author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2009-12-20 16:52:43 +0000 |
---|---|---|
committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2009-12-20 16:52:43 +0000 |
commit | d8ea07a04acc03160ac73f5db2a9249890e5fd13 (patch) | |
tree | 63e0dfedbfc9565a265cb342da405cd79b4ff341 /admin | |
parent | 69c56f829da3fc44e6dbcc14c364901b86f55421 (diff) | |
sync from 3.5.x and fix display issue on playlist view
Diffstat (limited to 'admin')
-rw-r--r-- | admin/access.php | 14 | ||||
-rw-r--r-- | admin/catalog.php | 17 | ||||
-rw-r--r-- | admin/users.php | 8 |
3 files changed, 31 insertions, 8 deletions
diff --git a/admin/access.php b/admin/access.php index e4af598e..6a46c9f1 100644 --- a/admin/access.php +++ b/admin/access.php @@ -30,10 +30,20 @@ show_header(); switch ($_REQUEST['action']) { case 'delete_record': + if (!Core::form_verify('delete_access')) { + access_denied(); + exit; + } Access::delete($_REQUEST['access_id']); $url = Config::get('web_path') . '/admin/access.php'; show_confirmation(_('Deleted'),_('Your Access List Entry has been removed'),$url); break; + case 'show_delete_record': + if (Config::get('demo_mode')) { break; } + $access = new Access($_GET['access_id']); + show_confirmation(_('Deletion Request'),_('Are you sure you want to permanently delete') . ' ' . $access->name, + 'admin/access.php?action=delete_record&access_id=' . $access->id,1,'delete_access'); + break; case 'add_host': // Make sure we've got a valid form submission @@ -103,6 +113,10 @@ switch ($_REQUEST['action']) { } break; case 'update_record': + if (!Core::form_verify('edit_acl')) { + access_denied(); + exit; + } $access = new Access($_REQUEST['access_id']); $access->update($_POST); if (!Error::occurred()) { diff --git a/admin/catalog.php b/admin/catalog.php index bada8fad..619f96be 100644 --- a/admin/catalog.php +++ b/admin/catalog.php 
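Review bot: The `delete_record` case, which performs the actual `Access::delete()`, has no `demo_mode` guard; only the new `show_delete_record` confirmation case has one. The `confirm_delete` case in admin/users.php checks both, so I would add `if (Config::get('demo_mode')) { break; }` ahead of the `form_verify` call here rather than rely on the token being unobtainable in demo mode. Separately, `$access->name` is concatenated into the confirmation text as-is; whether `show_confirmation()` escapes it is not visible in this hunk, so confirm that or wrap it in `htmlspecialchars()`. The switch body continues outside the hunk.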
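Review bot: `Core::form_verify('edit_acl')` leaves the request method implicit, while the equivalent check in admin/catalog.php passes `'post'` explicitly. Since this case applies `$access->update($_POST)`, I would write `if (!Core::form_verify('edit_acl','post')) {` so the check does not depend on a default that is not visible in this diff; the same applies to the `'delete_access'` check in the previous hunk and `'delete_user'` in admin/users.php, if those confirmations are submitted by POST. The record id is still read from `$_REQUEST['access_id']`; if the edit form posts it, taking it from `$_POST` would keep the token and the target in the same request body. The case body continues past the end of the hunk.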
@@ -198,27 +198,32 @@ switch ($_REQUEST['action']) { ob_end_flush(); - if (!strlen($_REQUEST['path']) || !strlen($_REQUEST['name'])) { + if (!strlen($_POST['path']) || !strlen($_POST['name'])) { Error::add('general',_('Error: Name and path not specified')); } - if (substr($_REQUEST['path'],0,7) != 'http://' && $_REQUEST['type'] == 'remote') { + if (substr($_POST['path'],0,7) != 'http://' && $_POST['type'] == 'remote') { Error::add('general',_('Error: Remote selected, but path is not a URL')); } - if ($_REQUEST['type'] == 'remote' && !strlen($_REQUEST['key'])) { + if ($_POST['type'] == 'remote' && !strlen($_POST['key'])) { Error::add('general',_('Error: Remote Catalog specified, but no key provided')); } + if (!Core::form_verify('add_catalog','post')) { + access_denied(); + exit; + } + // Make sure that there isn't a catalog with a directory above this one - if (Catalog::get_from_path($_REQUEST['path'])) { + if (Catalog::get_from_path($_POST['path'])) { Error::add('general',_('Error: Defined Path is inside an existing catalog')); } // If an error hasn't occured if (!Error::occurred()) { - $catalog_id = Catalog::Create($_REQUEST); + $catalog_id = Catalog::Create($_POST); if (!$catalog_id) { require Config::get('prefix') . '/templates/show_add_catalog.inc.php'; @@ -228,7 +233,7 @@ switch ($_REQUEST['action']) { $catalog = new Catalog($catalog_id); // Run our initial add - $catalog->run_add($_REQUEST); + $catalog->run_add($_POST); show_box_top(); echo "<h2>" . _('Catalog Created') . "</h2>"; diff --git a/admin/users.php b/admin/users.php index 2726b740..9e6f138b 100644 --- a/admin/users.php +++ b/admin/users.php 
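Review bot: The `Core::form_verify('add_catalog','post')` check sits after the three input-validation blocks, so the `path`, `name`, `type` and `key` fields of `$_POST` are already inspected and `Error::add()` may already have been called before the request is known to be genuine. I would move the check ahead of the first `strlen()` test, so an unverified request is rejected before any of its fields are read. Output has also already been flushed by `ob_end_flush()` by the time `access_denied()` runs; whether that matters depends on what `access_denied()` emits, which is not visible here. The start of the case lies outside the hunk.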
@@ -149,7 +149,11 @@ switch ($_REQUEST['action']) { require_once Config::get('prefix') . '/templates/show_edit_user.inc.php'; break; case 'confirm_delete': - if (Config::get('demo_mode')) { break; } + if (Config::get('demo_mode')) { break; } + if (!Core::form_verify('delete_user')) { + access_denied(); + exit; + } $client = new User($_REQUEST['user_id']); if ($client->delete()) { show_confirmation(_('User Deleted'), sprintf(_('%s has been Deleted'), $client->username), Config::get('web_path'). "/admin/users.php"); @@ -163,7 +167,7 @@ switch ($_REQUEST['action']) { $client = new User($_REQUEST['user_id']); show_confirmation(_('Deletion Request'), sprintf(_('Are you sure you want to permanently delete %s?'), $client->fullname), - Config::get('web_path')."/admin/users.php?action=confirm_delete&user_id=" . $_REQUEST['user_id'],1); + Config::get('web_path')."/admin/users.php?action=confirm_delete&user_id=" . $_REQUEST['user_id'],1,'delete_user'); break; /* Show IP History for the Specified User */ case 'show_ip_history': |
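Review bot: The changed line in the second hunk still appends raw `$_REQUEST['user_id']` to the confirmation URL. The new `show_delete_record` case in admin/access.php builds its URL from the loaded object's id instead; here, at minimum encode the value, e.g. `"/admin/users.php?action=confirm_delete&user_id=" . urlencode($_REQUEST['user_id']),1,'delete_user');`, so the parameter cannot alter the query string or the markup around the link, depending on how `show_confirmation()` renders it (not visible here). `$client->fullname` in the prompt text deserves the same escaping check.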