- merge from trunk with lots of security fixes

CHANGELOG

@@ -8,10 +8,15 @@
 - added autocompletion to document chooser
 - do not list documents in search result which cannot be accessed by the user
 
+-------------------------------------------------------------------------------
+                     Changes in version 3.3.8
+--------------------------------------------------------------------------------
+- more security fixes for preventing CSRF attacks
+
 --------------------------------------------------------------------------------
                      Changes in version 3.3.7
 --------------------------------------------------------------------------------
-- major security update which fixeѕ lots of possible XSS and CSRF attacts
+- major security update which fixeѕ lots of possible XSS and CSRF attacks
 - comment is no longer needed when adding a user, email is now required (this
   time it is really changed)
 

LetoDMS_Core/Core/inc.ClassDMS.php

@@ -940,7 +940,7 @@ class LetoDMS_Core_DMS {
 		}
 		if($role == '')
 			$role = '0';
-		$queryStr = "INSERT INTO tblUsers (login, pwd, fullName, email, language, theme, comment, role, hidden, disable, pwdExpiration) VALUES ('".$login."', '".$pwd."', '".$fullName."', '".$email."', '".$language."', '".$theme."', '".$comment."', '".$role."', '".$isHidden."', '".$isDisabled."', '".$pwdexpiration."')";
+		$queryStr = "INSERT INTO tblUsers (login, pwd, fullName, email, language, theme, comment, role, hidden, disabled, pwdExpiration) VALUES ('".$login."', '".$pwd."', '".$fullName."', '".$email."', '".$language."', '".$theme."', '".$comment."', '".$role."', '".$isHidden."', '".$isDisabled."', '".$pwdexpiration."')";
 		$res = $this->db->getResult($queryStr);
 		if (!$res)
 			return false;

Makefile

@@ -1,4 +1,4 @@
-VERSION=3.4.0-pre1
+VERSION=3.4.0
 SRC=CHANGELOG* inc conf utils index.php languages op out README README.Notification reset_db.sql drop-tables-innodb.sql delete_all_contents.sql styles js TODO LICENSE Makefile webdav install
 
 dist:

inc/inc.ClassSession.php

@@ -57,6 +57,7 @@ class LetoDMS_Session {
 	 */
 	function __construct($db) { /* {{{ */
 		$this->db = $db;
+		$this->id = false;
 	} /* }}} */
 
 	/**
@@ -75,6 +76,7 @@ class LetoDMS_Session {
 		$queryStr = "UPDATE tblSessions SET lastAccess = " . mktime() . " WHERE id = " . $this->db->qstr($id);
 		if (!$this->db->getResult($queryStr))
 			return false;
+		$this->id = $id;
 		return $resArr[0];
 	} /* }}} */
 
@@ -123,7 +125,17 @@ class LetoDMS_Session {
 		if (!$this->db->getResult($queryStr)) {
 			return false;
 		}
+		$this->id = false;
 		return true;
 	} /* }}} */
+
+	/**
+	 * Get session id
+	 *
+	 * @return string session id
+	 */
+	function getId() { /* {{{ */
+		return $this->id;
+	} /* }}} */
 }
 ?>

inc/inc.ClassSettings.php

@@ -53,6 +53,9 @@ class Settings { /* {{{ */
 	// Restricted access: only allow users to log in if they have an entry in
 	// the local database (irrespective of successful authentication with LDAP).
 	var $_restricted = true;
+	// abitray string used for creation of unique identifiers (e.g. the form
+	// key created by createFormKey())
+	var $_encryptionKey = '';
 	// Strict form checking
 	var $_strictFormCheck = false;
 	// Path to where letoDMS is located
@@ -300,6 +303,7 @@ class Settings { /* {{{ */
 		$this->_passwordExpiration = intval($tab["passwordExpiration"]);
 		$this->_passwordHistory = intval($tab["passwordHistory"]);
 		$this->_loginFailure = intval($tab["loginFailure"]);
+		$this->_encryptionKey = strval($tab["encryptionKey"]);
 		$this->_restricted = Settings::boolVal($tab["restricted"]);
 		$this->_enableUserImage = Settings::boolVal($tab["enableUserImage"]);
 		$this->_disableSelfEdit = Settings::boolVal($tab["disableSelfEdit"]);
@@ -525,6 +529,7 @@ class Settings { /* {{{ */
     $this->setXMLAttributValue($node, "passwordExpiration", $this->_passwordExpiration);
     $this->setXMLAttributValue($node, "passwordHistory", $this->_passwordHistory);
     $this->setXMLAttributValue($node, "loginFailure", $this->_loginFailure);
+    $this->setXMLAttributValue($node, "encryptionKey", $this->_encryptionKey);
     $this->setXMLAttributValue($node, "restricted", $this->_restricted);
     $this->setXMLAttributValue($node, "enableUserImage", $this->_enableUserImage);
     $this->setXMLAttributValue($node, "disableSelfEdit", $this->_disableSelfEdit);

inc/inc.Utils.php

@@ -280,4 +280,60 @@ function showtree() { /* {{{ */
 	return 1;
 } /* }}} */
 
+/**
+ * Create a unique key which is used for form validation to prevent
+ * CSRF attacks. The key is added to a any form that has to be secured
+ * as a hidden field. Once the form is submitted the key is compared
+ * to the current key in the session and the request is only executed
+ * if both are equal. The key is derived from the session id, a configurable
+ * encryption key and form identifierer.
+ *
+ * @param string $formid individual form identifier
+ * @return string session key
+ */
+function createFormKey($formid='') { /* {{{ */
+	global $settings, $session;
+
+	if($id = $session->getId()) {
+		return md5($id.$settings->_encryptionKey.$formid);
+	} else {
+		return false;
+	}
+} /* }}} */
+
+/**
+ * Create a hidden field with the name 'formtoken' and set its value
+ * to the key returned by createFormKey()
+ *
+ * @param string $formid individual form identifier
+ * @return string input field for html formular
+ */
+function createHiddenFieldWithKey($formid='') { /* {{{ */
+	return '<input type="hidden" name="formtoken" value="'.createFormKey($formid).'" />';	
+} /* }}} */
+
+/**
+ * Check if the form key in the POST or GET request variable 'formtoken'
+ * has the value of key returned by createFormKey(). Request to modify
+ * data in the DMS should always use POST because it is harder to run
+ * CSRF attacks using POST than GET.
+ *
+ * @param string $formid individual form identifier
+ * @param string $method defines if the form data is pass via GET or
+ * POST (default)
+ * @return boolean true if key matches otherwise false
+ */
+function checkFormKey($formid='', $method='POST') { /* {{{ */
+	switch($method) {
+		case 'GET':
+			if(isset($_GET['formtoken']) && $_GET['formtoken'] == createFormKey($formid))
+				return true;
+			break;
+		default:
+			if(isset($_POST['formtoken']) && $_POST['formtoken'] == createFormKey($formid))
+				return true;
+	}
+	
+	return false;
+} /* }}} */
 ?>

