From 921f3a2eeeca9be23cb006a31b6d6f71e186374a Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Fri, 27 Mar 2009 03:43:21 +0000
Subject: Put csrf token into Admin_View and Theme_View by default, then use it
 directly wherever possible instead of access::csrf_token().

---
 core/controllers/admin_maintenance.php   | 1 -
 core/controllers/admin_themes.php        | 1 +
 core/controllers/quick.php               | 1 +
 core/libraries/Theme_View.php            | 1 +
 core/views/admin_dashboard.html.php      | 2 +-
 core/views/admin_graphics.html.php       | 2 +-
 core/views/admin_maintenance.html.php    | 4 ++--
 core/views/admin_themes.html.php         | 2 +-
 core/views/admin_themes_preview.html.php | 2 +-
 core/views/permissions_browse.html.php   | 2 +-
 core/views/quick_pane.html.php           | 8 ++++----
 core/views/simple_uploader.html.php      | 2 +-
 12 files changed, 15 insertions(+), 13 deletions(-)

(limited to 'core')

diff --git a/core/controllers/admin_maintenance.php b/core/controllers/admin_maintenance.php
index df912e29..52378fbc 100644
--- a/core/controllers/admin_maintenance.php
+++ b/core/controllers/admin_maintenance.php
@@ -44,7 +44,6 @@ class Admin_Maintenance_Controller extends Admin_Controller {
       ->where("done", 0)->orderby("updated", "DESC")->find_all();
     $view->content->finished_tasks = ORM::factory("task")
       ->where("done", 1)->orderby("updated", "DESC")->find_all();
-    $view->content->csrf = access::csrf_token();
     print $view;
   }
 
diff --git a/core/controllers/admin_themes.php b/core/controllers/admin_themes.php
index e6751bed..6ace4036 100644
--- a/core/controllers/admin_themes.php
+++ b/core/controllers/admin_themes.php
@@ -53,6 +53,7 @@ class Admin_Themes_Controller extends Admin_Controller {
     } else {
       $view->url = url::site("albums/1?theme=$theme_name");
     }
+    $view->csrf = access::csrf_token();
     print $view;
   }
 
diff --git a/core/controllers/quick.php b/core/controllers/quick.php
index 1b6e2bf8..166591fd 100644
--- a/core/controllers/quick.php
+++ b/core/controllers/quick.php
@@ -26,6 +26,7 @@ class Quick_Controller extends Controller {
 
     $view = new View("quick_pane.html");
     $view->item = $item;
+    $view->csrf = access::csrf_token();
     print $view;
   }
 
diff --git a/core/libraries/Theme_View.php b/core/libraries/Theme_View.php
index cce315ff..bcd1604f 100644
--- a/core/libraries/Theme_View.php
+++ b/core/libraries/Theme_View.php
@@ -47,6 +47,7 @@ class Theme_View_Core extends View {
     $this->set_global("theme", $this);
     $this->set_global("user", user::active());
     $this->set_global("page_type", $page_type);
+    $this->set_global("csrf", access::csrf_token());
 
