Merge pull request #72 from flatCore/develop

Merge Develop Branch

Author: patkon

.gitignore

@@ -30,11 +30,15 @@ release-notes.html
 
 # styles, except default #
 /styles/**/*
-!/styles/default/*
 /styles/default/.DS_Store
 
+!/styles/default/*
+!/styles/default/**/*
+!/styles/default/php/*
+
 !index.html
 
 config_database.php
 
 /content/SQLite/.DS_Store
+acp/theme/config.codekit3

.htaccess

@@ -6,4 +6,9 @@ RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php?query=$1 [L,QSA]
 
-</IfModule>
+</IfModule>
+
+<FilesMatch "\.(pdf|doc|docx|xls|xlsx|xlsm)$" >
+    ForceType application/octet-stream
+    Header add Content-Disposition "attachment"
+</FilesMatch>

_htaccess

@@ -6,4 +6,9 @@ RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php?query=$1 [L,QSA]
 
-</IfModule>
+</IfModule>
+
+<FilesMatch "\.(pdf|doc|docx|xls|xlsx|xlsm)$" >
+    ForceType application/octet-stream
+    Header add Content-Disposition "attachment"
+</FilesMatch>

acp/acp.php

@@ -982,12 +982,13 @@ function expandHelpSidebar(){
 				$('.page-info-btn').click(function(){
 
 				   var pageid = $(this).data('id');
+				   var csrf_token = $(this).data('token');
 
 				   // AJAX request
 				   $.ajax({
 				    url: 'core/pages.info.php',
 				    type: 'post',
-				    data: {pageid: pageid},
+				    data: {pageid: pageid, csrf_token: csrf_token},
 				    success: function(response){ 
 				      // Add response in Modal body
 				      $('#pageInfoModal .modal-body').html(response);

acp/core/access.php

@@ -96,12 +96,17 @@ function fc_start_user_session($ud) {
 	die('Error: CSRF Token is invalid');
 }
 
+/* stop all $_POST actions if csrf token is empty or invalid */
 
-if(sizeof($_POST)>1) {
+if(!empty($_POST)) {
+	if(empty($_POST['csrf_token'])) {
+		die('Error: CSRF Token is empty');
+	}
 	if($_POST['csrf_token'] !== $_SESSION['token']) {
 		die('Error: CSRF Token is invalid');	
 	}
 }
 
+$hidden_csrf_token = '<input type="hidden" name="csrf_token" value="'.$_SESSION['token'].'">';
 
 ?>

acp/core/dashboard.top.php

@@ -3,15 +3,12 @@
 //prohibit unauthorized access
 require 'core/access.php';
 
-if(isset($_GET['a'])) {
-	
-	if($_GET['a'] == 'delete_cache') {
-		fc_delete_smarty_cache('all');
-	}
-	if($_GET['a'] == 'update_index') {
-		fc_update_bulk_page_index();
-	}
-	
+if(isset($_POST['delete_cache'])) {
+	fc_delete_smarty_cache('all');
+}
+
+if(isset($_POST['update_index'])) {
+	fc_update_bulk_page_index();
 }
 
 
@@ -64,15 +61,22 @@
 		if($user_result[$i]['user_class'] == "deleted"){
 			$user_nick = "<strike>$user_nick</strike>";
 		}
-		$user_latest5 .= '<a href="acp.php?tn=user&sub=edit&edituser='.$user_id.'" class="list-group-item list-group-item-ghost list-group-item-action flex-column align-items-start">';
+		
+		$user_latest5 .= '<div class="list-group-item list-group-item-ghost list-group-item-action flex-column align-items-start">';
 		$user_latest5 .= '<div class="d-flex w-100 justify-content-between">';
+		
 		$user_latest5 .= '<div>';
 		$user_latest5 .= '<h6 class="mb-0">'.$user_nick.'</h6>';
 		$user_latest5 .= '<small>'.$user_name.'</small>';
-		$user_latest5 .= '</div>';
 		$user_latest5 .= '<small>'.$user_registerdate.'</small>';
 		$user_latest5 .= '</div>';
-		$user_latest5 .= '</a>';
+		$user_latest5 .= '<form class="inline" action="?tn=user&sub=edit" method="POST">';	
+		$user_latest5 .= '<button name="edituser" value='.$user_id.'" class="btn btn-fc btn-sm">'.$icon['edit'].'</button>';
+		$user_latest5 .= $hidden_csrf_token;
+		$user_latest5 .= '</form>';
+		
+		$user_latest5 .= '</div>';
+		$user_latest5 .= '</div>';
 	}
 