install.txt

@@ -1,147 +0,0 @@
-NOTE:
-creare il db mydms
-crere utente mydms con permessi sul db
-mysql -D mydms -u mydms -pmydms < create_tables.sql
-
-installare adodb versione 4
-modificare inc/inc.Settings.php
-
--------------------------------------------------------------------
-              MyDMS 1.7.2 Installation Instructions
--------------------------------------------------------------------
-
-
-1. Requirements
-
-MyDMS is a web-based application written in PHP. It uses the MySQL RDBMS to
-manage the documents that are loaded into the application.
-
-Make sure you have PHP 4.0 or higher installed, and MySQL 4 or higher. MyDMS
-will work with PHP running in CGI-mode as well as running as module under
-apache. If you want to give your users the opportunity of uploading passport
-photos you have to enable the gd-library (but the rest of MyDMS will
-work without gd, too).
-
-You will also need to download and install the ADODB database
-abstraction library from http://adodb.sf.net/ since MyDMS relies
-upon it for all database connectivity.
-
-
-2. Installation & Configuration
-
-Unzip the downloaded file (mydms-1.7.2.zip) in a directory that is
-accessible via your web server.
-
-You will also need to create a directory where the uploaded files
-are stored. This directory should not be accessible via your
-web-server for security reasons (create it outside of your www-root
-directory or put an appropriate .htaccess file in it).
-
-Download the ADODB package from SourceForge. The URL for the ADODB project
-page is:
-
-        http://adodb.sourceforge.net/
-
-Extract the distribution into a suitable directory. For example, one can
-extract the files into the MyDMS root directory.
-
-Next you should set up your Database. Use the included script
-create_tables.sql. Since the exact procedure differs on the
-different database-systems I cannot give you a detailed instruction
-here. Post any questions concering this problem to the MyDMS-Forum. In
-general, create the database, make sure that the database has been selected
-(e.g. "USE mydms;"), then run the script. As of 1.6.0, you must make sure
-that the database user has "create temporary table" privileges.
-
-N.B. If the create_tables.sql script fails, it may be because the database
-has been configured to use InnoDB tables by default instead of MyISAM tables.
-If this is the case, it will be necessary to alter the sript such that each
-create table command has the text " ENGINE = MyISAM" appended to the end,
-immediately prior to the semi-colon. For example:
-
-  Before:
-
-  CREATE TABLE `tblDocumentLocks` (
-    `document` int(11) NOT NULL default '0',
-    `userID` int(11) NOT NULL default '0',
-    PRIMARY KEY  (`document`)
-  ) ;
-
-  After:
-
-  CREATE TABLE `tblDocumentLocks` (
-    `document` int(11) NOT NULL default '0',
-    `userID` int(11) NOT NULL default '0',
-    PRIMARY KEY  (`document`)
-  ) ENGINE = MyISAM ;
-
-Now edit the configuration file. First, go to the "inc" directory and copy
-(or move) "inc.Settings-sample.php" to "inc.Settings.php". Open the file and
-set the variables to the correct values (you will find a short description
-for each variable in the file itself).
-
-TIP: You can find out your root-directory by placing the following
-line into a php-file: <?php phpInfo(); ?>
-Open it with your browser and look for "DOCUMENT_ROOT".
-
-When running into problems with the db-settings, read the readme-file
-in the adodb-directory or post questions to the MyDMS-Forum.
-
-By default PHP allows only files to be uploaded that are up to 2Mb
-in size. You can change this limit by editing php.ini: Search for
-"upload_max_filesize" and set it to the appropriate value (you
-should also change the value for "post_max_size" and make sure that
-your web-server does not limit the size either).
-
-
-3. Email Notification
-
-A new, re-vamped Notification system allows users to receive an email when a
-document or folder is changed. This is a new, event-based mechanism that
-notifies the user as soon as the change has been made and replaces the
-cron mechanism originally developed. Any user that has read access to a
-document or folder can subscribe to be notified of changes. Users that
-have been assigned as reviewers or approvers for a document are
-automatically added to the notification system for that document.
-
-A new page has been created for users to assist with the management of
-their notification subscriptions. This can be found in the "My Account"
-section under "Notification List".
-
-
-4. Auto-conversion to HTML
-
-Version 1.3.0 introduces a new feature: Documents can automatically be
-converted to HTML when uploading.
-You can enable this feature by setting $_enableConverting (in 
-inc.Settings.php) to true.
-You will also need to edit $_convertFileTypes (again in 
-inc.Settings.php). This array defines which file-types are converted
-and how.
-Under windows Word-, Excel- and Powerpoint-Files are automatically
-converted using js-Scipts and MS-Office. I tested it with Office 2000
-and it worked just fine.
-Under Linux mswordview is used to convert Word-Files by default.
-Warning: Getting this feature working can be very tricky but if it
-works it is a great enhancement I think.
-Especially IIS could cause problems with its IIS-Guest-Account not
-having enough rights to execute Word or Excel...
-You will also have to edit your httpd.conf to be able to view the converted
-files online. Load mod_rewrite and add to following lines to your conf:
-
-  RewriteEngine on
-  RewriteCond %{REQUEST_URI} (.*)viewonline/([0-9]+)/([0-9]+)/(.+)$
-  RewriteRule (.*)viewonline/([0-9]+)/([0-9]+)/(.+)$ $1op.ViewOnline.php?request=$2:$3 [PT]
-
-IIS Users can download the IIS Rewrite Engine for example:
-http://www.qwerksoft.com/products/iisrewrite/
-
-Post any questions to the MyDMS forum, please.
-
-
-5. Nearly finished
-
-Now point your browser to http://your.server.com/mydms/index.php
-and login with "admin" both as username and password.
-After having logged in you should first choose "My Account" and
-change the Administrator's password and email-address.

install/settings.xml.template_install

@@ -90,6 +90,7 @@
 			 - passwordExpiration: number of days after password expires
 			 - passwordHistory: number of remembered passwords
 			 - passwordStrengthAlgorithm: algorithm used to calculate password strenght (simple or advanced)
+			 - encryptionKey: arbitrary string used for creating identifiers
     -->    
     <authentication
       enableGuestLogin = "false"
@@ -102,6 +103,7 @@
 			passwordHistory="0"
 			passwordStrengthAlgorithm="simple"
 			loginFailure="0"
+			encryptionKey=""
     >
       <connectors>
         <!-- ***** CONNECTOR LDAP  *****

languages/Catalan/lang.txt

@@ -142,7 +142,7 @@ $text["documents_user_requiring_attention"] = "Documents de la seva propietat qu
 $text["document_title"] = "Document '[documentname]'";
 $text["document_updated_email"] = "Document actualizat";
 $text["does_not_expire"] = "No caduca";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">heretar l'accés</a>";
+$text["does_not_inherit_access_msg"] = "heretar l'accés";
 $text["download"] = "Descarregar";
 $text["draft_pending_approval"] = "Esborrany - pendent d'aprovació";
 $text["draft_pending_review"] = "Esborrany - pendent de revisió";
@@ -213,7 +213,9 @@ $text["human_readable"] = "Arxiu llegible per humans";
 $text["include_documents"] = "Incloure documents";
 $text["include_subdirectories"] = "Incloure subdirectoris";
 $text["individuals"] = "Individuals";
-$text["inherits_access_msg"] = "Accés heretat.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copiar llista d'accés heretat</a><br /><a class=\"inheritAccess\" href=\"[emptyurl]\">Començar amb una llista d'accés buida</a>";
+$text["inherits_access_msg"] = "Accés heretat";
+$text["inherits_access_copy_msg"] = "Copiar llista d'accés heretat";
+$text["inherits_access_empty_msg"] = "Començar amb una llista d'accés buida";
 $text["internal_error_exit"] = "Error intern. No és possible acabar la sol.licitud. Acabat.";
 $text["internal_error"] = "Error intern";
 $text["invalid_access_mode"] = "No és valid el mode d'accés";

