Commit e2bee0d2 authored by merlinofchaos's avatar merlinofchaos

Fix CSRF vulnerability.

parent b740cea9
......@@ -50,6 +50,9 @@ function template_preprocess_views_ui_list_views(&$vars) {
$views = views_get_all_views();
$token_enable = drupal_get_token('views-enable');
$token_disable = drupal_get_token('views-disable');
// Respond to a reset command by clearing session and doing a drupal goto
// back to the base URL.
if (isset($_GET['op']) && $_GET['op'] == t('Reset')) {
......@@ -116,10 +119,10 @@ function template_preprocess_views_ui_list_views(&$vars) {
}
else {
if (empty($view->disabled)) {
$item->ops[] = l(t('Disable'), "admin/build/views/disable/$view->name", array('query' => drupal_get_destination()));
$item->ops[] = l(t('Disable'), "admin/build/views/disable/$view->name", array('query' => drupal_get_destination() . '&token=' . $token_disable));
}
else {
$item->ops[] = l(t('Enable'), "admin/build/views/enable/$view->name", array('query' => drupal_get_destination()));
$item->ops[] = l(t('Enable'), "admin/build/views/enable/$view->name", array('query' => drupal_get_destination() . '&token=' . $token_enable));
}
}
......@@ -2667,24 +2670,34 @@ function views_ui_item_css($item) {
* Page callback for the Views enable page.
*/
function views_ui_enable_page($view) {
$views_status = variable_get('views_defaults', array());
$views_status[$view->name] = FALSE; // false is enabled
variable_set('views_defaults', $views_status);
views_invalidate_cache();
menu_rebuild();
drupal_goto('admin/build/views');
if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'views-enable')) {
$views_status = variable_get('views_defaults', array());
$views_status[$view->name] = FALSE; // false is enabled
variable_set('views_defaults', $views_status);
views_invalidate_cache();
menu_rebuild();
drupal_goto('admin/build/views');
}
else {
return drupal_access_denied();
}
}
/**
* Page callback for the Views enable page
*/
function views_ui_disable_page($view) {
$views_status = variable_get('views_defaults', array());
$views_status[$view->name] = TRUE; // True is disabled
variable_set('views_defaults', $views_status);
views_invalidate_cache();
menu_rebuild();
drupal_goto('admin/build/views');
if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'views-disable')) {
$views_status = variable_get('views_defaults', array());
$views_status[$view->name] = TRUE; // True is disabled
variable_set('views_defaults', $views_status);
views_invalidate_cache();
menu_rebuild();
drupal_goto('admin/build/views');
}
else {
return drupal_access_denied();
}
}
/**
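Review bot: The check `drupal_valid_token($_GET['token'], 'views-enable')` (and its 'views-disable' twin in `views_ui_disable_page`) binds the token only to the action, not to the view, so the one per-session value that the second hunk emits for every row will enable or disable any view once it is known — and since these are plain GET links, that value is carried in Referer headers and request logs. Binding it to the view name closes that gap: generate the token per row from the view name and validate against the same value, as in the excerpt below, after which the two precomputed `$token_enable` / `$token_disable` variables in the first hunk become unnecessary. The docblock above `views_ui_disable_page` still reads `Page callback for the Views enable page` and should say `disable`. As a point of style, a D6 page callback can `return MENU_ACCESS_DENIED;` and let index.php render the 403, rather than calling `drupal_access_denied()`, which prints the page itself. `template_preprocess_views_ui_list_views` begins and ends outside the first two hunks.
```php
// … unchanged: template_preprocess_views_ui_list_views up to the per-view ops …
$item->ops[] = l(t('Disable'), "admin/build/views/disable/$view->name", array('query' => drupal_get_destination() . '&token=' . drupal_get_token('views-disable-' . $view->name)));
// … unchanged: else branch …
$item->ops[] = l(t('Enable'), "admin/build/views/enable/$view->name", array('query' => drupal_get_destination() . '&token=' . drupal_get_token('views-enable-' . $view->name)));
// … unchanged: rest of the preprocess function …
function views_ui_enable_page($view) {
  if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'views-enable-' . $view->name)) {
    // … unchanged: variable_set, cache invalidation, menu_rebuild, drupal_goto …
// … unchanged: views_ui_disable_page, with 'views-disable-' . $view->name in the same check …
```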