Nonce-verify install/uninstall themes

2025-11-03 03:46:30 +01:00 · 2015-11-19 23:01:14 +01:00
parent 1f6bda7d75
commit ce672e4919
3 changed files with 6 additions and 6 deletions
--- a/classes/admin.php
+++ b/classes/admin.php
@@ -384,7 +384,7 @@ class Admin
        }
        return $routes;
    }
-    
+
    /**
     * Count the pages
     *
@@ -451,7 +451,7 @@ class Admin
        if (!$gpm) {
            return;
        }
-        
+
        return $local ? $gpm->getInstalledThemes() : $gpm->getRepositoryThemes()->filter(function ($package, $slug) use
        (
            $gpm
--- a/themes/grav/templates/partials/plugins-list.html.twig
+++ b/themes/grav/templates/partials/plugins-list.html.twig
@@ -24,11 +24,11 @@
            </td>
            <td class="gpm-actions">
                {% if (not installing and (plugin.form.fields.enabled.type != 'hidden')) %}
-                    <a class="{{ data.get('enabled') ? 'enabled' : 'disabled' }}" href="{{ base_url_relative }}/plugins/{{ slug }}/task{{ config.system.param_sep }}{{ data.get('enabled') ? 'disable' : 'enable' }}">
+                    <a class="{{ data.get('enabled') ? 'enabled' : 'disabled' }}" href="{{ uri.addNonce(base_url_relative ~ '/plugins/' ~ slug ~ '/task' ~ config.system.param_sep ~ data.get('enabled') ? 'disable' : 'enable', 'admin-form', 'admin-nonce') }}">
                        <i class="fa fa-fw fa-toggle-{{ data.get('enabled') ? 'on' : 'off' }}"></i>
                    </a>
                {% elseif (installing) %}
-                    <a class="button" href="{{ base_url_relative }}/plugins/{{ slug }}/task{{ config.system.param_sep }}install"><i class="fa fa-plus"></i> Install</a>
+                    <a class="button" href="{{ uri.addNonce(base_url_relative ~ '/plugins/' ~ slug ~ '/task' ~ config.system.param_sep ~ 'install', 'admin-form', 'admin-nonce') }}"><i class="fa fa-plus"></i> Install</a>
                {% endif %}
                <span class="gpm-details-expand"><i class="fa fa-chevron-down"></i></span>
            </td>
--- a/themes/grav/templates/partials/themes-details.html.twig
+++ b/themes/grav/templates/partials/themes-details.html.twig
@@ -102,12 +102,12 @@
    {% if (config.get('system.pages.theme') != admin.route) %}
    <div class="button-bar danger">
        <span class="danger-zone"></span>
-        <a class="button" href="{{ base_url_relative }}/themes/{{ theme.slug }}/task{{ config.system.param_sep }}uninstall"><i class="fa fa-fw fa-warning"></i>{{ "PLUGIN_ADMIN.REMOVE_THEME"|tu }}</a>
+        <a class="button" href="{{ uri.addNonce(base_url_relative ~ '/themes/' ~ theme.slug ~ '/task' ~ config.system.param_sep ~ 'uninstall', 'admin-form', 'admin-nonce') }}"><i class="fa fa-fw fa-warning"></i>{{ "PLUGIN_ADMIN.REMOVE_THEME"|tu }}</a>
    </div>
    {% endif %}
 {% else %}
    <div class="button-bar success">
-        <a class="button" href="{{ base_url_relative }}/themes/{{ theme.slug }}/task{{ config.system.param_sep }}install"><i class="fa fa-fw fa-plus"></i>{{ "PLUGIN_ADMIN.INSTALL_THEME"|tu }}</a>
+        <a class="button" href="{{ uri.addNonce(base_url_relative ~ '/themes/' ~ theme.slug ~ '/task' ~ config.system.param_sep ~ 'install', 'admin-form', 'admin-nonce') }}"><i class="fa fa-fw fa-plus"></i>{{ "PLUGIN_ADMIN.INSTALL_THEME"|tu }}</a>
    </div>
 {% endif %}