diff --git a/.gitattributes b/.gitattributes
index cf4591b5559f578416c25310f63844ed5c561cf4..0f862e83b745d959ba686e2e280dcbe4ddd7a6f6 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -309,6 +309,7 @@ dist/vignettes/xml.png -text
 dist/vignettes/zip.png -text
 dist/win_width.htc -text
 ecrire/action/autoriser.php -text
+ecrire/action/converser.php -text
 ecrire/action/dater.php -text
 ecrire/action/documenter.php -text
 ecrire/action/editer_article.php -text
@@ -492,6 +493,7 @@ ecrire/inc/plugin.php -text
 ecrire/inc/popularites.php -text
 ecrire/inc/referencer_traduction.php -text
 ecrire/inc/regler_moderation.php -text
+ecrire/inc/securiser_action.php -text
 ecrire/inc/selectionner.php -text
 ecrire/inc/selectionner_auteur.php -text
 ecrire/inc/sites_voir.php -text
diff --git a/dist/formulaires/formulaire_forum.html b/dist/formulaires/formulaire_forum.html
index bc6d139b560c560f0cafafe7d2db506dc6f479eb..ffb0b3b2cd24db3630c0f2842b35d4bf7c42494d 100644
--- a/dist/formulaires/formulaire_forum.html
+++ b/dist/formulaires/formulaire_forum.html
@@ -4,7 +4,7 @@
 <form action="#ENV{url}#formulaire_forum" method="post">
 [(#ENV{url_post}|form_hidden)]
-[<input type="hidden" name="alea" value="(#ENV{alea})" />]
+[<input type="hidden" name="arg" value="(#ENV{arg})" />]
 [<input type="hidden" name="hash" value="(#ENV{hash})" />]
 [<input type="hidden" name="verif_(#ENV{hash})" value="ok" />]
 [<input type="hidden" name="afficher_texte" value="(#ENV{afficher_texte})" />]
diff --git a/ecrire/action/converser.php b/ecrire/action/converser.php
new file mode 100644
index 0000000000000000000000000000000000000000..14607f5299d29ef4e73adae8f86a7cb7f4f0f95d
--- /dev/null
+++ b/ecrire/action/converser.php
@@ -0,0 +1,48 @@
+<?php
+
+/***************************************************************************\
+ * SPIP, Systeme de publication pour l'internet *
+ * *
+ * Copyright (c) 2001-2006 *
+ * Arnaud Martin, Antoine Pitrou, Philippe Riviere, Emmanuel Saint-James *
+ * *
+ * Ce programme est un logiciel libre distribue sous licence GNU/GPL. *
+ * Pour plus de details voir le fichier COPYING.txt ou l'aide en ligne. *
+\***************************************************************************/
+
+if (!defined("_ECRIRE_INC_VERSION")) return;
+
+include_spip('inc/cookie');
+
+// changer de langue espace prive (ou login)
+
+function action_converser_dist()
+{
+ $lang = _request('var_lang_ecrire');
+
+ if (_FILE_CONNECT AND $lang) {
+ $var_f = charger_fonction('securiser_action', 'inc');
+ $var_f();
+ spip_query("UPDATE spip_auteurs SET lang = " . _q($lang) . " WHERE id_auteur = " . $GLOBALS['auteur_session']['id_auteur']);
+ $auteur_session['lang'] = $lang;
+ $var_f = charger_fonction('session', 'inc');
+ $var_f($auteur_session);
+ }
+}
+
+function action_converser_post()
+{
+ if ($lang = _request('var_lang_ecrire')) {
+ include_spip('inc/lang');
+
+ spip_setcookie('spip_lang_ecrire', $lang, time() + 365 * 24 * 3600);
+ spip_setcookie('spip_lang', $lang, time() + 365 * 24 * 3600);
+ }
+ $redirect = rawurldecode(_request('url'));
+ spip_log("acp $redirect");
+ if (!$redirect) $redirect = _DIR_RESTREINT_ABS;
+ $redirect = parametre_url($redirect,'lang',$lang,'&');
+ redirige_par_entete($redirect, true);
+}
+
+?>
diff --git a/ecrire/action/cookie.php b/ecrire/action/cookie.php
index 7892e12abb164d46c928e0fce2909e79da5d49c1..8893d23a9dad59832ae41d5a37a9cab6eddc9d49 100644
--- a/ecrire/action/cookie.php
+++ b/ecrire/action/cookie.php
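Review bot: `action_converser_post()` sends the browser to whatever `url` the request carries — `$redirect = rawurldecode(_request('url'))` goes straight into `redirige_par_entete()` — with no check that the target stays on this site, and cookie.php's new `elseif` branch reaches this function before login with no hash involved, so the script can be used to bounce a visitor to any host. Replacing the fallback line with `if (!$redirect OR preg_match(',^(\w+:|//),', $redirect)) $redirect = _DIR_RESTREINT_ABS;` keeps the redirect relative to the site. In `action_converser_dist()`, `$auteur_session['lang'] = $lang;` writes into a fresh local array rather than the `$GLOBALS['auteur_session']` the query above uses, so `inc/session` receives an array holding only `lang`; the removed cookie.php block had the same shape, so this may be pre-existing, but it is worth confirming against what the session writer expects. `$lang` also goes into the database, two cookies and the redirect URL without being checked against the configured language list, with `_q()` as the only safeguard on the `UPDATE`.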
@@ -161,24 +161,11 @@ if ($var_lang) {
 }
 }
-// changer de langue espace prive (ou login)
-if ($var_lang_ecrire) {
- include_spip('inc/lang');
-
- spip_setcookie('spip_lang_ecrire', $var_lang_ecrire, time() + 365 * 24 * 3600);
- spip_setcookie('spip_lang', $var_lang_ecrire, time() + 365 * 24 * 3600);
-
- if (_FILE_CONNECT
- AND verifier_action_auteur("cookie-var_lang_ecrire", $hash)) {
- spip_query("UPDATE spip_auteurs SET lang = " . _q($var_lang_ecrire) . " WHERE id_auteur = " . $GLOBALS['auteur_session']['id_auteur']);
- $auteur_session['lang'] = $var_lang_ecrire;
- $var_f = charger_fonction('session', 'inc');
- $var_f($auteur_session);
- }
-
- $redirect = parametre_url($redirect,'lang',$var_lang_ecrire,'&');
+// changer de langue espace prive avant le login (i.e. pas authentfie)
+elseif ($var_lang_ecrire) {
+ include_spip('action/converser');
+ action_converser_post();
 }
-
- redirige_par_entete($redirect, true);
 }
 ?>
diff --git a/ecrire/action/dater.php b/ecrire/action/dater.php
index fedab6711135183d91618d84380d940d84a9a04f..250da0243941059a2f26586e484e8fa425fa40b0 100644
--- a/ecrire/action/dater.php
+++ b/ecrire/action/dater.php
@@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 // http://doc.spip.org/@action_dater_dist
 function action_dater_dist()
 {
- include_spip('inc/actions');
- $var_f = charger_fonction('controler_action_auteur', 'inc');
+ $var_f = charger_fonction('securiser_action', 'inc');
 $var_f();
 $arg = _request('arg');
diff --git a/ecrire/action/documenter.php b/ecrire/action/documenter.php
index 0141b1f2a68ed3bfd6331de433b9a7ae99141647..98fbf6676a72cd6badb82832fd7d390d9fb3006d 100644
--- a/ecrire/action/documenter.php
+++ b/ecrire/action/documenter.php
@@ -17,7 +17,7 @@ include_spip('action/supprimer');
 // http://doc.spip.org/@action_documenter_dist
 function action_documenter_dist()
 {
- $var_f = charger_fonction('controler_action_auteur', 'inc');
+ $var_f = charger_fonction('securiser_action', 'inc');
 $var_f();
 $arg = _request('arg');
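Review bot: The trailing `redirige_par_entete($redirect, true);` that used to run after both language branches is removed, and only the new `elseif` branch redirects (inside `action_converser_post()`); unless the `$var_lang` branch above issues its own redirect in the part of its body outside this hunk, that path now ends without one. Turning the second `if` into `elseif` also means a request carrying both `var_lang` and `var_lang_ecrire` only honours the former, where the old code processed both; if that is intended, extending the new comment with `// not reached when var_lang was already handled above` would spare the next reader the comparison. The enclosing block starts outside this hunk.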
diff --git a/ecrire/action/editer_article.php b/ecrire/action/editer_article.php index 5b82bb37bc7415d355b6b7eaba9eb1211f1ff0f6..2444079ce2fa703ea2bf72fdd9f0de51e6abde7d 100644 --- a/ecrire/action/editer_article.php +++ b/ecrire/action/editer_article.php @@ -12,12 +12,11 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); // http://doc.spip.org/@action_editer_article_dist function action_editer_article_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/editer_auteurs.php b/ecrire/action/editer_auteurs.php index bbef1cb854d69c4f463744d4f0f8d5b28ea6de27..7655da669e819db6542c6dd61ed4599e0b099768 100644 --- a/ecrire/action/editer_auteurs.php +++ b/ecrire/action/editer_auteurs.php @@ -13,12 +13,11 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('base/abstract_sql'); -include_spip('inc/actions'); // http://doc.spip.org/@action_editer_auteurs_dist function action_editer_auteurs_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/editer_breve.php b/ecrire/action/editer_breve.php index c202842e3e1022f848719d42fe4339695edaf507..4cf8d548e71534d575c5506e99e72500b57d3280 100644 --- a/ecrire/action/editer_breve.php +++ b/ecrire/action/editer_breve.php @@ -12,12 +12,11 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); // http://doc.spip.org/@action_editer_breve_dist function action_editer_breve_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/editer_mot.php b/ecrire/action/editer_mot.php index 7ed52ef808edd05d8de3aab476bc0540e6f1c32f..72f880ce8be353f36b979eee66f755ff4a35eb60 100644 
--- a/ecrire/action/editer_mot.php +++ b/ecrire/action/editer_mot.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_editer_mot_dist function action_editer_mot_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/editer_rubrique.php b/ecrire/action/editer_rubrique.php index 442ae698809b0139cb03c056e922f0803307b851..2ba0293086fc055e908540d4bd2e6048bf5c0423 100644 --- a/ecrire/action/editer_rubrique.php +++ b/ecrire/action/editer_rubrique.php @@ -12,13 +12,12 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); include_spip('inc/rubriques'); // http://doc.spip.org/@action_editer_rubrique_dist function action_editer_rubrique_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/editer_signatures.php b/ecrire/action/editer_signatures.php index fc77601ec4e1d7c9b38284e3a7aca76b91e758c6..993fc49cb0b6b3781373045c242b73d8fa966f1e 100644 --- a/ecrire/action/editer_signatures.php +++ b/ecrire/action/editer_signatures.php @@ -12,13 +12,12 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); // Modifier le reglage des forums publics de l'article x // http://doc.spip.org/@action_editer_signatures_dist function action_editer_signatures_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/editer_site.php b/ecrire/action/editer_site.php index be6d608fc39154e18f0cc0ec357493e3339cafc4..37918111a632b81d11f7fe37d6ee577d94dc1b52 100644 --- a/ecrire/action/editer_site.php +++ b/ecrire/action/editer_site.php 
@@ -12,12 +12,11 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); // http://doc.spip.org/@action_editer_site_dist function action_editer_site_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/iconifier.php b/ecrire/action/iconifier.php index fee8d7824cd3aed39186802d453baec134fd9011..3af731f0822e39b49e518135024512c7cb3d906b 100644 --- a/ecrire/action/iconifier.php +++ b/ecrire/action/iconifier.php @@ -16,7 +16,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; function action_iconifier_dist() { include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); $iframe_redirect = _request('iframe_redirect'); diff --git a/ecrire/action/instituer_article.php b/ecrire/action/instituer_article.php index 5a61d584f28fdb5152c03117e5cb183f041a08f4..92ecd3f931ad604996c56026e10fda9933631ce8 100644 --- a/ecrire/action/instituer_article.php +++ b/ecrire/action/instituer_article.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_article_dist function action_instituer_article_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_auteur.php b/ecrire/action/instituer_auteur.php index aee5128d49a181f98f7e6ca80fd468ba9cd66f4c..bd038ba9f41fdab9c228ba9a9c74feea6f34455f 100644 --- a/ecrire/action/instituer_auteur.php +++ b/ecrire/action/instituer_auteur.php 
@@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_auteur_dist function action_instituer_auteur_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_breve.php b/ecrire/action/instituer_breve.php index b11babd458655379e75e3d066aa675f0eb4dde41..54f8d8a6e7059a7bf11ae22b4874594847a42274 100644 --- a/ecrire/action/instituer_breve.php +++ b/ecrire/action/instituer_breve.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_breve_dist function action_instituer_breve_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_collaboration.php b/ecrire/action/instituer_collaboration.php index c56d5274b9e04474101832d375d5ee1c292dc2fd..c9ee8b49ddc576d42834ce4e86811a9a737e2203 100644 --- a/ecrire/action/instituer_collaboration.php +++ b/ecrire/action/instituer_collaboration.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_collaboration_dist function action_instituer_collaboration_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_forum.php b/ecrire/action/instituer_forum.php index fb00e7a7a1612418ffa718cdf1f31e332f597abd..76bc0ab7eb11f87119e2ec4c7137737b44710159 100644 --- a/ecrire/action/instituer_forum.php +++ b/ecrire/action/instituer_forum.php 
@@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_forum_dist function action_instituer_forum_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_groupe_mots.php b/ecrire/action/instituer_groupe_mots.php index 685aa5f8032cf62530b95075358ffda5c9c62c89..d99749429a4b4116c1deccbb7bc500598791b194 100644 --- a/ecrire/action/instituer_groupe_mots.php +++ b/ecrire/action/instituer_groupe_mots.php @@ -12,14 +12,13 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); include_spip('inc/filtres'); include_spip('base/abstract_sql'); // http://doc.spip.org/@action_instituer_groupe_mots_dist function action_instituer_groupe_mots_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_langue_rubrique.php b/ecrire/action/instituer_langue_rubrique.php index e0dc25453fbd6489de67e28a7bca0d464a801ae3..d84119926e0220f5f7a47d09c1494a6acb58b626 100644 --- a/ecrire/action/instituer_langue_rubrique.php +++ b/ecrire/action/instituer_langue_rubrique.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_langue_rubrique_dist function action_instituer_langue_rubrique_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_mot.php b/ecrire/action/instituer_mot.php index 47642858c3696a9bcaeae66c851c274a000d3ee2..ffb90af76b5cd5d8688aa8e7f871db7fcfb059cc 100644 --- a/ecrire/action/instituer_mot.php +++ b/ecrire/action/instituer_mot.php 
@@ -12,7 +12,6 @@ if (!defined("_ECRIRE_INC_VERSION")) return; -include_spip('inc/actions'); include_spip('inc/filtres'); include_spip('base/abstract_sql'); @@ -20,7 +19,7 @@ include_spip('base/abstract_sql'); // http://doc.spip.org/@action_instituer_mot_dist function action_instituer_mot_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/instituer_syndic.php b/ecrire/action/instituer_syndic.php index ea14ebe0a8664e818437185795b926a67490faba..3298dffb9ed6c271c3589193e522951bd6dd580b 100644 --- a/ecrire/action/instituer_syndic.php +++ b/ecrire/action/instituer_syndic.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_instituer_syndic_dist function action_instituer_syndic_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/joindre.php b/ecrire/action/joindre.php index e824dc5a8a7f2018e8303ed995a186bfe9c09121..8852155f125ec342e0f56e17b609add5334e128a 100644 --- a/ecrire/action/joindre.php +++ b/ecrire/action/joindre.php @@ -27,7 +27,7 @@ function action_joindre_dist() $sousaction5, $_FILES, $HTTP_POST_FILES; - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $redirect = _request('redirect'); diff --git a/ecrire/action/legender.php b/ecrire/action/legender.php index b6ad9f370d61e1c65f9c15dc7880038a097756ca..c3384cfe51c1e5f2032c5b3b04056ffd1b3a8387 100644 --- a/ecrire/action/legender.php +++ b/ecrire/action/legender.php @@ -13,7 +13,6 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('inc/filtres'); -include_spip('inc/actions'); // En Ajax on utilise GET et sinon POST. // De plus Ajax en POST ne remplit pas $_POST 
@@ -23,7 +22,7 @@ include_spip('inc/actions'); // http://doc.spip.org/@action_legender_dist function action_legender_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/legender_auteur.php b/ecrire/action/legender_auteur.php index fa3d84a6debe283beb441e6614f4bcd4db709266..38c2d20e426eb5cd08b66562d7e2c6d3899f52ba 100644 --- a/ecrire/action/legender_auteur.php +++ b/ecrire/action/legender_auteur.php @@ -13,14 +13,13 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('inc/filtres'); -include_spip('inc/actions'); include_spip('inc/acces'); include_spip('base/abstract_sql'); // http://doc.spip.org/@action_legender_auteur_dist function action_legender_auteur_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/petitionner.php b/ecrire/action/petitionner.php index 46172020270c8ef318d7072856c1a8e4512df28b..a408fd6a740b6f9082b6d8ea9a4d0b7efca46ed0 100644 --- a/ecrire/action/petitionner.php +++ b/ecrire/action/petitionner.php @@ -15,10 +15,9 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_petitionner_dist function action_petitionner_dist() { - include_spip('inc/actions'); include_spip('inc/autoriser'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/poster_forum_prive.php b/ecrire/action/poster_forum_prive.php index 616e3d3903225d89187864f0ba00e6ddc7ca07cd..9c498d117aa2a49bdade7a5c1daec7f97f81877f 100644 --- a/ecrire/action/poster_forum_prive.php +++ b/ecrire/action/poster_forum_prive.php 
@@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_poster_forum_prive_dist function action_poster_forum_prive_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/purger.php b/ecrire/action/purger.php index b38b96ce979a6c1f57033efd9ce46ef84a36c841..71123a953aa532b9f023728c38593708864fd2f7 100644 --- a/ecrire/action/purger.php +++ b/ecrire/action/purger.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // securiser // http://doc.spip.org/@action_purger_dist function action_purger_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/referencer_traduction.php b/ecrire/action/referencer_traduction.php index ae3dad508203c637e183935d9dec08aa8fa958e2..4386626e3165e3bb6b7b1b711a1cd32f41fd2564 100644 --- a/ecrire/action/referencer_traduction.php +++ b/ecrire/action/referencer_traduction.php @@ -13,12 +13,11 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('inc/filtres'); -include_spip('inc/actions'); // http://doc.spip.org/@action_referencer_traduction_dist function action_referencer_traduction_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/regler_moderation.php b/ecrire/action/regler_moderation.php index 44d2cf0c3d57b49da189a7efe815948b70205c2b..ea7300bfb8acc045b0c5fbf42775f8cd5a2945cb 100644 --- a/ecrire/action/regler_moderation.php +++ b/ecrire/action/regler_moderation.php 
@@ -16,10 +16,9 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 // http://doc.spip.org/@action_regler_moderation_dist
 function action_regler_moderation_dist() {
- include_spip('inc/actions');
 include_spip('inc/autoriser');
- $var_f = charger_fonction('controler_action_auteur', 'inc');
+ $var_f = charger_fonction('securiser_action', 'inc');
 $var_f();
 $arg = _request('arg');
diff --git a/ecrire/action/reorganiser.php b/ecrire/action/reorganiser.php
index 31ccbcafff60f79a86e227781551c5adfdf370fe..32a8deac38370031ec4f403d4daf02e7b6d046ed 100644
--- a/ecrire/action/reorganiser.php
+++ b/ecrire/action/reorganiser.php
@@ -12,7 +12,6 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
-include_spip('inc/actions');
 include_spip('inc/autoriser');
 // http://doc.spip.org/@gerer_deplacements
@@ -40,17 +39,16 @@ function gerer_deplacements($deplacements){
 // http://doc.spip.org/@action_reorganiser_dist
 function action_reorganiser_dist(){
- global $auteur_session;
- $arg = _request('arg');
- $hash = _request('hash');
- $id_auteur = $auteur_session['id_auteur'];
+
+ $var_f = charger_fonction('securiser_action', 'inc');
+ $var_f();
+
+ if (_request('deplacements')!==NULL)
+ gerer_deplacements(_request('deplacements'));
+
 $redirect = _request('redirect');
 if ($redirect==NULL) $redirect="";
- include_spip("inc/actions");
- if (verifier_action_auteur("reorganiser-$arg",$hash,$id_auteur)==TRUE) {
- if (_request('deplacements')!==NULL)
- gerer_deplacements(_request('deplacements'));
- }
+
 redirige_par_entete(str_replace("&","&",urldecode($redirect)));
 }
diff --git a/ecrire/action/supprimer.php b/ecrire/action/supprimer.php
index 1643db848a6117092c6dcfbfdbc18e9bb3489789..2f8943c9ebf44b9afdcbb97f5cc29702a29a24f7 100644
--- a/ecrire/action/supprimer.php
+++ b/ecrire/action/supprimer.php
@@ -14,13 +14,12 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('inc/charsets'); # pour le nom de fichier include_spip('base/abstract_sql'); -include_spip('inc/actions'); // Effacer un doc (et sa vignette) // http://doc.spip.org/@action_supprimer_dist function action_supprimer_dist() { - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/supprimer_traduction.php b/ecrire/action/supprimer_traduction.php index 236a2efd5c4ea44ac8c2b9f854f9402d1e04157c..fad48a8f5067abe205930b3905f6f035fabe97f3 100644 --- a/ecrire/action/supprimer_traduction.php +++ b/ecrire/action/supprimer_traduction.php @@ -15,8 +15,7 @@ if (!defined("_ECRIRE_INC_VERSION")) return; // http://doc.spip.org/@action_supprimer_traduction_dist function action_supprimer_traduction_dist() { - include_spip('inc/actions'); - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/tourner.php b/ecrire/action/tourner.php index c7093c9fddec00e72d62a22783941813c9147362..48029f13e4f25206d8474b4adce94a094e685aef 100644 --- a/ecrire/action/tourner.php +++ b/ecrire/action/tourner.php @@ -14,13 +14,12 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('inc/charsets'); # pour le nom de fichier include_spip('base/abstract_sql'); -include_spip('inc/actions'); // http://doc.spip.org/@action_tourner_dist function action_tourner_dist() { include_spip('inc/distant'); # pour copie_locale - $var_f = charger_fonction('controler_action_auteur', 'inc'); + $var_f = charger_fonction('securiser_action', 'inc'); $var_f(); $arg = _request('arg'); diff --git a/ecrire/action/virtualiser.php b/ecrire/action/virtualiser.php index dd4ed55a8ed09636a9e53c37b67d6c159cf0ef1b..4c90d5ca8d0b804a3264cd3f630909152b0f59e9 100644 --- a/ecrire/action/virtualiser.php 
+++ b/ecrire/action/virtualiser.php
@@ -13,12 +13,11 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 include_spip('inc/filtres');
-include_spip('inc/actions');
 // http://doc.spip.org/@action_virtualiser_dist
 function action_virtualiser_dist() {
- $var_f = charger_fonction('controler_action_auteur', 'inc');
+ $var_f = charger_fonction('securiser_action', 'inc');
 $var_f();
 $arg = _request('arg');
diff --git a/ecrire/balise/formulaire_forum.php b/ecrire/balise/formulaire_forum.php
index 63c340eb405702104ec0ee0ca6018bff9b96294d..8fd286d2681b4b68ed1251a3cbfdcc182716cb6d 100644
--- a/ecrire/balise/formulaire_forum.php
+++ b/ecrire/balise/formulaire_forum.php
@@ -161,10 +161,11 @@ $ajouter_mot, $ajouter_groupe, $afficher_texte, $url_param_retour)
 if ($afficher_texte != 'non') $previsu = inclure_previsu($texte, $titre, $email_auteur, $auteur, $url_site, $nom_site_forum, $ajouter_mot);
- $alea = forum_fichier_tmp();
+ $arg = forum_fichier_tmp(join('', $ids));
- include_spip('inc/actions');
- $hash = calculer_action_auteur('ajout_forum'.join(' ', $ids).' '.$alea);
+ $securiser_action = charger_fonction('securiser_action', 'inc');
+ // on sait que cette fonction est dans le fichier associe
+ $hash = calculer_action_auteur("ajout_forum-$arg");
 // Poser un cookie pour ne pas retaper les infos invariables
 include_spip('inc/cookie');
@@ -194,7 +195,7 @@ $ajouter_mot, $ajouter_groupe, $afficher_texte, $url_param_retour)
 'url' => $script, # ce sur quoi on fait le action='...'
 'url_post' => $script_hidden, # pour les variables hidden
 'url_site' => ($url_site ? $url_site : "http://"),
- 'alea' => $alea,
+ 'arg' => $arg,
 'hash' => $hash,
 'nobot' => _request('nobot'),
 'ajouter_groupe' => $ajouter_groupe,
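Review bot: The string that gets hashed shrinks from `'ajout_forum'.join(' ', $ids).' '.$alea` to `"ajout_forum-$arg"`, so the target ids (id_article, id_rubrique, …) are no longer covered by the hash and the verifying side can no longer tie a token to the object it was issued for; `join('', $ids)` goes into `forum_fichier_tmp()` instead, but a number derived from it cannot be decomposed back into the ids, and in the `@@ -253` hunk the `intval($arg)` term does not reach `$alea` at all. If that binding matters, fold the ids into `$arg` in a form the generic `action-arg` check can hash verbatim, rather than into the random number. `$securiser_action` is assigned only to force the include, as the comment says; a bare `charger_fonction('securiser_action', 'inc');` states the same without leaving a dead local.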
@@ -253,10 +254,10 @@ function inclure_previsu($texte,$titre, $email_auteur, $auteur, $url_site, $nom_
 // si $afficher_texte = 'non')
 // http://doc.spip.org/@forum_fichier_tmp
-function forum_fichier_tmp()
+function forum_fichier_tmp($arg)
 {
 # astuce : mt_rand pour autoriser les hits simultanes
- while (($alea = time() + @mt_rand())
+ while (($alea = time() + @mt_rand()) + intval($arg)
 AND @file_exists($f = _DIR_TMP."forum_$alea.lck")) {};
 spip_touch ($f);
diff --git a/ecrire/inc/actions.php b/ecrire/inc/actions.php
index 2c1f82b8a046b68e1bd24f95504dff73f7b2f1a1..bbbc4b74de8fcc23a9f080936d0324b1ef4ea2db 100644
--- a/ecrire/inc/actions.php
+++ b/ecrire/inc/actions.php
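Review bot: `+ intval($arg)` is added outside the parenthesised assignment, so `$alea` is still `time() + @mt_rand()` and the extra term only feeds the truth value of the `AND` operand; the new parameter has no effect on the lock-file name or on the value the function returns. If the intent is to mix the ids into the token, the term has to move inside the assignment: `while (($alea = time() + @mt_rand() + intval($arg))`. Even then, `intval()` of a concatenation such as `join('', $ids)` depends on which ids happen to be set and can saturate on long digit strings, so the result is not a reliable fingerprint of the ids. The function's return statement lies outside the hunk.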
@@ -14,100 +14,10 @@ if (!defined("_ECRIRE_INC_VERSION")) return;
 include_spip('inc/meta');
-// fonction de securite appelee par les scripts de action/
-// cf fabrication des arguments dans generer_action_auteur
-
-// http://doc.spip.org/@inc_controler_action_auteur_dist
-function inc_controler_action_auteur_dist()
-{
- $arg = _request('arg');
- $hash = _request('hash');
- $action = _request('action');
-
- if (!verifier_action_auteur("$action-$arg", $hash)) {
- include_spip('inc/minipres');
- minipres(_T('info_acces_interdit'));
- }
-}
-
-// http://doc.spip.org/@caracteriser_auteur
-function caracteriser_auteur() {
- global $auteur_session;
- static $caracterisation = array();
-
- if ($caracterisation) return $caracterisation;
-
- $id_auteur = $auteur_session['id_auteur'];
- if (!$id_auteur) {
- // si l'auteur courant n'est pas connu alors qu'il peut demander une action
- // c'est une connexion par php_auth, on se rabat sur le cookie.
- // S'il n'avait pas le droit de realiser cette action, le hash sera faux.
- if (isset($_COOKIE['spip_session'])
- AND (preg_match('/^(\d+)/',$_COOKIE['spip_session'],$r))) {
- return array($r[1], '');
- // Necessaire aux forums anonymes.
- // Pour le reste, ca echouera.
- } else return array('','');
- }
- // Eviter l'acces SQL si le pass est connu de PHP
-
- if ($auteur_session['pass'])
- return $caracterisation = array($id_auteur, $auteur_session['pass']);
- else {
- $t = spip_query("SELECT id_auteur, pass FROM spip_auteurs WHERE id_auteur=$id_auteur");
- if ($t = spip_fetch_array($t))
- return $caracterisation = array($t['id_auteur'], $t['pass']);
- spip_log("auteur $id_auteur sans caracterisation");
- die(_T('info_acces_interdit'));
- }
-}
-
-// http://doc.spip.org/@_action_auteur
-function _action_auteur($action, $id_auteur, $pass, $nom_alea) {
- return md5($action.$id_auteur.$pass .$GLOBALS['meta'][$nom_alea]);
-}
-
-// http://doc.spip.org/@calculer_action_auteur
-function calculer_action_auteur($action) {
- list($id_auteur, $pass) = caracteriser_auteur();
- return _action_auteur($action, $id_auteur, $pass, 'alea_ephemere');
-}
-
-// http://doc.spip.org/@verifier_action_auteur
-function verifier_action_auteur($action, $valeur) {
- list($id_auteur, $pass) = caracteriser_auteur();
-
- if ($valeur == _action_auteur($action, $id_auteur, $pass, 'alea_ephemere'))
- return true;
- if ($valeur == _action_auteur($action, $id_auteur, $pass, 'alea_ephemere_ancien'))
- return true;
- spip_log("verifier action $action $id_auteur : echec");
- return false;
-}
-
-
-// http://doc.spip.org/@generer_action_auteur
 function generer_action_auteur($action, $arg, $redirect="", $mode=false, $att='')
 {
- static $id_auteur=0, $pass;
- if (!$id_auteur) {
- list($id_auteur, $pass) = caracteriser_auteur();
- }
- $hash = _action_auteur("$action-$arg", $id_auteur, $pass, 'alea_ephemere');
- $r = rawurlencode($redirect);
- if (!is_string($mode))
- return generer_url_action($action, "arg=$arg&hash=$hash" . (!$r ? '' : "&redirect=$r"), $mode);
-
- // Attention, JS n'aime pas le melange de param GET/POST
- return "\n<form style='margin:0px' action='" .
- generer_url_public('') .
- "'$att>\n\t<div>
- <input name='hash' type='hidden' value='$hash' />
- <input name='action' type='hidden' value='$action' />
- <input name='arg' type='hidden' value='$arg' />" .
- (!$r ? '' : "\n\t\t<input name='redirect' type='hidden' value='$r' />") .
- $mode .
- "\n\t</div>\n</form>\n";
+ $securiser_action = charger_fonction('securiser_action', 'inc');
+ return $securiser_action($action, $arg, $redirect, $mode, $att);
 }
 // http://doc.spip.org/@redirige_action_auteur
diff --git a/ecrire/inc/forum_insert.php b/ecrire/inc/forum_insert.php
index f8b6d355971280a3b89fb7a032c592daae163f08..468cd0138e1fffbe928ed4883f6bf838df9458c0 100644
--- a/ecrire/inc/forum_insert.php
+++ b/ecrire/inc/forum_insert.php
@@ -113,28 +113,6 @@ function mots_du_forum($ajouter_mot, $id_message)
 spip_abstract_insert('spip_mots_forum', '(id_mot, id_forum)', "($id_mot, $id_message)");
 }
-// Recalcule la signature faite dans formulaires/inc-formulaire-forum
-// en fonction des input POST (ne pas se fier aux parametres d'URL)
-// Retourne le fichier verrouillant si correct
-
-// http://doc.spip.org/@forum_insert_secure
-function forum_insert_secure($alea, $hash)
-{
- $ids = array();
-
- foreach (array('id_article', 'id_breve', 'id_forum', 'id_rubrique', 'id_syndic') as $o) {
- $ids[$o] = ($x = intval($_POST[$o])) ? $x : '';
- }
-
- if (!verifier_action_auteur('ajout_forum'.join(' ', $ids).' '.$alea,
- $hash)) {
- spip_log('erreur hash forum');
- die (_T('forum_titre_erreur')); # echec du POST
- }
-
- $file = _DIR_TMP ."forum_" . preg_replace('/[^0-9]/', '', $alea) .".lck";
- return file_exists($file) ? $file : '';
-}
 // http://doc.spip.org/@reduce_strlen
 function reduce_strlen($n, $c)
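Review bot: `generer_action_auteur()` now hands its arguments to the function returned by `charger_fonction('securiser_action', 'inc')`, and that function (see the new `ecrire/inc/securiser_action.php`) dispatches on `if ($action)`: a call with an empty or `'0'` action no longer returns a URL but runs the request-verification path, which can end in `minipres(_T('info_acces_interdit'))`. Calling the builder by name keeps the two roles apart: `charger_fonction('securiser_action', 'inc');` followed by `return securiser_action_auteur($action, $arg, $redirect, $mode, $att);`. Note too that `calculer_action_auteur()` and `verifier_action_auteur()` leave this file without anything here loading their new home, so a caller that still does `include_spip('inc/actions')` and calls them directly will hit an undefined function unless it loads `inc/securiser_action` first, as balise/formulaire_forum.php now does.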
@@ -204,8 +182,15 @@ function inc_forum_insert_dist() {
 // Verifier hash securite pour les forums avec previsu
 if ($afficher_texte <> 'non') {
- $file = forum_insert_secure(_request('alea'), _request('hash'));
- if (!$file) {
+
+ // simuler une action venant de l'espace public
+ // pour se conformer au a general.
+ set_request('action', 'ajout_forum');
+ $var_f = charger_fonction('securiser_action', 'inc');
+ $var_f();
+
+ $file = _DIR_TMP ."forum_" . preg_replace('/[^0-9]/', '', _request('arg')) .".lck";
+ if (!file_exists($file)) {
 # ne pas tracer cette erreur, peut etre due a un double POST
 # tracer_erreur_forum('session absente');
 return $retour_forum; # echec silencieux du POST
diff --git a/ecrire/inc/lang.php b/ecrire/inc/lang.php
index b3f21ccef866ba3c6304a29fffadc51a2c3e8501..7ccf45f4be6d8f30d327c4241bd80623ea7cb66c 100644
--- a/ecrire/inc/lang.php
+++ b/ecrire/inc/lang.php
@@ -129,7 +129,7 @@ function menu_langues($nom_select = 'var_lang', $default = '', $texte = '', $her
 } else {
 $cible = _DIR_RESTREINT_ABS . $lien;
 if (_FILE_CONNECT) {
- $lien = generer_action_auteur('cookie','var_lang_ecrire');
+ $lien = generer_action_auteur('converser','');
 } else $lien = generer_url_action('cookie');
 }
 }
diff --git a/ecrire/inc/securiser_action.php b/ecrire/inc/securiser_action.php
new file mode 100644
index 0000000000000000000000000000000000000000..3b5099311478bf39653c57a3dc4d7ac546d0cff3
--- /dev/null
+++ b/ecrire/inc/securiser_action.php
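Review bot: The check now goes through the generic `securiser_action` verifier, which reads `action`, `arg` and `hash` via `_request()`, whereas the removed `forum_insert_secure()` deliberately rebuilt the signed string from `$_POST` ("ne pas se fier aux parametres d'URL"); if `_request()` also consults the query string, the token and the lock-file name for a form POST can now arrive in the URL, which is a change worth stating in the comment above `set_request(...)`. The verifier's `verifier_action_auteur()` (in the new `ecrire/inc/securiser_action.php`, beyond this hunk) compares the md5 with `==`; PHP's loose comparison treats two digit strings of the form `0e…` as equal numbers, so `===` is the safe form for both comparisons, e.g. `if ($valeur === _action_auteur($action, $id_auteur, $pass, 'alea_ephemere'))`. On failure the old code called `die()`; the new path calls `minipres()`, and if that helper returns rather than exits, execution continues to the `file_exists()` test and the silent `return $retour_forum`, which is fine only if that is the intended fallback. inc_forum_insert_dist's body continues outside the hunk.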
@@ -0,0 +1,111 @@
+<?php
+
+/***************************************************************************\
+ * SPIP, Systeme de publication pour l'internet *
+ * *
+ * Copyright (c) 2001-2006 *
+ * Arnaud Martin, Antoine Pitrou, Philippe Riviere, Emmanuel Saint-James *
+ * *
+ * Ce programme est un logiciel libre distribue sous licence GNU/GPL. *
+ * Pour plus de details voir le fichier COPYING.txt ou l'aide en ligne. *
+\***************************************************************************/
+
+if (!defined("_ECRIRE_INC_VERSION")) return;
+
+include_spip('inc/meta');
+
+// interface d'appel:
+// - avec au moins un argument, construit une URL ou un formulaire securises
+// - sans argument: verifie que les param HTTP attestent de la securite
+
+function inc_securiser_action_dist($action='', $arg='', $redirect="", $mode=false, $att='')
+{
+ if ($action)
+ return securiser_action_auteur($action, $arg, $redirect, $mode, $att);
+ elseif (!verifier_action_auteur(_request('action') . '-' . _request('arg'), _request('hash'))) {
+ include_spip('inc/minipres');
+ minipres(_T('info_acces_interdit'));
+ }
+}
+
+// http://doc.spip.org/@generer_action_auteur
+function securiser_action_auteur($action, $arg, $redirect="", $mode=false, $att='')
+{
+ static $id_auteur=0, $pass;
+ if (!$id_auteur) {
+ list($id_auteur, $pass) = caracteriser_auteur();
+ }
+ $hash = _action_auteur("$action-$arg", $id_auteur, $pass, 'alea_ephemere');
+ $r = rawurlencode($redirect);
+ if (!is_string($mode))
+ return generer_url_action($action, "arg=$arg&hash=$hash" . (!$r ? '' : "&redirect=$r"), $mode);
+
+ // Attention, JS n'aime pas le melange de param GET/POST
+ return "\n<form style='margin:0px' action='" .
+ generer_url_public('') .
+ "'$att>\n\t<div>
+ <input name='hash' type='hidden' value='$hash' />
+ <input name='action' type='hidden' value='$action' />
+ <input name='arg' type='hidden' value='$arg' />" .
+ (!$r ? '' : "\n\t\t<input name='redirect' type='hidden' value='$r' />") .
+ $mode .
+ "\n\t</div>\n</form>\n";
+}
+
+// http://doc.spip.org/@caracteriser_auteur
+function caracteriser_auteur() {
+ global $auteur_session;
+ static $caracterisation = array();
+
+ if ($caracterisation) return $caracterisation;
+
+ $id_auteur = $auteur_session['id_auteur'];
+ if (!$id_auteur) {
+ // si l'auteur courant n'est pas connu alors qu'il peut demander une action
+ // c'est une connexion par php_auth, on se rabat sur le cookie.
+ // S'il n'avait pas le droit de realiser cette action, le hash sera faux.
+ if (isset($_COOKIE['spip_session'])
+ AND (preg_match('/^(\d+)/',$_COOKIE['spip_session'],$r))) {
+ return array($r[1], '');
+ // Necessaire aux forums anonymes.
+ // Pour le reste, ca echouera.
+ } else return array('','');
+ }
+ // Eviter l'acces SQL si le pass est connu de PHP
+
+ if ($auteur_session['pass'])
+ return $caracterisation = array($id_auteur, $auteur_session['pass']);
+ else {
+ $t = spip_query("SELECT id_auteur, pass FROM spip_auteurs WHERE id_auteur=$id_auteur");
+ if ($t = spip_fetch_array($t))
+ return $caracterisation = array($t['id_auteur'], $t['pass']);
+ spip_log("auteur $id_auteur sans caracterisation");
+ die(_T('info_acces_interdit'));
+ }
+}
+
+// http://doc.spip.org/@_action_auteur
+function _action_auteur($action, $id_auteur, $pass, $nom_alea) {
+ return md5($action.$id_auteur.$pass .$GLOBALS['meta'][$nom_alea]);
+}
+
+// http://doc.spip.org/@calculer_action_auteur
+function calculer_action_auteur($action) {
+ list($id_auteur, $pass) = caracteriser_auteur();
+ return _action_auteur($action, $id_auteur, $pass, 'alea_ephemere');
+}
+
+// http://doc.spip.org/@verifier_action_auteur
+function verifier_action_auteur($action, $valeur) {
+ list($id_auteur, $pass) = caracteriser_auteur();
+
+ if ($valeur == _action_auteur($action, $id_auteur, $pass, 'alea_ephemere'))
+ return true;
+ if ($valeur == _action_auteur($action, $id_auteur, $pass, 'alea_ephemere_ancien'))
+ return true;
+ spip_log("verifier action $action $id_auteur : echec");
+ return false;
+}
+
+
+?>
\ No newline at end of file
diff --git a/spip.php b/spip.php
index 665e940a09bb2376a8a2c34ebe9ee714e86b26e7..e8300e1eae797aae0d509e57acf92d53ef69dda7 100644
--- a/spip.php
+++ b/spip.php
@@ -15,8 +15,10 @@ include_once _DIR_RESTREINT_ABS.'inc_version.php';
 # rediriger les anciens URLs de la forme page.php3fond=xxx
-if (isset($_GET['fond']))
+if (isset($_GET['fond'])) {
+ include_spip('inc/headers');
 redirige_par_entete(generer_url_public($_GET['fond']));
+ }
 # au travail...
 include _DIR_RESTREINT_ABS.'public.php';
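Review bot: verifier_action_auteur compares the submitted value with `==`, which PHP evaluates numerically when both operands look numeric, so two hex digests of the form `0e` followed by digits compare equal; use a strict comparison, `if ($valeur === _action_auteur($action, $id_auteur, $pass, 'alea_ephemere'))` and the same for `alea_ephemere_ancien` (hash_equals() where the PHP version offers it). In _action_auteur the four fields are concatenated with no delimiter, so different (action, arg, id_auteur) combinations can yield the same md5 input; a separator between fields, or an HMAC keyed with the alea, removes the ambiguity. In securiser_action_auteur `$action` and `$arg` are written into hidden-input value attributes and into the query string unescaped, unlike `$redirect` which goes through rawurlencode(); they should be htmlspecialchars()'d in the form and rawurlencode()'d in the URL. inc_securiser_action_dist signals a failed check only by calling minipres(); if that function can return, callers that invoke the verifier for its side effect continue as if the check had passed, so the comment at the top of the file should state that it terminates, or the function should return a boolean the caller must test.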
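Review bot: The closing `+ }` is indented one level while the `if` it closes sits at column 0; align it as `}`. `$_GET['fond']` flows unmodified into generer_url_public() and from there into the redirect header, and whether that is safe depends on generer_url_public() encoding its argument and redirige_par_entete() rejecting CR/LF, neither of which is visible here; a comment naming which of the two is responsible for that would help the next reader.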