editactive.php:

- new, small script to change the 'active' status
- also include CSRF protection token

edit.php:
- remove handling of 'active' to make it more readable

*list*.tpl:
- change links to use editactive.php, add CSRF token

configs/menu.conf
- add url_editactive


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1566 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 11 years ago
parent 508d05e1ed
commit e079e85461

@ -1,4 +1,5 @@
url_main = main.php
url_editactive = editactive.php?table=
# list_admin
url_list_admin = list-admin.php
url_create_admin = edit.php?table=admin

@ -19,7 +19,6 @@
* GET parameters:
* table what to edit (*Handler)
* edit item to edit (if net given: a new item will be created)
* active if given: only change active state to given value (which must be 0 or 1) and return to listview
* additional parameters will be accepted if specified in *Handler->webformConfig()[prefill] when creating a new item
*/
@ -40,19 +39,13 @@ $edit = safepost('edit', safeget('edit'));
$new = 0;
if ($edit == "") $new = 1;
$active = safeget('active');
$handler = new $handlerclass($new, $username);
$formconf = $handler->webformConfig();
authentication_require_role($formconf['required_role']);
if ($active != '0' && $active != '1') {
$active = ''; # ignore invalid values
}
if ($edit != '' || $active != '' || $formconf['early_init']) {
if ($edit != '' || $formconf['early_init']) {
if (!$handler->init($edit)) {
flash_error($handler->errormsg);
header ("Location: " . $formconf['listview']);
@ -63,7 +56,7 @@ if ($edit != '' || $active != '' || $formconf['early_init']) {
$form_fields = $handler->getStruct();
$id_field = $handler->getId_field();
if ($_SERVER['REQUEST_METHOD'] == "GET" && $active == '') {
if ($_SERVER['REQUEST_METHOD'] == "GET") {
if ($edit == '') { # new - prefill fields from URL parameters if allowed in $formconf['prefill']
if ( isset($formconf['prefill']) ) {
foreach ($formconf['prefill'] as $field) {
@ -113,11 +106,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
}
}
if ($active != '') {
$values['active'] = $active;
}
if ($_SERVER['REQUEST_METHOD'] == "POST" || $active != '') {
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (isset($formconf['hardcoded_edit']) && $formconf['hardcoded_edit']) {
$values[$id_field] = $form_fields[$id_field]['default'];
} elseif ($edit != "") {
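Review bot: The new `if ($_SERVER['REQUEST_METHOD'] == "POST") {` line (and the matching `== "GET"` line in the hunk above) compares the request method with `==`; both sides are strings so it is harmless today, but a strict `=== "POST"` / `=== "GET"` states the intent and is what a reviewer expects for a string constant. The surrounding `if`/`elseif` chain continues outside the hunk. Dropping the `$active` short-cut also means a stale `&active=` link that still points at edit.php is now silently ignored rather than rejected, which is fine but worth a one-line comment near the `$edit` handling, e.g. `# 'active' toggling moved to editactive.php (token-protected); an 'active' parameter is ignored here`.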

@ -0,0 +1,61 @@
<?php
/**
* Postfix Admin
*
* LICENSE
* This source file is subject to the GPL license that is bundled with
* this package in the file LICENSE.TXT.
*
* Further details on the project are available at http://postfixadmin.sf.net
*
* @version $Id$
* @license GNU GPL v2 or later.
*
* File: delete.php
* Used to delete admins, domains, mailboxes, aliases etc.
*
* Template File: none
*/
require_once('common.php');
if (safeget('token') != $_SESSION['PFA_token']) die('Invalid token!');
$username = authentication_get_username(); # enforce login
$id = safeget('id');
$table = safeget('table');
$active = safeget('active');
$handlerclass = ucfirst($table) . 'Handler';
if ( !preg_match('/^[a-z]+$/', $table) || !file_exists("model/$handlerclass.php")) { # validate $table
die ("Invalid table name given!");
}
$handler = new $handlerclass(0, $username);
$formconf = $handler->webformConfig();
authentication_require_role($formconf['required_role']);
if ($handler->init($id)) { # errors will be displayed as last step anyway, no need for duplicated code ;-)
if ($active != '0' && $active != '1') {
die(Config::Lang('invalid_parameter'));
}
$values['active'] = $active;
if ( $handler->set(array('active' => $active)) ) {
$handler->store();
}
}
flash_error($handler->errormsg);
flash_info($handler->infomsg);
header ("Location: " . $formconf['listview']);
exit;
/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */
?>
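Review bot: The CSRF guard on the `if (safeget('token') != $_SESSION['PFA_token']) die('Invalid token!');` line uses a loose comparison and reads the session key without checking that it exists; with `!=`, an empty `token` parameter compares equal to an unset (null) session value, and two numeric-looking strings (`"0e1"` vs `"0e5"`) compare equal without being identical, so the check should read `if (!isset($_SESSION['PFA_token']) || safeget('token') !== $_SESSION['PFA_token']) die('Invalid token!');` (with `hash_equals()` in place of `!==` where the project's minimum PHP version provides it). The `$values['active'] = $active;` line is dead code — `$values` is never read; only the array passed to `$handler->set(...)` is. The file header still says `File: delete.php` / `Used to delete admins, domains, mailboxes, aliases etc.` and should describe this script, e.g. `File: editactive.php` / `Used to change the 'active' status of admins, domains, mailboxes, aliases etc.`.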

@ -18,8 +18,8 @@
{/if}
</td>
<td>{$admin.modified}</td>
<td><a href="{#url_edit_admin#}&amp;edit={$admin.username|escape:"url"}&amp;active={if ($admin.active==0)}1{else}0{/if}">{$admin._active}</a></td>
<td><a href="{#url_edit_admin#}&edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_editactive#}admin&amp;id={$admin.username|escape:"url"}&amp;active={if ($admin.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{$admin._active}</a></td>
<td><a href="{#url_edit_admin#}&amp;edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_delete#}?table=admin&amp;delete={$admin.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
</tr>
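Review bot: The status toggle on the new `{#url_editactive#}admin&amp;id=…&amp;active=…&amp;token=…` link is still a plain GET that changes state; the token stops a cross-site forgery, but any client that follows links with the user's cookies (browser prefetch, link-preview or accessibility tooling) can flip the flag just by rendering the list, and the token itself now lands in browser history and server access logs as a query parameter. This mirrors the existing `{#url_delete#}` links, so it may be an accepted trade-off, but a small per-row POST form would avoid both issues. The same applies to the corresponding links in the domain, alias, alias-domain and mailbox list templates below.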

@ -33,7 +33,7 @@
{if $CONF.transport==YES}<td>{$domain.transport}</td>{/if}
<td>{$domain._backupmx}</td>
<td>{$domain.modified}</td>
<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}&amp;active={if ($domain.active==0)}1{else}0{/if}">{$domain._active}</a></td>
<td><a href="{#url_editactive#}domain&amp;id={$domain.domain|escape:"url"}&amp;active={if ($domain.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{$domain._active}</a></td>
<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_delete#}?table=domain&amp;delete={$domain.domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>

@ -37,7 +37,7 @@
{/if}
<td>{$item.modified}</td>
{if $check_alias_owner[$i]==true}
<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}"
<td><a href="{#url_editactive#}alias&amp;id={$item.address|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}"
>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="delete.php?table=alias&amp;delete={$item.address|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"

@ -30,7 +30,7 @@
{/if}
{if $item.target_domain != $fDomain}</a>{/if}</td>
<td>{$item.modified}</td>
<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
<td><a href="{#url_editactive#}aliasdomain&amp;id={$item.alias_domain|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}">{$PALANG.edit}</a></td>
<td><a href="{#url_delete#}?table=aliasdomain&amp;delete={$item.alias_domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain} -&gt; {$item.target_domain}');">{$PALANG.del}</a></td>

@ -66,7 +66,7 @@
</td>
{/if}
<td>{$item.modified}</td>
<td><a href="{#url_create_mailbox#}&amp;edit={$item.username|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}"
<td><a href="{#url_editactive#}mailbox&amp;id={$item.username|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}"
>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
{if $CONF.vacation_control_admin===YES && $CONF.vacation===YES}
{if $item.v_active!==-1}