languages/Chinese_ZH_CN/lang.inc

@@ -130,7 +130,7 @@ $text["documents_user_requiring_attention"] = "需您关注的文档";// "Docume
 $text["document_title"] = "文档名称 '[documentname]'";// "Document '[documentname]'";
 $text["document_updated_email"] = "文档已被更新";// "Document updated";
 $text["does_not_expire"] = "永不过期";// "Does not expire";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">继承访问权限</a>";// "<a class= "";//\"inheritAccess\" href= "";//\"[inheriturl]\">Inherit access</a>";
+$text["does_not_inherit_access_msg"] = "继承访问权限";// "<a class= "";//\"inheritAccess\" href= "";//\"[inheriturl]\">Inherit access</a>";
 $text["download"] = "下载";// "Download";
 $text["draft_pending_approval"] = "待审核";// "Draft - pending approval";
 $text["draft_pending_review"] = "待校对";// "Draft - pending review";
@@ -196,7 +196,9 @@ $text["human_readable"] = "可读存档";// "Human readable archive";
 $text["include_documents"] = "包含文档";// "Include documents";
 $text["include_subdirectories"] = "包含子目录";// "Include subdirectories";
 $text["individuals"] = "个人";// "Individuals";
-$text["inherits_access_msg"] = "继承访问权限<p><a class=\"inheritAccess\" href=\"[copyurl]\">复制继承访问权限列表</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">从访问权限空列表开始</a>";//"Access is being inherited.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copy inherited access list</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Start with empty access list</a>";
+$text["inherits_access_msg"] = "继承访问权限";//"Access is being inherited.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copy inherited access list</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Start with empty access list</a>";
+$text["inherits_access_copy_msg"] = "复制继承访问权限列表";
+$text["inherits_access_empty_msg"] = "从访问权限空列表开始";
 $text["internal_error_exit"] = "内部错误.无法完成请求.离开系统";// "Internal error. Unable to complete request. Exiting.";
 $text["internal_error"] = "内部错误";// "Internal error";
 $text["invalid_access_mode"] = "无效访问模式";// "Invalid Access Mode";
@@ -209,6 +211,7 @@ $text["invalid_file_id"] = "无效文件ID号";// "Invalid file ID";
 $text["invalid_folder_id"] = "无效文件夹ID号";// "Invalid Folder ID";
 $text["invalid_group_id"] = "无效组别ID号";// "Invalid Group ID";
 $text["invalid_link_id"] = "无效链接标示";// "Invalid link identifier";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "无效校对状态";// "Invalid Review Status";
 $text["invalid_sequence"] = "无效序列值";// "Invalid sequence value";
 $text["invalid_status"] = "无效文档状态";// "Invalid Document Status";

languages/Chinese_ZH_TW/lang.inc

@@ -135,7 +135,7 @@ $text["documents_to_approve"] = "Documents Awaiting User's Approval";
 $text["documents_to_review"] = "Documents Awaiting User's Review";
 $text["documents_user_requiring_attention"] = "Documents Owned by User That Require Attention";
 $text["does_not_expire"] = "‰é䆙ƉüĆ£–";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">„¹ì†ÿ¯‡ ­†ëÀ‡Üä…¡ÿ…Åû†¼è‰ÖÉ</a>";
+$text["does_not_inherit_access_msg"] = "„¹ì†ÿ¯‡ ­†ëÀ‡Üä…¡ÿ…Åû†¼è‰ÖÉ";
 $text["download"] = "†¬ö†íꄹë";
 $text["draft_pending_approval"] = "Draft - pending approval";
 $text["draft_pending_review"] = "Draft - pending review";
@@ -219,7 +219,9 @@ $text["guest_login_disabled"] = "Guest login is disabled.";
 $text["individual_approvers"] = "Individual Approvers";
 $text["individual_reviewers"] = "Individual Reviewers";
 $text["individuals"] = "Individuals";
-$text["inherits_access_msg"] = "ˆ«Ç…¯½†¼è‰ÖɈ󽇠­†ëÀƒÇé<p><a class=\"inheritAccess\" href=\"[copyurl]\">ˆñçˆú»†¼è‰ÖÉ…êùˆí¿</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">„»À‡ö¿‡¨¦‡Ü䆼è‰ÖÉ…êùˆí¿</a>";
+$text["inherits_access_msg"] = "ˆ«Ç…¯½†¼è‰ÖɈ󽇠­†ëÀƒÇé";
+$text["inherits_access_copy_msg"] = "ˆñçˆú»†¼è‰ÖÉ…êùˆí¿";
+$text["inherits_access_empty_msg"] = "„»À‡ö¿‡¨¦‡Ü䆼è‰ÖÉ…êùˆí¿";
 $text["internal_error"] = "Internal error";
 $text["internal_error_exit"] = "Internal error. Unable to complete request. Exiting.";
 $text["invalid_access_mode"] = "Invalid Access Mode";
@@ -231,6 +233,7 @@ $text["invalid_doc_id"] = "Invalid Document ID";
 $text["invalid_folder_id"] = "Invalid Folder ID";
 $text["invalid_group_id"] = "Invalid Group ID";
 $text["invalid_link_id"] = "Invalid link identifier";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Invalid Review Status";
 $text["invalid_sequence"] = "Invalid sequence value";
 $text["invalid_status"] = "Invalid Document Status";

languages/Czech/lang.inc

@@ -143,7 +143,7 @@ $text["documents_user_requiring_attention"] = "Dokumenty, které uživatel vlast
 $text["document_title"] = "Dokument '[documentname]'";
 $text["document_updated_email"] = "Dokument aktualizován";
 $text["does_not_expire"] = "Platnost nikdy nevyprší";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Zdědit přístup</a>";
+$text["does_not_inherit_access_msg"] = "Zdědit přístup";
 $text["download"] = "Stáhnout";
 $text["draft_pending_approval"] = "Návrh - čeká na schválení";
 $text["draft_pending_review"] = "Návrh - čeká na kontrolu";
@@ -214,7 +214,9 @@ $text["human_readable"] = "Bežně čitelný archiv";
 $text["include_documents"] = "Včetně dokumentů";
 $text["include_subdirectories"] = "Včetně podadresářů";
 $text["individuals"] = "Jednotlivci";
-$text["inherits_access_msg"] = "Přístup se dědí.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Zkopírovat zděděný seznam řízení přístupu</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Založit nový seznam řízení přístupu</a>";
+$text["inherits_access_msg"] = "Přístup se dědí.";
+$text["inherits_access_copy_msg"] = "Zkopírovat zděděný seznam řízení přístupu";
+$text["inherits_access_empty_msg"] = "Založit nový seznam řízení přístupu";
 $text["internal_error_exit"] = "Vnitřní chyba. Nebylo možné dokončit požadavek. Ukončuje se.";
 $text["internal_error"] = "Vnitřní chyba";
 $text["invalid_access_mode"] = "Neplatný režim přístupu";
@@ -227,6 +229,7 @@ $text["invalid_file_id"] = "Nevalidní ID souboru";
 $text["invalid_folder_id"] = "Neplatné ID adresáře";
 $text["invalid_group_id"] = "Neplatné ID skupiny";
 $text["invalid_link_id"] = "Neplatné ID odkazu";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Neplatný stav kontroly";
 $text["invalid_sequence"] = "Neplatná hodnota posloupnosti";
 $text["invalid_status"] = "Neplatný stav dokumentu";

languages/English/lang.inc

@@ -152,7 +152,7 @@ $text["documents_user_requiring_attention"] = "Documents owned by you that requi
 $text["document_title"] = "Document '[documentname]'";
 $text["document_updated_email"] = "Document updated";
 $text["does_not_expire"] = "Does not expire";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Inherit access</a>";
+$text["does_not_inherit_access_msg"] = "Inherit access";
 $text["download"] = "Download";
 $text["draft_pending_approval"] = "Draft - pending approval";
 $text["draft_pending_review"] = "Draft - pending review";
@@ -227,7 +227,9 @@ $text["include_documents"] = "Include documents";
 $text["include_subdirectories"] = "Include subdirectories";
 $text["index_converters"] = "Index document conversion";
 $text["individuals"] = "Individuals";
-$text["inherits_access_msg"] = "Access is being inherited.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copy inherited access list</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Start with empty access list</a>";
+$text["inherits_access_msg"] = "Access is being inherited.";
+$text["inherits_access_copy_msg"] = "Copy inherited access list";
+$text["inherits_access_empty_msg"] = "Start with empty access list";
 $text["internal_error_exit"] = "Internal error. Unable to complete request. Exiting.";
 $text["internal_error"] = "Internal error";
 $text["invalid_access_mode"] = "Invalid Access Mode";
@@ -240,6 +242,7 @@ $text["invalid_file_id"] = "Invalid file ID";
 $text["invalid_folder_id"] = "Invalid Folder ID";
 $text["invalid_group_id"] = "Invalid Group ID";
 $text["invalid_link_id"] = "Invalid link identifier";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Invalid Review Status";
 $text["invalid_sequence"] = "Invalid sequence value";
 $text["invalid_status"] = "Invalid Document Status";
@@ -487,6 +490,8 @@ $text["settings_enableUserImage_desc"] = "Enable users images";
 $text["settings_enableUserImage"] = "Enable User Image";
 $text["settings_enableUsersView_desc"] = "Enable/disable group and user view for all users";
 $text["settings_enableUsersView"] = "Enable Users View";
+$text["settings_encryptionKey"] = "Encryption key";
+$text["settings_encryptionKey_desc"] = "This string is used for creating a unique identifier being added as a hidden field to a formular in order to prevent CSRF attacks.";
 $text["settings_error"] = "Error";
 $text["settings_expandFolderTree_desc"] = "Expand Folder Tree";
 $text["settings_expandFolderTree"] = "Expand Folder Tree";

