authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2006-07-27 12:10:24 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2006-07-27 12:10:24 +0000
commit9869401a21a143eb2369beb24d8446d855c41464 (patch)
tree3b6201acc73a70a9da47eae7335e8d7dabe68174 /wp-admin
parentc10072db73bbb839e2837c69c38e6c6d91d0f2ce (diff)
Nonce fixes
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@711 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-admin')
-rw-r--r--wp-admin/wpmu-blogs.php32
-rw-r--r--wp-admin/wpmu-edit.php27
-rw-r--r--wp-admin/wpmu-users.php63
3 files changed, 66 insertions, 56 deletions
diff --git a/wp-admin/wpmu-blogs.php b/wp-admin/wpmu-blogs.php
index 323ec09..363df32 100644
--- a/wp-admin/wpmu-blogs.php
+++ b/wp-admin/wpmu-blogs.php
@@ -1,7 +1,7 @@
<?php
require_once('admin.php');
-$title = __('WPMU Admin');
+$title = __('WPMU Admin: Blogs');
$parent_file = 'wpmu-admin.php';
require_once('admin-header.php');
if( is_site_admin() == false ) {
@@ -309,9 +309,6 @@ function check_all_rows() {
}
}
-function confirm_action( msg ) {
- return confirm( msg );
-}
// -->
</script>
@@ -404,6 +401,11 @@ if ($blog_list) {
}
}
print "<tr $bgcolour class='$class'>";
+ if( constant( "VHOST" ) == 'yes' ) {
+ $blogname = str_replace( '.' . $current_site->domain, '', $blog[ 'domain' ] );
+ } else {
+ $blogname = $blog[ 'path' ];
+ }
foreach($posts_columns as $column_name=>$column_display_name) {
@@ -417,7 +419,7 @@ foreach($posts_columns as $column_name=>$column_display_name) {
case 'blogname':
?>
- <td valign='top'><label for='<?php echo $blog[ 'blog_id' ] ?>'><?php if( constant( "VHOST" ) == 'yes' ) { echo str_replace( '.' . $current_site->domain, '', $blog[ 'domain' ] ); } else { echo $blog[ 'path' ]; } ?></label>
+ <td valign='top'><label for='<?php echo $blog[ 'blog_id' ] ?>'><?php echo $blogname ?></label>
</td>
<?php
break;
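Review bot: `$blogname` is echoed into the label unescaped on the new line; it is built from the blog's domain or path in the previous hunk, so the markup is only well-formed if those values contain no `<`, `'` or `&`. The old inline expression had the same gap, but since the line is being rewritten anyway, `<?php echo wp_specialchars( $blogname ) ?>` would match how wpmu-edit.php escapes the values it echoes in this commit. The enclosing switch continues outside the hunk.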
@@ -461,15 +463,11 @@ foreach($posts_columns as $column_name=>$column_display_name) {
case 'control_spam':
if( get_blog_status( $blog[ 'blog_id' ], "spam" ) == '1' ) {
?>
- <td valign='top'><form action='wpmu-edit.php?action=unspamblog' method='POST' onSubmit='return confirm_action( "<?php _e("You are about to mark this blog as not spam.") ?>" )'>
- <?php wp_nonce_field( "unspamblog" ); ?>
- <input type='hidden' name='id' value='<?php echo $blog[ 'blog_id' ] ?>'><input type='submit' value='<?php _e('Not Spam') ?>'></form></td>
+ <td valign='top'><a class='edit' href="wpmu-edit.php?action=confirm&action2=unspamblog&id=<?php echo $blog[ 'blog_id' ] ?>&msg=<?php echo urlencode( sprintf( __( "You are about to unspam the blog %s" ), $blogname ) ) ?>"><?php _e("Not Spam") ?></a></td>
<?php
} else {
?>
- <td valign='top'><form action='wpmu-edit.php?action=spamblog' method='POST' onSubmit='return confirm_action( "<?php _e("You are about to mark this blog as spam.") ?>" )'>
- <?php wp_nonce_field( "spamblog" ); ?>
- <input type='hidden' name='id' value='<?php echo $blog[ 'blog_id' ] ?>'><input type='submit' value='<?php _e('Spam') ?>'></form></td>
+ <td valign='top'><a class='edit' href="wpmu-edit.php?action=confirm&action2=spamblog&id=<?php echo $blog[ 'blog_id' ] ?>&msg=<?php echo urlencode( sprintf( __( "You are about to mark the blog %s as spam" ), $blogname ) ) ?>"><?php _e("Spam") ?></a></td>
<?php
}
break;
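Review bot: The confirmation text now travels in the URL as `msg`, so the sentence the site admin reads and confirms is whatever the link carried rather than something derived from `action2`; wpmu-edit.php escapes it before output, so this is not an injection problem, but computing the text from `action2` on the confirm page (and dropping `msg` from these links) would remove the need to trust it at all. The activate/deactivate/delete links in the next hunk follow the same pattern. Separately, the query strings in these `href` attributes use a bare `&` (`action=confirm&action2=unspamblog&id=`); inside an HTML attribute they should be written `&amp;`, as the wpmu-users.php delete link in this commit partly does.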
@@ -477,24 +475,18 @@ foreach($posts_columns as $column_name=>$column_display_name) {
case 'control_deactivate':
if( is_archived( $blog[ 'blog_id' ] ) == '1' ) {
?>
- <td valign='top'><form action='wpmu-edit.php?action=activateblog' method='POST' onSubmit='return confirm_action( "<?php _e("You are about to activate this blog.") ?>" )'>
- <?php wp_nonce_field( "activateblog" ); ?>
- <input type='hidden' name='id' value='<?php echo $blog[ 'blog_id' ] ?>'><input type='submit' value='<?php _e('Activate') ?>'></form></td>
+ <td valign='top'><a class='edit' href="wpmu-edit.php?action=confirm&action2=activateblog&id=<?php echo $blog[ 'blog_id' ] ?>&msg=<?php echo urlencode( sprintf( __( "You are about to activate the blog %s" ), $blogname ) ) ?>"><?php _e("Activate") ?></a></td>
<?php
} else {
?>
- <td valign='top'><form action='wpmu-edit.php?action=deactivateblog' method='POST' onSubmit='return confirm_action( "<?php _e("You are about to deactivate this blog.") ?>" )'>
- <?php wp_nonce_field( "deactivateblog" ); ?>
- <input type='hidden' name='id' value='<?php echo $blog[ 'blog_id' ] ?>'><input type='submit' value='<?php _e('Deactivate') ?>'></form></td>
+ <td valign='top'><a class='edit' href="wpmu-edit.php?action=confirm&action2=deactivateblog&id=<?php echo $blog[ 'blog_id' ] ?>&msg=<?php echo urlencode( sprintf( __( "You are about to deactivate the blog %s" ), $blogname ) ) ?>"><?php _e("Deactivate") ?></a></td>
<?php
}
break;
case 'control_delete':
?>
- <td valign='top'><form action='wpmu-edit.php?action=deleteblog' method='POST' onSubmit='return confirm_action( "<?php _e("You are about to completely delete this blog, its database tables and uploaded files.") ?>" )'>
- <?php wp_nonce_field( "deleteblog" ); ?>
- <input type='hidden' name='id' value='<?php echo $blog[ 'blog_id' ] ?>'><input type='submit' value='<?php _e('Delete') ?>'></form></td>
+ <td valign='top'><a class='edit' href="wpmu-edit.php?action=confirm&action2=deleteblog&id=<?php echo $blog[ 'blog_id' ] ?>&msg=<?php echo urlencode( sprintf( __( "You are about to delete the blog %s" ), $blogname ) ) ?>"><?php _e("Delete") ?></a></td>
<?php
break;
diff --git a/wp-admin/wpmu-edit.php b/wp-admin/wpmu-edit.php
index 65a8a23..a94b70c 100644
--- a/wp-admin/wpmu-edit.php
+++ b/wp-admin/wpmu-edit.php
@@ -5,9 +5,9 @@ do_action( "wpmuadminedit", "" );
$_POST[ 'id' ] = intval( $_POST[ 'id' ] );
$_GET[ 'id' ] = intval( $_GET[ 'id' ] );
-$id = $_POST[ 'id' ];
+$id = intval( $_REQUEST[ 'id' ] );
-switch( $_GET[ 'action' ] ) {
+switch( $_REQUEST[ 'action' ] ) {
case "siteoptions":
if( is_site_admin() == false ) {
die( __('<p>You do not have permission to access this page.</p>') );
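Review bot: `$id` and the dispatched `action` are now read from `$_REQUEST`, which on the PHP builds this code targets also merges `$_COOKIE` depending on `variables_order`, so a cookie named `action` or `id` can steer the switch; the per-case `check_admin_referer()` still binds a nonce to each action, which bounds the impact, but the request source should be explicit. The confirm form submits its fields by one method for every action, so `switch( $_GET[ 'action' ] ) {` (or `$_POST` once that form is made a POST) is sufficient. The `intval()` of `$_POST['id']` and `$_GET['id']` two lines above is now redundant with the new `$id` line and could go.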
@@ -209,7 +209,6 @@ switch( $_GET[ 'action' ] ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
check_admin_referer('deleteblog');
- $id = intval( $_REQUEST[ 'id' ] );
if( $id != '0' && $id != '1' )
wpmu_delete_blog( $id, true );
wpmu_admin_do_redirect( "wpmu-blogs.php" );
@@ -242,7 +241,6 @@ switch( $_GET[ 'action' ] ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
check_admin_referer('activateblog');
- $id = intval( $_REQUEST[ 'id' ] );
update_archived( $id, '0' );
do_action( "activate_blog", $id );
wpmu_admin_do_redirect( "wpmu-blogs.php" );
@@ -252,9 +250,8 @@ switch( $_GET[ 'action' ] ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
check_admin_referer('deactivateblog');
- $id = intval( $_REQUEST[ 'id' ] );
do_action( "deactivate_blog", $id );
- update_archived( $id, '1' );
+ update_blog_status( $id, "archived", '1' );
wpmu_admin_do_redirect( "wpmu-blogs.php" );
break;
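Review bot: `deactivateblog` now sets the archived flag through `update_blog_status( $id, "archived", '1' )`, while `activateblog` in the previous hunk still clears it with `update_archived( $id, '0' )`; unless the two helpers do exactly the same bookkeeping, which is not visible here, the two halves of the toggle can diverge. Either both cases should use the same call, or a comment on the new line should say why the deactivate path differs. The `do_action( "deactivate_blog", $id )` hook also fires before the status changes whereas `activate_blog` fires after; worth a comment if hook consumers depend on the order.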
case "unspamblog":
@@ -262,17 +259,21 @@ switch( $_GET[ 'action' ] ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
check_admin_referer('unspamblog');
- $id = intval( $_REQUEST[ 'id' ] );
update_blog_status( $id, "spam", '0' );
do_action( "unspam_blog", $id );
- wpmu_admin_do_redirect( "wpmu-blogs.php" );
+
+ if( get_blog_status( $wpdb->blogid, "spam" ) == 1 ) {
+ header( "Location: http://{$current_site->domain}{$current_site->path}wp-admin/wpmu-admin.php?updated=true" );
+ die();
+ } else {
+ wpmu_admin_do_redirect( "wpmu-blogs.php" );
+ }
break;
case "spamblog":
if( is_site_admin() == false ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
check_admin_referer('spamblog');
- $id = intval( $_REQUEST[ 'id' ] );
do_action( "make_spam_blog", $id );
update_blog_status( $id, "spam", '1' );
wpmu_admin_do_redirect( "wpmu-blogs.php" );
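Review bot: The new redirect branch tests `get_blog_status( $wpdb->blogid, "spam" )`, i.e. the blog whose admin area is serving this request, not the `$id` that was just unspammed; if the intent is "send the admin to the main site when the blog they are browsing is itself flagged", the line needs a comment saying so, otherwise it should test `$id`. The `Location:` header also hard-codes `http://`, unlike the `wpmu_admin_do_redirect()` used on the other branch, so a site served over HTTPS would presumably be bounced to plain HTTP. The `spamblog` case below has no equivalent branch, so an admin who marks the blog they are currently on as spam is left on it.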
@@ -281,7 +282,6 @@ switch( $_GET[ 'action' ] ) {
if( is_site_admin() == false ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
- $id = intval( $_REQUEST[ 'id' ] );
update_blog_status( $id, 'mature', '1' );
do_action( 'mature_blog', $id );
wpmu_admin_do_redirect( "wpmu-blogs.php" );
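Review bot: The mature/unmature cases (this hunk and the next) still have no `check_admin_referer()` call before `update_blog_status()`, so after a commit titled "Nonce fixes" they remain the only state-changing cases in this switch without a nonce check and can still be triggered by a forged request. They should get the same guard as their neighbours, `check_admin_referer( '<this case's action name>' );` placed after the permission check, with the links that invoke them carrying a matching nonce. The `case` labels sit above the hunk, so the exact action names are inferred here from the `mature_blog`/`unmature_blog` hook names.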
@@ -290,12 +290,12 @@ switch( $_GET[ 'action' ] ) {
if( is_site_admin() == false ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
- $id = intval( $_REQUEST[ 'id' ] );
update_blog_status( $id, 'mature', '0' );
do_action( 'unmature_blog', $id );
wpmu_admin_do_redirect( "wpmu-blogs.php" );
break;
case "updateuser":
+ check_admin_referer('edituser');
if( is_site_admin() == false ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
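Review bot: In `updateuser` the added `check_admin_referer('edituser')` line runs before the `is_site_admin()` check, the reverse of the order every other case in this switch uses; harmless, but an unprivileged caller then gets the nonce failure instead of the permission message. Moving the added line below the closing brace of the permission check keeps the cases uniform.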
@@ -336,6 +336,11 @@ switch( $_GET[ 'action' ] ) {
}
wpmu_admin_do_redirect( "wpmu-themes.php" );
break;
+ case "confirm":
+ ?>
+ <form action='wpmu-edit.php'><input type='hidden' name='action' value='<?php echo wp_specialchars( $_GET[ 'action2' ] ) ?>'><input type='hidden' name='id' value='<?php echo wp_specialchars( $_GET[ 'id' ] ) ?>'><?php wp_nonce_field( $_GET[ 'action2' ] ) ?><p><?php echo wp_specialchars( $_GET[ 'msg' ] ) ?></p><input type='submit' value='Confirm'></form>
+ <?php
+ break;
default:
wpmu_admin_do_redirect( "wpmu-admin.php" );
break;
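Review bot: The new `confirm` case is the only branch in this switch without an `is_site_admin()` guard, and it mints a nonce for any `action2` string it is handed; it also renders the form without `method='post'`, so the confirmed action runs via GET with the nonce in the URL, where it can leak through Referer headers and browser history. Restricting `action2` to the five actions the wpmu-blogs.php links actually use, reusing the already-intval'd `$id` instead of re-reading `$_GET['id']`, posting the form, and passing the `Confirm` label through `__()` would close those gaps; the rewritten case is below. The equivalent form in wpmu-users.php (its `confirm` case) needs the same treatment.
```php
case "confirm":
    if( is_site_admin() == false ) {
        die( __('<p>You do not have permission to access this page.</p>') );
    }
    $action2 = $_GET[ 'action2' ];
    // only the actions wpmu-blogs.php links to may be confirmed here
    if( !in_array( $action2, array( 'spamblog', 'unspamblog', 'activateblog', 'deactivateblog', 'deleteblog' ), true ) ) {
        wpmu_admin_do_redirect( "wpmu-admin.php" );
        die();
    }
    ?>
    <form action='wpmu-edit.php' method='post'><input type='hidden' name='action' value='<?php echo wp_specialchars( $action2 ) ?>'><input type='hidden' name='id' value='<?php echo $id ?>'><?php wp_nonce_field( $action2 ) ?><p><?php echo wp_specialchars( $_GET[ 'msg' ] ) ?></p><input type='submit' value='<?php _e('Confirm') ?>'></form>
    <?php
    break;
```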
diff --git a/wp-admin/wpmu-users.php b/wp-admin/wpmu-users.php
index dbbc689..3ac294d 100644
--- a/wp-admin/wpmu-users.php
+++ b/wp-admin/wpmu-users.php
@@ -1,37 +1,49 @@
<?php
require_once('admin.php');
+$title = __('WPMU Admin: Users');
+$parent_file = 'wpmu-admin.php';
-switch( $_GET[ 'action' ] ) {
- case "delete":
- $id = intval( $_GET[ 'id' ] );
+$id = intval( $_REQUEST[ 'id' ] );
+
+switch( $_REQUEST[ 'action' ] ) {
+ case "confirm":
+ ?>
+ <form action='wpmu-users.php'><input type='hidden' name='action' value='<?php echo wp_specialchars( $_GET[ 'action2' ] ) ?>'><input type='hidden' name='id' value='<?php echo wp_specialchars( $_GET[ 'id' ] ) ?>'><?php wp_nonce_field( $_GET[ 'action2' ] ) ?><p><?php echo wp_specialchars( $_GET[ 'msg' ] ) ?></p><input type='submit' value='Confirm'></form>
+ <?php
+ die();
+ break;
+ case "deleteuser":
+ check_admin_referer('deleteuser');
if( $id != '0' && $id != '1' )
wpmu_delete_user($id);
wpmu_admin_do_redirect( "wpmu-users.php" );
die();
break;
case "allusers":
+ check_admin_referer('allusers');
if( is_site_admin() == false ) {
die( __('<p>You do not have permission to access this page.</p>') );
}
- if( is_array( $_POST[ 'allusers' ] ) ) {
- while( list( $key, $val ) = each( $_POST[ 'allusers' ] ) ) {
- if( $val != '' && $val != '0' && $val != '1' ) {
- $user_details = get_userdata( $val );
- if( $_POST[ 'userfunction' ] == 'delete' ) {
- wpmu_delete_user($val);
- } elseif( $_POST[ 'userfunction' ] == 'spam' ) {
- $blogs = get_blogs_of_user( $val );
- if( is_array( $blogs ) ) {
- while( list( $key, $details ) = each( $blogs ) ) {
- update_blog_status( $details->userblog_id, "spam", '1' );
- do_action( "make_spam_blog", $details->userblog_id );
+ if( is_array( $_POST[ 'allusers' ] ) ) {
+ while( list( $key, $val ) = each( $_POST[ 'allusers' ] ) ) {
+ if( $val != '' && $val != '0' && $val != '1' ) {
+ $user_details = get_userdata( $val );
+ if( $_POST[ 'userfunction' ] == 'delete' ) {
+ wpmu_delete_user($val);
+ } elseif( $_POST[ 'userfunction' ] == 'spam' ) {
+ $blogs = get_blogs_of_user( $val );
+ if( is_array( $blogs ) ) {
+ while( list( $key, $details ) = each( $blogs ) ) {
+ update_blog_status( $details->userblog_id, "spam", '1' );
+ do_action( "make_spam_blog", $details->userblog_id );
+ }
}
}
}
}
}
- }
- wpmu_admin_do_redirect( "wpmu-users.php" );
+ wpmu_admin_do_redirect( "wpmu-users.php" );
+ die();
break;
}
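Review bot: The new `deleteuser` case has no `is_site_admin()` check: `check_admin_referer('deleteuser')` only proves the request came through the confirm form, and that form (the `confirm` case above it) has no permission check either, so any logged-in user can obtain a valid nonce and reach `wpmu_delete_user($id)` unless that helper enforces the role itself, which is not visible here. Add the guard the `allusers` case already has, `if( is_site_admin() == false ) { die( __('<p>You do not have permission to access this page.</p>') ); }`, at the top of both `confirm` and `deleteuser`. The confirm form also lacks `method='post'` and re-reads `$_GET['id']` instead of the `$id` computed a few lines earlier, the same points as on the wpmu-edit.php confirm case.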
@@ -61,17 +73,19 @@ switch( $_GET[ 'action' ] ) {
?>
<table><td valign='top'>
<form name="form1" method="post" action="wpmu-edit.php?action=updateuser">
- <input type="hidden" name="id" value="<?php echo $_GET[ 'id' ] ?>" />
+ <input type="hidden" name="action" value="updateuser" />
+ <input type="hidden" name="id" value="<?php echo intval( $_GET[ 'id' ] ) ?>" />
+ <?php wp_nonce_field( "edituser" ); ?>
<table width="100%" cellspacing="2" cellpadding="5" class="editform">
<?php
unset( $userdetails[0][ 'ID' ] );
while( list( $key, $val ) = each( $userdetails[0] ) ) {
- ?>
+ ?>
<tr valign="top">
<th width="33%" scope="row"><?php echo ucwords( str_replace( "_", " ", $key ) ) ?></th>
<td><input name="option[<?php echo $key ?>]" type="text" id="<?php echo $val ?>" value="<?php echo $val ?>" size="40" /></td>
</tr>
- <?php
+ <?php
}
?>
</table>
@@ -82,13 +96,13 @@ switch( $_GET[ 'action' ] ) {
while( list( $key, $val ) = each( $usermetadetails ) ) {
if( substr( $val[ 'meta_key' ], -12 ) == 'capabilities' )
return;
- ?>
+ ?>
<tr valign="top">
<th width="33%" scope="row"><input name="metaname[<?php echo $val[ 'umeta_id' ] ?>]" type="text" id="<?php echo $val[ 'meta_key' ] ?>" value="<?php echo $val[ 'meta_key' ] ?>"></th>
<td><input name="meta[<?php echo $val[ 'umeta_id' ] ?>]" type="text" id="<?php echo $val[ 'meta_value' ] ?>" value="<?php echo addslashes( $val[ 'meta_value' ] ) ?>" size="40" /></td>
<td><input type='checkbox' name='metadelete[<?php echo $val[ 'umeta_id' ] ?>]'></td>
</tr>
- <?php
+ <?php
}
?>
</table>
@@ -111,8 +125,7 @@ switch( $_GET[ 'action' ] ) {
$num = intval( $_GET[ 'num' ] );
}
- $query = "SELECT *
- FROM ".$wpdb->users;
+ $query = "SELECT * FROM ".$wpdb->users;
if( $_GET[ 's' ] != '' ) {
$search = '%' . addslashes( $_GET['s'] ) . '%';
$query .= " WHERE user_login LIKE '$search' OR user_email LIKE '$search'";
@@ -300,7 +313,7 @@ foreach($posts_columns as $column_name=>$column_display_name) {
case 'control_delete':
?>
- <td><?php echo "<a href='wpmu-users.php?action=delete&amp;id=".$user[ 'ID' ]."&amp;redirect=".wpmu_admin_redirect_url()."' class='delete' onclick=\"return confirm('" . sprintf(__("You are about to delete this user?\\n \'OK\' to delete, \'Cancel\' to stop.") ) . "')\">" . __('Delete') . "</a>"; ?></td>
+ <td><?php echo "<a href='wpmu-users.php?action=confirm&action2=deleteuser&amp;msg=" . urlencode( __("You are about to delete this user.") ) . "&amp;id=".$user[ 'ID' ]."&amp;redirect=".wpmu_admin_redirect_url()."' class='delete')\">" . __('Delete') . "</a>"; ?></td>
<?php
break;
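Review bot: The rewritten delete link keeps a fragment of the removed `onclick` handler: `class='delete')\">` emits `class='delete')">` into the page, leaving a stray `)` and `"` inside the `<a>` tag. The same `href` also mixes bare `&` and `&amp;`. The corrected line: `<td><?php echo "<a href='wpmu-users.php?action=confirm&amp;action2=deleteuser&amp;msg=" . urlencode( __("You are about to delete this user.") ) . "&amp;id=".$user[ 'ID' ]."&amp;redirect=".wpmu_admin_redirect_url()."' class='delete'>" . __('Delete') . "</a>"; ?></td>`. The enclosing switch continues outside the hunk.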