cursor: pointer;
}
+input[type=submit].delete {
+ background : url('../img/delete.png') no-repeat center center;
+ width : 16px;
+ height :16px;
+ border : none;
+ color : transparent;
+ cursor: pointer;
+ font-size : 0;
+}
+
#main #content {
margin-top: 20px;
}
min-height: 8em;
-webkit-border-radius: 2px;
border-radius: 2px;
- -webkit-box-shadow: 0px 0px 2px -1px #000;
- box-shadow: 0px 0px 2px -1px #000;
+ -webkit-box-shadow: 0px 0px 6px -1px #000;
+ box-shadow: 0px 0px 6px -1px #000;
width: 30%;
margin: 10px;
float: left;
}
-
+#main .entrie h2 {
+ width: 95%;
+}
#main .entrie h2 a {
text-decoration: none;
}
color: #F5BE00;
}
-#main .entrie .tools {
- position:absolute;
- bottom: 0;
- width: 100%;
+.tools {
+ position: absolute;
+ top: 20px;
+ right: 20px;
+ width: 30px;
text-align: right;
- margin-left: -20px;
+}
+
+.tools ul {
+ padding: 0; margin: 0;
+ list-style-type: none;
+}
+
+.tools ul li {
+ line-height: 20px;
+}
+
+.tools a.tool {
+ cursor: pointer;
}
#article .tools {
+ position: relative;
display: inline;
+ top: 0px;
+ right: 0px;
+ width: 100%;
+ text-align: left;
}
-#article .tools a.tool {
- cursor: pointer;
+#article.tools ul li{
+ display: inline;
}
#main .entrie .tools a.tool span, #article .tools a.tool span {
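Review bot: The selector on the `#article.tools ul li{` line has no space between `#article` and `.tools`, so it matches a single element carrying both id `article` and class `tools`, unlike the sibling rule `#article .tools {` a few lines above, which targets a `.tools` descendant; the list items inside the article's tools block will therefore never be inlined. Presumably a typo for `#article .tools ul li {`. Removing the old `#article .tools a.tool` cursor rule in the same hunk is fine, since the generic `.tools a.tool` rule added above now covers it.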
raintpl::$base_url = get_poche_url();
raintpl::configure('path_replace', false);
raintpl::configure('debug', false);
-$tpl = new raintpl();
\ No newline at end of file
+$tpl = new raintpl();
+
+session_start();
+
+if (!isset($_SESSION['token_poche'])) {
+ $token = md5(uniqid(rand(), TRUE));
+ $_SESSION['token_poche'] = $token;
+ $_SESSION['token_time_poche'] = time();
+}
\ No newline at end of file
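Review bot: The token is only created when the session has none, but `verif_token` in inc/functions.php (same commit) rejects any token whose `token_time_poche` is older than 15 minutes, and nothing on this page ever refreshes it, so every delete/toggle in a session older than 15 minutes dies with 'CSRF problem' until the session is discarded. The generator `md5(uniqid(rand(), TRUE))` is also not a cryptographic source: `uniqid` is clock-based and `rand()` is predictable, which makes the token weaker than it needs to be. Regenerate it when missing or stale and draw it from the CSPRNG (`random_bytes` on PHP 7+, `openssl_random_pseudo_bytes` on older releases); with the refresh in place the 15-minute window in `verif_token` becomes meaningful instead of a time bomb.
```php
$tpl = new raintpl();

session_start();

// (re)issue the CSRF token when it is absent or older than the 15-minute window verif_token() enforces
$token_age = isset($_SESSION['token_time_poche']) ? time() - $_SESSION['token_time_poche'] : PHP_INT_MAX;
if (!isset($_SESSION['token_poche']) || $token_age > (15*60)) {
    $_SESSION['token_poche'] = bin2hex(random_bytes(16));
    $_SESSION['token_time_poche'] = time();
}
```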
/**
* Appel d'une action (mark as fav, archive, delete)
*/
-function action_to_do($action, $id)
+function action_to_do($action, $id, $url, $token)
{
global $db;
$params_action = array($url, $parametres_url['title'], $parametres_url['content']);
break;
case 'delete':
- $sql_action = "DELETE FROM entries WHERE id=?";
- $params_action = array($id);
+ if (verif_token($token)) {
+ $sql_action = "DELETE FROM entries WHERE id=?";
+ $params_action = array($id);
+ }
+ else die('CSRF problem');
break;
default:
break;
}
return $entry;
+}
+
+/**
+ * Vérifie si le jeton passé en $_POST correspond à celui en session
+ */
+function verif_token($token)
+{
+ if(isset($_SESSION['token_poche']) && isset($_SESSION['token_time_poche']) && isset($token))
+ {
+ if($_SESSION['token_poche'] == $token)
+ {
+ $old_timestamp = time() - (15*60);
+ if($_SESSION['token_time_poche'] >= $old_timestamp)
+ {
+ return TRUE;
+ }
+ else return FALSE;
+ }
+ else return FALSE;
+ }
+ else return FALSE;
}
\ No newline at end of file
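Review bot: `verif_token` compares the session token with `==`, which is a loose comparison: two hex digests that both look like exponent notation (`0e` followed by digits) compare equal, and the comparison is not constant-time. `isset($token)` on a parameter is always true for anything but null, so it does not guard against a missing token either (index.php passes `''` when the field is absent). Replace the body with `hash_equals` (PHP 5.6+) plus an explicit string check; the nested if/else ladder collapses to one expression. `action_to_do` starts before this hunk, so I cannot tell whether its other cases are also token-checked; only `delete` is here.
```php
function verif_token($token)
{
    if (!isset($_SESSION['token_poche'], $_SESSION['token_time_poche']) || !is_string($token)) {
        return FALSE;
    }
    $fresh = $_SESSION['token_time_poche'] >= time() - (15*60);
    // hash_equals is strict and constant-time; never compare a secret with ==
    return $fresh && hash_equals((string) $_SESSION['token_poche'], $token);
}
```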
include dirname(__FILE__).'/inc/config.php';
-$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
-$view = (isset ($_GET['view'])) ? htmlspecialchars($_GET['view']) : 'index';
-$id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
+$action = (isset ($_REQUEST['action'])) ? htmlentities($_REQUEST['action']) : '';
+$view = (isset ($_GET['view'])) ? htmlentities($_GET['view']) : 'index';
+$id = (isset ($_REQUEST['id'])) ? htmlspecialchars($_REQUEST['id']) : '';
$url = (isset ($_GET['url'])) ? $_GET['url'] : '';
+$token = (isset ($_POST['token'])) ? $_POST['token'] : '';
+
+if ($action != '') {
+ action_to_do($action, $id, $url, $token);
+}
-action_to_do($action, $id);
$entries = display_view($view);
$tpl->assign('title', 'poche, a read it later open source system');
$tpl->assign('poche_url', get_poche_url());
$tpl->assign('entries', $entries);
$tpl->assign('load_all_js', 1);
+$tpl->assign('token', $_SESSION['token_poche']);
$tpl->draw('home');
\ No newline at end of file
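Review bot: `$token` is read from `$_POST` only while `$action` and `$id` come from `$_REQUEST`; that asymmetry is deliberate (a forged link or the bookmarklet can carry an action but never a valid token) and deserves a comment, e.g. `// token is POST-only on purpose: a GET link can never satisfy verif_token()`. The guard `if ($action != '')` is a loose comparison; `if ($action !== '')` says the same without type juggling. The two input lines also escape differently for no visible reason (`htmlentities` on `$action`, `htmlspecialchars` on `$id`), and since `$id` is later bound as a SQL parameter rather than printed, escaping it at input is at best a no-op for numeric ids.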
-function toggle_favorite(element, id) {
+function toggle_favorite(element, id, token) {
$(element).toggleClass('fav-off');
$.ajax ({
url: "process.php?action=toggle_fav",
- data:{id:id}
+ data:{id:id, token:token}
});
}
-function toggle_archive(element, id, view_article) {
+function toggle_archive(element, id, token, view_article) {
$(element).toggleClass('archive-off');
$.ajax ({
url: "process.php?action=toggle_archive",
- data:{id:id}
+ data:{id:id, token:token}
});
var obj = $('#entry-'+id);
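Review bot: Both `$.ajax` calls leave the method at its default GET, so the CSRF token now travels in the query string of `process.php?action=...&token=...`, where it lands in server access logs, proxies and the browser history; a token that leaks there is of little use as a CSRF defence. Add `type: "POST",` to each call (and have process.php read `$_POST['token']` instead of `$_GET['token']`) so the token is only ever carried in a request body. Separately, `toggle_archive` gained `token` in third position ahead of `view_article`, and the view template in this commit calls it with only three arguments, so `view_article` is undefined there; whatever that branch does lies past the end of this hunk.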
include dirname(__FILE__).'/inc/config.php';
$db = new db(DB_PATH);
-$action = (isset ($_GET['action'])) ? htmlspecialchars($_GET['action']) : '';
-$id = (isset ($_GET['id'])) ? htmlspecialchars($_GET['id']) : '';
+$action = (isset ($_GET['action'])) ? htmlentities($_GET['action']) : '';
+$id = (isset ($_GET['id'])) ? htmlentities($_GET['id']) : '';
+$token = (isset ($_GET['token'])) ? $_GET['token'] : '';
-switch ($action)
-{
- case 'toggle_fav' :
- $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
- $params_action = array($id);
- break;
- case 'toggle_archive' :
- $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
- $params_action = array($id);
- break;
- default:
- break;
-}
+if (verif_token($token)) {
+ switch ($action)
+ {
+ case 'toggle_fav' :
+ $sql_action = "UPDATE entries SET is_fav=~is_fav WHERE id=?";
+ $params_action = array($id);
+ break;
+ case 'toggle_archive' :
+ $sql_action = "UPDATE entries SET is_read=~is_read WHERE id=?";
+ $params_action = array($id);
+ break;
+ default:
+ break;
+ }
-# action query
-if (isset($sql_action))
-{
- $query = $db->getHandle()->prepare($sql_action);
- $query->execute($params_action);
+ # action query
+ if (isset($sql_action))
+ {
+ $query = $db->getHandle()->prepare($sql_action);
+ $query->execute($params_action);
+ }
}
-?>
\ No newline at end of file
+else die('CSRF problem');
\ No newline at end of file
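Review bot: The token is taken from `$_GET['token']` on the line `$token = (isset ($_GET['token'])) ...`, which forces the AJAX callers in this commit to put it in the URL; read it from `$_POST` and send those requests as POST so the token stays out of logs and the Referer. The rejection path `else die('CSRF problem');` answers with status 200, so the jQuery callers (which toggle the CSS class before the request) cannot tell a blocked request from a successful one; emit `header('HTTP/1.1 403 Forbidden');` before the `die` so the failure is visible to the client and to anything watching the logs. The 403 point applies equally to the `delete` case of `action_to_do` in inc/functions.php.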
<li><a href="index.php" {if="$view == 'index'"}class="current"{/if}>home</a></li>
<li><a href="?view=fav" {if="$view == 'fav'"}class="current"{/if}>favorites</a></li>
<li><a href="?view=archive" {if="$view == 'archive'"}class="current"{/if}>archive</a></li>
- <li><a style="cursor: move" title="i am a bookmarklet, use me !" href="javascript:(function(){var%20url%20=%20location.href;var%20title%20=%20document.title%20||%20url;window.open('{$poche_url}?action=add&url='%20+%20encodeURIComponent(url),'_self');})();">poche it !</a></li>
+ <li><a style="cursor: move" title="i am a bookmarklet, use me !" href="javascript:(function(){var%20url%20=%20location.href%20||%20url;window.open('{$poche_url}?action=add&url='%20+%20encodeURIComponent(url),'_self');})();">poche it !</a></li>
</ul>
<div id="content">
{loop="entries"}
<a href="view.php?id={$value.id}">{$value.title}</a>
</h2>
<div class="tools">
- <a title="toggle mark as read" class="tool archive {if="$value.is_read == '0'"}archive-off{/if}" onclick="toggle_archive(this, {$value.id})"><span></span></a>
- <a title="toggle favorite" class="tool fav {if="$value.is_fav == '0'"}fav-off{/if}" onclick="toggle_favorite(this, {$value.id})"><span></span></a>
- <a href="?action=delete&id={$value.id}" title="toggle delete" onclick="return confirm('Are you sure?')" class="tool delete"><span></span></a>
+ <ul>
+ <li><a title="toggle mark as read" class="tool archive {if="$value.is_read == '0'"}archive-off{/if}" onclick="toggle_archive(this, {$value.id}, '{$token}')"><span></span></a></li>
+ <li><a title="toggle favorite" class="tool fav {if="$value.is_fav == '0'"}fav-off{/if}" onclick="toggle_favorite(this, {$value.id}, '{$token}')"><span></span></a></li>
+ <li><form method="post" onsubmit="return confirm('Are you sure?')" style="display: inline;"><input type="hidden" name="token" id="token" value="{$token}" /><input type="hidden" id="action" name="action" value="delete" /><input type="hidden" id="id" name="id" value="{$value.id}" /><input type="submit" class="delete" title="toggle delete" /></form></li>
+ </ul>
</div>
</span>
</div>
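Review bot: The delete form is rendered inside `{loop="entries"}` with fixed `id="token"`, `id="action"` and `id="id"` on its hidden inputs, so the page ends up with one duplicate of each id per entry; ids must be unique in a document and only `name` matters for submission, so drop the `id` attributes: `<input type="hidden" name="token" value="{$token}" />` and likewise for `action` and `id`. In the bookmarklet line, `var%20url%20=%20location.href%20||%20url;` reads the `url` variable it is in the middle of declaring (always undefined, so the `||` branch is dead) — a leftover from removing the `title` variable; `var%20url%20=%20location.href;` is what is meant.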
<a href="index.php" title="back to home">←</a>
</div>
<div class="tools">
- <a title="toggle mark as read" class="tool archive {if="$is_read == 0"}archive-off{/if}" onclick="toggle_archive(this, {$id}, 1)"><span></span></a>
- <a title="toggle favorite" class="tool fav {if="$is_fav == 0"}fav-off{/if}" onclick="toggle_favorite(this, {$id})"><span></span></a>
- <a href="index.php?action=delete&id={$id}" title="toggle delete" onclick="return confirm('Are you sure?')" class="tool delete"><span></span></a>
+ <ul>
+ <li><a title="toggle mark as read" class="tool archive {if="$is_read == '0'"}archive-off{/if}" onclick="toggle_archive(this, {$id}, '{$token}')"><span></span></a></li>
+ <li><a title="toggle favorite" class="tool fav {if="$is_fav == '0'"}fav-off{/if}" onclick="toggle_favorite(this, {$id}, '{$token}')"><span></span></a></li>
+ <li><form method="post" onsubmit="return confirm('Are you sure?')" style="display: inline;"><input type="hidden" name="token" id="token" value="{$token}" /><input type="hidden" id="action" name="action" value="delete" /><input type="hidden" id="id" name="id" value="{$id}" /><input type="submit" class="delete" title="toggle delete" /></form></li>
+ </ul>
</div>
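Review bot: The archive toggle on the `toggle_archive(this, {$id}, '{$token}')` line dropped the trailing `1` that the removed line passed as `view_article`; with the new signature `toggle_archive(element, id, token, view_article)` the call has to be `onclick="toggle_archive(this, {$id}, '{$token}', 1)"`, otherwise the article-view branch of that function (outside this diff) no longer runs. The hidden inputs also carry `id="token"`, `id="action"` and `id="id"` that nothing references; `name` is what gets submitted, so the ids can go, as they should in the home template.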
<header class="mbm">
<h1><a href="{$url}">{$title}</a></h1>
$tpl->assign('is_fav', $entry[0]['is_fav']);
$tpl->assign('is_read', $entry[0]['is_read']);
$tpl->assign('load_all_js', 0);
+ $tpl->assign('token', $_SESSION['token_poche']);
$tpl->draw('view');
}
else {