/[drupal]/contributions/modules/phplist/phplist.module

Diff of /contributions/modules/phplist/phplist.module

Parent Directory | Revision Log | View Revision Graph Revision Graph | View Patch Patch

-revision 1.12.2.29 by paulbeaney,
Thu Oct 29 10:03:33 2009 UTC
+revision 1.12.2.30 by pwolanin,
Wed Nov 18 14:36:46 2009 UTC
 Line 1
  <?php
- // $Id: phplist.module,v 1.12.2.28 2009/10/29 09:45:45 paulbeaney Exp $
+ // $Id: phplist.module,v 1.12.2.29 2009/10/29 10:03:33 paulbeaney Exp $
  /**
   * @module phplist
 Line 414 
 function _phplist_get_prefix() {
    static $prefix;
    if ($prefix === NULL) {
-     $prefix['prefix'] = variable_get('phplist_prefix', 'phplist_');
+     $prefix['prefix'] = db_escape_table(variable_get('phplist_prefix', 'phplist_'));
-     $prefix['user']   = variable_get('phplist_user_prefix', $prefix['prefix']);
+     $prefix['user']   = db_escape_table(variable_get('phplist_user_prefix', $prefix['prefix']));
      if ($prefix['user'] == '') $prefix['user'] = $prefix['prefix'];
    }
 Line 513 
 function phplist_user($op, &$edit, &$use
          db_set_active('phplist');
                  // Completely remove this user from PHPlist - could be enabled using another system variable
-         db_query("DELETE FROM $strprefix%s WHERE userid = %d", $prefix['prefix']."listuser", $phplistid);
+         /*db_query("DELETE FROM $strprefix%s WHERE userid = %d", $prefix['prefix']."listuser", $phplistid);
          db_query("DELETE FROM %s WHERE userid = %d", $prefix['user']."attribute", $phplistid);
          db_query("DELETE FROM $strprefix%s WHERE userid = %d", $prefix['prefix']."usermessage", $phplistid);
          db_query("DELETE FROM $strprefix%s WHERE user = %d", $prefix['user']."message_bounce", $phplistid);
          db_query("DELETE FROM %s WHERE id = %d", $prefix['user']."user", $phplistid);
          db_query("DELETE FROM %s WHERE userid = %d", $prefix['user']."user_history", $phplistid);
          db_query("DELETE FROM $strprefix%s WHERE userid = %d", $prefix['user']."rss", $phplistid);
+         */
          db_set_active('default');
        }
        break;
 Line 578 
 function _phplist_manage_subscription($e
    $lid    = intval($lid);
    $userid = intval($userid);
-   if ($userid > 0 && user_access("manage subscriptions")) {
+   // Check token - CSRF protection
-     // This is a manager updating another user's account
+   $path = preg_replace('/\/'. $value .'$/', '', $_GET['q']);
-     $user = user_load(array('uid' => $userid));
+   if ($redirect && (!isset($_GET['token']) || !phplist_check_token($_GET['token'], arg(4)))) {
-     $email = $user->mail;
+     drupal_set_message(t('Got an invalid token. Subscription not updated.'), 'error');
+     drupal_goto('user/'. $userid .'/edit/phplist');
    }
    else {
-     $user = user_load(array('mail' => $email));
+     if ($userid > 0 && user_access("manage subscriptions")) {
-   }
+       // This is a manager updating another user's account
+       $user = user_load(array('uid' => $userid));
-   if ($email == '') {
+       $email = $user->mail;
-     form_set_error("", t('Email address is empty for UID '. $userid));
+     }
-     return;
+     else {
-   }
+       $user = user_load(array('mail' => $email));
-   if ($lid == 0 || $lid == '') return;
+     }
-   $phplistid = _phplist_lookup_phplistid($email);
+     if ($email == '') {
-   if (PHPLIST_DEBUG) drupal_set_message("Found phplistid [$phplistid] for email $email");
+       form_set_error("", t('Email address is empty for UID '. $userid));
+       return;
+     }
+     if ($lid == 0 || $lid == '') return;
-   // This bit of code is for administrators who have forgotten to "sync users" first !!
-   // Thanks to Dave Cohen, http://drupal.org/node/249559
-   if (!$phplistid) {
-     $account = user_load(array('mail' => $email));
-     if ($account)
-       _phplist_sync_user($phplistid, $account);
      $phplistid = _phplist_lookup_phplistid($email);
-   }
+     if (PHPLIST_DEBUG) drupal_set_message("Found phplistid [$phplistid] for email $email");
-   $booOK = false;
+     // This bit of code is for administrators who have forgotten to "sync users" first !!
-   if ($phplistid) {
+     // Thanks to Dave Cohen, http://drupal.org/node/249559
-     if ($action == 'subscribe') {
+     if (!$phplistid) {
-       // Check user is allowed to subscribe to this list
+       $account = user_load(array('mail' => $email));
-       $roles = array();
+       if ($account)
-       if (isset($user->roles)) {
+         _phplist_sync_user($phplistid, $account);
-         foreach ($user->roles as $rid => $role) {
+       $phplistid = _phplist_lookup_phplistid($email);
-           $roles[] = $rid;
+     }
+     $booOK = false;
+     if ($phplistid) {
+       if ($action == 'subscribe') {
