From 0ab0dc62ce1ab93fdc0cf7e06faaeba2093ddcd2 Mon Sep 17 00:00:00 2001
From: Cerdic <cedric@yterium.com>
Date: Fri, 22 Jan 2010 20:04:29 +0000
Subject: [PATCH] les action/editer_ acceptent de recevoir $arg en argument de
 la fonction au lieu de _request, et dans ce cas n'ont pas besoin d'etre
 securisees. Permettra d'eviter l'injection de arg et hash en input hidden
 dans les formulaires.

---
 ecrire/action/editer_article.php  | 8 +++++---
 ecrire/action/editer_auteur.php   | 9 ++++++---
 ecrire/action/editer_breve.php    | 8 +++++---
 ecrire/action/editer_message.php  | 8 +++++---
 ecrire/action/editer_mot.php      | 9 ++++++---
 ecrire/action/editer_rubrique.php | 8 +++++---
 ecrire/action/editer_site.php     | 8 +++++---
 ecrire/inc/editer.php             | 5 ++++-
 8 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/ecrire/action/editer_article.php b/ecrire/action/editer_article.php
index 0064ca35fb..d584465d46 100644
--- a/ecrire/action/editer_article.php
+++ b/ecrire/action/editer_article.php
@@ -13,10 +13,12 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 
 // http://doc.spip.org/@action_editer_article_dist
-function action_editer_article_dist() {
+function action_editer_article_dist($arg=null) {
 
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$arg = $securiser_action();
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
 
 	// si id_article n'est pas un nombre, c'est une creation 
 	// mais on verifie qu'on a toutes les donnees qu'il faut.
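Review bot: The new `if (is_null($arg))` guard right after the signature means any caller that passes a non-null `$arg` skips the `securiser_action` hash check entirely, and nothing on the function records that the caller then carries the authorization burden. Add a header comment above the signature such as `// $arg, when given, must come from an already-authorized caller (the securiser_action hash check is skipped for it); never forward a raw _request() value here. When null, the value is read and verified via securiser_action().` The same guard and the same missing contract appear in the matching hunks of editer_auteur.php, editer_breve.php, editer_message.php, editer_mot.php, editer_rubrique.php and editer_site.php. The body of action_editer_article_dist continues past the end of the hunk.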
diff --git a/ecrire/action/editer_auteur.php b/ecrire/action/editer_auteur.php
index 5520bc7ad0..a51d8b6c27 100644
--- a/ecrire/action/editer_auteur.php
+++ b/ecrire/action/editer_auteur.php
@@ -13,9 +13,12 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 
 // http://doc.spip.org/@action_editer_auteur_dist
-function action_editer_auteur_dist() {
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$arg = $securiser_action();
+function action_editer_auteur_dist($arg=null) {
+
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
 
 
 	// si id_auteur n'est pas un nombre, c'est une creation
diff --git a/ecrire/action/editer_breve.php b/ecrire/action/editer_breve.php
index 0819c6429a..d2b2bc439c 100644
--- a/ecrire/action/editer_breve.php
+++ b/ecrire/action/editer_breve.php
@@ -13,10 +13,12 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 
 // http://doc.spip.org/@action_editer_breve_dist
-function action_editer_breve_dist() {
+function action_editer_breve_dist($arg=null) {
 
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$arg = $securiser_action();
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
 
 	// Envoi depuis les boutons "publier/supprimer cette breve"
 	if (preg_match(',^(\d+)\Wstatut\W(\w+)$,', $arg, $r)) {
diff --git a/ecrire/action/editer_message.php b/ecrire/action/editer_message.php
index 66eef64217..8b3d2de5e4 100644
--- a/ecrire/action/editer_message.php
+++ b/ecrire/action/editer_message.php
@@ -15,10 +15,12 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 include_spip('inc/filtres');
 
 // http://doc.spip.org/@action_editer_message_dist
-function action_editer_message_dist() {
+function action_editer_message_dist($arg=null) {
 
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$arg = $securiser_action();
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
 
 	if (preg_match(',^(\d+)$,', $arg, $r))
 		action_editer_message_post_vieux($arg); 
diff --git a/ecrire/action/editer_mot.php b/ecrire/action/editer_mot.php
index 231ccbf4d9..4148065663 100644
--- a/ecrire/action/editer_mot.php
+++ b/ecrire/action/editer_mot.php
@@ -16,10 +16,13 @@ include_spip('inc/filtres');
 
 // Editer (modification) d'un mot-cle
 // http://doc.spip.org/@action_editer_mot_dist
-function action_editer_mot_dist()
+function action_editer_mot_dist($arg=null)
 {
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$id_mot = intval($securiser_action());
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
+	$id_mot = intval($arg);
 
 	$id_groupe = intval(_request('id_groupe'));
 	if (!$id_mot AND $id_groupe) {
diff --git a/ecrire/action/editer_rubrique.php b/ecrire/action/editer_rubrique.php
index feab60044b..8ba1480a30 100644
--- a/ecrire/action/editer_rubrique.php
+++ b/ecrire/action/editer_rubrique.php
@@ -15,10 +15,12 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 include_spip('inc/rubriques');
 
 // http://doc.spip.org/@action_editer_rubrique_dist
-function action_editer_rubrique_dist() {
+function action_editer_rubrique_dist($arg=null) {
 
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$arg = $securiser_action();
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
 
 	if (!$id_rubrique = intval($arg)) {
 		if ($arg != 'oui') {
diff --git a/ecrire/action/editer_site.php b/ecrire/action/editer_site.php
index c4b51dbcd6..c0d405ad61 100644
--- a/ecrire/action/editer_site.php
+++ b/ecrire/action/editer_site.php
@@ -13,10 +13,12 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 
 // http://doc.spip.org/@action_editer_site_dist
-function action_editer_site_dist() {
+function action_editer_site_dist($arg=null) {
 
-	$securiser_action = charger_fonction('securiser_action', 'inc');
-	$arg = $securiser_action();
+	if (is_null($arg)){
+		$securiser_action = charger_fonction('securiser_action', 'inc');
+		$arg = $securiser_action();
+	}
 	$resyndiquer = false;
 
 	include_spip('inc/filtres'); // pour vider_url()
diff --git a/ecrire/inc/editer.php b/ecrire/inc/editer.php
index c95c98e986..b590f79e8c 100644
--- a/ecrire/inc/editer.php
+++ b/ecrire/inc/editer.php
@@ -18,7 +18,7 @@ function formulaires_editer_objet_traiter($type, $id='new', $id_parent=0, $lier_
 
 	$res = array();
 	$action_editer = charger_fonction("editer_$type",'action');
-	list($id,$err) = $action_editer();
+	list($id,$err) = $action_editer($id);
 	$id_table_objet = id_table_objet($type);
 	$res[$id_table_objet] = $id;
 	if ($err){
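Review bot: `$action_editer($id)` on the replaced line hands the action a value for which the securiser_action check is now skipped, so the authorization of this edit rests entirely on how `$id` reached formulaires_editer_objet_traiter; from this hunk alone it is not visible whether `$id` is bound by the form's own signed arguments or could be overridden from `_request()`, and that should be confirmed and stated next to the call, e.g. `// $id comes from the form's signed arguments, not from _request(): the action will not redo the securiser_action check on it`. The default `$id='new'` is also passed through unchanged, which the actions treat as a creation; this matches the previous behaviour only if the former `arg` hidden field carried the same value for creations, which is worth checking. The enclosing function continues outside the hunk.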
@@ -116,7 +116,10 @@ function formulaires_editer_objet_charger($type, $id='new', $id_parent=0, $lier_
 		$contexte['extra'] = unserialize($contexte['extra']);
 	// preciser que le formulaire doit passer dans un pipeline
 	$contexte['_pipeline'] = array('editer_contenu_objet',array('type'=>$type,'id'=>$id));
+
 	// preciser que le formulaire doit etre securise auteur/action
+	// n'est plus utile lorsque l'action accepte l'id en argument direct
+	// on le garde pour compat 
 	$contexte['_action'] = array("editer_$type",$id);
 
 	return $contexte;
-- 
GitLab