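/**
 * Dispatches an admin request to its tab controller.
 *
 * Kept for retro-compatibility with the old AdminTab classes and the old admin
 * index.php. New-style tabs (AdminController) are simply run; old-style tabs
 * (AdminTab) go through the legacy sequence: header, breadcrumb, multishop
 * notice, token check, filter/ordering memorization, display, footer.
 *
 * Output (HTML, or JSON in ajax mode) is echoed directly. An invalid security
 * token terminates the script with die() after emitting an error page / JSON.
 *
 * header.inc.php and footer.inc.php are included from inside this function, so
 * they see its locals ($cookie, $isoUser, $tabs, $bread, $adminObj, ...).
 *
 * @param string $tab      Tab (controller) class name, e.g. 'AdminDashboard'; may be empty
 * @param mixed  $ajaxMode Truthy to run the ajax variant of the tab (cast to bool)
 *
 * @return void
 */
function runAdminTab($tab, $ajaxMode = false)
{
    $ajaxMode = (bool) $ajaxMode;
    require_once _PS_ADMIN_DIR_ . '/init.php';
    $cookie = Context::getContext()->cookie;

    // No tab and no POST data: fall back to the dashboard. The matching token is
    // generated server-side and put into $_POST so the default page passes checkToken().
    if (empty($tab) && !count($_POST)) {
        $tab = 'AdminDashboard';
        $_POST['tab'] = $tab;
        $_POST['token'] = Tools::getAdminTokenLite($tab);
    }

    $adminObj = checkingTab($tab);
    if (!$adminObj) {
        return;
    }
    Context::getContext()->controller = $adminObj;

    // New tabs (AdminController) run themselves; old tabs (AdminTab) use the legacy flow below.
    if ($adminObj instanceof AdminController) {
        if ($ajaxMode) {
            $adminObj->ajax = true;
        }
        // NOTE(review): PHP_SELF can include client-supplied path info; confirm that
        // $adminObj->path is escaped wherever the controller renders it.
        $adminObj->path = dirname($_SERVER['PHP_SELF']);
        $adminObj->run();

        return;
    }

    if (!$ajaxMode) {
        require_once _PS_ADMIN_DIR_ . '/header.inc.php';
    }
    // Not read here, but visible to the included header/footer files. Despite its
    // name this is the language id, not an ISO code.
    $isoUser = Context::getContext()->language->id;

    // Breadcrumb from the root tab down to the current one: every ancestor is linked
    // with its own admin token, the current tab is plain text. $bread is not echoed
    // here — presumably consumed by the included files (confirm).
    $tabs = array();
    $tabs = Tab::recursiveTab($adminObj->id, $tabs);
    $tabs = array_reverse($tabs);
    $lastKey = count($tabs) - 1;
    $bread = '';
    foreach ($tabs as $key => $item) {
        $bread .= ' <img src="../img/admin/separator_breadcrumb.png" style="margin-right:5px" alt="&gt;" />';
        if ($lastKey > $key) {
            $bread .= '<a href="?tab=' . $item['class_name'] . '&token=' . Tools::getAdminToken($item['class_name'] . intval($item['id_tab']) . (int) Context::getContext()->employee->id) . '">';
        }
        $bread .= $item['name'];
        if ($lastKey > $key) {
            $bread .= '</a>';
        }
    }

    // Tell the employee which shop / shop group the current tab is configuring.
    if (!$ajaxMode && Shop::isFeatureActive() && Shop::getContext() != Shop::CONTEXT_ALL && Context::getContext()->controller->multishop_context != Shop::CONTEXT_ALL) {
        echo '<div class="multishop_info">';
        if (Shop::getContext() == Shop::CONTEXT_GROUP) {
            $shop_group = new ShopGroup((int) Shop::getContextShopGroupID());
            printf(Translate::getAdminTranslation('You are configuring your store for group shop %s'), '<b>' . $shop_group->name . '</b>');
        } elseif (Shop::getContext() == Shop::CONTEXT_SHOP) {
            printf(Translate::getAdminTranslation('You are configuring your store for shop %s'), '<b>' . Context::getContext()->shop->name . '</b>');
        }
        echo '</div>';
    }

    if (!Validate::isLoadedObject($adminObj)) {
        return;
    }

    if (!$adminObj->checkToken()) {
        // Invalid or missing token: drop whatever is already buffered so that only
        // the minimal error response below is sent.
        if (ob_get_level() && ob_get_length() > 0) {
            ob_clean();
        }
        if ($ajaxMode) {
            die(Tools::jsonEncode(Translate::getAdminTranslation('Invalid security token')));
        }
        // Rebuild the requested URL with a valid token for the "I understand the risks" link.
        // ${1} in the replacement is required because the token may start with a digit
        // (a bare $1 followed by "7" would be read as back-reference $17).
        $url = preg_replace('/([&?]token=)[^&]*(&.*)?$/', '${1}' . $adminObj->token . '$2', $_SERVER['REQUEST_URI']);
        if (false === strpos($url, '?token=') && false === strpos($url, '&token=')) {
            // Start the query string with '?' when the URI has none yet (always appending '&' produced an invalid URL).
            $url .= (false === strpos($url, '?') ? '?' : '&') . 'token=' . $adminObj->token;
        }
        $message = Translate::getAdminTranslation('Invalid security token');
        echo '<html><head><title>' . $message . '</title></head><body style="font-family:Arial,Verdana,Helvetica,sans-serif;background-color:#EC8686">
							<div style="background-color:#FAE2E3;border:1px solid #000000;color:#383838;font-weight:700;line-height:20px;margin:0 0 10px;padding:10px 15px;width:500px">
								<img src="../img/admin/error2.png" style="margin:-4px 5px 0 0;vertical-align:middle">
								' . $message . '
							</div>';
        // $url derives from REQUEST_URI: escape it the same way as the other attribute values.
        echo '<a href="' . Tools::htmlentitiesUTF8($url) . '" method="get" style="float:left;margin:10px">
								<input type="button" value="' . Tools::htmlentitiesUTF8(Translate::getAdminTranslation('I understand the risks and I really want to display this page')) . '" style="height:30px;margin-top:5px" />
							</a>
							<a href="index.php" method="get" style="float:left;margin:10px">
								<input type="button" value="' . Tools::htmlentitiesUTF8(Translate::getAdminTranslation('Take me out of here!')) . '" style="height:40px" />
							</a>
						</body></html>';
        die;
    }

    if ($ajaxMode) {
        // This is where the ajax flow differs from index.php: no displayConf(), and the
        // per-action hooks ajaxProcess<Action>() / displayAjax<Action>() are preferred
        // over the generic ajaxProcess() / displayAjax() when the tab defines them.
        // The fixed prefix plus method_exists() is what restricts the user-supplied
        // 'action' value to these hook methods.
        $adminObj->ajaxPreProcess();
        $action = Tools::getValue('action');
        $actionSuffix = empty($action) ? null : Tools::toCamelCase($action);
        if ($actionSuffix !== null && method_exists($adminObj, 'ajaxProcess' . $actionSuffix)) {
            $adminObj->{'ajaxProcess' . $actionSuffix}();
        } else {
            $adminObj->ajaxProcess();
        }
        // @TODO We should use a displayAjaxError
        $adminObj->displayErrors();
        // The call now uses the same camel-cased name that method_exists() checked
        // (it previously called 'displayAjax' . $action, which differs for actions containing '_').
        if ($actionSuffix !== null && method_exists($adminObj, 'displayAjax' . $actionSuffix)) {
            $adminObj->{'displayAjax' . $actionSuffix}();
        } else {
            $adminObj->displayAjax();
        }

        return;
    }

    // Filter memorization: remember list filters (POST) and ordering (GET) in the cookie.
    // Only keys carrying the table prefix (or 'submitFilter') are stored. The prefix is
    // compared over its full length; the former fixed-length compare (7 / 8 / 12 bytes)
    // also stored unrelated request keys that merely shared the first characters of the
    // table name.
    $tables = array();
    if (isset($adminObj->table)) {
        $tables = is_array($adminObj->table) ? $adminObj->table : array($adminObj->table);
    }
    if (!empty($_POST)) {
        foreach ($_POST as $key => $value) {
            foreach ($tables as $table) {
                if (strncmp($key, $table . 'Filter_', strlen($table . 'Filter_')) === 0 || strncmp($key, 'submitFilter', 12) === 0) {
                    // NOTE(review): array values are serialize()d into the cookie; whatever
                    // reads them back must treat them as untrusted input — confirm the reader.
                    $cookie->{$key} = !is_array($value) ? $value : serialize($value);
                }
            }
        }
    }
    if (!empty($_GET)) {
        foreach ($_GET as $key => $value) {
            foreach ($tables as $table) {
                if (strncmp($key, $table . 'OrderBy', strlen($table . 'OrderBy')) === 0 || strncmp($key, $table . 'Orderway', strlen($table . 'Orderway')) === 0) {
                    $cookie->{$key} = $value;
                }
            }
        }
    }

    $adminObj->displayConf();
    $adminObj->postProcess();
    $adminObj->displayErrors();
    $adminObj->display();
    include _PS_ADMIN_DIR_ . '/footer.inc.php';
}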
*  @version  Release: $Revision: 6594 $
*  @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
*  International Registered Trademark & Property of PrestaShop SA
*/
// The admin directory is the directory this script is run from.
// PS_ADMIN_DIR is the legacy alias, kept for retro-compatibility.
define('_PS_ADMIN_DIR_', getcwd());
define('PS_ADMIN_DIR', _PS_ADMIN_DIR_);

include PS_ADMIN_DIR . '/../config/config.inc.php';
include PS_ADMIN_DIR . '/functions.php';
include PS_ADMIN_DIR . '/header.inc.php';

// Without an explicit tab and without POST data, default to AdminHome and put the
// matching server-generated token into $_POST so the request passes the token check.
// NOTE(review): $tab is not assigned above this point in this file — presumably set
// by an included file or by register_globals; confirm.
if (empty($tab) && count($_POST) === 0) {
    $tab = 'AdminHome';
    $_POST['tab'] = $tab;
    $_POST['token'] = Tools::getAdminTokenLite($tab);
}
if ($id_tab = checkingTab($tab)) {
    $isoUser = Language::getIsoById(intval($cookie->id_lang));
    $tabs = array();
    recursiveTab($id_tab);
    $tabs = array_reverse($tabs);
    $bread = '';
    foreach ($tabs as $key => $item) {
        $bread .= ' <img src="../img/admin/separator_breadcrum.png" style="margin-right:5px" />
			' . (sizeof($tabs) - 1 > $key ? '<a href="?tab=' . $item['class_name'] . '&token=' . Tools::getAdminToken($item['class_name'] . intval($item['id_tab']) . intval($cookie->id_employee)) . '">' : '') . '
			' . $item['name'] . (sizeof($tabs) - 1 > $key ? '</a>' : '');
    }
    echo '<script type="text/javascript">

		$(function() {
			$.ajax({
				type: \'POST\',