
$this->Talk_DeleteTalkUserByArray(array_keys($aTalksIdDel),$this->oUserCurrent->getId());
|
||||
|
|
@ -346,6 +348,8 @@ class ActionTalk extends Action {
|
|||
|
||||
|
||||
protected function checkTalkFields() {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$bOk=true;
|
||||
/**
|
||||
* Проверяем есть ли заголовок
|
||||
|
|
|
|||
|
|
@ -489,6 +489,8 @@ class ActionTopic extends Action {
|
|||
* @return unknown
|
||||
*/
|
||||
protected function checkTopicFields() {
|
||||
$this->Security_ValidateSendForm();
|
||||
|
||||
$bOk=true;
|
||||
/**
|
||||
* Проверяем есть ли блог в кторый постим
|
||||
|
|
|
|||
|
|
@ -192,7 +192,8 @@ $config['module']['image']['foto']['round_corner'] = false;
|
|||
$config['module']['image']['topic']['watermark_use'] = false;
|
||||
$config['module']['image']['topic']['round_corner'] = false;
|
||||
// Модуль Security
|
||||
$config['module']['security']['key'] = "livestreet_security_key"; // ключ сессии для хранения security-кода
|
||||
$config['module']['security']['key'] = "livestreet_security_key"; // ключ сессии для хранения security-кода
|
||||
$config['module']['security']['hash'] = "livestreet_security_key"; // "примесь" к строке, хешируемой в качестве security-кода
|
||||
|
||||
// Какие модули должны быть загружены на старте
|
||||
$config['module']['autoLoad'] = array('Cache', 'Security','Session','User', 'Lang', 'Message');
|
||||
|
|
|
|||
|
|
@ -60,8 +60,8 @@ class LsSecurity extends Module {
|
|||
*
|
||||
*/
|
||||
public function SetSessionKey() {
|
||||
$sCode = md5(microtime().func_generator(32));
|
||||
$this->Session_Set(Config::Get('module.security.key'), $sCode);
|
||||
$sCode = md5($this->Session_GetId().Config::Get('module.security.hash'));
|
||||
if($this->User_IsAuthorization()) $this->Session_Set(Config::Get('module.security.key'), $sCode);
|
||||
$this->Viewer_Assign('LIVESTREET_SECURITY_KEY',$sCode);
|
||||
|
||||
return $sCode;
|
||||
|
|
|
|||
|
|
@ -87,6 +87,14 @@ class LsSession extends Module {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Получает идентификатор текущей сессии
|
||||
*
|
||||
*/
|
||||
public function GetId() {
|
||||
return $this->sId;
|
||||
}
|
||||
|
||||
/**
|
||||
* Гинерирует уникальный идентификатор
|
||||
*
|
||||
|
|
|
|||
|
|
@ -10,7 +10,8 @@
|
|||
<h1>{$aLang.blog_admin}: <a href="{router page='blog'}{$oBlogEdit->getUrl()}/">{$oBlogEdit->getTitle()}</a></h1>
|
||||
{/if}
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p><label for="blog_title">{$aLang.blog_create_title}:</label><br />
|
||||
<input type="text" id="blog_title" name="blog_title" value="{$_aRequest.blog_title}" class="w100p" /><br />
|
||||
<span class="form_note">{$aLang.blog_create_title_notice}</span></p>
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
{if $aBlogUsers}
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
<table class="table-blog-users">
|
||||
<thead>
|
||||
<tr>
|
||||
|
|
|
|||
|
|
@ -26,6 +26,8 @@ document.addEvent('domready', function() {
|
|||
<h1>{$aLang.topic_link_edit}</h1>
|
||||
{/if}
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p><label for="blog_id">{$aLang.topic_create_blog}</label>
|
||||
<select name="blog_id" id="blog_id" onChange="ajaxBlogInfo(this.value);">
|
||||
<option value="0">{$aLang.topic_create_blog_personal}</option>
|
||||
|
|
|
|||
|
|
@ -30,6 +30,8 @@ tinyMCE.init({
|
|||
{/if}
|
||||
|
||||
<form action="" method="POST">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p><label for="page_pid">{$aLang.page_create_parent_page}</label>
|
||||
<select name="page_pid" id="page_pid" >
|
||||
<option value="0"></option>
