author | Bharat Mediratta <bharat@menalto.com> | 2009-03-27 03:43:21 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2009-03-27 03:43:21 +0000 |
commit | 921f3a2eeeca9be23cb006a31b6d6f71e186374a (patch) | |
tree | f9626ae5191418410714b662799649de5a1ea37c | |
parent | d7719a7e72de2ddc46c9173b0871f53e32ef40fc (diff) |
Put csrf token into Admin_View and Theme_View by default, then use it
directly wherever possible instead of access::csrf_token().
-rw-r--r-- | core/controllers/admin_maintenance.php | 1 | ||||
-rw-r--r-- | core/controllers/admin_themes.php | 1 | ||||
-rw-r--r-- | core/controllers/quick.php | 1 | ||||
-rw-r--r-- | core/libraries/Theme_View.php | 1 | ||||
-rw-r--r-- | core/views/admin_dashboard.html.php | 2 | ||||
-rw-r--r-- | core/views/admin_graphics.html.php | 2 | ||||
-rw-r--r-- | core/views/admin_maintenance.html.php | 4 | ||||
-rw-r--r-- | core/views/admin_themes.html.php | 2 | ||||
-rw-r--r-- | core/views/admin_themes_preview.html.php | 2 | ||||
-rw-r--r-- | core/views/permissions_browse.html.php | 2 | ||||
-rw-r--r-- | core/views/quick_pane.html.php | 8 | ||||
-rw-r--r-- | core/views/simple_uploader.html.php | 2 | ||||
-rw-r--r-- | modules/comment/views/admin_comments.html.php | 6 | ||||
-rw-r--r-- | modules/exif/helpers/exif_theme.php | 6 | ||||
-rw-r--r-- | modules/exif/views/exif_sidebar.html.php | 3 | ||||
-rw-r--r-- | modules/server_add/views/admin_server_add.html.php | 2 | ||||
-rw-r--r-- | modules/tag/views/admin_tags.html.php | 4 | ||||
-rw-r--r-- | modules/user/views/admin_users.html.php | 4 | ||||
-rw-r--r-- | themes/admin_default/views/block.html.php | 2 |
19 files changed, 27 insertions, 28 deletions
diff --git a/core/controllers/admin_maintenance.php b/core/controllers/admin_maintenance.php
index df912e29..52378fbc 100644
--- a/core/controllers/admin_maintenance.php
+++ b/core/controllers/admin_maintenance.php
@@ -44,7 +44,6 @@ class Admin_Maintenance_Controller extends Admin_Controller { ->where("done", 0)->orderby("updated", "DESC")->find_all(); $view->content->finished_tasks = ORM::factory("task") ->where("done", 1)->orderby("updated", "DESC")->find_all();
- $view->content->csrf = access::csrf_token();
 print $view; }
diff --git a/core/controllers/admin_themes.php b/core/controllers/admin_themes.php
index e6751bed..6ace4036 100644
--- a/core/controllers/admin_themes.php
+++ b/core/controllers/admin_themes.php
@@ -53,6 +53,7 @@ class Admin_Themes_Controller extends Admin_Controller { } else { $view->url = url::site("albums/1?theme=$theme_name"); }
+ $view->csrf = access::csrf_token();
 print $view; }
diff --git a/core/controllers/quick.php b/core/controllers/quick.php
index 1b6e2bf8..166591fd 100644
--- a/core/controllers/quick.php
+++ b/core/controllers/quick.php
@@ -26,6 +26,7 @@ class Quick_Controller extends Controller { $view = new View("quick_pane.html"); $view->item = $item;
+ $view->csrf = access::csrf_token();
 print $view; }
diff --git a/core/libraries/Theme_View.php b/core/libraries/Theme_View.php
index cce315ff..bcd1604f 100644
--- a/core/libraries/Theme_View.php
+++ b/core/libraries/Theme_View.php
@@ -47,6 +47,7 @@ class Theme_View_Core extends View { $this->set_global("theme", $this); $this->set_global("user", user::active()); $this->set_global("page_type", $page_type);
+ $this->set_global("csrf", access::csrf_token());
 $maintenance_mode = Kohana::config("core.maintenance_mode", false, false); if ($maintenance_mode) {
diff --git a/core/views/admin_dashboard.html.php b/core/views/admin_dashboard.html.php
index 05fec643..c266d7e1 100644
--- a/core/views/admin_dashboard.html.php
+++ b/core/views/admin_dashboard.html.php
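Review bot: Removing `$view->content->csrf` leaves core/views/admin_maintenance.html.php depending on `$csrf` reaching the nested `$view->content` View through a global, which only holds if `View::set_global()` in this Kohana version is visible to every View instance and if the Admin_View that renders this page (it is not in the diffstat) actually sets that global; otherwise the resume/cancel links in that template render `?csrf=` with an empty value. A cheap check after deploying is to load the maintenance page and confirm the resume link carries a non-empty token. The method this hunk touches starts before the hunk.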
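Review bot: The commit message promises the token in Admin_View as well, but only Theme_View.php is modified, while admin templates (core/views/admin_dashboard.html.php, themes/admin_default/views/block.html.php) now read `$csrf` unconditionally; unless Admin_View derives from Theme_View_Core, which this diff does not show, those pages will emit an empty token and every admin action will be rejected by the CSRF check — or accepted, if the verifier treats an empty token leniently, which would be worse. Publishing the token with `set_global` also makes it readable from every themed view, including pages rendered for guests, which is acceptable only if the token is bound to the current session (not visible here). A comment on the new line would make the contract explicit: `// Exposed as $csrf to every Theme_View and nested View; Admin_View must provide the same.` The constructor continues outside the hunk.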
@@ -2,7 +2,7 @@ <script type="text/javascript"> update_blocks = function() { $.get("<?= url::site("admin/dashboard/reorder") ?>",
- {"csrf": "<?= access::csrf_token() ?>",
+ {"csrf": "<?= $csrf ?>",
 "dashboard_center[]": $("#gAdminDashboard").sortable( "toArray", {attribute: "block_id"}), "dashboard_sidebar[]": $("#gAdminDashboardSidebar").sortable(
diff --git a/core/views/admin_graphics.html.php b/core/views/admin_graphics.html.php
index add88b16..08374471 100644
--- a/core/views/admin_graphics.html.php
+++ b/core/views/admin_graphics.html.php
@@ -3,7 +3,7 @@ $(document).ready(function() { select_toolkit = function(el) { if (!$(this).hasClass("gUnavailable")) {
- window.location = '<?= url::site("admin/graphics/choose/__TK__?csrf=" . access::csrf_token()) ?>'
+ window.location = '<?= url::site("admin/graphics/choose/__TK__?csrf=$csrf") ?>'
 .replace("__TK__", $(this).attr("id")); } };
diff --git a/core/views/admin_maintenance.html.php b/core/views/admin_maintenance.html.php
index 8d067a65..5cf9f134 100644
--- a/core/views/admin_maintenance.html.php
+++ b/core/views/admin_maintenance.html.php
@@ -92,7 +92,7 @@ </td> <td> <? if ($task->state == "stalled"): ?>
- <a href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
+ <a class="gDialogLink" href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
 <?= t("resume") ?> </a> <? endif ?>
@@ -163,7 +163,7 @@ <?= t("remove") ?> </a> <? else: ?>
- <a href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
+ <a class="gDialogLink" href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
 <?= t("resume") ?> </a> <a href="<?= url::site("admin/maintenance/cancel/$task->id?csrf=$csrf") ?>">
diff --git a/core/views/admin_themes.html.php b/core/views/admin_themes.html.php
index 2155e39b..f85bce70 100644
--- a/core/views/admin_themes.html.php
+++ b/core/views/admin_themes.html.php
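Review bot: Adding `class="gDialogLink"` to the two resume links changes client-side behaviour (presumably the link is intercepted and loaded into a dialog) and has nothing to do with the csrf refactor the message describes, so it should at least be mentioned in the commit message. Note also that resume, and cancel on the trailing context line, remain plain GET links whose only authorisation is the `csrf` query parameter; a token carried in a URL ends up in browser history, server and proxy logs, and the Referer of whatever the action redirects to. If the dialog code issues the request via XHR anyway, sending it as a POST with `csrf` in the body would be the cheap fix now that both lines are being rewritten.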
@@ -2,7 +2,7 @@ <script type="text/javascript"> var select_url = "<?= url::site("admin/themes/choose") ?>"; select = function(type, id) {
- $.post(select_url, {"type": type, "id": id, "csrf": '<?= access::csrf_token() ?>'},
+ $.post(select_url, {"type": type, "id": id, "csrf": '<?= $csrf ?>'},
 function() { load(type) }); } </script>
diff --git a/core/views/admin_themes_preview.html.php b/core/views/admin_themes_preview.html.php
index d4fa617d..a7aea172 100644
--- a/core/views/admin_themes_preview.html.php
+++ b/core/views/admin_themes_preview.html.php
@@ -1,6 +1,6 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> <p>
- <a href="<?= url::site("admin/themes/choose/$type/$theme_name?csrf=" . access::csrf_token()) ?>">
+ <a href="<?= url::site("admin/themes/choose/$type/$theme_name?csrf=$csrf") ?>">
 <?= t("Activate <strong>%theme_name</strong>", array("theme_name" => $info->name)) ?> </a> </p>
diff --git a/core/views/permissions_browse.html.php b/core/views/permissions_browse.html.php
index 4c960134..36d097cc 100644
--- a/core/views/permissions_browse.html.php
+++ b/core/views/permissions_browse.html.php
@@ -12,7 +12,7 @@ }); }
- var action_url = "<?= url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=" . access::csrf_token()) ?>";
+ var action_url = "<?= url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=$csrf") ?>";
 set = function(cmd, group_id, perm_id, item_id) { $.ajax({ url: action_url.replace("__CMD__", cmd).replace("__GROUP__", group_id).
diff --git a/core/views/quick_pane.html.php b/core/views/quick_pane.html.php
index 45d14251..d6f097d4 100644
--- a/core/views/quick_pane.html.php
+++ b/core/views/quick_pane.html.php
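Review bot: permissions_browse.html.php now expects `$csrf` in scope, but unlike quick.php and admin_themes.php no controller hunk in this commit assigns it, so this only works if the template is rendered through Theme_View (or as a nested view that inherits its global); if it is rendered with a plain `View`, its controller needs the same `$view->csrf = access::csrf_token();` that quick.php receives. Worth confirming by opening the permissions dialog and checking that `action_url` contains a non-empty token. The `set` function and its `$.ajax` call continue outside the hunk.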
@@ -14,14 +14,14 @@ </a> <? if ($item->is_photo() && graphics::can("rotate")): ?>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/ccw?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/ccw?csrf=$csrf") ?>"
 title="<?= t("Rotate 90 degrees counter clockwise") ?>"> <span class="ui-icon ui-icon-rotate-ccw"> <?= t("Rotate 90 degrees counter clockwise") ?> </span> </a>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/cw?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/cw?csrf=$csrf") ?>"
 title="<?= t("Rotate 90 degrees clockwise") ?>"> <span class="ui-icon ui-icon-rotate-cw"> <?= t("Rotate 90 degrees clockwise") ?> </span> </a>
@@ -51,7 +51,7 @@ <? elseif ($item->type == "album"): ?> <? $title = t("Choose this album as the album cover") ?> <? endif ?>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/make_album_cover/$item->id?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/make_album_cover/$item->id?csrf=$csrf") ?>"
 title="<?= $title ?>"> <span class="ui-icon ui-icon-star"> <?= $title ?>
@@ -65,7 +65,7 @@ <? elseif ($item->type == "album"): ?> <? $title = t("Delete this album") ?> <? endif ?>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/delete/$item->id?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/delete/$item->id?csrf=$csrf") ?>"
 title="<?= $title ?>"> <span class="ui-icon ui-icon-trash"> <?= $title ?>
diff --git a/core/views/simple_uploader.html.php b/core/views/simple_uploader.html.php
index 246e59b2..16ca0d0b 100644
--- a/core/views/simple_uploader.html.php
+++ b/core/views/simple_uploader.html.php
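Review bot: The delete link (like the rotate and album-cover links in the earlier hunks of this file) performs a state-changing action from an `<a href>` GET whose only protection is the `csrf` query parameter, so the token is written into browser history, server/proxy logs and the Referer of any page reached from the response, and a link prefetcher or accelerator can trigger the delete without a click. Since every one of these lines is being rewritten anyway, this is the moment to make the destructive ones POST (a small form, or `$.post` with `csrf` in the body) and keep GET for navigation only. The `<a>` element continues on the context lines after the change.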
@@ -68,7 +68,7 @@ post_params: { "g3sid": "<?= Session::instance()->id() ?>", "user_agent": "<?= Input::instance()->server("HTTP_USER_AGENT") ?>",
- "csrf": "<?= access::csrf_token() ?>"
+ "csrf": "<?= $csrf ?>"
 }, file_size_limit : "100 MB", file_types : "*.gif;*.jpg;*.png;*.flv;*.mp4",
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index c5689e08..63b1a394 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -1,7 +1,7 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> <script type="text/javascript"> var set_state_url =
- "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=" . access::csrf_token()) ?>";
+ "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=$csrf") ?>";
 function set_state(state, id) { $.get(set_state_url.replace("__STATE__", state).replace("__ID__", id), {},
@@ -12,7 +12,7 @@ } var delete_url =
- "<?= url::site("admin/comments/delete/__ID__?csrf=" . access::csrf_token()) ?>";
+ "<?= url::site("admin/comments/delete/__ID__?csrf=$csrf") ?>";
 function del(id) { $.get(delete_url.replace("__ID__", id),
@@ -63,7 +63,7 @@ $spam->count()) ?> </p> <p>
- <a href="<?= url::site("admin/comments/delete_all_spam?csrf=" . access::csrf_token()) ?>">
+ <a href="<?= url::site("admin/comments/delete_all_spam?csrf=$csrf") ?>">
 <?= t("Delete all spam") ?> </a> <? else: ?>
diff --git a/modules/exif/helpers/exif_theme.php b/modules/exif/helpers/exif_theme.php
index 41eb5c76..432bca40 100644
--- a/modules/exif/helpers/exif_theme.php
+++ b/modules/exif/helpers/exif_theme.php
@@ -26,11 +26,9 @@ class exif_theme_Core { if (!empty($exif_count)) { $view = new View("exif_sidebar.html");
-
- $csrf = access::csrf_token();
- $view->url = url::site("exif/show/{$item->id}?csrf=$csrf");
+ $view->item = $item;
 return $view;
- }
+ }
 } return null; }
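Review bot: `"csrf": "<?= $csrf ?>"` interpolates the token into a JavaScript string literal with no escaping, and so do the `g3sid` and `user_agent` values on the two context lines above it; the token is server-generated (its alphabet is not visible here) but `HTTP_USER_AGENT` is client-supplied, so a `"` in it terminates the literal and breaks the uploader script — self-inflicted, but still a bug. Emitting each value with `json_encode()`, e.g. `"csrf": <?= json_encode($csrf) ?>`, removes the guesswork for all three. The `post_params` object belongs to a configuration block that starts before the hunk.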
diff --git a/modules/exif/views/exif_sidebar.html.php b/modules/exif/views/exif_sidebar.html.php
index 21f5a79b..fa482204 100644
--- a/modules/exif/views/exif_sidebar.html.php
+++ b/modules/exif/views/exif_sidebar.html.php
@@ -1,8 +1,7 @@ <?php defined("SYSPATH") or die("No direct script access.") ?>
-<a href="<?= $url ?>" title="<?= t("Photo Details") ?>"
+<a href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details") ?>"
 class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all"> <span class="ui-icon ui-icon-info"></span> <?= t("View more information") ?> </a>
-
\ No newline at end of file
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index e37b262c..6f87c512 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -8,7 +8,7 @@ <ul id="gPathList"> <? foreach ($paths as $id => $path): ?> <li class="ui-icon-left">
- <a href="<?= url::site("admin/server_add/remove_path?path=$path&csrf=" . access::csrf_token()) ?>"
+ <a href="<?= url::site("admin/server_add/remove_path?path=$path&csrf=$csrf") ?>"
 id="icon_<?= $id?>" class="gRemoveDir ui-icon ui-icon-trash"> X
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index db51555a..48d2d0f8 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -5,12 +5,12 @@ // using JS for adding link titles to avoid running t() for each tag $("#gTagAdmin .tag-name").attr("title", "<?= t("Click to edit this tag") ?>"); $("#gTagAdmin .delete-link").attr("title", $(".delete-link:first span").html());
-
+
 // In-place editing for tag admin $(".gEditable").bind("click", editInplace); }); // make some values available within tag.js
- var csrf_token = "<?= access::csrf_token() ?>";
+ var csrf_token = "<?= $csrf ?>";
 var save_i18n = '<?= t("save") ?>'; var or_i18n = '<?= t("or") ?>'; var cancel_i18n = '<?= t("cancel") ?>';
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 2d30b218..67dd297d 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
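Review bot: The rebuilt link drops the `csrf` parameter from `exif/show/{$item->id}`, which is the right call for a read-only action but only if the `exif/show` controller method no longer calls the CSRF verifier; if it still does, the sidebar's "View more information" dialog will start failing for everyone. It is also worth confirming that `exif/show` checks view permission on the item itself, in case the token was doubling as a logged-in check before this change. The `<a>` element continues on the context line after the change.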
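Review bot: `$path` is interpolated into the query string and the `href` attribute with no encoding, so a directory name containing `&`, `#`, `%`, `+`, a space or a quote yields a broken or truncated `remove_path` URL (unless `url::site()` encodes query strings, which is not visible here), and the literal `&` between the two parameters is not `&amp;`-escaped inside the attribute. Building the URL as `url::site("admin/server_add/remove_path?path=" . rawurlencode($path) . "&csrf=$csrf")` and printing it through `htmlspecialchars()` fixes both. The `<a>` element continues on the context lines after the change.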
@@ -1,6 +1,6 @@ <?php defined("SYSPATH") or die("No direct script access.") ?> <script type="text/javascript">
- var add_user_to_group_url = "<?= url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=" . access::csrf_token()) ?>";
+ var add_user_to_group_url = "<?= url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=$csrf") ?>";
 $(document).ready(function(){ $("#gUserAdminList .core-info").draggable({ helper: "clone"
@@ -32,7 +32,7 @@ } var remove_user = function(user_id, group_id) {
- var remove_user_url = "<?= url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=" . access::csrf_token()) ?>";
+ var remove_user_url = "<?= url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=$csrf") ?>";
 $.get(remove_user_url.replace("__USERID__", user_id).replace("__GROUPID__", group_id), {}, function() {
diff --git a/themes/admin_default/views/block.html.php b/themes/admin_default/views/block.html.php
index 332e440b..21512d02 100644
--- a/themes/admin_default/views/block.html.php
+++ b/themes/admin_default/views/block.html.php
@@ -2,7 +2,7 @@ <div block_id="<?= $id ?>" id="<?= $css_id ?>" class="gBlock ui-widget"> <div class="ui-dialog-titlebar ui-widget-header ui-helper-clearfix ui-icon-right"> <? if ($css_id != "gBlockAdder"): ?>
- <a href="<?= url::site("admin/dashboard/remove_block/$id?csrf=" . access::csrf_token()) ?>"
+ <a href="<?= url::site("admin/dashboard/remove_block/$id?csrf=$csrf") ?>"
 class="ui-dialog-titlebar-close ui-corner-all"> <span class="ui-icon ui-icon-closethick">remove</span> </a> |