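/**
 * Saves the settings posted from the settings form.
 *
 * Reads `$_POST['setting']`, validates the CSRF token against the
 * `setting` URL, normalises the `allow_html_title` checkbox, reduces the
 * admin title to a small inline-HTML whitelist with kses, and persists
 * everything through Setting::saveFromData(). Every exit path redirects
 * back to the settings page; an explicit `return` follows each failure
 * redirect so the save can never run should redirect() return instead of
 * terminating the request.
 *
 * NOTE(review): the whitelist allows `<img src>`; stripping unsafe URL
 * schemes from that attribute is left to the Kses helper's own protocol
 * filtering, which is not visible here.
 */
private final function _save()
{
    // Missing or non-array input yields an empty set instead of a notice.
    $data = array();
    if (isset($_POST['setting']) && is_array($_POST['setting'])) {
        $data = $_POST['setting'];
    }

    // CSRF checks: a missing token and an invalid token are reported as
    // distinct observer events.
    if (!isset($_POST['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        Observer::notify('csrf_token_not_found', AuthUser::getUserName());
        redirect(get_url('setting'));
        return;
    }
    $csrf_token = $_POST['csrf_token'];
    if (!SecureToken::validateToken($csrf_token, BASE_URL . 'setting')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        Observer::notify('csrf_token_invalid', AuthUser::getUserName());
        redirect(get_url('setting'));
        return;
    }

    // An unchecked checkbox is absent from the POST body; store it as 'off'.
    if (!isset($data['allow_html_title'])) {
        $data['allow_html_title'] = 'off';
    }

    // Restrict the admin title to harmless inline markup before storing it.
    use_helper('Kses');
    $allowed = array(
        'img'        => array('src' => array()),
        'abbr'       => array('title' => array()),
        'acronym'    => array('title' => array()),
        'b'          => array(),
        'blockquote' => array('cite' => array()),
        'br'         => array(),
        'code'       => array(),
        'em'         => array(),
        'i'          => array(),
        'p'          => array(),
        'strike'     => array(),
        'strong'     => array(),
    );
    $admin_title = isset($data['admin_title']) ? $data['admin_title'] : '';
    $data['admin_title'] = kses(trim($admin_title), $allowed);

    Setting::saveFromData($data);
    Flash::set('success', __('Settings have been saved!'));
    redirect(get_url('setting'));
}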
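/**
 * Lists the sidebar-link image directory together with every sidebar
 * link and the top-level pages.
 *
 * The URL segments after the action are joined into $this->path (always
 * slash-terminated). The directory actually listed is fixed to
 * FILES_DIR/sidebarlink/images/, so $this->path only reaches the view as
 * 'dir'. A '..' in it is reported to the statistics plugin (when enabled)
 * and then removed, so the view never receives a traversal string.
 *
 * NOTE(review): _getListFiles() is defined elsewhere; whether it reads
 * $this->path as well as $this->fullpath cannot be confirmed here.
 */
public function browse()
{
    $this->_checkPermission();

    $segments = func_get_args();
    $this->path = join('/', $segments);
    // make sure there's a / at the end
    if (substr($this->path, -1, 1) != '/') {
        $this->path .= '/';
    }

    // Security: '..' is never a legitimate part of a browse path.
    if (strpos($this->path, '..') !== false) {
        if (Plugin::isEnabled('statistics_api')) {
            $user = AuthUser::isLoggedIn() ? AuthUser::getUserName() : null;
            // NOTE(review): X-Forwarded-For is client-supplied and trivially
            // spoofed; only trust it behind a proxy that overwrites it.
            $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
                ? $_SERVER['HTTP_X_FORWARDED_FOR']
                : $_SERVER['REMOTE_ADDR'];
            $event = array(
                'event_type'  => 'hack_attempt',
                'description' => __('A possible hack attempt was detected.'),
                'ipaddress'   => $ip,
                'username'    => $user,
            );
            Observer::notify('stats_file_manager_hack_attempt', $event);
        }
        // Neutralise the traversal rather than only logging it.
        $this->path = str_replace('..', '', $this->path);
    }

    $this->fullpath = FILES_DIR . '/sidebarlink/images/';
    // collapse any doubled slashes
    $this->fullpath = preg_replace('/\\/\\//', '/', $this->fullpath);

    $this->display('sidebarlink/index', array(
        'dir'          => $this->path,
        'files'        => $this->_getListFiles(),
        'sidebarlinks' => Record::findAllFrom('SidebarLink', '1=1 ORDER BY id desc'),
        'pages'        => Record::findAllFrom('Page', 'parent_id=1 OR parent_id=0 order by parent_id,position'),
    ));
}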
/**
 * Logs the current user out and returns to the site root.
 *
 * Fires 'logout_requested' before AuthUser::logout() and
 * 'admin_after_logout' (with the username captured beforehand) after it.
 *
 * NOTE(review): no CSRF token is checked here, so any third-party page can
 * end a session by embedding a link or image pointing at this action.
 */
function ru_logout()
{
    // Let plugins react before the session is torn down.
    Observer::notify('logout_requested');

    $who = AuthUser::getUserName();
    AuthUser::logout();

    Observer::notify('admin_after_logout', $who);
    redirect(get_url());
}
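/**
 * Lists all testimonials (ordered by sequence, then newest id first) and
 * the pages directly under the root page.
 *
 * The URL segments after the action are joined into $this->path (always
 * slash-terminated). This method itself does not use the path beyond
 * storing it; a '..' in it is reported to the statistics plugin (when
 * enabled) and then removed so the stored value is never a traversal
 * string.
 */
public function browse()
{
    $this->_checkPermission();

    $segments = func_get_args();
    $this->path = join('/', $segments);
    // make sure there's a / at the end
    if (substr($this->path, -1, 1) != '/') {
        $this->path .= '/';
    }

    // Security: '..' is never a legitimate part of a browse path.
    if (strpos($this->path, '..') !== false) {
        if (Plugin::isEnabled('statistics_api')) {
            $user = AuthUser::isLoggedIn() ? AuthUser::getUserName() : null;
            // NOTE(review): X-Forwarded-For is client-supplied and trivially
            // spoofed; only trust it behind a proxy that overwrites it.
            $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
                ? $_SERVER['HTTP_X_FORWARDED_FOR']
                : $_SERVER['REMOTE_ADDR'];
            $event = array(
                'event_type'  => 'hack_attempt',
                'description' => __('A possible hack attempt was detected.'),
                'ipaddress'   => $ip,
                'username'    => $user,
            );
            Observer::notify('stats_file_manager_hack_attempt', $event);
        }
        // Neutralise the traversal rather than only logging it.
        $this->path = str_replace('..', '', $this->path);
    }

    // No user input reaches this query; only the table prefix is interpolated.
    $testimonials = Record::query(
        'select * from ' . TABLE_PREFIX . 'testimonial ORDER BY '
        . TABLE_PREFIX . 'testimonial.sequence, '
        . TABLE_PREFIX . 'testimonial.id desc'
    );

    $this->display('testimonial/index', array(
        'testimonials' => $testimonials,
        'pages'        => Record::findAllFrom('Page', 'parent_id=1 order by parent_id,position'),
    ));
}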
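/**
 * Lists the news image directory and every news item (ordered by type,
 * sequence, then newest id first).
 *
 * The URL segments after the action are joined into $this->path (always
 * slash-terminated). The directory actually listed is fixed to
 * FILES_DIR/themes/promo/images/, so $this->path only reaches the view as
 * 'dir'. A '..' in it is reported to the statistics plugin (when enabled)
 * and then removed, so the view never receives a traversal string.
 *
 * NOTE(review): _getListFiles() is defined elsewhere; whether it reads
 * $this->path as well as $this->fullpath cannot be confirmed here.
 */
public function browse()
{
    $this->_checkPermission();

    $segments = func_get_args();
    $this->path = join('/', $segments);
    // make sure there's a / at the end
    if (substr($this->path, -1, 1) != '/') {
        $this->path .= '/';
    }

    // Security: '..' is never a legitimate part of a browse path.
    if (strpos($this->path, '..') !== false) {
        if (Plugin::isEnabled('statistics_api')) {
            $user = AuthUser::isLoggedIn() ? AuthUser::getUserName() : null;
            // NOTE(review): X-Forwarded-For is client-supplied and trivially
            // spoofed; only trust it behind a proxy that overwrites it.
            $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
                ? $_SERVER['HTTP_X_FORWARDED_FOR']
                : $_SERVER['REMOTE_ADDR'];
            $event = array(
                'event_type'  => 'hack_attempt',
                'description' => __('A possible hack attempt was detected.'),
                'ipaddress'   => $ip,
                'username'    => $user,
            );
            Observer::notify('stats_file_manager_hack_attempt', $event);
        }
        // Neutralise the traversal rather than only logging it.
        $this->path = str_replace('..', '', $this->path);
    }

    $this->fullpath = FILES_DIR . '/themes/promo/images/';
    // collapse any doubled slashes
    $this->fullpath = preg_replace('/\\/\\//', '/', $this->fullpath);

    // No user input reaches this query; only the table prefix is interpolated.
    $newss = Record::query('select * from ' . TABLE_PREFIX . 'news ORDER BY type, sequence asc, id desc');

    $this->display('news/index', array(
        'dir'   => $this->path,
        'files' => $this->_getListFiles(),
        'newss' => $newss,
    ));
}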
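/**
 * Saves the edited Snippet.
 *
 * @todo Merge _edit() and edit()
 *
 * Reads the posted 'snippet' fields, forces the id to the one taken from
 * the URL, validates the CSRF token against 'snippet/edit' and saves the
 * record. On any failure the posted data is kept in the flash so the form
 * can be repopulated. Each failure redirect is followed by an explicit
 * `return` so the save cannot proceed should redirect() return instead of
 * terminating the request.
 *
 * NOTE(review): every posted field is passed to the Snippet constructor;
 * whether that lets a client set fields the form does not expose depends
 * on the Snippet/Record model, which is not visible here.
 *
 * @param string $id Snippet id.
 */
private function _edit($id)
{
    // Missing or non-array input yields an empty set instead of a notice.
    $data = array();
    if (isset($_POST['snippet']) && is_array($_POST['snippet'])) {
        $data = $_POST['snippet'];
    }
    // The id always comes from the URL, never from the form body.
    $data['id'] = $id;

    // CSRF checks: a missing token and an invalid token are reported as
    // distinct observer events.
    if (!isset($_POST['csrf_token'])) {
        Flash::set('post_data', (object) $data);
        Flash::set('error', __('No CSRF token found!'));
        Observer::notify('csrf_token_not_found', AuthUser::getUserName());
        redirect(get_url('snippet/edit/' . $id));
        return;
    }
    $csrf_token = $_POST['csrf_token'];
    if (!SecureToken::validateToken($csrf_token, BASE_URL . 'snippet/edit')) {
        Flash::set('post_data', (object) $data);
        Flash::set('error', __('Invalid CSRF token found!'));
        Observer::notify('csrf_token_invalid', AuthUser::getUserName());
        redirect(get_url('snippet/edit/' . $id));
        return;
    }

    $snippet = new Snippet($data);
    if (!$snippet->save()) {
        Flash::set('post_data', (object) $data);
        Flash::set('error', __('Snippet :name has not been saved. Name must be unique!', array(':name' => $snippet->name)));
        redirect(get_url('snippet/edit/' . $id));
        return;
    }

    Flash::set('success', __('Snippet :name has been saved!', array(':name' => $snippet->name)));
    Observer::notify('snippet_after_edit', $snippet);

    // save and quit or save and continue editing?
    if (isset($_POST['commit'])) {
        redirect(get_url('snippet'));
    } else {
        redirect(get_url('snippet/edit/' . $id));
    }
}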
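/**
 * Displays a file from FILES_DIR in the file manager.
 *
 * The URL segments are joined and url-decoded into a relative filename.
 * A '..' anywhere in it is reported to the statistics plugin (when
 * enabled) and removed, '//' runs and a leading slash are stripped, and
 * the file is only read when its resolved path lies inside FILES_DIR and
 * it is not an image (images are rendered by the view, not read here).
 * The realpath containment check is defence in depth on top of the string
 * sanitising: it also covers symlinks that point outside FILES_DIR.
 *
 * NOTE(review): 'filename' and 'content' are handed to the view as-is;
 * escaping them for HTML is the view's responsibility and is not visible
 * here.
 */
public function view()
{
    $params = func_get_args();
    $content = '';
    $filename = urldecode(join('/', $params));

    // Sanitize filename for security: we don't allow backlinks.
    if (strpos($filename, '..') !== false) {
        if (Plugin::isEnabled('statistics_api')) {
            $user = AuthUser::isLoggedIn() ? AuthUser::getUserName() : null;
            // NOTE(review): X-Forwarded-For is client-supplied and trivially
            // spoofed; only trust it behind a proxy that overwrites it.
            $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
                ? $_SERVER['HTTP_X_FORWARDED_FOR']
                : $_SERVER['REMOTE_ADDR'];
            $event = array(
                'event_type'  => 'hack_attempt',
                'description' => __('A possible hack attempt was detected.'),
                'ipaddress'   => $ip,
                'username'    => $user,
            );
            Observer::notify('stats_file_manager_hack_attempt', $event);
        }
    }
    $filename = str_replace('..', '', $filename);
    // Clean up: drop doubled slashes
    $filename = str_replace('//', '', $filename);
    // We don't allow leading slashes (would make the path absolute)
    $filename = preg_replace('/^\\//', '', $filename);

    $file = FILES_DIR . '/' . $filename;
    $is_image = $this->_isImage($file);

    // Only read regular, existing files whose real location is below
    // FILES_DIR; realpath() returns false for a missing file.
    $base = realpath(FILES_DIR);
    $real = realpath($file);
    $inside = ($base !== false && $real !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0);

    if (!$is_image && $inside) {
        $bytes = file_get_contents($real);
        if ($bytes !== false) {
            $content = $bytes;
        }
    }

    $this->display('file_manager/views/view', array(
        'is_image' => $is_image,
        'filename' => $filename,
        'content'  => $content,
    ));
}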
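/**
 * Allows a user to logout.
 *
 * The CSRF token arrives in the query string (logout is a link, not a
 * form) and is validated against 'login/logout'; on a missing or invalid
 * token the user is sent to the site root without being logged out. Each
 * failure redirect is followed by an explicit `return` so the logout
 * cannot proceed should redirect() return instead of terminating the
 * request. Plugins are notified before and after AuthUser::logout(), and
 * the backend GUI cookies set by JavaScript are expired.
 *
 * NOTE(review): the setcookie() calls use the default cookie path; if the
 * JavaScript set these cookies with an explicit path (e.g. '/') the
 * browser treats them as different cookies and they will not be cleared.
 * NOTE(review): a token in the URL ends up in referers and access logs;
 * how long a SecureToken stays valid is not visible here.
 */
function logout()
{
    // CSRF checks
    if (!isset($_GET['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        redirect(get_url());
        return;
    }
    $csrf_token = $_GET['csrf_token'];
    if (!SecureToken::validateToken($csrf_token, BASE_URL . 'login/logout')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        redirect(get_url());
        return;
    }

    // Allow plugins to handle logout events
    Observer::notify('logout_requested');

    $username = AuthUser::getUserName();
    AuthUser::logout();

    // Also eat cookies that were set by JS for backend gui
    $expired = time() - 3600;
    setcookie("expanded_rows", "", $expired);
    setcookie("meta_tab", "", $expired);
    setcookie("page_tab", "", $expired);

    Observer::notify('admin_after_logout', $username);
    redirect(get_url());
}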
/**
 * Allows a user to logout.
 *
 * Captures the username first (it is gone once the session is cleared),
 * calls AuthUser::logout(), notifies 'admin_after_logout' with that name
 * and redirects to the site root.
 *
 * NOTE(review): no CSRF token is checked here, so any third-party page can
 * end a session by embedding a link or image pointing at this action.
 */
function logout()
{
    $who = AuthUser::getUserName();
    AuthUser::logout();
    Observer::notify('admin_after_logout', $who);
    redirect(get_url());
}
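/**
 * Saves the settings posted from the settings form.
 *
 * Reads `$_POST['setting']`, validates the CSRF token against the
 * `setting` URL, normalises the `allow_html_title` checkbox and persists
 * everything through Setting::saveFromData(). Every exit path redirects
 * back to the settings page; an explicit `return` follows each failure
 * redirect so the save can never run should redirect() return instead of
 * terminating the request.
 *
 * NOTE(review): the posted values, including any admin title, are stored
 * without filtering here; whether that is safe depends on how the backend
 * views escape them (and on the 'allow_html_title' setting), neither of
 * which is visible in this method.
 */
private final function _save()
{
    // Missing or non-array input yields an empty set instead of a notice.
    $data = array();
    if (isset($_POST['setting']) && is_array($_POST['setting'])) {
        $data = $_POST['setting'];
    }

    // CSRF checks: a missing token and an invalid token are reported as
    // distinct observer events.
    if (!isset($_POST['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        Observer::notify('csrf_token_not_found', AuthUser::getUserName());
        redirect(get_url('setting'));
        return;
    }
    $csrf_token = $_POST['csrf_token'];
    if (!SecureToken::validateToken($csrf_token, BASE_URL . 'setting')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        Observer::notify('csrf_token_invalid', AuthUser::getUserName());
        redirect(get_url('setting'));
        return;
    }

    // An unchecked checkbox is absent from the POST body; store it as 'off'.
    if (!isset($data['allow_html_title'])) {
        $data['allow_html_title'] = 'off';
    }

    Setting::saveFromData($data);
    Flash::set('success', __('Settings have been saved!'));
    redirect(get_url('setting'));
}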
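/**
 * Lists the news image directory together with the news items of one
 * category.
 *
 * func_get_args() includes $cat_id, so $this->path starts with the
 * category id followed by any further URL segments (always
 * slash-terminated). The directory actually listed is fixed to
 * FILES_DIR/themes/news/images/, so $this->path only reaches the view as
 * 'dir'. A '..' in it is reported to the statistics plugin (when enabled)
 * and then removed, so the view never receives a traversal string.
 *
 * NOTE(review): $cat_id comes straight from the URL and is passed to
 * News::findByCatId() / News::getCategoryName(); those must parameterise
 * or cast it, which cannot be confirmed here.
 * NOTE(review): _getListFiles() is defined elsewhere; whether it reads
 * $this->path as well as $this->fullpath cannot be confirmed here.
 *
 * @param string $cat_id Category id taken from the URL.
 */
public function browse_cat($cat_id)
{
    $this->_checkPermission();

    $segments = func_get_args();
    $this->path = join('/', $segments);
    // make sure there's a / at the end
    if (substr($this->path, -1, 1) != '/') {
        $this->path .= '/';
    }

    // Security: '..' is never a legitimate part of a browse path.
    if (strpos($this->path, '..') !== false) {
        if (Plugin::isEnabled('statistics_api')) {
            $user = AuthUser::isLoggedIn() ? AuthUser::getUserName() : null;
            // NOTE(review): X-Forwarded-For is client-supplied and trivially
            // spoofed; only trust it behind a proxy that overwrites it.
            $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
                ? $_SERVER['HTTP_X_FORWARDED_FOR']
                : $_SERVER['REMOTE_ADDR'];
            $event = array(
                'event_type'  => 'hack_attempt',
                'description' => __('A possible hack attempt was detected.'),
                'ipaddress'   => $ip,
                'username'    => $user,
            );
            Observer::notify('stats_file_manager_hack_attempt', $event);
        }
        // Neutralise the traversal rather than only logging it.
        $this->path = str_replace('..', '', $this->path);
    }

    $this->fullpath = FILES_DIR . '/themes/news/images/';
    // collapse any doubled slashes
    $this->fullpath = preg_replace('/\\/\\//', '/', $this->fullpath);

    $news_arr = News::findByCatId($cat_id);
    $category_name = News::getCategoryName($cat_id);

    $this->display('news/view_news', array(
        'dir'           => $this->path,
        'files'         => $this->_getListFiles(),
        'news_arr'      => $news_arr,
        'category_name' => $category_name,
        'cat_id'        => $cat_id,
    ));
}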
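/**
 * Allows a user to logout.
 *
 * The CSRF token arrives in the query string (logout is a link, not a
 * form) and is validated against 'login/logout'; on a missing or invalid
 * token the user is sent to the site root without being logged out. Each
 * failure redirect is followed by an explicit `return` so the logout
 * cannot proceed should redirect() return instead of terminating the
 * request. Plugins are notified before and after AuthUser::logout().
 *
 * NOTE(review): a token in the URL ends up in referers and access logs;
 * how long a SecureToken stays valid is not visible here.
 */
function logout()
{
    // CSRF checks
    if (!isset($_GET['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        redirect(get_url());
        return;
    }
    $csrf_token = $_GET['csrf_token'];
    if (!SecureToken::validateToken($csrf_token, BASE_URL . 'login/logout')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        redirect(get_url());
        return;
    }

    // Allow plugins to handle logout events
    Observer::notify('logout_requested');

    $username = AuthUser::getUserName();
    AuthUser::logout();

    Observer::notify('admin_after_logout', $username);
    redirect(get_url());
}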