Merge branch 'dev'
Awilum committed Apr 5, 2016
2 parents 9181877 + 16a0014 commit 78e7b83
Showing 6 changed files with 43 additions and 25 deletions.
5 changes: 5 additions & 0 deletions .htaccess
Expand Up @@ -59,5 +59,10 @@ AddDefaultCharset UTF-8
Satisfy All
</FilesMatch>

# Allow read files.
<Files robots.txt>
Allow from all
</Files>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes
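Review bot: `Allow from all` is the Apache 2.2 (mod_access_compat) access-control form; it matches the `Satisfy All` already in this file, but on an Apache 2.4 host without that module the directive is rejected and the whole directory stops serving, so the 2.4 equivalent `Require all granted` (or both forms inside `<IfModule>` guards) is worth considering. `<Files robots.txt>` also matches by basename, so a `robots.txt` in any subdirectory becomes readable as well, not only the one at the site root. The comment `# Allow read files.` could say what is being unblocked, e.g. `# Make robots.txt readable even though the rule above denies it.` — assuming the `<FilesMatch>` block that closes at the top of the hunk is what denied it.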
8 changes: 8 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,11 @@
Monstra 3.0.4, 2016-04-05
------------------------
- Fixed User Security by adding a check that compares POST id with SESSION
id for none admin edits
- Fixed ability to read robots.txt
- Stylesheet: Changed minified URIs to eliminate query strings


Monstra 3.0.3, 2016-01-29
------------------------
- Improved Monstra Security
2 changes: 1 addition & 1 deletion engine/Monstra.php
Expand Up @@ -31,7 +31,7 @@ class Monstra
/**
* The version of Monstra
*/
const VERSION = '3.0.3';
const VERSION = '3.0.4';


/**
4 changes: 2 additions & 2 deletions engine/Plugin/Javascript.php
Expand Up @@ -59,7 +59,7 @@ public static function add($file, $load = 'frontend', $priority = 10)
public static function load()
{
$backend_site_js_path = MINIFY . DS . 'backend_site.minify.js';
$frontend_site_js_path = MINIFY . DS . 'frontend_site.minify.js';
$frontend_site_js_path = MINIFY . DS . 'frontend_site.minify.'.Option::get('javascript_version').'.js';

// Load javascripts
if (count(Javascript::$javascripts) > 0) {
Expand Down Expand Up @@ -122,7 +122,7 @@ public static function load()
if (BACKEND) {
echo '<script type="text/javascript" src="'.Option::get('siteurl').'/tmp/minify/backend_site.minify.js?'.Option::get('javascript_version').'"></script>';
} else {
echo '<script type="text/javascript" src="'.Option::get('siteurl').'/tmp/minify/frontend_site.minify.js?'.Option::get('javascript_version').'"></script>'."\n";
echo '<script type="text/javascript" src="'.Option::get('siteurl').'/tmp/minify/frontend_site.minify.'.Option::get('javascript_version').'.js"></script>'."\n";
}
}
}
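Review bot: `Option::get('javascript_version')` is now concatenated unvalidated into a filesystem path under `MINIFY` (first hunk) and into an HTML `src` attribute (second hunk), whereas before this change it only appeared in a query string; if the option is an integer counter, as the name suggests, normalising it once with `$js_version = (int) Option::get('javascript_version');` and reusing `$js_version` in both places keeps the filename and the URL in step and rules out a non-numeric value altering the path. The same applies to `styles_version` in engine/Plugin/Stylesheet.php, which makes the identical change. Each bump of the option also produces a new `frontend_site.minify.<version>.js`, and nothing visible in the hunk removes the previous one, so the minify directory grows unless something outside the hunk prunes it. The backend branch still uses the `?version` query-string form, so the two branches now diverge; if that is intentional a short comment saying why would help. `load()` continues outside both hunks.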
4 changes: 2 additions & 2 deletions engine/Plugin/Stylesheet.php
Expand Up @@ -59,7 +59,7 @@ public static function add($file, $load = 'frontend', $priority = 10)
public static function load()
{
$backend_site_css_path = MINIFY . DS . 'backend_site.minify.css';
$frontend_site_css_path = MINIFY . DS . 'frontend_site.minify.css';
$frontend_site_css_path = MINIFY . DS . 'frontend_site.minify.'.Option::get('styles_version').'.css';

// Load stylesheets
if (count(Stylesheet::$stylesheets) > 0) {
Expand Down Expand Up @@ -124,7 +124,7 @@ public static function load()
if (BACKEND) {
echo '<link rel="stylesheet" href="'.Option::get('siteurl').'/tmp/minify/backend_site.minify.css?'.Option::get('styles_version').'" type="text/css" />';
} else {
echo '<link rel="stylesheet" href="'.Option::get('siteurl').'/tmp/minify/frontend_site.minify.css?'.Option::get('styles_version').'" type="text/css" />'."\n";
echo '<link rel="stylesheet" href="'.Option::get('siteurl').'/tmp/minify/frontend_site.minify.'.Option::get('styles_version').'.css" type="text/css" />'."\n";
}
}
}
45 changes: 25 additions & 20 deletions plugins/box/users/users.plugin.php
Expand Up @@ -228,27 +228,32 @@ public static function getProfileEdit($id)

// Check csrf
if (Security::check(Request::post('csrf'))) {

if (Security::safeName(Request::post('login')) != '') {
if (Users::$users->update(Request::post('user_id'),
array('login' => Security::safeName(Request::post('login')),
'firstname' => Request::post('firstname'),
'lastname' => Request::post('lastname'),
'email' => Request::post('email'),
'skype' => Request::post('skype'),
'about_me' => Request::post('about_me'),
'twitter' => Request::post('twitter')))) {

// Change password
if (trim(Request::post('new_password')) != '') {
Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));

// Check for POST data manipulation
if( ((int) Session::get('user_id') == (int) Request::post('user_id')) or (in_array(Session::get('user_role'), array('admin'))) ) {

if (Security::safeName(Request::post('login')) != '') {
if (Users::$users->update(Request::post('user_id'),
array('login' => Security::safeName(Request::post('login')),
'firstname' => Request::post('firstname'),
'lastname' => Request::post('lastname'),
'email' => Request::post('email'),
'skype' => Request::post('skype'),
'about_me' => Request::post('about_me'),
'twitter' => Request::post('twitter')))) {

// Change password
if (trim(Request::post('new_password')) != '') {
Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
}

Notification::set('success', __('Your changes have been saved.', 'users'));
Request::redirect(Site::url().'/users/'.$user['id']);
}

Notification::set('success', __('Your changes have been saved.', 'users'));
Request::redirect(Site::url().'/users/'.$user['id']);
}
} else { }

} else { }

} else { die('Monstra says: This is not your profile...'); }

} else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }

}
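Review bot: The new authorization check compares the posted `user_id` with the session, but both `update(...)` calls below it still take their target from `Request::post('user_id')`, so the check and the write read the same client-supplied field separately instead of binding the target server-side. The redirect already uses `$user['id']` (presumably the profile loaded from `$id` above the hunk); passing that id to both `update()` calls and comparing it in the check makes the authorization and the write refer to the same record regardless of what the form posts: `if ((int) Session::get('user_id') === (int) $user['id'] || in_array(Session::get('user_role'), array('admin'), true)) {`. Note also that the `(int)` casts make a missing session id compare equal to a posted `0`, which only matters if an unauthenticated request can reach this code — worth confirming against the guard that precedes the hunk. The empty `else { }` branches can be dropped. `getProfileEdit()` starts above the hunk and its remainder is outside it.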
