tonyair/silverstripe-comments
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-comments synced 2024-10-22 11:05:49 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #166 from gordonbanderson/nonjsspamredirection

Browse Source 
FIX: Non JS spam/ham/approve now redirect back to relevant comment
This commit is contained in:
Damian Mooyman 2016-02-16 09:23:02 +13:00
commit b1bf62d49c
1 changed files with 59 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
code/controllers/CommentingController.php
View File

@ -243,10 +243,7 @@ class CommentingController extends Controller {
if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400);
$comment->markSpam(); $comment->markSpam();
return $this->renderChangedCommentState($comment);
return $this->request->isAjax()
? $comment->renderWith('CommentsInterface_singlecomment')
: $this->redirectBack();
} }
/** /**
@ -261,10 +258,7 @@ class CommentingController extends Controller {
if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400);
$comment->markApproved(); $comment->markApproved();
return $this->renderChangedCommentState($comment);
return $this->request->isAjax()
? $comment->renderWith('CommentsInterface_singlecomment')
: $this->redirectBack();
} }
/** /**
@ -279,12 +273,37 @@ class CommentingController extends Controller {
if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400);
$comment->markApproved(); $comment->markApproved();
return $this->renderChangedCommentState($comment);
return $this->request->isAjax()
? $comment->renderWith('CommentsInterface_singlecomment')
: $this->redirectBack();
} }
/**
* Redirect back to referer if available, ensuring that only site URLs
* are allowed to avoid phishing. If it's an AJAX request render the
* comment in it's new state
*/
private function renderChangedCommentState($comment) {
$referer = $this->request->getHeader('Referer');
// Render comment using AJAX
if ($this->request->isAjax()) {
return $comment->renderWith('CommentsInterface_singlecomment');
} else {
// Redirect to either the comment or start of the page
if (empty($referer)) {
return $this->redirectBack();
} else {
// Redirect to the comment, but check for phishing
$url = $referer . '#comment-' . $comment->ID;
// absolute redirection URLs not located on this site may cause phishing
if(Director::is_site_url($url)) {
return $this->redirect($url);
} else {
return false;
}
}
}
}
/** /**
* Returns the comment referenced in the URL (by ID). Permission checking * Returns the comment referenced in the URL (by ID). Permission checking
* should be done in the callee. * should be done in the callee.