 }
@@ -126,6 +130,7 @@
 		$top5pages .= '</div>';
 		$top5pages .= '<form class="inline" action="?tn=pages&sub=edit" method="POST">';
 		$top5pages .= '<button class="btn btn-fc btn-sm" name="editpage" value="'.$allPages[$i]['page_id'].'">'.$icon['edit'].'</button>';
+		$top5pages .= $hidden_csrf_token;
 		$top5pages .= '</form>';
 		$top5pages .= '</div>';
 
@@ -172,6 +177,7 @@
 		$top5posts .= '</div>';
 		$top5posts .= '<form class="inline" action="?tn=posts&sub=edit" method="POST">';
 		$top5posts .= '<button class="btn btn-fc btn-sm" name="post_id" value="'.$allPosts[$i]['post_id'].'">'.$icon['edit'].'</button>';
+		$top5posts .= $hidden_csrf_token;
 		$top5posts .= '</form>';
 		$top5posts .= '</div>';
 
@@ -210,6 +216,7 @@
 		$top5comments .= '</div>';
 		$top5comments .= '<form class="inline" action="?tn=comments&sub=list#comid'.$allComments[$i]['comment_id'].'" method="POST">';
 		$top5comments .= '<button class="btn btn-fc btn-sm" name="editid" value="'.$allComments[$i]['comment_id'].'">'.$icon['edit'].'</button>';
+		$top5comments .= $hidden_csrf_token;
 		$top5comments .= '</form>';
 		$top5comments .= '</div>';
 		$top5comments .= '</div>';
@@ -286,12 +293,13 @@
 
 $btn_page_overview = '<a href="acp.php?tn=pages" class="btn btn-fc btn-sm w-100">'.$icon['sitemap'].'</a>';
 $btn_new_page = '<a href="acp.php?tn=pages&sub=new" class="btn btn-fc btn-sm w-100">'.$icon['plus'].' '.$lang['new'].'</a>';
-$btn_update_index = '<a href="acp.php?tn=dashboard&a=update_index" class="btn btn-fc btn-sm w-100">'.$icon['sync_alt'].' Index</a>';
-$btn_delete_cache = '<a href="acp.php?tn=dashboard&a=delete_cache" class="btn btn-fc btn-sm w-100">'.$icon['trash_alt'].' Cache</a>';
+
+$btn_update_index = '<form action="?tn=dashboard" method="POST" class="d-inline"><button name="update_index" class="btn btn-fc btn-sm w-100 text-nowrap">'.$icon['sync_alt'].' Index</button>'.$hidden_csrf_token.'</form>';
+$btn_delete_cache = '<form action="?tn=dashboard" method="POST"><button name="delete_cache" class="btn btn-fc btn-sm w-100 text-nowrap">'.$icon['trash_alt'].' Cache</button>'.$hidden_csrf_token.'</form>';
 
 $btn_post_overview = '<a href="acp.php?tn=posts" class="btn btn-fc btn-sm w-100">'.$lang['tn_posts'].'</a>';
 $btn_new_post = '<a href="acp.php?tn=posts&sub=edit" class="btn btn-fc btn-sm w-100">'.$icon['plus'].' '.$lang['new'].'</a>';
-$btn_comments_overview = '<a href="acp.php?tn=comments" class="btn btn-fc btn-sm w-100">'.$lang['tn_comments'].'</a>';
+$btn_comments_overview = '<a href="acp.php?tn=reactions" class="btn btn-fc btn-sm w-100">'.$lang['tn_comments'].'</a>';
 
 $btn_user_overview = '<a href="acp.php?tn=user" class="btn btn-fc btn-sm w-100">'.$lang['list_user'].'</a>';
 $btn_new_user = '<a href="acp.php?tn=user&sub=new" class="btn btn-fc btn-sm w-100">'.$icon['plus'].' '.$lang['new_user'].'</a>';

acp/core/files.browser.php

@@ -130,8 +130,9 @@
 }
 $select_dir .= '</optgroup>';
 $select_dir .= '</select>';
-$select_dir  .= '</div>';
-$select_dir  .= '</div>';
+$select_dir .= '</div>';
+$select_dir .= '</div>';
+$select_dir .= $hidden_csrf_token;
 $select_dir .= '</form>';
 
