Public/pics
2
2
Fork 2
Code Issues 5 Pull Requests Releases Wiki Activity

Move photo deletion from ViewPhoto to EditAsset

Browse Source 
Removes the intermediate confirmation page, instead using JavaScript for confirmation.

Fixes an XSS issue, in that the previous method was not passing or checking the session (!)
This commit is contained in:
Aaron van Geffen
2023-11-11 15:29:32 +01:00
parent 83da4a26ac
commit e28fcd8b03
5 changed files with 37 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
templates/EditAssetForm.php
View File

@@ -23,7 +23,10 @@ class EditAssetForm extends Template
<form id="asset_form" action="" method="post" enctype="multipart/form-data">
<div class="content-box">
<div class="float-end">
<a class="btn btn-danger" href="', BASEURL, '/', $this->asset->getSlug(), '?delete_confirmed">Delete asset</a>
<a class="btn btn-danger" href="', $this->asset->getDeleteUrl(), '&',
Session::getSessionTokenKey(), '=', Session::getSessionToken(),
'" onclick="return confirm(\'Are you sure you want to delete this asset?\');">',
'Delete asset</a>
<button class="btn btn-primary" type="submit">Save asset data</button>
</div>
<h2>Edit asset \'', $this->asset->getTitle(), '\' (', $this->asset->getFilename(), ')</h2>

16
templates/PhotoPage.php
View File

@@ -54,9 +54,7 @@ class PhotoPage extends Template
<div class="col-lg-4">';
$this->photoMeta();
if ($this->is_asset_owner)
$this->addUserActions();
$this->userActions();
echo '
</div>
@@ -259,13 +257,19 @@ class PhotoPage extends Template
$this->exif = $exif;
}
public function addUserActions()
public function userActions()
{
if (!$this->photo->isOwnedBy(Registry::get('user')))
return;
echo '
<div id="user_actions_box" class="content-box">
<h3>Actions</h3>
<a class="btn btn-primary" href="', BASEURL, '/editasset/?id=', $this->photo->getId(), '">Edit photo</a>
<a class="btn btn-danger" href="', BASEURL, '/', $this->photo->getSlug(), '/?confirm_delete">Delete photo</a>
<a class="btn btn-primary" href="', $this->photo->getEditUrl(), '">Edit photo</a>
<a class="btn btn-danger" href="', $this->photo->getDeleteUrl(), '&',
Session::getSessionTokenKey(), '=', Session::getSessionToken(),
'" onclick="return confirm(\'Are you sure you want to delete this photo?\');"',
'">Delete photo</a>
</div>';
}
}