From 0c3e0e90fcf648802a60f09bea2ebddb5b5116b6 Mon Sep 17 00:00:00 2001
From: David Anderson <davea@ssl.berkeley.edu>
Date: Wed, 30 May 2007 21:35:14 +0000
Subject: [PATCH] - add token protection to the previous checkin;     for prefs
 edit, don't demand token if only showing form.     (opt_out.php doesn't
 supply tokens)

html/user/
    prefs_edit.php
    merge_by_name.php

svn path=/trunk/boinc/; revision=12786
---
 checkin_notes               | 9 +++++++++
 html/user/merge_by_name.php | 5 ++++-
 html/user/prefs_edit.php    | 2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/checkin_notes b/checkin_notes
index bdc3c54b96..0a4e6590d9 100755
--- a/checkin_notes
+++ b/checkin_notes
@@ -5602,3 +5602,12 @@ David  30 May 2007
             host_edit_action.php
             merge_by_name.php (new)
             hosts_user.php
+
+David  30 May 2007
+    - add token protection to the previous checkin;
+        for prefs edit, don't demand token if only showing form.
+        (opt_out.php doesn't supply tokens)
+
+    html/user/
+        prefs_edit.php
+        merge_by_name.php
diff --git a/html/user/merge_by_name.php b/html/user/merge_by_name.php
index 7773b15478..4da5553fec 100644
--- a/html/user/merge_by_name.php
+++ b/html/user/merge_by_name.php
@@ -1,5 +1,6 @@
 <?php
 
+require_once("../inc/util.inc");
 require_once("../inc/db.inc");
 require_once("../inc/host.inc");
 
@@ -44,12 +45,14 @@ $user = get_logged_in_user();
 page_head("Merge computers by name");
 
 if ($_GET['confirmed']) {
+    check_tokens($user->authenticator);
     merge_by_name($user->id);
     echo "
         <p><a href=hosts_user.php>
         Return to the list of your computers</a>.
     ";
 } else {
+    $tokens = url_tokens($user->authenticator);
     echo "
         This operation will merge all of your computers
         that have the same domain name.
@@ -58,7 +61,7 @@ if ($_GET['confirmed']) {
         having that name with the newest computer having that name.
         Incompatible computers will not be merged.
         <p>
-        Click <a href=merge_by_name.php?confirmed=1>here</a>
+        Click <a href=merge_by_name.php?confirmed=1&$tokens>here</a>
         if you're sure you want to do this.
         <p>Click <a href=hosts_user.php>here</a>
         to return to the list of your computers.
diff --git a/html/user/prefs_edit.php b/html/user/prefs_edit.php
index e7039488ce..f145b85e91 100644
--- a/html/user/prefs_edit.php
+++ b/html/user/prefs_edit.php
@@ -6,7 +6,6 @@ include_once("../inc/prefs.inc");
 db_init();
 
 $user = get_logged_in_user();
-check_tokens($user->authenticator);
 
 $action = get_str("action", true);
 $subset = get_str("subset");
@@ -16,6 +15,7 @@ $c = $columns?"&cols=$columns":"";
 check_subset($subset);
 
 if ($action) {
+    check_tokens($user->authenticator);
     if ($subset == "global") {
         $main_prefs = prefs_parse_global($user->global_prefs);
         if ($venue) $prefs = $main_prefs->$venue;