diff options
| author | Bharat Mediratta <bharat@menalto.com> | 2010-09-11 01:46:45 -0700 |
|---|---|---|
| committer | Bharat Mediratta <bharat@menalto.com> | 2010-09-11 01:46:45 -0700 |
| commit | 67f45cfa781ef4b446676e199470e421f5463812 (patch) | |
| tree | 751fabecfcd5892f100604dd9ed2bb947d9c0b08 /modules/gallery/controllers | |
| parent | a88b3f580812e7670933a6d695c89ef93f0142d4 (diff) | |
Add CSRF protection to the upgrader. And update the CLI output so
that it tells you which modules failed to upgrade properly. Fixes
ticket #1359.
Diffstat (limited to 'modules/gallery/controllers')
| -rw-r--r-- | modules/gallery/controllers/upgrader.php | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php index 6613d671..b2646874 100644 --- a/modules/gallery/controllers/upgrader.php +++ b/modules/gallery/controllers/upgrader.php @@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller { // @todo this may screw up some module installers, but we don't have a better answer at // this time. $_SERVER["HTTP_HOST"] = "example.com"; - } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { - access::forbidden(); + } else { + if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { + access::forbidden(); + } + + try { + access::verify_csrf(); + } catch (Exception $e) { + url::redirect("upgrader"); + } } $available = module::available(); @@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller { site_status::clear("upgrade_now"); if (php_sapi_name() == "cli") { - print "Upgrade complete\n"; + if ($failed) { + print "Upgrade completed ** WITH FAILURES **\n"; + print "The following modules were not successfully upgraded:\n"; + print " " . implode($failed, "\n ") . "\n"; + print "Try getting newer versions or deactivating those modules\n"; + } else { + print "Upgrade complete\n"; + } } else { url::redirect("upgrader?failed=" . join(",", $failed)); } |