Commit 14416d10 authored by effulgentsia's avatar effulgentsia Committed by Crell

refs #1595298 Revert CSRF token checks back to page callbacks, not menu access callbacks.

This will be refactored again later when the routing system is upgraded.
parent f5079ffb
......@@ -401,9 +401,16 @@ function _aggregator_parse_opml($opml) {
* An object describing the feed to be refreshed.
*
* @see aggregator_menu()
* @see aggregator_admin_refresh_feed_access()
*/
function aggregator_admin_refresh_feed($feed) {
// @todo CSRF tokens are validated in page callbacks rather than access
// callbacks, because access callbacks are also invoked during menu link
// generation. Add token support to routing: http://drupal.org/node/755584.
$token = request()->query->get('token');
if (!isset($token) || !drupal_valid_token($token, 'aggregator/update/' . $feed->fid)) {
drupal_access_denied();
}
aggregator_refresh($feed);
drupal_goto('admin/config/services/aggregator');
}
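Review bot: When the token check fails, `drupal_access_denied();` is not followed by a `return`, so unless drupal_access_denied() terminates the request itself (not visible here) the following `aggregator_refresh($feed);` and `drupal_goto(...)` still execute for a request with a missing or invalid token; the access callbacks this commit removes returned FALSE at that point. Adding `return;` directly after `drupal_access_denied();` makes the page callback safe regardless of how the 403 is delivered, and the same applies to comment_approve() in comment.pages.inc and overlay_user_dismiss_message() in overlay.module in the later hunks. Separately, the context line `* @see aggregator_admin_refresh_feed_access()` still refers to the access callback deleted in this commit, as does `* @see comment_approve_access()` in the comment.pages.inc hunk; both @see lines should be dropped. The docblock of this function starts above the hunk.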
......
......@@ -138,8 +138,7 @@ function aggregator_menu() {
'title' => 'Update items',
'page callback' => 'aggregator_admin_refresh_feed',
'page arguments' => array(5),
'access callback' => 'aggregator_admin_refresh_feed_access',
'access arguments' => array(5),
'access arguments' => array('administer news feeds'),
'file' => 'aggregator.admin.inc',
);
$items['admin/config/services/aggregator/list'] = array(
......@@ -797,23 +796,3 @@ function aggregator_preprocess_block(&$variables) {
$variables['attributes_array']['role'] = 'complementary';
}
}
/**
* Access callback: Determines if feed refresh is accessible.
*
* @param $feed
* An object describing the feed to be refreshed.
*
* @see aggregator_admin_refresh_feed()
* @see aggregator_menu()
*/
function aggregator_admin_refresh_feed_access($feed) {
if (!user_access('administer news feeds')) {
return FALSE;
}
$token = request()->query->get('token');
if (!isset($token) || !drupal_valid_token($token, 'aggregator/update/' . $feed->fid)) {
return FALSE;
}
return TRUE;
}
......@@ -277,8 +277,7 @@ function comment_menu() {
'title' => 'Approve',
'page callback' => 'comment_approve',
'page arguments' => array(1),
'access callback' => 'comment_approve_access',
'access arguments' => array(1),
'access arguments' => array('administer comments'),
'file' => 'comment.pages.inc',
'weight' => 1,
);
......@@ -2515,23 +2514,3 @@ function comment_file_download_access($field, $entity_type, $entity) {
return FALSE;
}
}
/**
* Access callback: Determines if comment approval is accessible.
*
* @param $cid
* A comment identifier.
*
* @see comment_approve()
* @see comment_menu()
*/
function comment_approve_access($cid) {
if (!user_access('administer comments')) {
return FALSE;
}
$token = request()->query->get('token');
if (!isset($token) || !drupal_valid_token($token, "comment/$cid/approve")) {
return FALSE;
}
return TRUE;
}
......@@ -105,9 +105,16 @@ function comment_reply(Node $node, $pid = NULL) {
* A comment identifier.
*
* @see comment_menu()
* @see comment_approve_access()
*/
function comment_approve($cid) {
// @todo CSRF tokens are validated in page callbacks rather than access
// callbacks, because access callbacks are also invoked during menu link
// generation. Add token support to routing: http://drupal.org/node/755584.
$token = request()->query->get('token');
if (!isset($token) || !drupal_valid_token($token, "comment/$cid/approve")) {
drupal_access_denied();
}
if ($comment = comment_load($cid)) {
$comment->status = COMMENT_PUBLISHED;
comment_save($comment);
......
......@@ -317,11 +317,6 @@ function overlay_user_dismiss_message_access() {
if (empty($user->uid)) {
return FALSE;
}
// Protect against cross-site request forgeries by validating a token.
$token = request()->query->get('token');
if (!isset($token) || !drupal_valid_token($token, 'overlay')) {
return FALSE;
}
return TRUE;
}
......@@ -333,6 +328,15 @@ function overlay_user_dismiss_message_access() {
*/
function overlay_user_dismiss_message() {
global $user;
// @todo CSRF tokens are validated in page callbacks rather than access
// callbacks, because access callbacks are also invoked during menu link
// generation. Add token support to routing: http://drupal.org/node/755584.
$token = request()->query->get('token');
if (!isset($token) || !drupal_valid_token($token, 'overlay')) {
drupal_access_denied();
}
$account = user_load($user->uid);
$account->data['overlay_message_dismissed'] = 1;
$account->save();
......