languages/Francais/lang.inc

@@ -143,7 +143,7 @@ $text["documents_user_requiring_attention"] = "Documents détenu par l'utilisate
 $text["document_title"] = "Document '[documentname]'";
 $text["document_updated_email"] = "Document updated";
 $text["does_not_expire"] = "N'expire pas";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Accès hérité</a>";
+$text["does_not_inherit_access_msg"] = "Accès hérité";
 $text["download"] = "Téléchargement";
 $text["draft_pending_approval"] = "Ébauche - sous approbation";
 $text["draft_pending_review"] = "Ébauche - sous révision";
@@ -214,7 +214,9 @@ $text["human_readable"] = "Human readable archive";
 $text["include_documents"] = "Include documents";
 $text["include_subdirectories"] = "Include subdirectories";
 $text["individuals"] = "Individuels";
-$text["inherits_access_msg"] = "L'accès est hérité.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copier la liste des accès hérités</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Commencer avec une liste d'accès vide</a>";
+$text["inherits_access_msg"] = "L'accès est hérité.";
+$text["inherits_access_copy_msg"] = "Copier la liste des accès hérités";
+$text["inherits_access_empty_msg"] = "Commencer avec une liste d'accès vide";
 $text["internal_error_exit"] = "Erreur interne. Impossible d'achever la demande. Sortie du programme.";
 $text["internal_error"] = "Erreur interne";
 $text["invalid_access_mode"] = "mode d'accès invalide";
@@ -227,6 +229,7 @@ $text["invalid_file_id"] = "Invalid file ID";
 $text["invalid_folder_id"] = "Identifiant de dossier invalide";
 $text["invalid_group_id"] = "Identifiant de groupe invalide";
 $text["invalid_link_id"] = "Identifiant de lien invalide";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Statut de révision invalide";
 $text["invalid_sequence"] = "Valeur de séquence invalide";
 $text["invalid_status"] = "Statut de document invalide";

languages/German/lang.inc

@@ -151,7 +151,7 @@ $text["documents_user_requiring_attention"] = "Diese Dokumente sollte ich mal na
 $text["document_title"] = "Dokument '[documentname]'";
 $text["document_updated_email"] = "Dokument aktualisiert";
 $text["does_not_expire"] = "Keine Gültigkeit";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Berechtigungen wieder erben</a>";
+$text["does_not_inherit_access_msg"] = "Berechtigungen wieder erben";
 $text["download"] = "Download";
 $text["draft_pending_approval"] = "Entwurf - bevorstehende Freigabe";
 $text["draft_pending_review"] = "Entwurf - bevorstehende Prüfung";
@@ -226,7 +226,9 @@ $text["include_documents"] = "Dokumente miteinbeziehen";
 $text["include_subdirectories"] = "Unterverzeichnisse miteinbeziehen";
 $text["index_converters"] = "Index Dokumentenumwandlung";
 $text["individuals"] = "Einzelpersonen";
-$text["inherits_access_msg"] = "Zur Zeit werden die Rechte geerbt<p><a class=\"inheritAccess\" href=\"[copyurl]\">Berechtigungen kopieren</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Leere Zugriffsliste</a>";
+$text["inherits_access_msg"] = "Zur Zeit werden die Rechte geerbt";
+$text["inherits_access_copy_msg"] = "Berechtigungen kopieren";
+$text["inherits_access_empty_msg"] = "Leere Zugriffsliste";
 $text["internal_error_exit"] = "Interner Fehler: nicht imstande, Antrag durchzuführen. Herausnehmen. verlassen.";
 $text["internal_error"] = "Interner Fehler";
 $text["invalid_access_mode"] = "Unzulässige Zugangsart";
@@ -239,6 +241,7 @@ $text["invalid_file_id"] = "Ungültige Datei-ID";
 $text["invalid_folder_id"] = "Unzulässige Ordneridentifikation";
 $text["invalid_group_id"] = "Unzulässige Gruppenidentifikation";
 $text["invalid_link_id"] = "Unzulässige Linkbezeichnung";
+$text["invalid_request_token"] = "Ungültige Anfragekennung";
 $text["invalid_review_status"] = "Unzulässiger Überprüfungssstatus";
 $text["invalid_sequence"] = "Unzulässige Reihenfolge der Werte";
 $text["invalid_status"] = "Unzulässiger Dokumentenstatus";
@@ -487,6 +490,8 @@ $text["settings_enableUserImage"] = "Benutzerbilder einschalten";
 $text["settings_enableUsersView_desc"] = "Gruppen- und Benutzeransicht für alle Benutzer ein-/ausschalten";
 $text["settings_enableUsersView"] = "Benutzeransicht aktivieren";
 $text["settings_error"] = "Fehler";
+$text["settings_encryptionKey"] = "Verschlüsselungs-Sequenz";
+$text["settings_encryptionKey_desc"] = "Diese Zeichenkette wird verwendet um eine eindeutige Kennung zu erzeugen, die als verstecktes Feld in einem Formular untergebracht wird. Sie dient zur Verhinderung von CSRF-Attacken.";
 $text["settings_expandFolderTree_desc"] = "Auswählen, wie der Dokumenten-Baum nach der Anmeldung angezeigt wird.";
 $text["settings_expandFolderTree"] = "Dokumenten-Baum";
 $text["settings_expandFolderTree_val0"] = "versteckt";

languages/Hungarian/lang.inc

@@ -135,7 +135,7 @@ $text["documents_to_approve"] = "Documents Awaiting User's Approval";
 $text["documents_to_review"] = "Documents Awaiting User's Review";
 $text["documents_user_requiring_attention"] = "Documents Owned by User That Require Attention";
 $text["does_not_expire"] = "Soha nem jßr le";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Jogosultsßg ÷r÷k<C3B7>t‰se</a>";
+$text["does_not_inherit_access_msg"] = "Jogosultsßg ÷r÷k<C3B7>t‰se";
 $text["download"] = "Let÷lt‰s";
 $text["draft_pending_approval"] = "Draft - pending approval";
 $text["draft_pending_review"] = "Draft - pending review";
@@ -219,7 +219,9 @@ $text["guest_login_disabled"] = "Guest login is disabled.";
 $text["individual_approvers"] = "Individual Approvers";
 $text["individual_reviewers"] = "Individual Reviewers";
 $text["individuals"] = "Individuals";
-$text["inherits_access_msg"] = "Jogosultsßg ÷r÷k<C3B7>t‰se folyamatban.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Ùr÷k<C3B7>tett hozzßf‰r‰s lista mßsolßsa</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Indulßs ’res hozzßf‰r‰s listßval</a>";
+$text["inherits_access_msg"] = "Jogosultsßg ÷r÷k<C3B7>t‰se folyamatban.";
+$text["inherits_access_copy_msg"] = "Ùr÷k<EFBFBD>tett hozzßf‰r‰s lista mßsolßsa";
+$text["inherits_access_empty_msg"] = "Indulßs ’res hozzßf‰r‰s listßval";
 $text["internal_error"] = "Internal error";
 $text["internal_error_exit"] = "Internal error. Unable to complete request. Exiting.";
 $text["invalid_access_mode"] = "Invalid Access Mode";
@@ -231,6 +233,7 @@ $text["invalid_doc_id"] = "Invalid Document ID";
 $text["invalid_folder_id"] = "Invalid Folder ID";
 $text["invalid_group_id"] = "Invalid Group ID";
 $text["invalid_link_id"] = "Invalid link identifier";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Invalid Review Status";
 $text["invalid_sequence"] = "Invalid sequence value";
 $text["invalid_status"] = "Invalid Document Status";

