editactive.php:

- new, small script to change the 'active' status
- also include CSRF protection token

edit.php:
- remove handling of 'active' to make it more readable

*list*.tpl:
- change links to use editactive.php, add CSRF token

configs/menu.conf
- add url_editactive


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1566 a1433add-5e2c-0410-b055-b7f2511e0802

configs/menu.conf

@@ -1,4 +1,5 @@
 url_main = main.php
+url_editactive = editactive.php?table=
 # list_admin
 url_list_admin = list-admin.php
 url_create_admin = edit.php?table=admin

edit.php

@@ -19,7 +19,6 @@
  * GET parameters:
  *      table   what to edit (*Handler)
  *      edit    item to edit (if net given: a new item will be created)
- *      active  if given: only change active state to given value (which must be 0 or 1) and return to listview
  *      additional parameters will be accepted if specified in *Handler->webformConfig()[prefill] when creating a new item
  */
 
@@ -40,19 +39,13 @@ $edit = safepost('edit', safeget('edit'));
 $new  = 0;
 if ($edit == "") $new = 1;
 
-$active = safeget('active');
-
 $handler     = new $handlerclass($new, $username);
 
 $formconf = $handler->webformConfig();
 
 authentication_require_role($formconf['required_role']);
 
-if ($active != '0' && $active != '1') {
-    $active = ''; # ignore invalid values
-}
-
-if ($edit != '' || $active != '' || $formconf['early_init']) {
+if ($edit != '' || $formconf['early_init']) {
     if (!$handler->init($edit)) {
         flash_error($handler->errormsg);
         header ("Location: " . $formconf['listview']);
@@ -63,7 +56,7 @@ if ($edit != '' || $active != '' || $formconf['early_init']) {
 $form_fields = $handler->getStruct();
 $id_field    = $handler->getId_field();
 
-if ($_SERVER['REQUEST_METHOD'] == "GET" && $active == '') {
+if ($_SERVER['REQUEST_METHOD'] == "GET") {
     if ($edit == '') { # new - prefill fields from URL parameters if allowed in $formconf['prefill']
         if ( isset($formconf['prefill']) ) {
             foreach ($formconf['prefill'] as $field) {
@@ -113,11 +106,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
     }
 }
 
-if ($active != '') {
-    $values['active'] = $active;
-}
-
-if ($_SERVER['REQUEST_METHOD'] == "POST" || $active != '') {
+if ($_SERVER['REQUEST_METHOD'] == "POST") {
     if (isset($formconf['hardcoded_edit']) && $formconf['hardcoded_edit']) {
         $values[$id_field] = $form_fields[$id_field]['default'];
     } elseif ($edit != "") {

editactive.php

@@ -0,0 +1,61 @@
+<?php
+/** 
+ * Postfix Admin 
+ * 
+ * LICENSE 
+ * This source file is subject to the GPL license that is bundled with  
+ * this package in the file LICENSE.TXT. 
+ * 
+ * Further details on the project are available at http://postfixadmin.sf.net 
+ * 
+ * @version $Id$ 
+ * @license GNU GPL v2 or later. 
+ * 
+ * File: delete.php
+ * Used to delete admins, domains, mailboxes, aliases etc.
+ *
+ * Template File: none
+ */
+
+require_once('common.php');
+
+if (safeget('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
+$username = authentication_get_username(); # enforce login
+
+$id     = safeget('id');
+$table  = safeget('table');
+$active = safeget('active');
+
+$handlerclass = ucfirst($table) . 'Handler';
+
+if ( !preg_match('/^[a-z]+$/', $table) || !file_exists("model/$handlerclass.php")) { # validate $table
+    die ("Invalid table name given!");
+}
+
+$handler = new $handlerclass(0, $username);                                                                                                           
+
+$formconf = $handler->webformConfig();
+
+authentication_require_role($formconf['required_role']);
+
+if ($handler->init($id)) { # errors will be displayed as last step anyway, no need for duplicated code ;-)
+    if ($active != '0' && $active != '1') {
+        die(Config::Lang('invalid_parameter'));
+    }
+
+    $values['active'] = $active;
+
+    if ( $handler->set(array('active' => $active)) ) {
+        $handler->store();
+    }
+}
+
+flash_error($handler->errormsg);
+flash_info($handler->infomsg);
+
+header ("Location: " . $formconf['listview']);
+exit;
+
+/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */
+?>