+         // Check user is allowed to subscribe to this list
+         $roles = array();
+         if (isset($user->roles)) {
+           foreach ($user->roles as $rid => $role) {
+             $roles[] = $rid;
+           }
          }
+         $roles = implode(",", $roles);
+         if (db_result(db_query("SELECT lid FROM {phplist_access} WHERE lid=%d AND rid IN (%s)", $lid, $roles))) $booOK = true;
+       }
+       else {
+         $booOK = true;
+       }
+       db_set_active('phplist');
+       switch ($action) {
+         case 'subscribe';
+           if ($booOK) {
+             db_query("INSERT INTO {$prefix['prefix']}listuser(userid, listid, entered) VALUES(%d, %d, NOW())", $phplistid, $lid);
+             if (PHPLIST_DEBUG) drupal_set_message("Subscribing $phplistid to list $lid");
+           }
+           break;
+         case 'unsubscribe':
+           db_query("DELETE FROM {$prefix['prefix']}listuser WHERE userid=%d AND listid=%d", $phplistid, $lid);
+           if (PHPLIST_DEBUG) drupal_set_message("Unsubscribing $phplistid from list $lid");
+           break;
        }
-       $roles = implode(",", $roles);
+       db_set_active('default');
-       if (db_result(db_query("SELECT lid FROM {phplist_access} WHERE lid=%d AND rid IN (%s)", $lid, $roles))) $booOK = true;
+       if ($redirect) {
+         if ($booOK) drupal_set_message(t("Your subscriptions have been updated"));
+         else drupal_set_message(t('You do not have permission to subscribe to this list'));
+         drupal_goto('user/'. $userid .'/edit/phplist');
+       }
      }
      else {
-       $booOK = true;
+       drupal_set_message(t('Failed to update email newsletter subscription.'));
      }
-     db_set_active('phplist');
-     switch ($action) {
-       case 'subscribe';
-         if ($booOK) {
-           db_query("INSERT INTO {$prefix['prefix']}listuser(userid, listid, entered) VALUES(%d, %d, NOW())", $phplistid, $lid);
-           if (PHPLIST_DEBUG) drupal_set_message("Subscribing $phplistid to list $lid");
-         }
-         break;
-       case 'unsubscribe':
-         db_query("DELETE FROM {$prefix['prefix']}listuser WHERE userid=%d AND listid=%d", $phplistid, $lid);
-         if (PHPLIST_DEBUG) drupal_set_message("Unsubscribing $phplistid from list $lid");
-         break;
-     }
-     db_set_active('default');
-     if ($redirect) {
-       if ($booOK) drupal_set_message(t("Your subscriptions have been updated"));
-       else drupal_set_message(t('You do not have permission to subscribe to this list'));
-       drupal_goto('user/'. $userid .'/edit/phplist');
-     }
-   }
-   else {
-     drupal_set_message(t('Failed to update email newsletter subscription.'));
    }
  }
-Line 681 
 function phplist_lists($user, $op='list'
+Line 689 
 function phplist_lists($user, $op='list'
    foreach ($lists as $list) {
      if ($list->userid == '' && !$subonly) {
        $rows[] = array('name' => "<b>". $list->name ."</b>". ($booshowdescription ? " <br />". $list->description : ""),
-         'subscribe' => l(t('Subscribe'), "user/". $user->uid ."/phplist/subscribe/". $list->lid)
+         'subscribe' => l(t('Subscribe'), "user/". $user->uid ."/phplist/subscribe/". $list->lid, array('query' => array('token' => phplist_get_token($list->lid))))
        );
      }
      elseif ($list->userid != '') {
        $rows[] = array('name' => "<b>". $list->name ."</b>". ($booshowdescription ? " <br />". $list->description : ""),
-         'unsubscribe' => l(t('Unsubscribe'), "user/". $user->uid ."/phplist/unsubscribe/". $list->lid)
+         'unsubscribe' => l(t('Unsubscribe'), "user/". $user->uid ."/phplist/unsubscribe/". $list->lid, array('query' => array('token' => phplist_get_token($list->lid))))
        );
      }
    }
-Line 1477 
 function phplist_confirm_subscription()
+Line 1485 
 function phplist_confirm_subscription()
    }
    return $form;
+ }
+ /**
+  * Get a private token used to protect links from CSRF attacks.
+  * "Borrowed" from 5 Star module :D
+  */
+ function phplist_get_token($value) {
+   global $user;
+   // Anonymous users don't get a session ID, which breaks page caching.
+   $session_id = $user->uid ? session_id() : '';
+   $private_key = drupal_get_private_key();
+   return md5($session_id . $value . $private_key);
+ }
+ /**
+  * Check to see if a token value matches the specified node.
+  * "Borrowed" from 5 Star module :D
+  */
+ function phplist_check_token($token, $value) {
+   return phplist_get_token($value) == $token;
  }

 Legend:



Removed from v.1.12.2.29
 


changed lines


 
Added in v.1.12.2.30
 Legend:



Removed from v.1.12.2.29
 


changed lines


 
Added in v.1.12.2.30
-Removed from v.1.12.2.29
+Added in v.1.12.2.30

	ViewVC Help
Powered by ViewVC 1.1.3