languages/Italian/lang.inc

@@ -143,7 +143,7 @@ $text["documents_user_requiring_attention"] = "Tuoi documenti in attesa di revis
 $text["document_title"] = "Documento '[documentname]'";
 $text["document_updated_email"] = "Documento aggiornato";
 $text["does_not_expire"] = "Nessuna scadenza";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Imposta permessi ereditari</a>";
+$text["does_not_inherit_access_msg"] = "Imposta permessi ereditari";
 $text["download"] = "Scarica";
 $text["draft_pending_approval"] = "Bozza in approvazione";
 $text["draft_pending_review"] = "Bozza in revisione";
@@ -214,7 +214,9 @@ $text["human_readable"] = "Archivio per uso esterno";
 $text["include_documents"] = "Includi documenti";
 $text["include_subdirectories"] = "Includi sottocartelle";
 $text["individuals"] = "Singoli";
-$text["inherits_access_msg"] = "E' impostato il permesso ereditario.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Modifica la lista degli accessi ereditati</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Riimposta una lista di permessi vuota</a>";
+$text["inherits_access_msg"] = "E' impostato il permesso ereditario.";
+$text["inherits_access_copy_msg"] = "Modifica la lista degli accessi ereditati";
+$text["inherits_access_empty_msg"] = "Riimposta una lista di permessi vuota";
 $text["internal_error_exit"] = "Errore interno. Impossibile completare la richiesta. Uscire.";
 $text["internal_error"] = "Errore interno";
 $text["invalid_access_mode"] = "Permessi non validi";
@@ -227,6 +229,7 @@ $text["invalid_file_id"] = "ID del file non valido";
 $text["invalid_folder_id"] = "ID cartella non valido";
 $text["invalid_group_id"] = "ID gruppo non valido";
 $text["invalid_link_id"] = "ID di collegamento non valido";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Stato revisione non valido";
 $text["invalid_sequence"] = "Valore di sequenza non valido";
 $text["invalid_status"] = "Stato del documento non valido";

languages/Netherlands/lang.inc

@@ -129,7 +129,7 @@ $text["documents_user_requiring_attention"] = "Eigen documenten die (nog) aandac
 $text["document_title"] = "Document '[documentname]'";
 $text["document_updated_email"] = "Document bijgewerkt";
 $text["does_not_expire"] = "Verloopt niet";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Erft toegang</a>";
+$text["does_not_inherit_access_msg"] = "Erft toegang";
 $text["download"] = "Download";
 $text["draft_pending_approval"] = "Draft - in afwachting van goedkeuring";
 $text["draft_pending_review"] = "Draft - in afwachting van controle";
@@ -193,7 +193,9 @@ $text["human_readable"] = "Leesbaar Archief";
 $text["include_documents"] = "Inclusief documenten";
 $text["include_subdirectories"] = "Inclusief subfolders/-mappen";
 $text["individuals"] = "Individuen";
-$text["inherits_access_msg"] = "Toegang is (over/ge)erfd..<p><a class=\"inheritAccess\" href=\"[copyurl]\">Kopie lijst overerfde toegang</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Begin met lege toegangslijst</a>";
+$text["inherits_access_msg"] = "Toegang is (over/ge)erfd..";
+$text["inherits_access_copy_msg"] = "Kopie lijst overerfde toegang";
+$text["inherits_access_empty_msg"] = "Begin met lege toegangslijst";
 $text["internal_error_exit"] = "Interne fout. Niet mogelijk om verzoek uit de voeren. Systeem stopt.";
 $text["internal_error"] = "Interne fout";
 $text["invalid_access_mode"] = "Foutmelding: verkeerde toegangsmode";
@@ -206,6 +208,7 @@ $text["invalid_file_id"] = "Foutieve Bestand ID";
 $text["invalid_folder_id"] = "Foutieve Folder/Map ID";
 $text["invalid_group_id"] = "Foutieve Groep ID";
 $text["invalid_link_id"] = "Foutieve link identifier";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Foutieve Controle Status";
 $text["invalid_sequence"] = "Foutieve volgorde waarde";
 $text["invalid_status"] = "Foutieve Document Status";

languages/Portuguese_BR/lang.inc

@@ -135,7 +135,7 @@ $text["documents_to_approve"] = "Documents Awaiting User's Approval";
 $text["documents_to_review"] = "Documents Awaiting User's Review";
 $text["documents_user_requiring_attention"] = "Documents Owned by User That Require Attention";
 $text["does_not_expire"] = "Nƒo Expira";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Inherit access</a>";
+$text["does_not_inherit_access_msg"] = "Inherit access";
 $text["download"] = "Download";
 $text["draft_pending_approval"] = "Draft - pending approval";
 $text["draft_pending_review"] = "Draft - pending review";
@@ -219,7 +219,9 @@ $text["guest_login_disabled"] = "Guest login is disabled.";
 $text["individual_approvers"] = "Individual Approvers";
 $text["individual_reviewers"] = "Individual Reviewers";
 $text["individuals"] = "Individuals";
-$text["inherits_access_msg"] = "Acesso estß endo herdado.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copy inherited access-list</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Inicie com a lista de acesso vazia</a>";
+$text["inherits_access_msg"] = "Acesso estß endo herdado.";
+$text["inherits_access_copy_msg"] = "Copy inherited access list";
+$text["inherits_access_empty_msg"] = "Inicie com a lista de acesso vazia";
 $text["internal_error"] = "Internal error";
 $text["internal_error_exit"] = "Internal error. Unable to complete request. Exiting.";
 $text["invalid_access_mode"] = "Invalid Access Mode";
@@ -231,6 +233,7 @@ $text["invalid_doc_id"] = "Invalid Document ID";
 $text["invalid_folder_id"] = "Invalid Folder ID";
 $text["invalid_group_id"] = "Invalid Group ID";
 $text["invalid_link_id"] = "Invalid link identifier";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Invalid Review Status";
 $text["invalid_sequence"] = "Invalid sequence value";
 $text["invalid_status"] = "Invalid Document Status";

languages/Russian/lang.inc

@@ -149,7 +149,7 @@ $text["documents_user_requiring_attention"] = "Ваши документы, тр
 $text["document_title"] = "Документ '[documentname]'";
 $text["document_updated_email"] = "Документ обновлен";
 $text["does_not_expire"] = "Без срока";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Наследовать уровень доступа</a>";
+$text["does_not_inherit_access_msg"] = "Наследовать уровень доступа";
 $text["download"] = "Скачать";
 $text["draft_pending_approval"] = "Черновик - ожидает утверждения";
 $text["draft_pending_review"] = "Черновик - ожидает рецензии";
@@ -223,7 +223,9 @@ $text["human_readable"] = "Человекопонятный архив";
 $text["include_documents"] = "Включить документы";
 $text["include_subdirectories"] = "Включить подкаталоги";
 $text["individuals"] = "Личности";
-$text["inherits_access_msg"] = "Доступ унаследован.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Скопировать наследованный список</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Начать с пустова списка доступа</a>";
+$text["inherits_access_msg"] = "Доступ унаследован.";
+$text["inherits_access_copy_msg"] = "Скопировать наследованный список";
+$text["inherits_access_empty_msg"] = "Начать с пустова списка доступа";
 $text["internal_error_exit"] = "Внутренняя ошибка. Невозможно выполнить запрос. Завершение.";
 $text["internal_error"] = "Внутренняя ошибка";
 $text["invalid_access_mode"] = "Неверный уровень доступа";
@@ -236,6 +238,7 @@ $text["invalid_file_id"] = "Неверный идентификатор файл
 $text["invalid_folder_id"] = "Неверный идентификатор папки";
 $text["invalid_group_id"] = "Неверный идентификатор группы";
 $text["invalid_link_id"] = "Неверный идентификатор ссылки";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Неверный статус рецензирования";
 $text["invalid_sequence"] = "Неверное значение последовательности";
 $text["invalid_status"] = "Неверный статус документа";

