authorAndrew Dolgov <[email protected]>2021-02-17 21:44:21 +0300
committerAndrew Dolgov <[email protected]>2021-02-17 21:44:21 +0300
commite4609c18efceebb1e021d814f53061ada7f6489a (patch)
tree0968e0da3dc2d1b4cdc12c2a29549c27dc82ea14 /classes
parentb16abc157ee584f4be80a537ee24ec9e5ff25496 (diff)
* add (disabled) shortcut syntax for plugin methods
* add controls shortcut for pluginhandler tags * add similar shortcut for frontend * allow plugins to selectively exclude their methods from CSRF checking
Diffstat (limited to 'classes')
-rw-r--r--classes/plugin.php4
-rw-r--r--classes/pluginhandler.php2
-rwxr-xr-xclasses/pluginhost.php13
3 files changed, 17 insertions, 2 deletions
diff --git a/classes/plugin.php b/classes/plugin.php
index 2416418cd..6c572467a 100644
--- a/classes/plugin.php
+++ b/classes/plugin.php
@@ -54,4 +54,8 @@ abstract class Plugin {
return vsprintf($this->__($msgid), $args);
}
+
+ function csrf_ignore($method) {
+ return false;
+ }
}
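Review bot: The new `csrf_ignore` hook has no parameter or return type and no documentation, even though overriding it is what switches CSRF token validation off for a plugin method (PluginHandler consults it in the next file of this commit). Declare it as `function csrf_ignore(string $method): bool {` and add a docblock such as `/** Return true to exempt $method from CSRF token validation; override only for methods that have no side effects. */`. The default of `false` keeps every plugin protected unless it opts out explicitly, which is the right direction and worth stating in that docblock so overriders understand what they are giving up.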
diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index a0e60b4e6..608f80dcb 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -11,7 +11,7 @@ class PluginHandler extends Handler_Protected {
if ($plugin) {
if (method_exists($plugin, $method)) {
- if (validate_csrf($csrf_token)) {
+ if (validate_csrf($csrf_token) || $plugin->csrf_ignore($method)) {
$plugin->$method();
} else {
user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);
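Review bot: The added `|| $plugin->csrf_ignore($method)` changes what a passing check means, but nothing at the call site says why a request without a valid token may still be dispatched; a comment above the condition, `// Plugin::csrf_ignore() lets a plugin exempt side-effect-free methods from token validation`, would make the intent visible. The `user_error` branch only fires when both checks fail, so exempted dispatches leave no trace; if the exemption is meant to be rare, logging it at debug level would make an over-broad override noticeable. `$method` appears to be request-supplied (it is validated with `method_exists` just above), so the value reaching `csrf_ignore` is untrusted and overrides should compare it exactly. The enclosing method begins and ends outside the hunk.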
diff --git a/classes/pluginhost.php b/classes/pluginhost.php
index 097bf987c..065fa99c4 100755
--- a/classes/pluginhost.php
+++ b/classes/pluginhost.php
@@ -611,6 +611,17 @@ class PluginHost {
$params));
}
+ // shortcut syntax (disabled for now)
+ /* function get_method_url(Plugin $sender, string $method, $params) {
+ return get_self_url_prefix() . "/backend.php?" .
+ http_build_query(
+ array_merge(
+ [
+ "op" => strtolower(get_class($sender) . self::PUBLIC_METHOD_DELIMITER . $method),
+ ],
+ $params));
+ } */
+
// WARNING: endpoint in public.php, exposed to unauthenticated users
function get_public_method_url(Plugin $sender, string $method, $params) {
if ($sender->is_public_method($method)) {
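Review bot: The disabled `get_method_url` is committed as a block comment that duplicates `get_public_method_url` almost verbatim apart from the `backend.php` endpoint, so it will drift from the live copy and is invisible to static analysis. Either drop it and keep the idea in the commit message, or leave a one-line marker such as `// TODO: non-public shortcut syntax via backend.php not yet implemented; see get_public_method_url` so the intent survives without dead code. If it is enabled later, the accompanying comment should state whether the backend.php handler applies authentication and CSRF checks to the shortcut op, since the public variant directly below is explicitly marked as exposed to unauthenticated users.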
@@ -618,7 +629,7 @@ class PluginHost {
http_build_query(
array_merge(
[
- "op" => strtolower(get_class($sender) . PluginHost::PUBLIC_METHOD_DELIMITER . $method),
+ "op" => strtolower(get_class($sender) . self::PUBLIC_METHOD_DELIMITER . $method),
],
$params));
} else {