author | webchick <webchick@24967.no-reply.drupal.org> | 2012-02-01 13:29:51 -0800 |
---|---|---|
committer | webchick <webchick@24967.no-reply.drupal.org> | 2012-02-01 13:29:51 -0800 |
commit | 40093b2fa7dde4a5f3c6806aad91b9302c232903 (patch) | |
tree | 0c5ce465e4a9c25113c536d39f1051b65f403f68 /modules/aggregator | |
parent | 2dd2f4f2a215e0c023513d5a63df0dd1205776fc (diff) | |
SA-CORE-2012-001
Diffstat (limited to 'modules/aggregator')
-rw-r--r-- | modules/aggregator/aggregator.admin.inc | 5 | ||||
-rw-r--r-- | modules/aggregator/aggregator.test | 13 |
2 files changed, 12 insertions, 6 deletions
diff --git a/modules/aggregator/aggregator.admin.inc b/modules/aggregator/aggregator.admin.inc
index 08087afb2..52af1a631 100644
--- a/modules/aggregator/aggregator.admin.inc
+++ b/modules/aggregator/aggregator.admin.inc
@@ -33,7 +33,7 @@ function aggregator_view() {
 ($feed->checked && $feed->refresh ? t('%time left', array('%time' => format_interval($feed->checked + $feed->refresh - REQUEST_TIME))) : t('never')),
 l(t('edit'), "admin/config/services/aggregator/edit/feed/$feed->fid"),
 l(t('remove items'), "admin/config/services/aggregator/remove/$feed->fid"),
- l(t('update items'), "admin/config/services/aggregator/update/$feed->fid"),
+ l(t('update items'), "admin/config/services/aggregator/update/$feed->fid", array('query' => array('token' => drupal_get_token("aggregator/update/$feed->fid")))),
 );
 }
 $output .= theme('table', array('header' => $header, 'rows' => $rows, 'empty' => t('No feeds available. <a href="@link">Add feed</a>.', array('@link' => url('admin/config/services/aggregator/add/feed')))));
@@ -386,6 +386,9 @@ function _aggregator_parse_opml($opml) {
 * An object describing the feed to be refreshed.
 */
 function aggregator_admin_refresh_feed($feed) {
+ if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'aggregator/update/' . $feed->fid)) {
+ return MENU_ACCESS_DENIED;
+ }
 aggregator_refresh($feed);
 drupal_goto('admin/config/services/aggregator');
 }
diff --git a/modules/aggregator/aggregator.test b/modules/aggregator/aggregator.test
index 0d1e31ba5..fd3e852fc 100644
--- a/modules/aggregator/aggregator.test
+++ b/modules/aggregator/aggregator.test
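Review bot: The docblock of aggregator_admin_refresh_feed (its @param text is visible just above the signature in the second hunk) does not say that the callback now requires a `token` query parameter and returns MENU_ACCESS_DENIED when it is missing or fails drupal_valid_token() for 'aggregator/update/<fid>', so a later change to the link or to hook_menu could drop the token without anything in the documentation flagging it. I would add return documentation such as `@return MENU_ACCESS_DENIED if the 'token' query parameter is missing or does not validate for this feed; otherwise refreshes the feed and redirects to the feed listing.`. Note also that the refresh remains a state-changing GET whose only protection is the token carried in the URL built in the first hunk, so the token can appear in Referer headers and server logs; the more robust long-term shape is a confirmation form submitted by POST, which a follow-up could introduce. The docblock that the @param belongs to starts outside the hunk.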
@@ -92,8 +92,13 @@ class AggregatorTestCase extends DrupalWebTestCase { $this->drupalGet($feed->url); $this->assertResponse(200, t('!url is reachable.', array('!url' => $feed->url))); - // Refresh the feed (simulated link click). + // Attempt to access the update link directly without an access token. $this->drupalGet('admin/config/services/aggregator/update/' . $feed->fid); + $this->assertResponse(403); + + // Refresh the feed (simulated link click). + $this->drupalGet('admin/config/services/aggregator'); + $this->clickLink('update items'); // Ensure we have the right number of items. $result = db_query('SELECT iid FROM {aggregator_item} WHERE fid = :fid', array(':fid' => $feed->fid)); @@ -466,8 +471,8 @@ class UpdateFeedItemTestCase extends AggregatorTestCase { $this->assertRaw(t('The feed %name has been added.', array('%name' => $edit['title'])), t('The feed !name has been added.', array('!name' => $edit['title']))); $feed = db_query("SELECT * FROM {aggregator_feed} WHERE url = :url", array(':url' => $edit['url']))->fetchObject(); - $this->drupalGet('admin/config/services/aggregator/update/' . $feed->fid); + aggregator_refresh($feed); $before = db_query('SELECT timestamp FROM {aggregator_item} WHERE fid = :fid', array(':fid' => $feed->fid))->fetchField(); // Sleep for 3 second. @@ -481,10 +486,9 @@ class UpdateFeedItemTestCase extends AggregatorTestCase { 'modified' => 0, )) ->execute(); - $this->drupalGet('admin/config/services/aggregator/update/' . $feed->fid); + aggregator_refresh($feed); $after = db_query('SELECT timestamp FROM {aggregator_item} WHERE fid = :fid', array(':fid' => $feed->fid))->fetchField(); - $this->assertTrue($before === $after, t('Publish timestamp of feed item was not updated (!before === !after)', array('!before' => $before, '!after' => $after))); } } 
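Review bot: The tokenless request at `$this->drupalGet('admin/config/services/aggregator/update/' . $feed->fid)` in the first hunk is only checked for a 403 response; the item-count check that follows runs after the legitimate `$this->clickLink('update items');`, so it would not notice if the rejected request had nevertheless refreshed the feed. If the feed has no items at this point (not visible in the hunk), an assertion placed right after `$this->assertResponse(403);` would pin that, e.g. `$this->assertEqual(0, db_query('SELECT COUNT(*) FROM {aggregator_item} WHERE fid = :fid', array(':fid' => $feed->fid))->fetchField(), 'No items were imported by the request without a token.');`. The enclosing test method starts and ends outside the hunk.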
@@ -884,4 +888,3 @@ class FeedParserTestCase extends AggregatorTestCase { $this->assertEqual('urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a', db_query('SELECT guid FROM {aggregator_item} WHERE link = :link', array(':link' => 'http://example.org/2003/12/13/atom03'))->fetchField(), 'Atom entry id element is parsed correctly.'); } } - |