languages/Slovak/lang.inc

@@ -131,7 +131,7 @@ $text["documents_user_requiring_attention"] = "Dokumenty, ktoré používateľ v
 $text["document_title"] = "Dokument '[documentname]'";
 $text["document_updated_email"] = "Dokument aktualizovany";
 $text["does_not_expire"] = "Platnosť nikdy nevyprší";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Zdediť prístup</a>";
+$text["does_not_inherit_access_msg"] = "Zdediť prístup";
 $text["download"] = "Stiahnuť";
 $text["draft_pending_approval"] = "Návrh - čaká na schválenie";
 $text["draft_pending_review"] = "Návrh - čaká na kontrolu";
@@ -195,7 +195,9 @@ $text["human_readable"] = "Použivateľský archív";
 $text["include_documents"] = "Vrátane súborov";
 $text["include_subdirectories"] = "Vrátane podzložiek";
 $text["individuals"] = "Jednotlivci";
-$text["inherits_access_msg"] = "Prístup sa dedí.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Skopírovať zdedený zoznam riadenia prístupu</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Založiť nový zoznam riadenia prístupu</a>";
+$text["inherits_access_msg"] = "Prístup sa dedí.";
+$text["inherits_access_copy_msg"] = "Skopírovať zdedený zoznam riadenia prístupu";
+$text["inherits_access_empty_msg"] = "Založiť nový zoznam riadenia prístupu";
 $text["internal_error_exit"] = "Vnútorná chyba. Nebolo možné dokončiť požiadavku. Ukončuje sa.";
 $text["internal_error"] = "Vnútorná chyba";
 $text["invalid_access_mode"] = "Neplatný režim prístupu";
@@ -208,6 +210,7 @@ $text["invalid_file_id"] = "Nesprávne ID súboru";
 $text["invalid_folder_id"] = "Neplatný ID zložky";
 $text["invalid_group_id"] = "Neplatný ID skupiny";
 $text["invalid_link_id"] = "Neplatný ID odkazu";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Neplatný stav kontroly";
 $text["invalid_sequence"] = "Neplatná hodnota postupnosti";
 $text["invalid_status"] = "Neplatný stav dokumentu";

languages/Spanish/lang.inc

@@ -155,7 +155,7 @@ $text["documents_user_requiring_attention"] = "Documentos de su propiedad que re
 $text["document_title"] = "Documento '[documentname]'";
 $text["document_updated_email"] = "Documento actualizado";
 $text["does_not_expire"] = "No caduca";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">heredar el acceso</a>";
+$text["does_not_inherit_access_msg"] = "heredar el acceso";
 $text["download"] = "Descargar";
 $text["draft_pending_approval"] = "Borador - pendiente de aprobación";
 $text["draft_pending_review"] = "Borrador - pendiente de revisión";
@@ -230,7 +230,9 @@ $text["include_documents"] = "Incluir documentos";
 $text["include_subdirectories"] = "Incluir subdirectorios";
 $text["index_converters"] = "translate: Index document conversion";
 $text["individuals"] = "Individuales";
-$text["inherits_access_msg"] = "Acceso heredado.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Copiar lista de acceso heredado</a><br /><a class=\"inheritAccess\" href=\"[emptyurl]\">Empezar con una lista de acceso vacía</a>";
+$text["inherits_access_msg"] = "Acceso heredado.";
+$text["inherits_access_copy_msg"] = "Copiar lista de acceso heredado";
+$text["inherits_access_empty_msg"] = "Empezar con una lista de acceso vacía";
 $text["internal_error_exit"] = "Error interno. No es posible terminar la solicitud. Terminado.";
 $text["internal_error"] = "Error interno";
 $text["invalid_access_mode"] = "Modo de acceso no válido";
@@ -243,6 +245,7 @@ $text["invalid_file_id"] = "ID de fichero no válida";
 $text["invalid_folder_id"] = "ID de carpeta no válida";
 $text["invalid_group_id"] = "ID de grupo no válida";
 $text["invalid_link_id"] = "Identificador de enlace no válido";
+$text["invalid_request_token"] = "Translate: Invalid Request Token";
 $text["invalid_review_status"] = "Estado de revisión no válido";
 $text["invalid_sequence"] = "Valor de secuencia no válido";
 $text["invalid_status"] = "Estado de documento no válido";

languages/Swedish/lang.inc

@@ -149,7 +149,7 @@ $text["documents_user_requiring_attention"] = "Dokument som du äger och som beh
 $text["document_title"] = "Dokument '[documentname]'";
 $text["document_updated_email"] = "Dokument uppdaterat";
 $text["does_not_expire"] = "Löper aldrig ut";
-$text["does_not_inherit_access_msg"] = "<a class=\"inheritAccess\" href=\"[inheriturl]\">Ärva behörighet</a>";
+$text["does_not_inherit_access_msg"] = "Ärva behörighet";
 $text["download"] = "Ladda ner";
 $text["draft_pending_approval"] = "Utkast - väntar på godkännande";
 $text["draft_pending_review"] = "Utkast - väntar på granskning";
@@ -223,7 +223,9 @@ $text["human_readable"] = "Arkiv som är läsbart av människor";
 $text["include_documents"] = "Inkludera dokument";
 $text["include_subdirectories"] = "Inkludera under-kataloger";
 $text["individuals"] = "Personer";
-$text["inherits_access_msg"] = "Behörighet har ärvts.<p><a class=\"inheritAccess\" href=\"[copyurl]\">Kopiera behörighetsarvslista</a><br><a class=\"inheritAccess\" href=\"[emptyurl]\">Börja med tom behörighetslista</a>";
+$text["inherits_access_msg"] = "Behörighet har ärvts.";
+$text["inherits_access_copy_msg"] = "Kopiera behörighetsarvslista";
+$text["inherits_access_empty_msg"] = "Börja med tom behörighetslista";
 $text["internal_error_exit"] = "Internt fel. Förfrågan kunde inte utföras. Avslutar.";
 $text["internal_error"] = "Internt fel";
 $text["invalid_access_mode"] = "Ogiltig behörighetsnivå";
@@ -236,6 +238,7 @@ $text["invalid_file_id"] = "Ogiltigt fil-ID";
 $text["invalid_folder_id"] = "Ogiltigt katalog-ID";
 $text["invalid_group_id"] = "Ogiltigt grupp-ID";
 $text["invalid_link_id"] = "Ogiltigt länk-ID";
+$text["invalid_request_token"] = "Invalid Request Token";
 $text["invalid_review_status"] = "Ogiltig granskningsstatus";
 $text["invalid_sequence"] = "Ogiltigt sekvensvärde";
 $text["invalid_status"] = "Ogiltig dokumentstatus";

op/op.Categories.php

@@ -28,12 +28,18 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
-$action = $_GET["action"];
+if (isset($_POST["action"])) $action=$_POST["action"];
+else $action=NULL;
 
 //Neue Kategorie anlegen -----------------------------------------------------------------------------
 if ($action == "addcategory") {
 	
-	$name = trim($_GET["name"]);
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('addcategory')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	$name = trim($_POST["name"]);
 	if($name == '') {
 		UI::exitError(getMLText("admin_tools"),getMLText("category_noname"));
 	}
@@ -50,10 +56,15 @@ if ($action == "addcategory") {
 //Kategorie löschen ----------------------------------------------------------------------------------
 else if ($action == "removecategory") {
 
-	if (!isset($_GET["categoryid"]) || !is_numeric($_GET["categoryid"]) || intval($_GET["categoryid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('removecategory')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["categoryid"]) || !is_numeric($_POST["categoryid"]) || intval($_POST["categoryid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_document_category"));
 	}
-	$categoryid = $_GET["categoryid"];
+	$categoryid = $_POST["categoryid"];
 	$category = $dms->getDocumentCategory($categoryid);
 	if (!is_object($category)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_document_category"));
@@ -68,16 +79,21 @@ else if ($action == "removecategory") {
 //Kategorie bearbeiten: Neuer Name --------------------------------------------------------------------
 else if ($action == "editcategory") {
 
-	if (!isset($_GET["categoryid"]) || !is_numeric($_GET["categoryid"]) || intval($_GET["categoryid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('editcategory')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["categoryid"]) || !is_numeric($_POST["categoryid"]) || intval($_POST["categoryid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_document_category"));
 	}
-	$categoryid = $_GET["categoryid"];
+	$categoryid = $_POST["categoryid"];
 	$category = $dms->getDocumentCategory($categoryid);
 	if (!is_object($category)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_document_category"));
 	}
 
