Dodaj walidację tokenów uploadu oraz zabezpieczenia dostępu w plikach dialog.php i upload-articles-*.php

2025-09-28 10:36:40 +02:00
parent b6712fd486
commit 8d8d3b6174
4 changed files with 246 additions and 170 deletions


@@ -2,8 +2,20 @@
<script type="text/javascript" src="/libraries/ckeditor/adapters/jquery.js"></script>
<script type="text/javascript" src="/libraries/jquery/sortable/sortable.js"></script>
<?
global $db, $settings;
global $db, $settings, $user;
if ( !$user ) {
header( 'Location: /admin/' );
exit;
}
$upload_token = bin2hex(random_bytes(24));
$_SESSION['upload_tokens'][$upload_token] = [
'user_id' => $user['id'],
'expires' => time() + 60*20,
];
$_SESSION['rfm_akey'] = bin2hex(random_bytes(16));
$_SESSION['rfm_akey_expires'] = time() + 20*60; // 20 min
$_SESSION['can_use_rfm'] = true; // Twoje uprawnienie do RFM
$rfmAkeyJS = $_SESSION['rfm_akey']; // bezpieczne do JS
ob_start();
?>
<div id="settings-tabs">
@@ -38,9 +50,9 @@ ob_start();
</ul>
<div class="resp-tabs-container languages-main">
<? if ( is_array( $this -> languages ) ): foreach ( $this -> languages as $lg ):?>
<?
<?
$languages = array();
$languages[''] = '---- wersja językowa ----';
if ( is_array( $this -> languages ) ) foreach ( $this -> languages as $lg_tmp )
{
@@ -90,7 +102,11 @@ ob_start();
$( function() {
$( '#text_<?= $lg['id'];?>, #entry_<?= $lg['id'];?>' ).ckeditor( {
toolbar : 'MyToolbar',
height:'350'
height:'350',
filebrowserBrowseUrl: '/libraries/filemanager-9.14.1/dialog.php?type=2&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.1/dialog.php?type=1&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
filebrowserUploadUrl: '/libraries/filemanager-9.14.1/dialog.php?type=2&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>',
filebrowserImageUploadUrl: '/libraries/filemanager-9.14.1/dialog.php?type=1&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>'
});
});
</script>
@@ -158,7 +174,7 @@ ob_start();
'id' => 'password',
'value' => $this -> article['password']
)
);?>
);?>
<?= \Html::select( [
'label' => 'Moduł Pixieset',
'name' => "pixieset",
@@ -281,7 +297,7 @@ ob_start();
</div>
</div>
<div>
<?
<?
$layouts[''] = '---- szablon domyślny ----';
if ( is_array( $this -> layouts ) ): foreach ( $this -> layouts as $layout ):
$layouts[ $layout['id'] ] = $layout['name'];
@@ -303,7 +319,7 @@ ob_start();
if ( is_array( $this -> menus ) ) foreach ( $this -> menus as $menu )
{
?>
<div class="menu_sortable">
<div class="menu_sortable">
<ol class="sortable" id="sortable_<?= $menu['id'];?>">
<li id="list_<?= $menu['id'];?>" class="menu_<?= $menu['id'];?>" menu="<?= $menu['id'];?>">
<div class="context_0 content content_menu" <? if ( !$menu['status'] ) echo 'style="color: #cc0000;"';?>>
@@ -346,7 +362,7 @@ ob_start();
<?
$files_count = 0;
if ( is_array( $this -> article['files'] ) ): foreach ( $this -> article['files'] as $file ):
if ( $file['name'] )
$name = $file['name'];
else
@@ -372,13 +388,13 @@ ob_start();
</div>
<? if ( is_array( $this -> additional_params_lon ) and count( $this -> additional_params_lon ) or is_array( $this -> additional_params_loff ) and count( $this -> additional_params_loff ) ):?>
<div>
<?
<?
if ( is_array( $this -> article['params'] ) ) foreach ( $this -> article['params'] as $param )
$params[ $param['param_id'] . '_' . $param['language_id'] ] = $param['value'];
?>
<? if ( is_array( $this -> additional_params_loff ) and count( $this -> additional_params_loff ) ):?>
<? foreach ( $this -> additional_params_loff as $param ):?>
<? if ( $param['type'] == 'input-date' ):?>
<? if ( $param['type'] == 'input-date' ):?>
<?= \Html::input(
array(
'label' => $param['display_name'],
@@ -399,7 +415,7 @@ ob_start();
)
);?>
<? endif;?>
<? if ( $param['type'] == 'input-text' ):?>
<? if ( $param['type'] == 'input-text' ):?>
<?= \Html::input(
array(
'label' => $param['display_name'],
@@ -409,7 +425,7 @@ ob_start();
)
);?>
<? endif;?>
<? if ( $param['type'] == 'ckeditor' ):?>
<? if ( $param['type'] == 'ckeditor' ):?>
<?= \Html::textarea(
array(
'label' => $param['display_name'],
@@ -423,7 +439,11 @@ ob_start();
$( function() {
$( '#ap_<?= $param['name'];?>' ).ckeditor( {
toolbar : 'MyTool',
height:'350'
height:'350',
filebrowserBrowseUrl: '/libraries/filemanager-9.14.1/dialog.php?type=2&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.1/dialog.php?type=1&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
filebrowserUploadUrl: '/libraries/filemanager-9.14.1/dialog.php?type=2&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>',
filebrowserImageUploadUrl: '/libraries/filemanager-9.14.1/dialog.php?type=1&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>'
});
});
</script>
@@ -444,7 +464,7 @@ ob_start();
<? if ( $lg['status'] ):?>
<div>
<? foreach ( $this -> additional_params_lon as $param ):?>
<? if ( $param['type'] == 'input-text' ):?>
<? if ( $param['type'] == 'input-text' ):?>
<?= \Html::input(
array(
'label' => $param['display_name'],
@@ -454,7 +474,7 @@ ob_start();
)
);?>
<? endif;?>
<? if ( $param['type'] == 'ckeditor' ):?>
<? if ( $param['type'] == 'ckeditor' ):?>
<?= \Html::textarea(
array(
'label' => $param['display_name'],
@@ -468,7 +488,11 @@ ob_start();
$( function() {
$( '#ap_<?= $param['name'];?>_<?= $lg['id'];?>' ).ckeditor( {
toolbar : 'MyTool',
height:'350'
height:'350',
filebrowserBrowseUrl: '/libraries/filemanager-9.14.1/dialog.php?type=2&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.1/dialog.php?type=1&editor=ckeditor&akey=<?= $rfmAkeyJS;?>',
filebrowserUploadUrl: '/libraries/filemanager-9.14.1/dialog.php?type=2&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>',
filebrowserImageUploadUrl: '/libraries/filemanager-9.14.1/dialog.php?type=1&editor=ckeditor&upload=1&akey=<?= $rfmAkeyJS;?>'
});
});
</script>
@@ -511,9 +535,9 @@ $grid -> fields = [
'value' => $this -> article['id']
]
];
$grid -> actions = [
'save' => [ 'url' => '/admin/articles/article_save/', 'back_url' => '/admin/articles/view_list/' ],
'cancel' => [ 'url' => '/admin/articles/view_list/' ]
$grid -> actions = [
'save' => [ 'url' => '/admin/articles/article_save/', 'back_url' => '/admin/articles/view_list/' ],
'cancel' => [ 'url' => '/admin/articles/view_list/' ]
];
$grid -> external_code = $out;
$grid -> persist_edit = true;
@@ -536,21 +560,21 @@ echo $grid -> draw();
<script type="text/javascript">
var images_count = <?= $images_count;?>;
var files_count = <?= $files_count;?>;
function google_preview( lang_id )
{
var meta_title = $.trim( $( '#meta_title_' + lang_id ).val() );
var title = $( '#title_' + lang_id ).val();
var seo_link = $( '#seo_link_' + lang_id ).val();
var description = $( '#meta_description_' + lang_id ).val();
if ( typeof title !== "undefined" && title != '' || typeof meta_title !== "undefined" && meta_title != '' )
{
if ( meta_title != '' )
var title_tmp = meta_title
else
var title_tmp = title;
if ( title_tmp.length < 65 )
$( '#google-preview-' + lang_id + ' .google-title' ).html( title_tmp );
else if ( typeof description !== "undefined" )
@@ -559,7 +583,7 @@ echo $grid -> draw();
$( '#google-preview-' + lang_id + ' .google-title' ).html( title_tmp.substring( 0, space ).concat( '...' ) );
}
}
if ( typeof description !== "undefined" && description.length < 153 )
$( '#google-preview-' + lang_id + ' .google-description' ).html( description );
else if ( typeof description !== "undefined" )
@@ -567,7 +591,7 @@ echo $grid -> draw();
var space = description.lastIndexOf( " ", 153 );
$( '#google-preview-' + lang_id + ' .google-description' ).html( description.substring( 0, space ).concat( '...' ) );
}
if ( seo_link )
$( '#google-preview-' + lang_id + ' .google-url' ).html( '<?= $_SERVER['SERVER_NAME'];?>/' + seo_link );
else
@@ -582,55 +606,55 @@ echo $grid -> draw();
title: title,
article_id: $( '#id' ).val()
},
success: function( data )
success: function( data )
{
$( '#google-preview-' + lang_id + ' .google-url' ).html( data );
}
});
}
}
$( function()
$( function()
{
const observer = lozad();
observer.observe();
<? if ( is_array( $this -> languages ) ): foreach ( $this -> languages as $lg ):?>
google_preview( '<?= $lg['id'];?>' );
<? endforeach; endif;?>
disable_menu();
var el = document.getElementById( 'images-list' );
var sortable = Sortable.create(el, {
onEnd: function ( evt ) {
var order = '';
$( '#images-list li' ).each( function()
$( '#images-list li' ).each( function()
{
if ( order !== '' )
order += ';';
order += $( this ).children( 'a' ).attr( 'image-id' );
});
$.ajax(
{
type: 'POST',
cache: false,
url: '/admin/articles/gallery_order_save/',
data:
data:
{
article_id: '<?= $this -> article['id'];?>',
order: order
},
beforeSend: function()
beforeSend: function()
{
$( '#overlay' ).show();
},
success: function( data )
success: function( data )
{
$( '#overlay' ).hide();
response = jQuery.parseJSON( data );
response = jQuery.parseJSON( data );
if ( response.status !== 'ok' )
create_error( response.msg );
@@ -638,11 +662,11 @@ echo $grid -> draw();
});
}
});
$(".tm-input").tagsManager(
{
tagsContainer: '.tags',
prefilled: [ <?
prefilled: [ <?
if ( is_array( $this -> article['tags'] ) ): foreach ( $this -> article['tags'] as $tag ):
echo '"' . $tag . '"';
if ( end( $this -> article['tags'] ) != $tag )
@@ -651,23 +675,26 @@ echo $grid -> draw();
?>],
tagClass: 'tm-tag-info'
});
jQuery( 'body' ).on( 'click', '.fa-calendar', function()
{
$( this ).parents( '.input-group' ).children( 'input' ).trigger( 'click' );
});
$( "#images-uploader" ).pluploadQueue(
{
multipart_params: {
upload_token: '<?= $upload_token ?>',
},
runtimes: 'html5,flash,html4',
init:
{
Refresh: function(up)
init:
{
Refresh: function(up)
{
$( ".plupload_buttons" ).css( "display", "inline" );
$( ".plupload_upload_status" ).css( "display", "inline" );
$( ".plupload_start" ).addClass( "plupload_disabled" );
$( ".plupload_start" ).removeClass( "plupload_disabled" );
$( ".plupload_start" ).removeClass( "plupload_disabled" );
},
UploadComplete: function()
{
@@ -676,17 +703,17 @@ echo $grid -> draw();
$( ".plupload_start" ).addClass( "plupload_disabled" );
$( ".plupload_start" ).removeClass( "plupload_disabled" );
},
FileUploaded: function( up, file, response )
{
FileUploaded: function( up, file, response )
{
data = jQuery.parseJSON( response.response );
$( '#images-list' ).append(
$( '#images-list' ).append(
'<li id="image-' + data.image_id + '">' +
'<img class="article-image lozad" data-src="/libraries/thumb.php?img=' + data.data_link + '&w=300&h=300">' +
'<a href="#" class="input-group-addon btn btn-danger article_image_delete" image-id="' + data.image_id + '">' +
'<i class="fa fa-trash"></i>' +
'</a>' +
'<input type="text" class="form-control image-alt" value="" image-id="' + data.image_id + '" placeholder="atrybut alt...">' +
'</li>'
'</li>'
);
images_count++;
observer.observe();
@@ -708,18 +735,21 @@ echo $grid -> draw();
],
flash_swf_url: '/../libraries/plupload/plupload.flash.swf'
});
$( "#files-uploader" ).pluploadQueue(
{
multipart_params: {
upload_token: '<?= $upload_token ?>',
},
runtimes: 'html5,flash,html4',
init:
{
Refresh: function( up )
init:
{
Refresh: function( up )
{
$( ".plupload_buttons" ).css( "display", "inline" );
$( ".plupload_upload_status" ).css( "display", "inline" );
$( ".plupload_start" ).addClass( "plupload_disabled" );
$( ".plupload_start" ).removeClass( "plupload_disabled" );
$( ".plupload_start" ).removeClass( "plupload_disabled" );
},
UploadComplete: function()
{
@@ -728,18 +758,18 @@ echo $grid -> draw();
$( ".plupload_start" ).addClass( "plupload_disabled" );
$( ".plupload_start" ).removeClass( "plupload_disabled" );
},
FileUploaded: function( up, file, response )
{
FileUploaded: function( up, file, response )
{
data = jQuery.parseJSON( response.response );
$( '#files-list' ).append(
'<li id="file-' + data.file_id + '">' +
$( '#files-list' ).append(
'<li id="file-' + data.file_id + '">' +
'<div class="input-group">' +
'<input type="text" class="form-control article_file_edit" file_id="' + data.file_id + '" value="' + data.file_name + '" />' +
'<a href="#" class="input-group-addon btn btn-info article_file_delete" file_id="' + data.file_id + '">' +
'<i class="fa fa-trash"></i>' +
'</a>' +
'</a>' +
'</div>' +
'</li>'
'</li>'
);
files_count++;
$( 'html, body' ).animate({
@@ -755,32 +785,32 @@ echo $grid -> draw();
],
flash_swf_url: '/../libraries/plupload/plupload.flash.swf'
});
$( '#settings-tabs' ).easyResponsiveTabs({
width: 'auto',
fit: true,
tabidentify: 'settings-tabs',
type: 'vertical'
});
$( '#languages-main' ).easyResponsiveTabs({
width: 'auto',
fit: true,
tabidentify: 'languages-main'
});
$( '#languages-seo' ).easyResponsiveTabs({
width: 'auto',
fit: true,
tabidentify: 'languages-seo'
});
$( '#languages-params' ).easyResponsiveTabs({
width: 'auto',
fit: true,
tabidentify: 'languages-params'
});
$('ol.sortable').nestedSortable({
forcePlaceholderSize: true,
handle: 'div',
@@ -804,13 +834,13 @@ echo $grid -> draw();
$( '.disclose' ).on( 'click', function() {
$( this ).closest( 'li' ).toggleClass( 'sort-collapsed' ).toggleClass( 'sort-expanded' );
});
$( '.disclose' ).mousedown( function(e) {
if ( e.which === 1 ) {
if ( $( this ).parent( 'div' ).hasClass( 'content_menu' ) )
if ( $( this ).parent( 'div' ).hasClass( 'content_menu' ) )
{
var menu_id = $( this ).parent( 'div' ).parent( 'li' ).attr( 'menu' );
$.ajax(
{
type: 'POST',
@@ -825,7 +855,7 @@ echo $grid -> draw();
else
{
var page_id = $( this ).parent( 'div' ).parent( 'li' ).attr( 'id' );
$.ajax(
{
type: 'POST',
@@ -839,7 +869,7 @@ echo $grid -> draw();
}
}
});
<?php
$array = unserialize( $_COOKIE[ 'cookie_pages' ] );
if ( is_array( $array ) ): foreach ( $array as $key => $val ):
@@ -847,7 +877,7 @@ echo $grid -> draw();
?>$( '.<?= $key;?>' ).children( 'div' ).children( 'span.disclose' ).click();<?
endif;
endforeach; endif;
$array = unserialize( $_COOKIE[ 'cookie_menus' ] );
if ( is_array( $array ) ): foreach ( $array as $key => $val ):
if ( $val ):
@@ -855,99 +885,99 @@ echo $grid -> draw();
endif;
endforeach; endif;
?>
$( 'body' ).on( 'change', '.image-alt', function()
{
var image_alt = $( this ).val();
var image_id = $( this ).attr( 'image-id' );
$.ajax(
{
type: 'POST',
cache: false,
url: '/admin/ajax.php',
data:
data:
{
a: 'article_image_alt_change',
image_id: image_id,
image_alt: image_alt
},
beforeSend: function()
beforeSend: function()
{
$( '#overlay' ).show();
},
success: function( data )
success: function( data )
{
$( '#overlay' ).hide();
response = jQuery.parseJSON( data );
response = jQuery.parseJSON( data );
if ( response.status !== 'ok' )
create_error( response.msg );
}
});
});
$( 'body' ).on( 'change', '.article_file_edit', function()
{
var file_name = $( this ).val();
var file_id = $( this ).attr( 'file_id' );
$.ajax({
type: 'POST',
cache: false,
url: '/admin/ajax.php',
data:
data:
{
a: 'article_file_name_change',
file_id: file_id,
file_name: file_name
},
beforeSend: function()
beforeSend: function()
{
$( '#overlay' ).show();
},
success: function( data )
success: function( data )
{
$( '#overlay' ).hide();
response = jQuery.parseJSON( data );
response = jQuery.parseJSON( data );
if ( response.status !== 'ok' )
create_error( response.msg );
}
});
});
$( 'body' ).on( 'click', '.article_file_delete', function()
$( 'body' ).on( 'click', '.article_file_delete', function()
{
$( this ).blur();
var file_id = $( this ).attr( 'file_id' );
$.prompt( 'Na pewno chcesz usunąć wybrany plik?', {
$.prompt( 'Na pewno chcesz usunąć wybrany plik?', {
title: 'Potwierdź?',
submit: function(e,v,m,f)
{
submit: function(e,v,m,f)
{
if ( v === true )
{
$.ajax({
type: 'POST',
cache: false,
url: '/admin/ajax.php',
data:
data:
{
a: 'article_file_delete',
file_id: file_id
},
beforeSend: function()
beforeSend: function()
{
$( '#file-' + file_id ).children( 'input' ).addClass( 'disabled' );
$( '#file-' + file_id ).children( 'a' ).addClass( 'disabled' );
},
success: function( data )
success: function( data )
{
response = jQuery.parseJSON( data );
response = jQuery.parseJSON( data );
if ( response.status === 'ok' )
$( '#file-' + file_id ).remove();
@@ -956,26 +986,26 @@ echo $grid -> draw();
}
});
}
},
buttons: {
'tak': true,
'nie': false
},
},
buttons: {
'tak': true,
'nie': false
},
focus: 0
});
});
$( 'body' ).on( 'click', '.article_image_delete', function()
$( 'body' ).on( 'click', '.article_image_delete', function()
{
$( this ).blur();
var image_id = $( this ).attr( 'image-id' );
$.prompt( 'Na pewno chcesz usunąć wybrane zdjęcie?',
{
$.prompt( 'Na pewno chcesz usunąć wybrane zdjęcie?',
{
title: 'Potwierdź?',
submit: function(e,v,m,f)
{
submit: function(e,v,m,f)
{
if ( v === true )
{
$.ajax(
@@ -983,19 +1013,19 @@ echo $grid -> draw();
type: 'POST',
cache: false,
url: '/admin/ajax.php',
data:
data:
{
a: 'article_image_delete',
image_id: image_id
},
beforeSend: function()
beforeSend: function()
{
$( '#overlay' ).show();
},
success: function( data )
success: function( data )
{
$( '#overlay' ).hide();
response = jQuery.parseJSON( data );
response = jQuery.parseJSON( data );
if ( response.status === 'ok' )
$( '#image-' + image_id ).remove();
@@ -1004,61 +1034,61 @@ echo $grid -> draw();
}
});
}
},
buttons: {
'tak': true,
'nie': false
},
},
buttons: {
'tak': true,
'nie': false
},
focus: 0
});
return false;
});
$( '#g-menu' ).attr( 'data-spy', 'affix' );
$( '#g-menu' ).attr( 'data-offset-top', '135' );
$( '#g-menu' ).attr( 'data-offset-top', '135' );
});
function generate_seo_links( lang, title, article_id )
{
{
if ( title === '' )
return false;
$.ajax(
{
type: 'POST',
cache: false,
url: '/admin/ajax.php',
data:
data:
{
a: 'generate_seo_link',
title: title,
article_id: article_id
},
beforeSend: function()
beforeSend: function()
{
$( '#seo_link_' + lang ).parents( '.g-form-data' ).find( 'input, a' ).each( function()
$( '#seo_link_' + lang ).parents( '.g-form-data' ).find( 'input, a' ).each( function()
{
$( this ).prop( 'disabled', true ).addClass( 'disabled' );
});
},
success: function( data ) {
$( '#seo_link_' + lang ).parents( '.g-form-data' ).find( 'input, a' ).each( function() {
$( this ).prop( 'disabled', false ).removeClass( 'disabled' );
});
response = jQuery.parseJSON( data );
if ( response.status === 'ok' ){
$( '#seo_link_' + lang ).val( response.seo_link );
$( '#google-preview-' + lang + ' .google-url' ).html( '<?= $_SERVER['SERVER_NAME'];?>/' + response.seo_link );
}
else
create_error( response.msg );
create_error( response.msg );
}
});
}
</script>
<script>CKEDITOR.dtd.$removeEmpty['span'] = false;</script>
</style>
</style>
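Review bot: In the first hunk, every render of this page appends a fresh entry to `$_SESSION['upload_tokens']` (the `$upload_token` assignment after the `!$user` guard) but nothing in the hunk drops entries whose `expires` has passed, so the session array grows for as long as the session lives unless the upload handlers (not in view) remove tokens themselves; prune before inserting, e.g. `$_SESSION['upload_tokens'] = array_filter($_SESSION['upload_tokens'] ?? [], static fn ($t) => ($t['expires'] ?? 0) > time());`. The same hunk sets `$_SESSION['can_use_rfm'] = true` for any request that passes the `$user` check, so the filemanager grant is only as strict as whatever authentication populates `$user` upstream — presumably the admin login, but worth confirming, and a short comment such as `// RFM access is granted to every authenticated admin user; tighten here if roles are introduced` would document that decision. The `akey` value is carried in the `filebrowser*Url` query strings, so it will land in browser history, referrer headers and access logs; the 20-minute expiry limits that exposure, and the note above the generation line could say so explicitly. The context lines further down still feed `$_COOKIE['cookie_pages']` and `$_COOKIE['cookie_menus']` into `unserialize()`; that is pre-existing code rather than part of this change, but since the commit is about hardening client-supplied values, switching those cookies to `json_decode()` with a type check on the result would be a natural follow-up.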