151 break; |
151 break; |
152 case 'Compose': |
152 case 'Compose': |
153 if ( $argv[1]=='Send' && isset($_POST['_send']) ) |
153 if ( $argv[1]=='Send' && isset($_POST['_send']) ) |
154 { |
154 { |
155 // Check each POST DATA parameter... |
155 // Check each POST DATA parameter... |
|
156 csrf_request_confirm(); |
156 $errors = array(); |
157 $errors = array(); |
157 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) |
158 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) |
158 { |
159 { |
159 $errors[] = $lang->get('privmsgs_err_need_username'); |
160 $errors[] = $lang->get('privmsgs_err_need_username'); |
160 } |
161 } |
193 return; |
194 return; |
194 } |
195 } |
195 } |
196 } |
196 else if ( $argv[1] == 'Send' && isset($_POST['_savedraft'] ) ) |
197 else if ( $argv[1] == 'Send' && isset($_POST['_savedraft'] ) ) |
197 { |
198 { |
|
199 csrf_request_confirm(); |
198 $errors = array(); |
200 $errors = array(); |
199 if ( !isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '') ) |
201 if ( !isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '') ) |
200 { |
202 { |
201 $errors[] = $lang->get('privmsgs_err_need_username'); |
203 $errors[] = $lang->get('privmsgs_err_need_username'); |
202 } |
204 } |
301 { |
303 { |
302 echo '<div class="info-box">' . $lang->get('privmsgs_msg_draft_saved') . '</div>'; |
304 echo '<div class="info-box">' . $lang->get('privmsgs_msg_draft_saved') . '</div>'; |
303 } |
305 } |
304 ?> |
306 ?> |
305 <br /> |
307 <br /> |
|
308 <input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" /> |
306 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
309 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
307 <tr> |
310 <tr> |
308 <th colspan="2"><?php echo $lang->get('privmsgs_lbl_compose_th'); ?></th> |
311 <th colspan="2"><?php echo $lang->get('privmsgs_lbl_compose_th'); ?></th> |
309 </tr> |
312 </tr> |
310 <tr> |
313 <tr> |
414 return; |
417 return; |
415 } |
418 } |
416 } |
419 } |
417 else if ( isset($_POST['_savedraft']) ) |
420 else if ( isset($_POST['_savedraft']) ) |
418 { |
421 { |
|
422 csrf_request_confirm(); |
419 // Check each POST DATA parameter... |
423 // Check each POST DATA parameter... |
420 $errors = array(); |
424 $errors = array(); |
421 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) |
425 if(!isset($_POST['to']) || ( isset($_POST['to']) && $_POST['to'] == '')) |
422 { |
426 { |
423 $errors[] = $lang->get('privmsgs_err_need_username'); |
427 $errors[] = $lang->get('privmsgs_err_need_username'); |
465 if ( isset($_POST['_savedraft']) ) |
469 if ( isset($_POST['_savedraft']) ) |
466 { |
470 { |
467 echo '<div class="info-box">' . $lang->get('privmsgs_msg_draft_saved') . '</div>'; |
471 echo '<div class="info-box">' . $lang->get('privmsgs_msg_draft_saved') . '</div>'; |
468 } |
472 } |
469 ?> |
473 ?> |
|
474 <input type="hidden" name="cstok" value="<?php echo $session->csrf_token; ?>" /> |
470 <br /> |
475 <br /> |
471 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
476 <div class="tblholder"><table border="0" width="100%" cellspacing="1" cellpadding="4"> |
472 <tr><th colspan="2"><?php echo $lang->get('privmsgs_lbl_edit_th'); ?></th></tr> |
477 <tr><th colspan="2"><?php echo $lang->get('privmsgs_lbl_edit_th'); ?></th></tr> |
473 <tr> |
478 <tr> |
474 <td class="row1"> |
479 <td class="row1"> |
646 <input type="submit" name="archive" value="' . $lang->get('privmsgs_btn_archive_selected') . '" /> |
651 <input type="submit" name="archive" value="' . $lang->get('privmsgs_btn_archive_selected') . '" /> |
647 <input type="submit" name="delete" value="' . $lang->get('privmsgs_btn_delete_selected') . '" /> |
652 <input type="submit" name="delete" value="' . $lang->get('privmsgs_btn_delete_selected') . '" /> |
648 <input type="submit" name="deleteall" value="' . $lang->get('privmsgs_btn_delete_all') . '" /> |
653 <input type="submit" name="deleteall" value="' . $lang->get('privmsgs_btn_delete_all') . '" /> |
649 </th> |
654 </th> |
650 </tr>'; |
655 </tr>'; |
651 echo '</table></div></form> |
656 echo '</table></div> |
|
657 <input type="hidden" name="cstok" value="' . $session->csrf_token . '" /> |
|
658 </form> |
652 <br /> |
659 <br /> |
653 <a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/').'">' . $lang->get('privmsgs_btn_compose') . '</a> |
660 <a href="'.makeUrlNS('Special', 'PrivateMessages/Compose/').'">' . $lang->get('privmsgs_btn_compose') . '</a> |
654 </td></tr></table>'; |
661 </td></tr></table>'; |
655 break; |
662 break; |
656 } |
663 } |
657 $template->footer(); |
664 $template->footer(); |
658 break; |
665 break; |
659 case 'PostHandler': |
666 case 'PostHandler': |
|
667 csrf_request_confirm(); |
660 $fname = $db->escape(strtolower($_POST['folder'])); |
668 $fname = $db->escape(strtolower($_POST['folder'])); |
661 if($fname=='drafts' || $fname=='outbox') |
669 if($fname=='drafts' || $fname=='outbox') |
662 { |
670 { |
663 $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\' ORDER BY date DESC;'); |
671 $q = $db->sql_query('SELECT p.message_id, p.message_from, p.message_to, p.date, p.subject FROM '.table_prefix.'privmsgs AS p WHERE p.folder_name=\''.$fname.'\' AND p.message_from=\''.$session->username.'\' ORDER BY date DESC;'); |
664 } else { |
672 } else { |