templates/adminlistadmin.tpl

@@ -18,8 +18,8 @@
 				{/if}
 			</td>
 			<td>{$admin.modified}</td>
-			<td><a href="{#url_edit_admin#}&amp;edit={$admin.username|escape:"url"}&amp;active={if ($admin.active==0)}1{else}0{/if}">{$admin._active}</a></td>
-			<td><a href="{#url_edit_admin#}&edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
+			<td><a href="{#url_editactive#}admin&amp;id={$admin.username|escape:"url"}&amp;active={if ($admin.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{$admin._active}</a></td>
+			<td><a href="{#url_edit_admin#}&amp;edit={$admin.username|escape:"url"}">{$PALANG.edit}</a></td>
 			<td><a href="{#url_delete#}?table=admin&amp;delete={$admin.username|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}" 
 				onclick="return confirm ('{$PALANG.confirm}{$PALANG.admin}: {$admin.username}');">{$PALANG.del}</a></td>
 		</tr>

templates/adminlistdomain.tpl

@@ -33,7 +33,7 @@
 			{if $CONF.transport==YES}<td>{$domain.transport}</td>{/if}
 			<td>{$domain._backupmx}</td>
 			<td>{$domain.modified}</td>
-			<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}&amp;active={if ($domain.active==0)}1{else}0{/if}">{$domain._active}</a></td>
+			<td><a href="{#url_editactive#}domain&amp;id={$domain.domain|escape:"url"}&amp;active={if ($domain.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{$domain._active}</a></td>
 			<td><a href="{#url_edit_domain#}&amp;edit={$domain.domain|escape:"url"}">{$PALANG.edit}</a></td>
 			<td><a href="{#url_delete#}?table=domain&amp;delete={$domain.domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}" 
 				onclick="return confirm ('{$PALANG.confirm_domain}{$PALANG.domain}: {$domain.domain}')">{$PALANG.del}</a></td>

templates/list-virtual_alias.tpl

@@ -37,7 +37,7 @@
 		{/if}
 		<td>{$item.modified}</td>
 		{if $check_alias_owner[$i]==true}
-			<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}"
+			<td><a href="{#url_editactive#}alias&amp;id={$item.address|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}"
 				>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 			<td><a href="{#url_create_alias#}&amp;edit={$item.address|escape:"url"}">{$PALANG.edit}</a></td>
 			<td><a href="delete.php?table=alias&amp;delete={$item.address|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}" 

templates/list-virtual_alias_domain.tpl

@@ -30,7 +30,7 @@
 					{/if}
 					{if $item.target_domain != $fDomain}</a>{/if}</td>
 				<td>{$item.modified}</td>
-				<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
+				<td><a href="{#url_editactive#}aliasdomain&amp;id={$item.alias_domain|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 				<td><a href="{#url_create_alias_domain#}&amp;edit={$item.alias_domain|escape:"url"}">{$PALANG.edit}</a></td>
 				<td><a href="{#url_delete#}?table=aliasdomain&amp;delete={$item.alias_domain|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
 					onclick="return confirm ('{$PALANG.confirm}{$PALANG.pOverview_get_alias_domains}: {$item.alias_domain} -&gt; {$item.target_domain}');">{$PALANG.del}</a></td>

templates/list-virtual_mailbox.tpl

@@ -66,7 +66,7 @@
 				</td>
 			{/if}
 			<td>{$item.modified}</td>
-			<td><a href="{#url_create_mailbox#}&amp;edit={$item.username|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}"
+			<td><a href="{#url_editactive#}mailbox&amp;id={$item.username|escape:"url"}&amp;active={if ($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}"
 				>{if $item.active==1}{$PALANG.YES}{else}{$PALANG.NO}{/if}</a></td>
 			{if $CONF.vacation_control_admin===YES && $CONF.vacation===YES}
 				{if $item.v_active!==-1}