     $maintenance_mode = Kohana::config("core.maintenance_mode", false, false);
     if ($maintenance_mode) {
diff --git a/core/views/admin_dashboard.html.php b/core/views/admin_dashboard.html.php
index 05fec643..c266d7e1 100644
--- a/core/views/admin_dashboard.html.php
+++ b/core/views/admin_dashboard.html.php
@@ -2,7 +2,7 @@
 <script type="text/javascript">
   update_blocks = function() {
     $.get("<?= url::site("admin/dashboard/reorder") ?>",
-          {"csrf": "<?= access::csrf_token() ?>",
+          {"csrf": "<?= $csrf ?>",
            "dashboard_center[]": $("#gAdminDashboard").sortable(
              "toArray", {attribute: "block_id"}),
            "dashboard_sidebar[]": $("#gAdminDashboardSidebar").sortable(
diff --git a/core/views/admin_graphics.html.php b/core/views/admin_graphics.html.php
index add88b16..08374471 100644
--- a/core/views/admin_graphics.html.php
+++ b/core/views/admin_graphics.html.php
@@ -3,7 +3,7 @@
   $(document).ready(function() {
     select_toolkit = function(el) {
       if (!$(this).hasClass("gUnavailable")) {
-        window.location = '<?= url::site("admin/graphics/choose/__TK__?csrf=" . access::csrf_token()) ?>'
+        window.location = '<?= url::site("admin/graphics/choose/__TK__?csrf=$csrf") ?>'
           .replace("__TK__", $(this).attr("id"));
       }
     };
diff --git a/core/views/admin_maintenance.html.php b/core/views/admin_maintenance.html.php
index 8d067a65..5cf9f134 100644
--- a/core/views/admin_maintenance.html.php
+++ b/core/views/admin_maintenance.html.php
@@ -92,7 +92,7 @@
         </td>
         <td>
           <? if ($task->state == "stalled"): ?>
-          <a href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
+          <a class="gDialogLink" href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
             <?= t("resume") ?>
           </a>
           <? endif ?>
@@ -163,7 +163,7 @@
             <?= t("remove") ?>
           </a>
           <? else: ?>
-          <a href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
+          <a class="gDialogLink" href="<?= url::site("admin/maintenance/resume/$task->id?csrf=$csrf") ?>">
             <?= t("resume") ?>
           </a>
           <a href="<?= url::site("admin/maintenance/cancel/$task->id?csrf=$csrf") ?>">
diff --git a/core/views/admin_themes.html.php b/core/views/admin_themes.html.php
index 2155e39b..f85bce70 100644
--- a/core/views/admin_themes.html.php
+++ b/core/views/admin_themes.html.php
@@ -2,7 +2,7 @@
 <script type="text/javascript">
   var select_url = "<?= url::site("admin/themes/choose") ?>";
   select = function(type, id) {
-    $.post(select_url, {"type": type, "id": id, "csrf": '<?= access::csrf_token() ?>'},
+    $.post(select_url, {"type": type, "id": id, "csrf": '<?= $csrf ?>'},
       function() { load(type) });
   }
 </script>
diff --git a/core/views/admin_themes_preview.html.php b/core/views/admin_themes_preview.html.php
index d4fa617d..a7aea172 100644
--- a/core/views/admin_themes_preview.html.php
+++ b/core/views/admin_themes_preview.html.php
@@ -1,6 +1,6 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <p>
-  <a href="<?= url::site("admin/themes/choose/$type/$theme_name?csrf=" . access::csrf_token()) ?>">
+  <a href="<?= url::site("admin/themes/choose/$type/$theme_name?csrf=$csrf") ?>">
     <?= t("Activate <strong>%theme_name</strong>", array("theme_name" => $info->name)) ?>
   </a>
 </p>
diff --git a/core/views/permissions_browse.html.php b/core/views/permissions_browse.html.php
index 4c960134..36d097cc 100644
--- a/core/views/permissions_browse.html.php
+++ b/core/views/permissions_browse.html.php
@@ -12,7 +12,7 @@
     });
   }
 
-  var action_url = "<?= url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=" . access::csrf_token()) ?>";
+  var action_url = "<?= url::site("permissions/change/__CMD__/__GROUP__/__PERM__/__ITEM__?csrf=$csrf") ?>";
   set = function(cmd, group_id, perm_id, item_id) {
     $.ajax({
       url: action_url.replace("__CMD__", cmd).replace("__GROUP__", group_id).
diff --git a/core/views/quick_pane.html.php b/core/views/quick_pane.html.php
index 45d14251..d6f097d4 100644
--- a/core/views/quick_pane.html.php
+++ b/core/views/quick_pane.html.php
@@ -14,14 +14,14 @@
 </a>
 
 <? if ($item->is_photo() && graphics::can("rotate")): ?>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/ccw?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/ccw?csrf=$csrf") ?>"
   title="<?= t("Rotate 90 degrees counter clockwise") ?>">
   <span class="ui-icon ui-icon-rotate-ccw">
     <?= t("Rotate 90 degrees counter clockwise") ?>
   </span>
 </a>
 
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/cw?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/rotate/$item->id/cw?csrf=$csrf") ?>"
   title="<?= t("Rotate 90 degrees clockwise") ?>">
   <span class="ui-icon ui-icon-rotate-cw">
     <?= t("Rotate 90 degrees clockwise") ?>
@@ -51,7 +51,7 @@
 <? elseif ($item->type == "album"): ?>
 <? $title = t("Choose this album as the album cover") ?>
 <? endif ?>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/make_album_cover/$item->id?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/make_album_cover/$item->id?csrf=$csrf") ?>"
    title="<?= $title ?>">
   <span class="ui-icon ui-icon-star">
     <?= $title ?>
@@ -65,7 +65,7 @@
 <? elseif ($item->type == "album"): ?>
 <? $title = t("Delete this album") ?>
 <? endif ?>
-<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/delete/$item->id?csrf=" . access::csrf_token()) ?>"
+<a class="gButtonLink ui-corner-all ui-state-default" href="<?= url::site("quick/delete/$item->id?csrf=$csrf") ?>"
    title="<?= $title ?>">
   <span class="ui-icon ui-icon-trash">
     <?= $title ?>
diff --git a/core/views/simple_uploader.html.php b/core/views/simple_uploader.html.php
index 246e59b2..16ca0d0b 100644
--- a/core/views/simple_uploader.html.php
+++ b/core/views/simple_uploader.html.php
@@ -68,7 +68,7 @@
     post_params: {
       "g3sid": "<?= Session::instance()->id() ?>",
       "user_agent": "<?= Input::instance()->server("HTTP_USER_AGENT") ?>",
-      "csrf": "<?= access::csrf_token() ?>"
+      "csrf": "<?= $csrf ?>"
     },
     file_size_limit : "100 MB",
     file_types : "*.gif;*.jpg;*.png;*.flv;*.mp4",
-- 
cgit v1.2.3