source: subversion/trunk/roundcubemail/program/steps/addressbook/save.inc @ 2755

Last change on this file since 2755 was 2755, checked in by thomasb, 4 years ago

Use request tokens to protect POST requests from CSRF

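<?php

/*
 +-----------------------------------------------------------------------+
 | program/steps/addressbook/save.inc                                    |
 |                                                                       |
 | This file is part of the RoundCube Webmail client                     |
 | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
 |   Save a contact entry or to add a new one                            |
 |                                                                       |
 +-----------------------------------------------------------------------+
 | Author: Thomas Bruederli <roundcube@gmail.com>                        |
 +-----------------------------------------------------------------------+

 $Id$

*/

// Step handler for the 'save' action of the addressbook task.
//
// Inputs (POST): _cid (id of an existing contact, empty when adding a new
// one), _name, _firstname, _surname, _email and the request token checked
// below. _source is read from GPC and is only handed to the plugin hooks.
// Globals used: $RCMAIL, $OUTPUT, $CONTACTS.
//
// NOTE(review): this file appears to share its variable scope with the step
// that rcmail_overwrite_action() switches to afterwards (see the $_GET['_cid']
// hand-off at the end), so variable names here are deliberately left as-is.

// An empty _cid means "create", anything else means "update". The same test
// picks which form is re-rendered on every early exit below.
$cid = get_input_value('_cid', RCUBE_INPUT_POST);
$return_action = empty($cid) ? 'add' : 'show';

// CSRF protection: the token is bound to 'save.<int cid>', so a token issued
// for one contact's edit form cannot be replayed against another contact.
// NOTE(review): the token uses intval($cid) while update()/get_record() below
// receive $cid unchanged, so a non-numeric _cid passes this check as 'save.0';
// the addressbook backend is relied on to quote or validate the id itself.
if (!$RCMAIL->check_request('save.'.intval($cid), RCUBE_INPUT_POST))
{
  $OUTPUT->show_message('invalidrequest', 'error');
  rcmail_overwrite_action($return_action);
  return;
}

// cannot edit record: a read-only address source rejects writes up front
if ($CONTACTS->readonly)
{
  $OUTPUT->show_message('contactreadonly', 'error');
  rcmail_overwrite_action($return_action);
  return;
}

// check input: name and e-mail are mandatory. This is a truthiness test, so a
// value of '0' is treated as missing too. No address-format validation is done
// here; presumably the backend or a plugin takes care of it — TODO confirm.
if ((!get_input_value('_name', RCUBE_INPUT_POST) || !get_input_value('_email', RCUBE_INPUT_POST)))
{
  $OUTPUT->show_message('formincomplete', 'warning');
  rcmail_overwrite_action($return_action);
  return;
}


// setup some vars we need: only these columns are ever copied from the
// request, so any other POST field is ignored rather than stored
$a_save_cols = array('name', 'firstname', 'surname', 'email');
$a_record = array();

// read POST values into hash array; form field names are the column names
// with a leading underscore, and absent fields are left out of the record
foreach ($a_save_cols as $col)
{
  $fname = '_'.$col;
  if (isset($_POST[$fname]))
    $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST);
}

// update an existing contact
if (!empty($cid))
{
  // plugins may rewrite the record or abort the save via $plugin['abort']
  $plugin = $RCMAIL->plugins->exec_hook('save_contact', array('id' => $cid, 'record' => $a_record, 'source' => get_input_value('_source', RCUBE_INPUT_GPC)));
  $a_record = $plugin['record'];

  if (!$plugin['abort'] && $CONTACTS->update($cid, $a_record))
  {
    // define list of cols to be displayed: re-read the stored record so the
    // list row reflects what was actually saved, not the raw form input
    $a_js_cols = array();
    $record = $CONTACTS->get_record($cid, true);

    foreach (array('name', 'email') as $col)
      $a_js_cols[] = (string)$record[$col];

    // update the changed col in list (escaping for the JS response is left to $OUTPUT)
    $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols);

    // show confirmation
    $OUTPUT->show_message('successfullysaved', 'confirmation', null, false);
    rcmail_overwrite_action('show');
  }
  else
  {
    // show error message (covers both a plugin abort and a failed backend update)
    $OUTPUT->show_message('errorsaving', 'error', null, false);
    rcmail_overwrite_action('show');
  }
}

// insert a new contact
else
{
  // check for existing contacts with the same address; 'email' is guaranteed
  // to be present in $a_record by the mandatory-field check above
  $existing = $CONTACTS->search('email', $a_record['email'], true, false);

  // show warning message and return to the form instead of creating a duplicate
  if ($existing->count)
  {
    $OUTPUT->show_message('contactexists', 'warning', null, false);
    rcmail_overwrite_action('add');
    return;
  }

  // plugins may rewrite the record or abort the insert via $plugin['abort']
  $plugin = $RCMAIL->plugins->exec_hook('create_contact', array('record' => $a_record, 'source' => get_input_value('_source', RCUBE_INPUT_GPC)));
  $a_record = $plugin['record'];

  // insert record and send response
  if (!$plugin['abort'] && ($insert_id = $CONTACTS->insert($a_record)))
  {
    // add contact row or jump to the page where it should appear
    $CONTACTS->reset();
    $result = $CONTACTS->search($CONTACTS->primary_key, $insert_id);

    rcmail_js_contacts_list($result, 'parent.');
    $OUTPUT->command('parent.contact_list.select', $insert_id);

    // update record count display
    $CONTACTS->reset();
    $OUTPUT->command('parent.set_rowcount', rcmail_get_rowcount_text());

    // show confirmation
    $OUTPUT->show_message('successfullysaved', 'confirmation', null, false);
    rcmail_overwrite_action('show');
    // hand the new id to the 'show' step that runs next, which presumably
    // reads _cid from the request rather than from a local variable
    $_GET['_cid'] = $insert_id;
  }
  else
  {
    // show error message
    $OUTPUT->show_message('errorsaving', 'error', null, false);
    rcmail_overwrite_action('add');
  }
}

// No closing '?>': a stray newline after it in an included step file would be
// emitted as output before the response headers are sent.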