-	$name = $_GET["name"];
+	$name = $_POST["name"];
 	if (!$category->setName($name)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
 	}

op/op.DefaultKeywords.php

@@ -28,12 +28,18 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
-$action = $_GET["action"];
+if (isset($_POST["action"])) $action=$_POST["action"];
+else $action=NULL;
 
 //Neue Kategorie anlegen -----------------------------------------------------------------------------
 if ($action == "addcategory") {
 
-	$name = $_GET["name"];
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('addcategory')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	$name = $_POST["name"];
 	if (is_object($dms->getKeywordCategoryByName($name, $user->getID()))) {
 		UI::exitError(getMLText("admin_tools"),getMLText("keyword_exists"));
 	}
@@ -47,10 +53,15 @@ if ($action == "addcategory") {
 //Kategorie löschen ----------------------------------------------------------------------------------
 else if ($action == "removecategory") {
 
-	if (!isset($_GET["categoryid"]) || !is_numeric($_GET["categoryid"]) || intval($_GET["categoryid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('removecategory')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["categoryid"]) || !is_numeric($_POST["categoryid"]) || intval($_POST["categoryid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
 	}
-	$categoryid = $_GET["categoryid"];
+	$categoryid = $_POST["categoryid"];
 	$category = $dms->getKeywordCategory($categoryid);
 	if (!is_object($category)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
@@ -69,10 +80,15 @@ else if ($action == "removecategory") {
 //Kategorie bearbeiten: Neuer Name --------------------------------------------------------------------
 else if ($action == "editcategory") {
 
-	if (!isset($_GET["categoryid"]) || !is_numeric($_GET["categoryid"]) || intval($_GET["categoryid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('editcategory')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["categoryid"]) || !is_numeric($_POST["categoryid"]) || intval($_POST["categoryid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
 	}
-	$categoryid = $_GET["categoryid"];
+	$categoryid = $_POST["categoryid"];
 	$category = $dms->getKeywordCategory($categoryid);
 	if (!is_object($category)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
@@ -83,7 +99,7 @@ else if ($action == "editcategory") {
 		UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 	}
 
-	$name = $_GET["name"];
+	$name = $_POST["name"];
 	if (!$category->setName($name)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
 	}
@@ -92,27 +108,38 @@ else if ($action == "editcategory") {
 //Kategorie bearbeiten: Neue Stichwortliste  ----------------------------------------------------------
 else if ($action == "newkeywords") {
 	
-	$categoryid = (int) $_GET["categoryid"];
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('newkeywords')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	$categoryid = (int) $_POST["categoryid"];
 	$category = $dms->getKeywordCategory($categoryid);
 	$owner    = $category->getOwner();
 	if (!$owner->isAdmin()) {
 		UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 	}
 
-	$keywords = $_GET["keywords"];
-	
-	if (!$category->addKeywordList($keywords)) {
-		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
-	}
+	$keywords = $_POST["keywords"];
+	if(trim($keywords)) {
+		if (!$category->addKeywordList($keywords)) {
+			UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
+		}
+	}
 }
 
 //Kategorie bearbeiten: Stichwortliste bearbeiten ----------------------------------------------------------
 else if ($action == "editkeywords")
 {
-	if (!isset($_GET["categoryid"]) || !is_numeric($_GET["categoryid"]) || intval($_GET["categoryid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('editkeywords')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["categoryid"]) || !is_numeric($_POST["categoryid"]) || intval($_POST["categoryid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
 	}
-	$categoryid = $_GET["categoryid"];
+	$categoryid = $_POST["categoryid"];
 	$category = $dms->getKeywordCategory($categoryid);
 	if (!is_object($category)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
@@ -124,12 +151,12 @@ else if ($action == "editkeywords")
 		UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 	}
 
-	if (!isset($_GET["keywordsid"]) || !is_numeric($_GET["keywordsid"]) || intval($_GET["keywordsid"])<1) {
+	if (!isset($_POST["keywordsid"]) || !is_numeric($_POST["keywordsid"]) || intval($_POST["keywordsid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 	}
-	$keywordsid = $_GET["keywordsid"];
+	$keywordsid = $_POST["keywordsid"];
 
-	$keywords = $_GET["keywords"];
+	$keywords = $_POST["keywords"];
 	if (!$category->editKeywordList($keywordsid, $keywords)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));
 	}
@@ -138,10 +165,15 @@ else if ($action == "editkeywords")
 //Kategorie bearbeiten: Neue Stichwortliste löschen ----------------------------------------------------------
 else if ($action == "removekeywords") {
 	
-	if (!isset($_GET["categoryid"]) || !is_numeric($_GET["categoryid"]) || intval($_GET["categoryid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('removekeywords')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["categoryid"]) || !is_numeric($_POST["categoryid"]) || intval($_POST["categoryid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
 	}
-	$categoryid = $_GET["categoryid"];
+	$categoryid = $_POST["categoryid"];
 	$category = $dms->getKeywordCategory($categoryid);
 	if (!is_object($category)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_keyword_category"));
@@ -152,10 +184,10 @@ else if ($action == "removekeywords") {
 		UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 	}
 
-	if (!isset($_GET["keywordsid"]) || !is_numeric($_GET["keywordsid"]) || intval($_GET["keywordsid"])<1) {
+	if (!isset($_POST["keywordsid"]) || !is_numeric($_POST["keywordsid"]) || intval($_POST["keywordsid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 	}
-	$keywordsid = $_GET["keywordsid"];
+	$keywordsid = $_POST["keywordsid"];
 
 	if (!$category->removeKeywordList($keywordsid)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("error_occured"));

op/op.DocumentAccess.php

@@ -43,6 +43,12 @@ if ($document->getAccessMode($user) < M_ALL) {
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
 }
 
+/* Check if the form data comes for a trusted request */
+/* FIXME: Currently GET request are allowed. */
+if(!checkFormKey('documentaccess', 'GET')) {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_request_token"));
+}
+
 switch ($_GET["action"]) {
 	case "setowner":
 	case "delaccess":

op/op.EditEvent.php

@@ -32,6 +32,11 @@ if ($user->isGuest()) {
 	UI::exitError(getMLText("edit_event"),getMLText("access_denied"));
 }
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('editevent')) {
+	UI::exitError(getMLText("edit_event"),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["frommonth"]) || !isset($_POST["fromday"]) || !isset($_POST["fromyear"]) ) {
 	UI::exitError(getMLText("edit_event"),getMLText("error_occured"));
 }

op/op.GroupMgr.php

@@ -30,15 +30,19 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
-if (isset($_GET["action"])) $action = $_GET["action"];
-else if (isset($_POST["action"])) $action = $_POST["action"];
-
+if (isset($_POST["action"])) $action = $_POST["action"];
+else $action = null;
 
 //Neue Gruppe anlegen -----------------------------------------------------------------------------
 if ($action == "addgroup") {
 
-	$name = $_GET["name"];
-	$comment = $_GET["comment"];
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('addgroup')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	$name = $_POST["name"];
+	$comment = $_POST["comment"];
 
 	if (is_object($dms->getGroupByName($name))) {
 		UI::exitError(getMLText("admin_tools"),getMLText("group_exists"));
@@ -57,6 +61,11 @@ if ($action == "addgroup") {
 //Gruppe löschen ----------------------------------------------------------------------------------
 else if ($action == "removegroup") {
 	
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('removegroup')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
 	if (!isset($_POST["groupid"]) || !is_numeric($_POST["groupid"]) || intval($_POST["groupid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
@@ -76,19 +85,24 @@ else if ($action == "removegroup") {
 //Gruppe bearbeiten -------------------------------------------------------------------------------
 else if ($action == "editgroup") {
 
-	if (!isset($_GET["groupid"]) || !is_numeric($_GET["groupid"]) || intval($_GET["groupid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('editgroup')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["groupid"]) || !is_numeric($_POST["groupid"]) || intval($_POST["groupid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
 	
