bug 1328: first specific implementation of the check_pwg_token for the

admin/tags page (all actions : add/edit/delete).

The "check_token" function was renammed into check_pwg_token because the
word "token" is too much generic.

git-svn-id: http://piwigo.org/svn/branches/2.0@4503 68402e56-0260-453c-a942-63ccdbb3a9ee

admin/include/functions.php

@@ -30,11 +30,9 @@ include(PHPWG_ROOT_PATH.'admin/include/functions_metadata.php');
  *
  * @return void access denied if token given is not equal to server token 
  */
-function check_token()
+function check_pwg_token()
 {
-  global $conf;
-
-  $valid_token = hash_hmac('md5', session_id(), $conf['secret_key']);
+  $valid_token = get_pwg_token();
   $given_token = null;
 
   if (!empty($_POST['pwg_token']))
@@ -51,6 +49,13 @@ function check_token()
   }
 }
 
+function get_pwg_token()
+{
+  global $conf;
+
+  return hash_hmac('md5', session_id(), $conf['secret_key']);
+}
+
 // The function delete_site deletes a site and call the function
 // delete_categories for each primary category of the site
 function delete_site( $id )

admin/tags.php

@@ -29,6 +29,11 @@ if( !defined("PHPWG_ROOT_PATH") )
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 check_status(ACCESS_ADMINISTRATOR);
 
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
+
 // +-----------------------------------------------------------------------+
 // |                                edit tags                              |
 // +-----------------------------------------------------------------------+
@@ -189,7 +194,8 @@ $template->set_filenames(array('tags' => 'tags.tpl'));
 
 $template->assign(
   array(
-    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags'
+    'F_ACTION' => PHPWG_ROOT_PATH.'admin.php?page=tags',
+    'PWG_TOKEN' => get_pwg_token(),
     )
   );
 

admin/template/goto/tags.tpl

@@ -4,6 +4,7 @@
 </div>
 
 <form action="{$F_ACTION}" method="post">
+  <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}" />
 
   {if isset($EDIT_TAGS_LIST)}
   <fieldset>