Firefox PHP

Topic Poll Module

Posted by Maurice Makaay 
Re: Topic Poll Module
October 26, 2010 10:32PM
Alright, so I determined the only way to do it is to modify topic_poll.php unfortunately. I added this line of code to line 751:

$PHORUM["DATA"]["POLL"]["POST_URL"] = $messages[$message_id]["URL"]["READ"];

Pretty simple.
Re: Topic Poll Module
October 27, 2010 12:17AM
To make future upgrades easier, I would suggest putting the line change (and line number) in a {your_site_name}_changes.txt file within the module's folder on your server. Then you can easily recreate the changes in the future.


Joe Curia (aka Azumandias)
Modules: l0Admin Mass Email00000000l000000Automatic Time Zones000ll.l00000Enhanced Custom Profiles0.00Google Calendar0000l.l000000Post Previews
000000000Admin Security Suite000000000000Check Modules for Upgrades0000External Authentication000000Group Auto-Email00000.00000Private Message Alerts
000000000Attachment Download Counter0000Custom Attachment Icons000ll.ll00Favorite Forums000000.00000Highlighted Search Terms0000Self-Delete Posts Option
000000000Attachment Watermarks0l00000000Custom Language Database00l.l.0Forum Lockdown00000.00000Ignore Forums0000000000000Threaded Tree View
000000000Automatic Message Pruning00.llll.00Easy Color Scheme Manager0l.l00Forum Subscriptions0000lll000Moderated User Group
Templates:lGeneric Integration000000000 0000Simple Rounded000000 00000000Tabbed Emerald
Re: Topic Poll Module
October 27, 2010 08:40AM
POST_URL is not part of my templates, so I guess you did a template change as well, by adding {POLL->POST_URL} to the template as the form action parameter.

I updated the package to include this URL. The default templates use the updated action parameter by default now. Note that voting_results.tpl was also updated to use this action URL.

Try topic poll v.1.0.19 to see if the package fits your use case now.

This thread is about the Phorum 5.1 version of the module. Check the Phorum 5.2 module forum for the updated package.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce



Edited 1 time(s). Last edit at 10/27/2010 08:42AM by Maurice Makaay.
Re: Topic Poll Module
October 27, 2010 05:13PM
The version I had did not have a url in the post action. I'll take a look at the updated topic poll. Thanks!

- Vote revoking only revokes the vote for the first post in list.php regardless of which revoke vote button you click in any message.
- I inserted {POLL->POST_URL} into the post action in voting_results.tpl to fix it.



Edited 6 time(s). Last edit at 10/27/2010 05:37PM by Meadock.
Re: Topic Poll Module
October 28, 2010 08:20PM
Ok, so I don't know what I did, or if it had to do with upgrading to the latest version of topic poll, but now I'm getting an error message that reads "Possible hack attempt detected. The posted form data was rejected."

{POST_VARS} outputs <input type="hidden" name="forum_id" value="2" /> and <input type="hidden" name="posting_token:post" value="33e185e306259b0a99ffa2ba7b34bbbf"/> on read.php, but only <input type="hidden" name="forum_id" value="2" /> on list.php

Does this have to do with the newer version of topic poll or did I manage to goof something up with my template? Thanks.
Re: Topic Poll Module
October 29, 2010 03:01AM
That means that the anti-CSRF hack protection has kicked in. The posting token is missing (what you also discovered yourself). Without a posting token, the client's post data is rejected.

This is indeed a result of upgrading the topic poll, since CSRF protection is relatively new in there.

Easiest solution would be to hack the topic_poll.php. Search for the following code:
    // To satisfy the CSRF check that the posting form uses on the
    // same page as our topic poll form. This will add a posting
    // token to the {POST_VARS}. The forms that we use have the
    // {POST_VARS} in them, so when posting a poll form, the CSRF
    // check from posting.php will succeed.
    // The function_exists is for making this work in older versions
    // of Phorum as well.
    if (function_exists('phorum_check_posting_token')) {
        phorum_check_posting_token('post');
    }

and change it to
    // To satisfy the CSRF check that the posting form uses on the
    // same page as our topic poll form. This will add a posting
    // token to the {POST_VARS}. The forms that we use have the
    // {POST_VARS} in them, so when posting a poll form, the CSRF
    // check from posting.php will succeed.
    // The function_exists is for making this work in older versions
    // of Phorum as well.
#    if (function_exists('phorum_check_posting_token')) {
#        phorum_check_posting_token('post');
#   }

The other solution would be to make sure that on the list page, the POST_DATA is extended with a valid posting_token that will be accepted by the read page.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Topic Poll Module
October 29, 2010 04:53PM
Lol. Yes commenting those lines of code out would be easiest. I'm going to try to figure out how to get a valid posting_token in the POST_VARS.
Re: Topic Poll Module
October 30, 2010 12:46PM
Ok so I just tried what you suggested, Maurice. I'm still getting the "Possible hack attempt detected. The posted form data was rejected." message. However, the voting action does succeed. I just have to go back to list.php and refresh. So maybe this is happening somewhere else in the code?
Re: Topic Poll Module
October 30, 2010 01:27PM
Try changing phorum_check_posting_token() to phorum_check_posting_token('read') within the topic poll code. That should setup a token that can be processed on the read page (which matches the posting target URL that you setup).


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Topic Poll Module
October 30, 2010 01:35PM
Doesn't appear to have worked. I don't understand what happened. If I remember correctly, it was working not too long ago. I'm not sure what I changed that causes it not to work...

So how are the {POST_VARS} set up? I see $PHORUM["DATA"]["POST_VARS"] is assigned the data in phorum_mod_topic_poll_posting_custom_action. This takes place during poll creation right? phorum_check_posting_token('post'); adds a posting token to {POST_VARS} in phorum_mod_topic_poll_read. So why does it do it in read.php but not list.php. I made sure hook: list|phorum_mod_topic_poll_read was included in info.txt, although since the information is going to read.php anyway, this probably doesn't matter.

I've been looking at the code and I really am at a loss. What determines what goes into {POST_VARS} and when?



Edited 4 time(s). Last edit at 10/30/2010 02:16PM by Meadock.
Sorry, only registered users may post in this forum.

Click here to login