issue: secure against external form submissions

[minimedit.git] / issue / index.php

diff --git a/issue/index.php b/issue/index.php
index 41d37491378b22eac9d670ab7dbb8cf4dfb355f6..704a405e879bf42b40d9d40c89acec27874ce816 100644 (file)
--- a/issue/index.php
+++ b/issue/index.php
@@ -1,20 +1,21 @@
 <?php
-global $User, $Db;
+global $User, $Db, $Issue;
 require_once 'database.inc.php';
 @list ($id, $title) = explode('/', ltrim($Page->path, '/'));
 
 if ($id and ctype_digit($id)) {
        $Page->title = "Issue #$id";
-       $Page->path = "/$id";  # minimal reference
+       $Page->link = $Page->handler . ($Page->path = "/$id");  # minimal reference
        $Issue = $Db->query(
                'SELECT * FROM issues WHERE page = ? AND id = ?', [$Page->handler, $id]
        )->fetch();
        if (!$Issue) throw new Exception('Issuenummer niet gevonden');
 
-       $replies = placeholder_include('reply');  # handle updates
+       $replies = $Page->widget('reply');  # handle updates
 
        $Page->title .= ': '.htmlspecialchars($Issue->subject);
        $Page->teaser = $Issue->body;
+       if ($Page->api) return;
        $Page->body = $replies;  # find image
 
        print "<h2>{$Page->title}</h2>\n";
@@ -41,8 +42,12 @@ if ($id and ctype_digit($id)) {
        return;
 }
 
-if ($_POST) {
+if ($Page->api) return;
+if ($_POST and isset($_POST['subject'])) {
                require_once 'upload.inc.php';
+               if (strlen($_POST['subject']) < 2) {
+                       throw new Exception('Een minimaal onderwerp is verplicht om een issue aan te maken.');
+               }
                $query = $Db->set('issues', [
                        'page'    => $Page->handler,
                        'subject' => $_POST['subject'],
@@ -97,4 +102,4 @@ while ($row = $query->fetch()) {
        print "</a></div></li>\n";
 }
 print "</ul>\n";
-$Place['issuelist'] = ob_get_clean();
+$Page->place['issuelist'] = ob_get_clean();