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@ document.addEvent('domready', function() {
|
|||
<h1>{$aLang.topic_question_edit}</h1>
|
||||
{/if}
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p><label for="blog_id">{$aLang.topic_create_blog}</label>
|
||||
<select name="blog_id" id="blog_id" onChange="ajaxBlogInfo(this.value);">
|
||||
<option value="0">{$aLang.topic_create_blog_personal}</option>
|
||||
|
|
|
|||
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
<h1>{$aLang.settings_invite}</h1>
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p>
|
||||
{$aLang.settings_invite_available}: <strong>{if $oUserCurrent->isAdministrator()}{$aLang.settings_invite_many}{else}{$iCountInviteAvailable}{/if}</strong><br />
|
||||
{$aLang.settings_invite_used}: <strong>{$iCountInviteUsed}</strong>
|
||||
|
|
|
|||
|
|
@ -29,6 +29,8 @@ document.addEvent('domready', function() {
|
|||
|
||||
<h1>{$aLang.settings_profile_edit}</h1>
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p>
|
||||
<label for="profile_name">{$aLang.settings_profile_name}:</label>
|
||||
<input type="text" name="profile_name" id="profile_name" value="{$oUserCurrent->getProfileName()|escape:'html'}" class="w100p" /><br />
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
<h1>{$aLang.settings_tuning}</h1>
|
||||
<strong>{$aLang.settings_tuning_notice}</strong>
|
||||
<form action="{router page='settings'}tuning/" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
<p>
|
||||
<label for=""><input {if $oUserCurrent->getSettingsNoticeNewTopic()}checked{/if} type="checkbox" id="settings_notice_new_topic" name="settings_notice_new_topic" value="1" class="checkbox" /> — {$aLang.settings_tuning_notice_new_topic}</label><br />
|
||||
<label for=""><input {if $oUserCurrent->getSettingsNoticeNewComment()}checked{/if} type="checkbox" id="settings_notice_new_comment" name="settings_notice_new_comment" value="1" class="checkbox" /> — {$aLang.settings_tuning_notice_new_comment}</label><br />
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ document.addEvent('domready', function() {
|
|||
<div class="topic">
|
||||
<h1>{$aLang.talk_create}</h1>
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p><label for="talk_users">{$aLang.talk_create_users}:</label><input type="text" class="w100p" id="talk_users" name="talk_users" value="{$_aRequest.talk_users}"/></p>
|
||||
<p><label for="talk_title">{$aLang.talk_create_title}:</label><input type="text" class="w100p" id="talk_title" name="talk_title" value="{$_aRequest.talk_title}"/></p>
|
||||
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@
|
|||
<div class="topic people top-blogs talk-table">
|
||||
<h1>{$aLang.talk_inbox}</h1>
|
||||
<form action="" method="post" id="form_talks_list">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
<table>
|
||||
<thead>
|
||||
<tr>
|
||||
|
|
|
|||
|
|
@ -61,6 +61,8 @@ tinyMCE.init({
|
|||
<h1>{$aLang.topic_topic_edit}</h1>
|
||||
{/if}
|
||||
<form action="" method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="security_ls_key" value="{$LIVESTREET_SECURITY_KEY}" />
|
||||
|
||||
<p><label for="blog_id">{$aLang.topic_create_blog}</label>
|
||||
<select name="blog_id" id="blog_id" onChange="ajaxBlogInfo(this.value);">
|
||||
<option value="0">{$aLang.topic_create_blog_personal}</option>
|
||||
|
|
|
|||
|
|
@ -30,6 +30,7 @@ var aRouter=new Array();
|
|||
{foreach from=$aRouter key=sPage item=sPath}
|
||||
aRouter['{$sPage}']='{$sPath}';
|
||||
{/foreach}
|
||||
|
||||
</script>
|
||||
|
||||
{$aHtmlHeadFiles.js}
|
||||
|
|
|
|||
Loading…
Reference in a new issue