 
@@ -612,6 +613,7 @@ function delete_folder($dir) {
 	echo '<form class="inline pull-right" action="acp.php?tn=filebrowser&sub=browse&selected_folder='.dirname($disk).'" method="POST">';
 	echo '<input type="submit" value="'.$lang['delete_folder'].'" class="btn btn-danger" onclick="return confirm(\''.$lang['confirm_delete_folder'].'\')">';
 	echo '<input type="hidden" name="delete_folder" value="'.$disk.'">';
+	echo $hidden_csrf_token;
 	echo '</form>';
 	echo '</div>';
 }
@@ -794,6 +796,7 @@ function delete_folder($dir) {
 echo '<div class="btn-group d-flex" role="group">';
 echo '<button class="btn btn-sm btn-fc w-100" type="submit" name="rebuild" value="database">Database '.$icon['wrench'].'</button>';
 echo '<button class="btn btn-sm btn-fc w-100" type="submit" name="clear_tmb">Thumbnails '.$icon['trash_alt'].'</button>';
+echo $hidden_csrf_token;
 echo '</div>';
 echo '</form>';
 

acp/core/files.edit.php

@@ -8,6 +8,7 @@
 $set_lang = $languagePack;
 if(isset($_REQUEST['set_lang'])) {
 	$set_lang = $_REQUEST['set_lang'];
+	unset($media_data);
 }
 
 $form_tpl = file_get_contents('templates/media-edit-form.tpl');
@@ -36,7 +37,7 @@
 
 
 if(isset($_POST['save'])) {
-	$savedMedia = fc_write_media_data($_POST['realpath'],$_POST['title'],$_POST['notes'],$_POST['keywords'],$_POST['text'],$_POST['url'],$_POST['alt'],$set_lang,$_POST['credit'],$_POST['priority'],$_POST['license'],time(),$filesize,$_POST['version'],$_POST['media_labels']);
+	$savedMedia = fc_write_media_data($_POST['realpath'],$_POST['title'],$_POST['notes'],$_POST['keywords'],$_POST['text'],$_POST['url'],$_POST['alt'],$_POST['set_lang'],$_POST['credit'],$_POST['priority'],$_POST['license'],time(),$filesize,$_POST['version'],$_POST['media_labels']);
 	if($savedMedia == 'success') {
 		$message = '<div class="alert alert-success alert-auto-close">'.$lang['db_changed'].'</div>';
 	} else {
@@ -54,8 +55,8 @@
 echo '</div>';
 
 $arr_lang = get_all_languages();
-$langSwitch = '<form action="?tn=filebrowser&sub=edit">';
-$langSwitch .= '<div class="btn-group" role="group">';
+
+$langSwitch = '<div class="btn-group" role="group">';
 foreach($arr_lang as $langs) {
 	$btn_status = '';
 	if($langs['lang_sign'] == "$set_lang") { $btn_status = 'active'; }
@@ -64,7 +65,7 @@
 $langSwitch .= '</div>';
 $langSwitch .= '<input type="hidden" name="file" value="'.$media_filename.'">';
 $langSwitch .= '<input type="hidden" name="folder" value="'.$_REQUEST['folder'].'">';
-$langSwitch .= '</form>';
+
 
 $media_data = fc_get_media_data($realpath,$set_lang);
 

acp/core/files.upload-script.php

@@ -20,16 +20,13 @@
 	$db_type = 'mysql';
 
 	$database = new Medoo([
-
-		'database_type' => 'mysql',
-		'database_name' => "$database_name",
-		'server' => "$database_host",
+		'type' => 'mysql',
+		'database' => "$database_name",
+		'host' => "$database_host",
 		'username' => "$database_user",
 		'password' => "$database_psw",
-	 
 		'charset' => 'utf8',
 		'port' => $database_port,
-	 
 		'prefix' => DB_PREFIX
 	]);
 
@@ -51,8 +48,8 @@
 	define("CONTENT_DB", "$fc_db_content");
 
 	$db_content = new Medoo([
-		'database_type' => 'sqlite',
-		'database_file' => CONTENT_DB
+		'type' => 'sqlite',
+		'database' => CONTENT_DB
 	]);
 }
 
