Commit dec4ddd3 authored by Dries's avatar Dries

- Patch #28420 by Jeremy: provide a more generic interface that can be used

  to validate other form submissions, not just comments. Two new functions
  are introduced, form_token() and form_validate(). The first function uses
  a private key and a public key to set a token in a hidden field. The second
  function validates the token. The comment and contact modules are updated to
  use these functions.
parent 2ef6b52c
...@@ -519,6 +519,9 @@ function comment_validate($edit) { ...@@ -519,6 +519,9 @@ function comment_validate($edit) {
} }
} }
} }
// verify that this submission was actually generated using a local form
form_validate($edit, 'comment'. $edit['nid'] . $edit['pid']);
return $edit; return $edit;
} }
...@@ -1426,6 +1429,8 @@ function theme_comment_form($edit, $title = NULL) { ...@@ -1426,6 +1429,8 @@ function theme_comment_form($edit, $title = NULL) {
$form .= form_hidden('pid', $edit['pid']); $form .= form_hidden('pid', $edit['pid']);
$form .= form_hidden('nid', $edit['nid']); $form .= form_hidden('nid', $edit['nid']);
$form .= form_hidden('uid', $edit['uid']); $form .= form_hidden('uid', $edit['uid']);
// generate a token used to validate that submissions came from this form
$form .= form_token('comment'. $edit['nid'] . $edit['pid']);
$form .= form_submit(t('Preview comment')); $form .= form_submit(t('Preview comment'));
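Review bot: The token seed `'comment'. $edit['nid'] . $edit['pid']` at the form_validate() call and the matching form_token() call joins nid and pid with no delimiter, so two different (nid, pid) pairs can yield the same seed and therefore the same token (e.g. nid 1 with pid 12 and nid 11 with pid 2), which means the token does not uniquely identify the thread it was issued for. A cheap fix is a separator in both places, `form_token('comment:' . $edit['nid'] . ':' . $edit['pid'])` and `form_validate($edit, 'comment:' . $edit['nid'] . ':' . $edit['pid'])`; the same two lines appear again in the second rendering of this file below. Note also that nid and pid are read from the same submission that carries the token (they are hidden fields a few lines above), so the check binds the token to those hidden values but not to the visitor; whether form_token() additionally ties it to the session cannot be seen here, since form_token()/form_validate() are defined outside this diff. Both comment_validate() and theme_comment_form() continue outside their hunks.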
...@@ -519,6 +519,9 @@ function comment_validate($edit) { ...@@ -519,6 +519,9 @@ function comment_validate($edit) {
} }
} }
} }
// verify that this submission was actually generated using a local form
form_validate($edit, 'comment'. $edit['nid'] . $edit['pid']);
return $edit; return $edit;
} }
...@@ -1426,6 +1429,8 @@ function theme_comment_form($edit, $title = NULL) { ...@@ -1426,6 +1429,8 @@ function theme_comment_form($edit, $title = NULL) {
$form .= form_hidden('pid', $edit['pid']); $form .= form_hidden('pid', $edit['pid']);
$form .= form_hidden('nid', $edit['nid']); $form .= form_hidden('nid', $edit['nid']);
$form .= form_hidden('uid', $edit['uid']); $form .= form_hidden('uid', $edit['uid']);
// generate a token used to validate that submissions came from this form
$form .= form_token('comment'. $edit['nid'] . $edit['pid']);
$form .= form_submit(t('Preview comment')); $form .= form_submit(t('Preview comment'));
...@@ -102,6 +102,7 @@ function contact_mail_user() { ...@@ -102,6 +102,7 @@ function contact_mail_user() {
if (!$edit['subject']) { if (!$edit['subject']) {
form_set_error('subject', t('You must enter a subject.')); form_set_error('subject', t('You must enter a subject.'));
} }
form_validate($edit, $edit['mail'] . $user->name . $user->mail);
if (!form_get_errors()) { if (!form_get_errors()) {
// Compose the body: // Compose the body:
...@@ -154,6 +155,7 @@ function contact_mail_user() { ...@@ -154,6 +155,7 @@ function contact_mail_user() {
$output .= form_textfield(t('Subject'), 'subject', $edit['subject'], 60, 50, NULL, NULL, TRUE); $output .= form_textfield(t('Subject'), 'subject', $edit['subject'], 60, 50, NULL, NULL, TRUE);
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 15, NULL, NULL, TRUE); $output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 15, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']); $output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($edit['mail'] . $user->name . $user->mail);
$output .= form_submit(t('Send e-mail')); $output .= form_submit(t('Send e-mail'));
$output = form($output); $output = form($output);
} }
...@@ -260,6 +262,7 @@ function contact_mail_page() { ...@@ -260,6 +262,7 @@ function contact_mail_page() {
form_set_error('category', t('You must select a valid category.')); form_set_error('category', t('You must select a valid category.'));
} }
} }
form_validate($edit, $user->name . $user->mail);
if (!form_get_errors()) { if (!form_get_errors()) {
// Prepare the sender: // Prepare the sender:
...@@ -328,6 +331,7 @@ function contact_mail_page() { ...@@ -328,6 +331,7 @@ function contact_mail_page() {
} }
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 5, NULL, NULL, TRUE); $output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 5, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']); $output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($user->name . $user->mail);
$output .= form_submit(t('Send e-mail')); $output .= form_submit(t('Send e-mail'));
$output = form($output); $output = form($output);
} }
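Review bot: In contact_mail_page() the seed `$user->name . $user->mail` passed to form_validate() and form_token() is empty for anonymous visitors, so every anonymous submission of the site-wide form would share a single token; unless form_token() mixes in session state (its definition is outside this diff), the token then only proves the form was rendered by this site, not that this visitor requested it, and adding `session_id()` to the seed would restore that binding. The seeds in both functions also join fields without a delimiter; a separator such as `'contact:' . $user->name . ':' . $user->mail` (and the equivalent for the `$edit['mail']` variant in contact_mail_user()) avoids boundary ambiguity between name and mail. The contact_mail_user() seed includes `$edit['mail']`, a value that arrives with the submission; where it is set for the rendered form is outside the hunk, so confirm it is populated server-side rather than echoed from the request. Whether `$user` here is the global account or a loaded recipient is likewise not visible, and both functions extend beyond their hunks; the same four lines recur in the second rendering of this file below.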
...@@ -102,6 +102,7 @@ function contact_mail_user() { ...@@ -102,6 +102,7 @@ function contact_mail_user() {
if (!$edit['subject']) { if (!$edit['subject']) {
form_set_error('subject', t('You must enter a subject.')); form_set_error('subject', t('You must enter a subject.'));
} }
form_validate($edit, $edit['mail'] . $user->name . $user->mail);
if (!form_get_errors()) { if (!form_get_errors()) {
// Compose the body: // Compose the body:
...@@ -154,6 +155,7 @@ function contact_mail_user() { ...@@ -154,6 +155,7 @@ function contact_mail_user() {
$output .= form_textfield(t('Subject'), 'subject', $edit['subject'], 60, 50, NULL, NULL, TRUE); $output .= form_textfield(t('Subject'), 'subject', $edit['subject'], 60, 50, NULL, NULL, TRUE);
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 15, NULL, NULL, TRUE); $output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 15, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']); $output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($edit['mail'] . $user->name . $user->mail);
$output .= form_submit(t('Send e-mail')); $output .= form_submit(t('Send e-mail'));
$output = form($output); $output = form($output);
} }
...@@ -260,6 +262,7 @@ function contact_mail_page() { ...@@ -260,6 +262,7 @@ function contact_mail_page() {
form_set_error('category', t('You must select a valid category.')); form_set_error('category', t('You must select a valid category.'));
} }
} }
form_validate($edit, $user->name . $user->mail);
if (!form_get_errors()) { if (!form_get_errors()) {
// Prepare the sender: // Prepare the sender:
...@@ -328,6 +331,7 @@ function contact_mail_page() { ...@@ -328,6 +331,7 @@ function contact_mail_page() {
} }
$output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 5, NULL, NULL, TRUE); $output .= form_textarea(t('Message'), 'message', $edit['message'], 60, 5, NULL, NULL, TRUE);
$output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']); $output .= form_checkbox(t('Send me a copy.'), 'copy', $edit['copy']);
$output .= form_token($user->name . $user->mail);
$output .= form_submit(t('Send e-mail')); $output .= form_submit(t('Send e-mail'));
$output = form($output); $output = form($output);
} }