From 927bcd313ca592a75914d6c07a6fedc9373684df Mon Sep 17 00:00:00 2001 From: Jacek Pyziak Date: Wed, 1 Oct 2025 09:02:42 +0200 Subject: [PATCH] =?UTF-8?q?Dodanie=20obs=C5=82ugi=20token=C3=B3w=20przesy?= =?UTF-8?q?=C5=82ania=20i=20kluczy=20API=20w=20edytorach=20artyku=C5=82?= =?UTF-8?q?=C3=B3w,=20baner=C3=B3w=20i=20produkt=C3=B3w;=20aktualizacja=20?= =?UTF-8?q?adresu=20URL=20do=20changeloga?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- admin/templates/articles/article-edit.php | 25 ++++++++++++-- admin/templates/banners/banner-edit.php | 7 +++- admin/templates/shop-producer/edit.php | 8 ++++- admin/templates/shop-product/product-edit.php | 29 ++++++++++++++-- admin/templates/update/main-view.php | 2 +- autoload/admin/controls/class.Articles.php | 25 ++++++++------ autoload/admin/controls/class.ShopProduct.php | 31 +++++++++++------- autoload/admin/view/class.Articles.php | 14 ++------ templates/.DS_Store | Bin 6148 -> 6148 bytes 9 files changed, 100 insertions(+), 41 deletions(-) diff --git a/admin/templates/articles/article-edit.php b/admin/templates/articles/article-edit.php index 24e8d84..248cb07 100644 --- a/admin/templates/articles/article-edit.php +++ b/admin/templates/articles/article-edit.php @@ -4,6 +4,17 @@ $this -> user['id'], + 'expires' => time() + 60*20 +]; + +$_SESSION['rfm_akey'] = bin2hex(random_bytes(16)); +$_SESSION['rfm_akey_expires'] = time() + 20*60; +$_SESSION['can_use_rfm'] = true; +$rfmAkeyJS = $_SESSION['rfm_akey']; + ob_start(); ?>
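Review bot: The per-session key set up at the top of article-edit.php (`$_SESSION['rfm_akey']`, `$_SESSION['rfm_akey_expires']`, `$_SESSION['can_use_rfm']`) only protects the file manager if the file manager checks those values, and the diffstat lists no file under `/libraries/filemanager-9.14.2/`. If that check lives elsewhere, confirm it compares the key with `hash_equals()`, rejects it once `rfm_akey_expires` has passed, and no longer accepts the static key this commit removes from the templates, since that value stays readable in the repository history. The key is also regenerated on every render, so opening a second edit page presumably invalidates the key embedded in the first; issuing a new one only under `if ( empty( $_SESSION['rfm_akey'] ) || $_SESSION['rfm_akey_expires'] < time() )` avoids that. The same four lines are repeated in banner-edit.php and product-edit.php (and, judging by its use of `$rfmAkeyJS`, in shop-producer/edit.php) and would be easier to audit in one helper.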
@@ -63,7 +74,7 @@ ob_start(); 'value' => htmlspecialchars( $this -> article['languages'][ $lg['id'] ]['main_image'] ), 'icon_content' => 'przeglądaj', 'inline' => true, - 'icon_js' => "window.open ( '/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=main_image_" . $lg['id'] . "&akey=c3cb2537d25c0efc9e573d059d79c3b8', 'mywindow', 'location=1,status=1,scrollbars=1, width=1100,height=700');" + 'icon_js' => "window.open ( '/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=main_image_" . $lg['id'] . "&akey=" . $rfmAkeyJS . "', 'mywindow', 'location=1,status=1,scrollbars=1, width=1100,height=700');" ] ); ?> , #entry_, #table_of_contents_' ).ckeditor( { toolbar : 'MyToolbar', - height:'250' + height:'250', + filebrowserBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&akey=', + filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&akey=', + filebrowserUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&upload=1&akey=', + filebrowserImageUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&upload=1&akey=' }); }); @@ -401,6 +416,9 @@ echo $grid -> draw(); $( "#images-uploader" ).pluploadQueue( { + multipart_params: { + upload_token: '', + }, runtimes: 'html5,flash,html4', init: { @@ -453,6 +471,9 @@ echo $grid -> draw(); $( "#files-uploader" ).pluploadQueue( { + multipart_params: { + upload_token: '', + }, runtimes: 'html5,flash,html4', init: { diff --git a/admin/templates/banners/banner-edit.php b/admin/templates/banners/banner-edit.php index 02ffcdf..dd811f6 100644 --- a/admin/templates/banners/banner-edit.php +++ b/admin/templates/banners/banner-edit.php @@ -4,6 +4,11 @@ \S::set_session( 'admin', true ); global $db; +$_SESSION['rfm_akey'] = bin2hex(random_bytes(16)); +$_SESSION['rfm_akey_expires'] = time() + 20*60; +$_SESSION['can_use_rfm'] = true; +$rfmAkeyJS = $_SESSION['rfm_akey']; + ob_start(); ?> 
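Review bot: The `upload_token` added to `multipart_params` in both `pluploadQueue` calls is only a client-side field, and no hunk in this commit shows the upload endpoint reading it; the token value itself is not visible in this view of the patch. The array holding the user id and `expires` at the top of the template is presumably the session copy of the token. For the token to stop forged or cross-user uploads, the handler has to reject a request whose token does not match that copy (compared with `hash_equals()`), whose `expires` has passed, or whose stored user id differs from the logged-in user. The same applies to the two uploader hunks in product-edit.php; the enclosing script blocks start and end outside these hunks.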
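Review bot: banner-edit.php now sets `$_SESSION['can_use_rfm'] = true` and issues a file-manager key every time the template is rendered, but the controller that renders it is not part of this commit, so the `$user` guard added to `ShopProduct::product_edit()` has no visible counterpart here. If the banner and producer controllers do not already verify the admin login before calling the view, the grant is unconditional; the same question applies to shop-producer/edit.php. Either add the same guard to those controllers or set the flag in one place after the login check, and record that with a comment such as `// file-manager access is granted only after the admin login check in the controller`.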
@@ -80,7 +85,7 @@ ob_start(); 'id' => 'src_' . $lg['id'], 'value' => $this -> banner['languages'][ $lg['id'] ]['src'], 'icon_content' => 'przeglądaj', - 'icon_js' => "window.open ( 'http://" . $_SERVER['SERVER_NAME'] . "/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=src_" . $lg['id'] . "&akey=c3cb2537d25c0efc9e573d059d79c3b8', 'mywindow', 'location=1,status=1,scrollbars=1, width=1100,height=700');" + 'icon_js' => "window.open ( 'http://" . $_SERVER['SERVER_NAME'] . "/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=src_" . $lg['id'] . "&akey=" . $rfmAkeyJS . "', 'mywindow', 'location=1,status=1,scrollbars=1, width=1100,height=700');" ) ); ?> diff --git a/admin/templates/shop-producer/edit.php b/admin/templates/shop-producer/edit.php index c9139ba..5cd1393 100644 --- a/admin/templates/shop-producer/edit.php +++ b/admin/templates/shop-producer/edit.php @@ -2,6 +2,12 @@
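Review bot: The rewritten `icon_js` line in banner-edit.php still opens the dialog at `'http://" . $_SERVER['SERVER_NAME'] . "/libraries/...`, so the new `akey` travels over plain HTTP even when the admin panel is served over HTTPS, and a session cookie marked Secure would not accompany that request. article-edit.php already uses a root-relative URL in this commit; do the same here, starting the string with `window.open ( '/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=src_" . $lg['id'] . "&akey=" . $rfmAkeyJS . "'`. The `icon_js` line changed in shop-producer/edit.php has the same hard-coded scheme and host.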
@@ -30,7 +36,7 @@ ob_start(); 'id' => 'img', 'value' => $this -> producer['img'], 'icon_content' => 'przeglądaj', - 'icon_js' => "window.open ( 'http://" . $_SERVER['SERVER_NAME'] . "/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=img&akey=c3cb2537d25c0efc9e573d059d79c3b8', 'mywindow', 'location=1,status=1,scrollbars=1, width=1100,height=700');" + 'icon_js' => "window.open ( 'http://" . $_SERVER['SERVER_NAME'] . "/libraries/filemanager-9.14.2/dialog.php?type=1&popup=1&field_id=img&akey=" . $rfmAkeyJS . "', 'mywindow', 'location=1,status=1,scrollbars=1, width=1100,height=700');" ] ); ?>
diff --git a/admin/templates/shop-product/product-edit.php b/admin/templates/shop-product/product-edit.php index 528d301..d3ae45e 100644 --- a/admin/templates/shop-product/product-edit.php +++ b/admin/templates/shop-product/product-edit.php @@ -4,6 +4,17 @@ $this -> user['id'], + 'expires' => time() + 60*20 +]; + +$_SESSION['rfm_akey'] = bin2hex(random_bytes(16)); +$_SESSION['rfm_akey_expires'] = time() + 20*60; +$_SESSION['can_use_rfm'] = true; +$rfmAkeyJS = $_SESSION['rfm_akey']; + ob_start(); ?> @@ -119,7 +130,11 @@ ob_start(); $(function() { $('#short_description_, #description_').ckeditor({ toolbar: 'MyToolbar', - height: '250' + height: '250', + filebrowserBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&akey=', + filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&akey=', + filebrowserUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&upload=1&akey=', + filebrowserImageUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&upload=1&akey=' }); }); @@ -208,7 +223,11 @@ ob_start(); $(function() { $('#tab_description_1_, #tab_description_2_').ckeditor({ toolbar: 'MyToolbar', - height: '250' + height: '250', + filebrowserBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&akey=', + filebrowserImageBrowseUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&akey=', + filebrowserUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=2&editor=ckeditor&upload=1&akey=', + filebrowserImageUploadUrl: '/libraries/filemanager-9.14.2/dialog.php?type=1&editor=ckeditor&upload=1&akey=' }); }); @@ -826,6 +845,9 @@ echo $grid->draw(); }); $("#images-uploader").pluploadQueue({ + multipart_params: { + upload_token: '', + }, runtimes: 'html5,flash,html4', init: { Refresh: function(up) { 
@@ -874,6 +896,9 @@ echo $grid->draw(); }); $("#files-uploader").pluploadQueue({ + multipart_params: { + upload_token: '', + }, runtimes: 'html5,flash,html4', init: { Refresh: function(up) { diff --git a/admin/templates/update/main-view.php b/admin/templates/update/main-view.php index af81a3c..d22a1db 100644 --- a/admin/templates/update/main-view.php +++ b/admin/templates/update/main-view.php @@ -64,7 +64,7 @@ echo $grid -> draw(); ?> \admin\factory\Articles::article_details( (int)\S::get( 'id' ) ), + 'menus' => \admin\factory\Pages::menus_list(), + 'languages' => \admin\factory\Languages::languages_list(), + 'layouts' => \admin\factory\Layouts::layouts_list(), + 'user' => $user + ] ); } public static function view_list() diff --git a/autoload/admin/controls/class.ShopProduct.php b/autoload/admin/controls/class.ShopProduct.php index 9bb79f5..5a086bf 100644 --- a/autoload/admin/controls/class.ShopProduct.php +++ b/autoload/admin/controls/class.ShopProduct.php 
@@ -229,22 +229,29 @@ class ShopProduct } // edycja produktu - public static function product_edit() - { + public static function product_edit() { + global $user; + + if ( !$user ) { + header( 'Location: /admin/' ); + exit; + } + \admin\factory\ShopProduct::delete_nonassigned_images(); \admin\factory\ShopProduct::delete_nonassigned_files(); return \Tpl::view( 'shop-product/product-edit', [ - 'product' => \admin\factory\ShopProduct::product_details( (int) \S::get( 'id' ) ), - 'languages' => \admin\factory\Languages::languages_list(), - 'categories' => \admin\factory\ShopCategory::subcategories( null ), - 'layouts' => \admin\factory\Layouts::layouts_list(), - 'products' => \admin\factory\ShopProduct::products_list(), - 'dlang' => \front\factory\Languages::default_language(), - 'sets' => \shop\ProductSet::sets_list(), - 'producers' => \admin\factory\ShopProducer::all(), - 'units' => \admin\factory\Dictionaries::all_units() - ] ); + 'product' => \admin\factory\ShopProduct::product_details( (int) \S::get( 'id' ) ), + 'languages' => \admin\factory\Languages::languages_list(), + 'categories' => \admin\factory\ShopCategory::subcategories( null ), + 'layouts' => \admin\factory\Layouts::layouts_list(), + 'products' => \admin\factory\ShopProduct::products_list(), + 'dlang' => \front\factory\Languages::default_language(), + 'sets' => \shop\ProductSet::sets_list(), + 'producers' => \admin\factory\ShopProducer::all(), + 'units' => \admin\factory\Dictionaries::all_units(), + 'user' => $user + ] ); } // ajax_load_products ARCHIVE diff --git a/autoload/admin/view/class.Articles.php b/autoload/admin/view/class.Articles.php index 4722564..687c4cd 100644 --- a/autoload/admin/view/class.Articles.php +++ b/autoload/admin/view/class.Articles.php @@ -8,7 +8,7 @@ class Articles $tpl = new \Tpl; return $tpl -> render( 'articles/articles-browse-list' ); } - + public static function subpages_list( $pages, $article_pages, $parent_id = 0, $step = 1 ) { $tpl = new \Tpl(); 
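Review bot: `product_edit()` hands the complete `$user` value to the view as `'user' => $user`, although the templates in this commit read only `$this -> user['id']`. If `$user` also carries the password hash or other account fields, narrowing it to `'user' => [ 'id' => $user['id'] ]` keeps them out of template scope. The guard `if ( !$user )` tests only that some user is set, so any permission check must happen elsewhere; say so in a docblock replacing `// edycja produktu`, e.g. `/** Renders the product edit form; redirects to /admin/ when no user is set. */`. On style, the opening brace moved onto the signature line while `view_list()` in class.Articles.php keeps it on the next line, and re-indenting the array entries makes the one added key harder to spot.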
@@ -18,21 +18,11 @@ class Articles $tpl -> article_pages = $article_pages; return $tpl -> render( 'articles/subpages-list' ); } - + public static function articles_list() { $tpl = new \Tpl; return $tpl -> render( 'articles/articles-list' ); } - - public static function article_edit( $article, $menus, $languages, $layouts ) - { - $tpl = new \Tpl; - $tpl -> article = $article; - $tpl -> menus = $menus; - $tpl -> languages = $languages; - $tpl -> layouts = $layouts; - return $tpl -> render( 'articles/article-edit' ); - } } ?> \ No newline at end of file diff --git a/templates/.DS_Store b/templates/.DS_Store index 35bede8d531112e15bff3d5d1313559df4ac3aa3..96797d4292e50044254a7be6c0d61b9e1f76789e 100644 GIT binary patch literal 6148 zcmeHKu};H44E2=`fr8Yr3)1lc4BZ(*6uzKrEKq`|M5Bue?D+-w0(K-mgYV+`Y?VZ5 zidayEY{`BX$G$l4+W3x$T=rZ{iN-{fKp6-7FdKyLvvy>l9=_?~9H%s=8+xP%y6Z%n zV;33VwHsl@78IzW=K4J?@29idP*zg*@mqgn8S;F-40A*zua_S$+1cm$w&>y)(bb|^ zg~zmX(5N@iiVFPNR_$t!PWs}SwN4JN-nG_^bC%(|(w}16b@Kno#27FJjDekH06m)} z83~#-28;n?V9fx3A3T&XRjdW$rvoM)0f0leqhK8OK0wb7V5(RP!UJ)V3Y1i*M+_(F z@OzC*6>C9BCl{ZLdGyInPbf}zUe3pGa;czMW55__Gq5L@WA6VK{pbI7l3f`C#=yT~ zzzy?Rp5c|Ww{~8Rd##6FLs>Yk7F?%b5L+=~xfM^KQQ-GH0H%tyAUqJ;2t*pp7z2OG Fz!x5GRMh|g delta 260 zcmZoMXfc=|#>B`mu~2NHo}wrV0|Nsi1A_nqgDyh>LlHwhLkdIb#KPtEAPF9ZVulQ$ zPywsZj9Q+(WKLSO*Gf(ChvE%@`66j5)%>g1?m;q#AI7|Ql