Commit dec4ddd3 authored by Dries's avatar Dries

- Patch #28420 by Jeremy: provide a more generic interface that can be used

  to validate other form submissions, not just comments. Two new functions
  are introduced, form_token() and form_validate(). The first function uses
  a private key and a public key to set a token in a hidden field. The second
  function validates the token. The comment and contact modules are updated to
  use these functions.
parent 2ef6b52c
......@@ -519,6 +519,9 @@ function comment_validate($edit) {
}
}
}
// verify that this submission was actually generated using a local form
form_validate($edit, 'comment'. $edit['nid'] . $edit['pid']);
return $edit;
}
......@@ -1426,6 +1429,8 @@ function theme_comment_form($edit, $title = NULL) {
$form .= form_hidden('pid', $edit['pid']);
$form .= form_hidden('nid', $edit['nid']);
$form .= form_hidden('uid', $edit['uid']);
// generate a token used to validate that submissions came from this form
$form .= form_token('comment'. $edit['nid'] . $edit['pid']);
$form .= form_submit(t('Preview comment'));
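Review bot: The token added in theme_comment_form and checked in comment_validate is keyed only on `'comment'. $edit['nid'] . $edit['pid']`, and both of those values arrive in the same POST as hidden fields, so the check ties the submission to a node/parent pair but not to the submitting user or session. If form_token() derives the token solely from the site's private key and this string, as the commit message suggests (its definition is outside this diff), anyone can GET the comment form for a target nid/pid, read the token, and replay it in a cross-site POST on behalf of any victim, so this does not yet work as a CSRF defence. Consider having form_token()/form_validate() mix a per-user or per-session secret into the token, or else soften the new comment to `// verify that this submission carries a token issued by this site for this nid/pid (does not identify the submitter)` so the guarantee is not overstated. comment_validate's body begins before the first hunk and theme_comment_form continues past the second.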
......@@ -519,6 +519,9 @@ function comment_validate($edit) {
}
}
}
// verify that this submission was actually generated using a local form
form_validate($edit, 'comment'. $edit['nid'] . $edit['pid']);
return $edit;
}
......@@ -1426,6 +1429,8 @@ function theme_comment_form($edit, $title = NULL) {
$form .= form_hidden('pid', $edit['pid']);
$form .= form_hidden('nid', $edit['nid']);
$form .= form_hidden('uid', $edit['uid']);
// generate a token used to validate that submissions came from this form
$form .= form_token('comment'. $edit['nid'] . $edit['pid']);
$form .= form_submit(t('Preview comment'));
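Review bot: The token key on the new theme_comment_form and comment_validate lines concatenates nid and pid with no separator, so `'comment'. $edit['nid'] . $edit['pid']` produces the same string for (nid 12, pid 3) and (nid 1, pid 23), and a token issued for one pair validates a submission for the other. Since the key exists precisely to tie the token to one node/parent pair, use an unambiguous separator at both call sites, e.g. `'comment:'. $edit['nid'] .':'. $edit['pid']`. Both enclosing function bodies extend beyond the hunks shown here.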
......@@ -102,6 +102,7 @@ function contact_mail_user() {
if (!$edit['subject']) {
form_set_error('subject', t('You must enter a subject.'));
}
form_validate($edit, $edit['mail'] . $user->name . $user->mail);
if (!form_get_errors()) {
// Compose the body:
......@@ -154,6 +155,7 @@ function contact_mail_user() {
$output .= form_textfield(t('Subject'), 'subject', $edit['subject'], 60, 50, NULL, NULL, TRUE);
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 15, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($edit['mail'] . $user->name . $user->mail);
$output .= form_submit(t('Send e-mail'));
$output = form($output);
}
......@@ -260,6 +262,7 @@ function contact_mail_page() {
form_set_error('category', t('You must select a valid category.'));
}
}
form_validate($edit, $user->name . $user->mail);
if (!form_get_errors()) {
// Prepare the sender:
......@@ -328,6 +331,7 @@ function contact_mail_page() {
}
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 5, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($user->name . $user->mail);
$output .= form_submit(t('Send e-mail'));
$output = form($output);
}
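Review bot: In contact_mail_page the token key is `$user->name . $user->mail`, which for anonymous visitors — the main audience of a site-wide contact form — is the empty string, so every anonymous visitor gets the same token and a single GET lets a spammer reuse it indefinitely. If form_token() adds no nonce or expiry of its own (not visible here), the check adds little for that case; mixing in something request-specific, e.g. `form_token($user->name . $user->mail . session_id());` with the matching `form_validate($edit, $user->name . $user->mail . session_id());`, would at least make the token per-visitor, assuming a session exists for anonymous users in this code base. contact_mail_page starts before and continues after these hunks.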
......@@ -102,6 +102,7 @@ function contact_mail_user() {
if (!$edit['subject']) {
form_set_error('subject', t('You must enter a subject.'));
}
form_validate($edit, $edit['mail'] . $user->name . $user->mail);
if (!form_get_errors()) {
// Compose the body:
......@@ -154,6 +155,7 @@ function contact_mail_user() {
$output .= form_textfield(t('Subject'), 'subject', $edit['subject'], 60, 50, NULL, NULL, TRUE);
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 15, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($edit['mail'] . $user->name . $user->mail);
$output .= form_submit(t('Send e-mail'));
$output = form($output);
}
......@@ -260,6 +262,7 @@ function contact_mail_page() {
form_set_error('category', t('You must select a valid category.'));
}
}
form_validate($edit, $user->name . $user->mail);
if (!form_get_errors()) {
// Prepare the sender:
......@@ -328,6 +331,7 @@ function contact_mail_page() {
}
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 5, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($user->name . $user->mail);
$output .= form_submit(t('Send e-mail'));
$output = form($output);
}
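Review bot: In contact_mail_user the key includes `$edit['mail']`, a value taken from the submitted form itself, so it adds no binding (the validator rebuilds the key from the same POST the sender controls), and it makes the render-time and validate-time keys diverge whenever the field is empty when the form is first drawn and filled in on submit, which would reject legitimate messages. Whether `mail` is an editable field of this form is not visible in the hunks; if it is, key on server-side values only, e.g. `form_token($user->name . $user->mail)` and `form_validate($edit, $user->name . $user->mail)`, preferably also folding in the recipient account's id so tokens are not interchangeable between contact_mail_user and contact_mail_page. contact_mail_user's body starts before and continues after the hunks.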