Changeset 1614
- Timestamp:
- 08/06/08 07:51:33 (4 months ago)
- Files:
-
- devel/mod/blog/lib/weblogs_actions.php (modified) (2 diffs)
- devel/mod/blog/lib/weblogs_posts_add.php (modified) (2 diffs)
- devel/mod/blog/lib/weblogs_posts_edit.php (modified) (2 diffs)
devel/mod/blog/lib/weblogs_actions.php
r1540 r1614 10 10 // Create a new weblog post 11 11 case "weblogs:post:add": 12 // Check form_key 13 if (!elggform_key_check(optional_param('form_key'), "blog_add_{$page_owner}")) break; 12 14 $post = new StdClass; 13 15 $post->title = trim(optional_param('new_weblog_title')); … … 67 69 $post->icon = optional_param('edit_weblog_icon',user_info("icon",$_SESSION['userid']),PARAM_INT); 68 70 $post->ident = optional_param('edit_weblog_post_id',0,PARAM_INT); 71 69 72 if (logged_on && !empty($post->body) && !empty($post->access) && !empty($post->ident)) { 70 73 $exists = false; 71 74 if ($oldpost = get_record('weblog_posts','ident',$post->ident)) { 72 if (run("permissions:check", array("weblog:edit", $oldpost->owner,$oldpost->weblog))) { 75 // Check form key here 76 if (run("permissions:check", array("weblog:edit", $oldpost->owner,$oldpost->weblog)) && elggform_key_check(optional_param('form_key'), "blog_edit_{$oldpost->weblog}_{$post->ident}")) { 73 77 $exists = true; 74 78 } devel/mod/blog/lib/weblogs_posts_add.php
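Review bot: A failed form-key check is silent in both hunks of weblogs_actions.php: the `weblogs:post:add` case simply does `break`, and in the edit case the check is folded into the `permissions:check` condition, so a bad key looks the same as a missing permission (`$exists` stays false). A user whose key no longer validates loses the submitted post with no explanation, and a rejected cross-site request leaves nothing for an administrator to notice. I would test the key in its own `if` ahead of the permission check, and on failure set a user-visible message and write a log entry before leaving the case. Both case bodies continue outside the visible lines, so any messaging in an existing else branch cannot be seen from here.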
r1540 r1614 44 44 $postButton = __gettext("Publish"); // gettext variable 45 45 46 // form key 47 $form_key = elggform_key_get("blog_add_{$page_owner}"); 46 48 47 49 … … 110 112 <input type="hidden" name="action" value="weblogs:post:add" /> 111 113 <input type="hidden" name="extension" value="{$extensionContext}" /> 114 <input type="hidden" name="form_key" value="{$form_key}" /> 112 115 <input type="submit" value="$postButton" /> 113 116 </p> devel/mod/blog/lib/weblogs_posts_edit.php
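Review bot: The `// form key` comment at new line 46 says neither what the key protects nor that its action string is a contract with another file. I would write `// CSRF form key; the string must match the elggform_key_check() call for weblogs:post:add in weblogs_actions.php`. The value is then interpolated unescaped into the `value` attribute at new line 114. That is fine if elggform_key_get() only ever returns hex or alphanumeric text, which is not visible in this changeset.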
r1540 r1614 56 56 $postButton = __gettext("Publish"); 57 57 58 // Form key against CSRF 59 $form_key = elggform_key_get("blog_edit_{$page_owner}_{$post->ident}"); 58 60 59 61 $body = <<< END … … 127 129 <input type="hidden" name="edit_weblog_post_id" value="{$post->ident}" /> 128 130 <input type="hidden" name="extension" value="{$extensionContext}" /> 131 <input type="hidden" name="form_key" value="{$form_key}" /> 129 132 <input type="submit" value="$postButton" /> 130 133 </p>
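Review bot: The key at new line 59 is generated for `blog_edit_{$page_owner}_{$post->ident}`, but the handler in weblogs_actions.php checks it against `blog_edit_{$oldpost->weblog}_{$post->ident}`. The two strings agree only when `$page_owner` equals the stored post's `weblog` value at render time. If this form can ever be rendered under a different page owner (not visible from this hunk), every such edit would be rejected. Deriving the string from the post on both sides, for example `$form_key = elggform_key_get("blog_edit_{$post->weblog}_{$post->ident}");`, removes that dependency, assuming `$post->weblog` is populated at this point.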
