
Revision 1357

Added by FrankH almost 14 years ago

Security fixes


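--- a/sections.php
+++ b/sections.php
@@ -41,6 +41,12 @@
 require_once(WB_PATH.'/framework/class.admin.php');
 $admin = new admin('Pages', 'pages_modify');
 
+if (!$admin->checkFTAN('get') and !$admin->checkFTAN())
+{
+	$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+	exit();
+}
+
 // Check if we are supposed to add or delete a section
 if(isset($_GET['section_id']) AND is_numeric($_GET['section_id']))
 {
@@ -71,7 +77,8 @@
 		require(WB_PATH.'/framework/class.order.php');
 		$order = new order(TABLE_PREFIX.'sections', 'position', 'section_id', 'page_id');
 		$order->clean($page_id);
-		$admin->print_success($TEXT['SUCCESS'], ADMIN_URL.'/pages/sections.php?page_id='.$page_id);
+		$ftan2 = $admin->getFTAN(2);
+		$admin->print_success($TEXT['SUCCESS'], ADMIN_URL."/pages/sections.php?page_id=$page_id&$ftan2");
 		$admin->print_footer();
 		exit();
 	}
@@ -172,6 +179,7 @@
 $template = new Template(THEME_PATH.'/templates');
 $template->set_file('page', 'pages_sections.htt');
 $template->set_block('page', 'main_block', 'main');
+$template->set_var('FTAN', $admin->getFTAN());
 $template->set_block('main_block', 'module_block', 'module_list');
 $template->set_block('main_block', 'section_block', 'section_list');
 $template->set_block('section_block', 'block_block', 'block_list');
@@ -201,11 +209,12 @@
 			);
 
 // Insert variables
+$ftan2 = $admin->getFTAN(2);
 $template->set_var(array(
 				'VAR_PAGE_ID' => $results_array['page_id'],
 				'VAR_PAGE_TITLE' => $results_array['page_title'],
-				'SETTINGS_LINK' => ADMIN_URL.'/pages/settings.php?page_id='.$results_array['page_id'],
-				'MODIFY_LINK' => ADMIN_URL.'/pages/modify.php?page_id='.$results_array['page_id']
+				'SETTINGS_LINK' => ADMIN_URL.'/pages/settings.php?page_id='.$results_array['page_id']."&$ftan2",
+				'MODIFY_LINK' => ADMIN_URL.'/pages/modify.php?page_id='.$results_array['page_id']."&$ftan2"
 				) 
 			);
 
@@ -232,11 +241,12 @@
 
 			if(SECTION_BLOCKS)
             {
-                if(defined('EDIT_ONE_SECTION') && EDIT_ONE_SECTION)
+                
+				if(defined('EDIT_ONE_SECTION') && EDIT_ONE_SECTION)
                 {
-				    $edit_page ='<a name="'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$page_id.'&amp;wysiwyg='.$section['section_id'] .'">'.$module_tmp.'</a>';
+				    $edit_page ='<a name="'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$page_id."&amp;$ftan2&amp;wysiwyg=".$section['section_id'] .'">'.$module_tmp.'</a>';
                 } else {
-				    $edit_page ='<a name="'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$page_id.'#wb'.$section['section_id'].'">'.$module_tmp.'</a>';
+				    $edit_page ='<a name="'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$page_id.'#wb'.$section['section_id'].."&amp;$ftan2"'">'.$module_tmp.'</a>';
                 }
                 $edit_page = ( trim($module_name) == '' ) ? '<span class="module_disabled">'.$section['module'].'</span>' : $edit_page;
 				$input_attribute = 'input_normal';
@@ -267,7 +277,7 @@
 					$template->parse('block_list', 'block_block', true);
 				}
 			} else {
-				$edit_page ='<a name="'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$page_id.'#'.$section['section_id'].'">'.$module_tmp.'</a>';
+				$edit_page ='<a name="'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$page_id.'#'.$section['section_id']."&amp;$ftan2".'">'.$module_tmp.'</a>';
                 $edit_page = ( trim($module_name) == '' ) ? '<span class="module_disabled">'.$section['module'].'</span>' : $edit_page;
 				$input_attribute = 'input_small';
 				$template->set_var(array(
@@ -309,7 +319,7 @@
             {
 				$template->set_var(
 							'VAR_MOVE_UP_URL',
-							'<a href="'.ADMIN_URL.'/pages/move_up.php?page_id='.$page_id.'&amp;section_id='.$section['section_id'].'">
+							'<a href="'.ADMIN_URL.'/pages/move_up.php?page_id='.$page_id.'&amp;section_id='.$section['section_id']."&amp;$ftan2".'">
 							<img src="'.THEME_URL.'/images/up_16.png" alt="{TEXT_MOVE_UP}" />
 							</a>' );
 			} else {
@@ -321,7 +331,7 @@
 			if($section['position'] != $num_sections ) {
 				$template->set_var(
 							'VAR_MOVE_DOWN_URL',
-							'<a href="'.ADMIN_URL.'/pages/move_down.php?page_id='.$page_id.'&amp;section_id='.$section['section_id'].'">
+							'<a href="'.ADMIN_URL.'/pages/move_down.php?page_id='.$page_id.'&amp;section_id='.$section['section_id']."&amp;$ftan2".'">
 							<img src="'.THEME_URL.'/images/down_16.png" alt="{TEXT_MOVE_DOWN}" />
 							</a>' );
 			} else {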
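Review bot: New line 249 (the `else` branch under `EDIT_ONE_SECTION`, hunk at old 232) does not parse: `'#wb'.$section['section_id'].."&amp;$ftan2"'">'` has a doubled `.` operator and no `.` between the double-quoted token and `'">'`, so the whole of sections.php fails to load, not just that branch. The same line, and new line 280 in the following hunk, also append `&amp;$ftan2` after the `#` fragment, and a browser never sends the fragment to the server, so the token is lost on exactly the links this commit is trying to protect; if modify.php enforces `checkFTAN` the way this file now does, those links will be rejected. Both lines should place the token in the query string before the fragment: `'/pages/modify.php?page_id='.$page_id."&amp;$ftan2".'#wb'.$section['section_id'].'">'` and `'/pages/modify.php?page_id='.$page_id."&amp;$ftan2".'#'.$section['section_id'].'">'`. Note also that the new guard at line 44 rejects with `NOT_FOUND`, which hides the token failure from an operator reading the logs; a dedicated message would make a CSRF rejection distinguishable from a missing page. The enclosing loop that sets `$section` starts and ends outside these hunks.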