@@ -164,51 +161,53 @@
 	}
 }
 
-/* upload files to /upload/plugins/ */
-if($_REQUEST['upload_type'] == 'plugin') {
-	if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
-		$tmp_name = $_FILES["file"]["tmp_name"];   
-	  $org_name = $_FILES["file"]["name"];
-	  $suffix = strtolower(substr(strrchr($org_name,'.'),1));
-	  $prefix = basename($org_name,".$suffix");
-	  $files_name = clean_filename($prefix,$suffix);
-	  if(!is_dir('../../upload/plugins')) {
-		  mkdir("../../upload/plugins", 0777, true);
-	  }
-	  $target = "../../upload/plugins/$files_name";
-		@move_uploaded_file($tmp_name, $target);
+if($fc_upload_addons === true) {
+	/* upload files to /upload/plugins/ */
+	if($_REQUEST['upload_type'] == 'plugin') {
+		if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
+			$tmp_name = $_FILES["file"]["tmp_name"];   
+		  $org_name = $_FILES["file"]["name"];
+		  $suffix = strtolower(substr(strrchr($org_name,'.'),1));
+		  $prefix = basename($org_name,".$suffix");
+		  $files_name = clean_filename($prefix,$suffix);
+		  if(!is_dir('../../upload/plugins')) {
+			  mkdir("../../upload/plugins", 0777, true);
+		  }
+		  $target = "../../upload/plugins/$files_name";
+			@move_uploaded_file($tmp_name, $target);
+		}
 	}
-}
-
-/* upload files to /upload/themes/ */
-if($_REQUEST['upload_type'] == 'theme') {
-	if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
-		$tmp_name = $_FILES["file"]["tmp_name"];   
-	  $org_name = $_FILES["file"]["name"];
-	  $suffix = strtolower(substr(strrchr($org_name,'.'),1));
-	  $prefix = basename($org_name,".$suffix");
-	  $files_name = clean_filename($prefix,$suffix);
-	  if(!is_dir('../../upload/themes')) {
-		  mkdir("../../upload/themes", 0777, true);
-	  }
-	  $target = "../../upload/themes/$files_name";
-		@move_uploaded_file($tmp_name, $target);
+	
+	/* upload files to /upload/themes/ */
+	if($_REQUEST['upload_type'] == 'theme') {
+		if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
+			$tmp_name = $_FILES["file"]["tmp_name"];   
+		  $org_name = $_FILES["file"]["name"];
+		  $suffix = strtolower(substr(strrchr($org_name,'.'),1));
+		  $prefix = basename($org_name,".$suffix");
+		  $files_name = clean_filename($prefix,$suffix);
+		  if(!is_dir('../../upload/themes')) {
+			  mkdir("../../upload/themes", 0777, true);
+		  }
+		  $target = "../../upload/themes/$files_name";
+			@move_uploaded_file($tmp_name, $target);
+		}
 	}
-}
-
-/* upload files to /upload/modules/ */
-if($_REQUEST['upload_type'] == 'module') {
-	if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
-		$tmp_name = $_FILES["file"]["tmp_name"];   
-	  $org_name = $_FILES["file"]["name"];
-	  $suffix = strtolower(substr(strrchr($org_name,'.'),1));
-	  $prefix = basename($org_name,".$suffix");
-	  $files_name = clean_filename($prefix,$suffix);
-	  if(!is_dir('../../upload/modules')) {
-		  mkdir("../../upload/modules", 0777, true);
-	  }
-	  $target = "../../upload/modules/$files_name";
-		@move_uploaded_file($tmp_name, $target);
+	
+	/* upload files to /upload/modules/ */
+	if($_REQUEST['upload_type'] == 'module') {
+		if(array_key_exists('file',$_FILES) && $_FILES['file']['error'] == 0 ){
+			$tmp_name = $_FILES["file"]["tmp_name"];   
+		  $org_name = $_FILES["file"]["name"];
+		  $suffix = strtolower(substr(strrchr($org_name,'.'),1));
+		  $prefix = basename($org_name,".$suffix");
+		  $files_name = clean_filename($prefix,$suffix);
+		  if(!is_dir('../../upload/modules')) {
+			  mkdir("../../upload/modules", 0777, true);
+		  }
+		  $target = "../../upload/modules/$files_name";
+			@move_uploaded_file($tmp_name, $target);
+		}
 	}
 }