author | dizzy <diosmosis@users.noreply.github.com> | 2021-04-24 06:28:08 +0300 |
committer | GitHub <noreply@github.com> | 2021-04-24 06:28:08 +0300 |
commit | 6227cb05197d4dfd0aa0d695eb665b6c1ef455d6 (patch) | |
tree | 3d100156c4d2c0effc981ebb8c041a840ee76ac1 /plugins/CorePluginsAdmin/Controller.php | |
parent | d1422903bb698fac80e1ab0590d62c63dd6574bf (diff) |
Require password confirmation for more plugin operations. (#17345)
* Require password confirmation for more plugin operations.
* renormalize
* add optional password confirmation to CorePluginsAdmin.setSystemSettings
* Add developer changelog entry.
* ask for password confirmation when saving plugin settings and use the onOpenEnd materializecss modal event handler instead of ready, since ready no longer exists in the version in use
* Fix redirectTo==referrer for other plugin actions that now have password confirmation.
* fix build
* try fixing build again
Diffstat (limited to 'plugins/CorePluginsAdmin/Controller.php')
-rw-r--r-- | plugins/CorePluginsAdmin/Controller.php | 54 |
1 files changed, 51 insertions, 3 deletions
diff --git a/plugins/CorePluginsAdmin/Controller.php b/plugins/CorePluginsAdmin/Controller.php
index df3f1de171..3501de4737 100644
--- a/plugins/CorePluginsAdmin/Controller.php
+++ b/plugins/CorePluginsAdmin/Controller.php
@@ -425,9 +425,23 @@ class Controller extends Plugin\ControllerAdmin
 public function activate($redirectAfter = true)
 {
- $pluginName = $this->initPluginModification(static::ACTIVATE_NONCE);
 $this->dieIfPluginsAdminIsDisabled();
+ $params = [
+ 'module' => 'CorePluginsAdmin',
+ 'action' => 'activate',
+ 'pluginName' => Common::getRequestVar('pluginName'),
+ 'nonce' => Common::getRequestVar('nonce'),
+ 'redirectTo' => Common::getRequestVar('redirectTo'),
+ 'referrer' => urlencode(Url::getReferrer()),
+ ];
+
+ if (!$this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+ return;
+ }
+
+ $pluginName = $this->initPluginModification(static::ACTIVATE_NONCE);
+
 $this->pluginManager->activatePlugin($pluginName);
 if ($redirectAfter) {
@@ -469,6 +483,18 @@ class Controller extends Plugin\ControllerAdmin
 public function deactivate($redirectAfter = true)
 {
+ $params = [
+ 'module' => 'CorePluginsAdmin',
+ 'action' => 'deactivate',
+ 'pluginName' => Common::getRequestVar('pluginName'),
+ 'nonce' => Common::getRequestVar('nonce'),
+ 'redirectTo' => Common::getRequestVar('redirectTo'),
+ 'referrer' => urlencode(Url::getReferrer()),
+ ];
+ if (!$this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+ return;
+ }
+
 if($this->isAllowedToTroubleshootAsSuperUser()) {
 Access::doAsSuperUser(function() use ($redirectAfter) {
 $this->doDeactivatePlugin($redirectAfter);
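Review bot: The `$params` array handed to `requirePasswordVerifiedRecently` is built by hand here and again, nearly verbatim, in deactivate (next hunk) and uninstall (the hunk after), differing only in the `action` value and whether `redirectTo` is carried; a small private helper keeps the three confirmation round-trips from drifting apart. Separately, `Common::getRequestVar('redirectTo')` is read without a default next to the mandatory `pluginName` and `nonce` reads, so if — as I believe — the default-less form throws when the parameter is absent, activate and deactivate now hard-require a `redirectTo` that earlier callers may not send; `Common::getRequestVar('redirectTo', false)` keeps it optional, so confirm against the callers. activate's body continues past the end of the hunk.
```php
        $this->dieIfPluginsAdminIsDisabled();

        $params = $this->buildPasswordConfirmationParams('activate');
        if (!$this->passwordVerify->requirePasswordVerifiedRecently($params)) {
            return;
        }
        // … unchanged: nonce check via initPluginModification, activatePlugin, redirect …

    /**
     * Request parameters re-submitted once the user has confirmed their password,
     * so the original plugin action (and its nonce) survives the round-trip.
     *
     * @param string $action         controller action to return to
     * @param bool   $withRedirectTo whether to carry the optional redirectTo parameter
     * @return array<string, mixed>
     */
    private function buildPasswordConfirmationParams($action, $withRedirectTo = true)
    {
        $params = [
            'module' => 'CorePluginsAdmin',
            'action' => $action,
            'pluginName' => Common::getRequestVar('pluginName'),
            'nonce' => Common::getRequestVar('nonce'),
            'referrer' => urlencode(Url::getReferrer()),
        ];
        if ($withRedirectTo) {
            // optional on direct links, so default instead of erroring
            $params['redirectTo'] = Common::getRequestVar('redirectTo', false);
        }

        return $params;
    }
```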
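Review bot: deactivate asks for the password before any other guard runs, whereas activate and uninstall call `$this->dieIfPluginsAdminIsDisabled()` ahead of the prompt; if that check lives in doDeactivatePlugin (outside this hunk) the user is asked to re-enter their password for an operation that is then refused. If deactivation is meant to stay available on the troubleshoot-as-super-user path even when plugin administration is disabled, a one-line comment above `$params` saying so would spare the next reader the same question; otherwise moving the disabled check ahead of the prompt matches the sibling actions. The method continues past the end of the hunk.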
@@ -480,9 +506,21 @@ class Controller extends Plugin\ControllerAdmin
 public function uninstall($redirectAfter = true)
 {
- $pluginName = $this->initPluginModification(static::UNINSTALL_NONCE);
 $this->dieIfPluginsAdminIsDisabled();
+ $params = [
+ 'module' => 'CorePluginsAdmin',
+ 'action' => 'uninstall',
+ 'pluginName' => Common::getRequestVar('pluginName'),
+ 'nonce' => Common::getRequestVar('nonce'),
+ 'referrer' => urlencode(Url::getReferrer()),
+ ];
+ if (!$this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+ return;
+ }
+
+ $pluginName = $this->initPluginModification(static::UNINSTALL_NONCE);
+
 $uninstalled = $this->pluginManager->uninstallPlugin($pluginName);
 if (!$uninstalled) {
@@ -552,7 +590,17 @@ class Controller extends Plugin\ControllerAdmin
 protected function redirectAfterModification($redirectAfter)
 {
- if ($redirectAfter) {
+ if (!$redirectAfter) {
+ return;
+ }
+
+ $referrer = Common::getRequestVar('referrer', false);
+ $referrer = Common::unsanitizeInputValue($referrer);
+ if (!empty($referrer)
+ && Url::isLocalUrl($referrer)
+ ) {
+ Url::redirectToUrl($referrer);
+ } else {
 Url::redirectToReferrer();
 }
 }
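Review bot: uninstall's `$params` omits the `'redirectTo'` entry that activate and deactivate carry through the confirmation round-trip; if uninstall reads `redirectTo` after the nonce check (outside this hunk, which I cannot see) that value is lost when the user is diverted to the password prompt, and the post-uninstall redirect silently falls back to the referrer. Either add `'redirectTo' => Common::getRequestVar('redirectTo', false),` for consistency with the sibling actions, or note above the array that uninstall intentionally does not honor `redirectTo`. The method continues past the end of the hunk.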
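Review bot: `Url::isLocalUrl($referrer)` is the only thing standing between a request-supplied `referrer` and an off-site redirect, and nothing in redirectAfterModification says so; I would add above the `if`: `// 'referrer' is request input carried through the password confirmation form; follow it only when it points at this Matomo instance, otherwise fall back to the HTTP Referer`. The `Common::unsanitizeInputValue` call presumably undoes the escaping `getRequestVar` applies so the URL compares and redirects cleanly, which is worth a word too, since a reader may otherwise drop it as redundant. Because that `isLocalUrl` contract is now load-bearing for this path, a unit test pinning that it rejects protocol-relative (`//host/path`) and non-http scheme values would make the guarantee explicit.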