From cc99c0f1e967c5f1722a0cce30ff42374a7bbc23 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Fri, 6 Oct 2023 15:13:04 +0200
Subject: [PATCH] fixes GHSA-qg85-957m-7vgg providing plugin_id in URL is
 useless since Piwigo 12

---
 admin/plugins_new.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/admin/plugins_new.php b/admin/plugins_new.php
index 991c49948..811b0e6c9 100644
--- a/admin/plugins_new.php
+++ b/admin/plugins_new.php
@@ -47,11 +47,11 @@ if (isset($_GET['installstatus']))
   switch ($_GET['installstatus'])
   {
     case 'ok':
-      $activate_url = get_root_url().'admin.php?page=plugins'
-        . '&amp;plugin=' . $_GET['plugin_id']
-        . '&amp;pwg_token=' . get_pwg_token()
-        . '&amp;action=activate'
-        . '&amp;filter=deactivated';
+      // since Piwigo 12, you need to be on the page of installed plugins to active a plugin with
+      // a JS action, no need to provide plugin_id in URL, just link to the page of installed
+      // plugins, filtered on deactivated plugins. The webmaster will have to find its newly
+      // installed plugin and click on the activation switch.
+      $activate_url = get_root_url().'admin.php?page=plugins&amp;filter=deactivated';
 
       $page['infos'][] = l10n('Plugin has been successfully copied');
       $page['infos'][] = '<a href="'. $activate_url . '">' . l10n('Activate it now') . '</a>';