-	$groupid=$_GET["groupid"];
+	$groupid=$_POST["groupid"];
 	$group = $dms->getGroup($groupid);
 	
 	if (!is_object($group)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
 	
-	$name = $_GET["name"];
-	$comment = $_GET["comment"];
+	$name = $_POST["name"];
+	$comment = $_POST["comment"];
 
 	if ($group->getName() != $name)
 		$group->setName($name);
@@ -101,6 +115,11 @@ else if ($action == "editgroup") {
 //Benutzer zu Gruppe hinzufügen -------------------------------------------------------------------
 else if ($action == "addmember") {
 
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('addmember')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
 	if (!isset($_POST["groupid"]) || !is_numeric($_POST["groupid"]) || intval($_POST["groupid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
@@ -132,22 +151,27 @@ else if ($action == "addmember") {
 //Benutzer aus Gruppe entfernen -------------------------------------------------------------------
 else if ($action == "rmmember") {
 
-	if (!isset($_GET["groupid"]) || !is_numeric($_GET["groupid"]) || intval($_GET["groupid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('rmmember')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["groupid"]) || !is_numeric($_POST["groupid"]) || intval($_POST["groupid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
 	
-	$groupid=$_GET["groupid"];
+	$groupid=$_POST["groupid"];
 	$group = $dms->getGroup($groupid);
 	
 	if (!is_object($group)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
 
-	if (!isset($_GET["userid"]) || !is_numeric($_GET["userid"]) || intval($_GET["userid"])<1) {
+	if (!isset($_POST["userid"]) || !is_numeric($_POST["userid"]) || intval($_POST["userid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_user_id"));
 	}
 	
-	$oldMember = $dms->getUser($_GET["userid"]);
+	$oldMember = $dms->getUser($_POST["userid"]);
 	if (!is_object($oldMember)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_user_id"));
 	}
@@ -160,22 +184,27 @@ else if ($action == "rmmember") {
 // toggle manager flag
 else if ($action == "tmanager") {
 
-	if (!isset($_GET["groupid"]) || !is_numeric($_GET["groupid"]) || intval($_GET["groupid"])<1) {
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('tmanager')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
+	if (!isset($_POST["groupid"]) || !is_numeric($_POST["groupid"]) || intval($_POST["groupid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
 	
-	$groupid=$_GET["groupid"];
+	$groupid=$_POST["groupid"];
 	$group = $dms->getGroup($groupid);
 	
 	if (!is_object($group)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_group_id"));
 	}
 
-	if (!isset($_GET["userid"]) || !is_numeric($_GET["userid"]) || intval($_GET["userid"])<1) {
+	if (!isset($_POST["userid"]) || !is_numeric($_POST["userid"]) || intval($_POST["userid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_user_id"));
 	}
 	
-	$usertoedit = $dms->getUser($_GET["userid"]);
+	$usertoedit = $dms->getUser($_POST["userid"]);
 	if (!is_object($usertoedit)) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_user_id"));
 	}

op/op.RemoveArchive.php

@@ -27,6 +27,11 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removearchive')) {
+	UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["arkname"]) || !file_exists($settings->_contentDir.$_POST["arkname"]) ) {
 	UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }

op/op.RemoveDocument.php

@@ -25,6 +25,11 @@ include("../inc/inc.Language.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removedocument')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

op/op.RemoveDocumentFile.php

@@ -24,6 +24,11 @@ include("../inc/inc.Language.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removedocumentfile')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }

op/op.RemoveDocumentLink.php

@@ -23,22 +23,27 @@ include("../inc/inc.Language.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
-if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removedocumentlink')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-$documentid = $_GET["documentid"];
+$documentid = $_POST["documentid"];
 $document = $dms->getDocument($documentid);
 
 if (!is_object($document)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
 
-if (!isset($_GET["linkid"]) || !is_numeric($_GET["linkid"]) || intval($_GET["linkid"])<1) {
+if (!isset($_POST["linkid"]) || !is_numeric($_POST["linkid"]) || intval($_POST["linkid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("invalid_link_id"));
 }
 
-$linkid = $_GET["linkid"];
+$linkid = $_POST["linkid"];
 $link = $document->getDocumentLink($linkid);
 
 if (!is_object($link)) {

op/op.RemoveDump.php

@@ -27,6 +27,11 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removedump')) {
+	UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["dumpname"]) || !file_exists($settings->_contentDir.$_POST["dumpname"]) ) {
 	UI::exitError(getMLText("admin_tools"),getMLText("unknown_id"));
 }

op/op.RemoveEvent.php

@@ -28,6 +28,11 @@ include("../inc/inc.ClassUI.php");
 include("../inc/inc.Calendar.php");
 include("../inc/inc.Authentication.php");
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removeevent')) {
+	UI::exitError(getMLText("edit_event"),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["eventid"]) || !is_numeric($_POST["eventid"]) || intval($_POST["eventid"])<1) {
 	UI::exitError(getMLText("edit_event"),getMLText("error_occured"));
 }

op/op.RemoveFolder.php

@@ -25,10 +25,15 @@ include("../inc/inc.Language.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
-if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removefolder')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
+if (!isset($_POST["folderid"]) || !is_numeric($_POST["folderid"]) || intval($_POST["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
-$folderid = $_GET["folderid"];
+$folderid = $_POST["folderid"];
 $folder = $dms->getFolder($folderid);
 
 if (!is_object($folder)) {
@@ -71,6 +76,6 @@ if ($folder->remove()) {
 
 add_log_line();
 
-header("Location:../out/out.ViewFolder.php?folderid=".$parent->getID()."&showtree=".$_GET["showtree"]);
+header("Location:../out/out.ViewFolder.php?folderid=".$parent->getID()."&showtree=".$_POST["showtree"]);
 
 ?>

op/op.RemoveFolderFiles.php

@@ -28,6 +28,11 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removefolderfiles')) {
+	UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+}
+
 function removeFolderFiles($folder) {
 	global $dms;
 

op/op.RemoveLog.php

@@ -23,6 +23,11 @@ include("../inc/inc.Language.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
+/* Check if the form data comes for a trusted request */
+if(!checkFormKey('removelog')) {
+	UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+}
+
 if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }

op/op.Settings.php

@@ -97,6 +97,7 @@ if ($action == "saveSettings")
   $settings->_passwordExpiration = intval($_POST["passwordExpiration"]);
   $settings->_passwordHistory = intval($_POST["passwordHistory"]);
   $settings->_loginFailure = intval($_POST["loginFailure"]);
+  $settings->_encryptionKey = strval($_POST["encryptionKey"]);
 
   // TODO Connectors
 

op/op.UsrMgr.php

@@ -33,12 +33,16 @@ if (!$user->isAdmin()) {
 }
 
 if (isset($_POST["action"])) $action=$_POST["action"];
-else if (isset($_GET["action"])) $action=$_GET["action"];
 else $action=NULL;
 
 //Neuen Benutzer anlegen --------------------------------------------------------------------------
 if ($action == "adduser") {
 	
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('adduser')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
 	$login   = $_POST["login"];
 	$pwd     = $_POST["pwd"];
 	$pwdexpiration = $_POST["pwdexpiration"];
@@ -103,12 +107,14 @@ if ($action == "adduser") {
 //Benutzer löschen --------------------------------------------------------------------------------
 else if ($action == "removeuser") {
 
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('removeuser')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
 	if (isset($_POST["userid"])) {
 		$userid = $_POST["userid"];
 	}
-	else if (isset($_GET["userid"])) {
-		$userid = $_GET["userid"];
-	}
 
 	if (!isset($userid) || !is_numeric($userid) || intval($userid)<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_user_id"));
@@ -139,6 +145,11 @@ else if ($action == "removeuser") {
 //Benutzer bearbeiten -----------------------------------------------------------------------------
 else if ($action == "edituser") {
 
+	/* Check if the form data comes for a trusted request */
+	if(!checkFormKey('edituser')) {
+		UI::exitError(getMLText("admin_tools"),getMLText("invalid_request_token"));
+	}
+
 	if (!isset($_POST["userid"]) || !is_numeric($_POST["userid"]) || intval($_POST["userid"])<1) {
 		UI::exitError(getMLText("admin_tools"),getMLText("invalid_user_id"));
 	}

out/out.Categories.php

@@ -78,7 +78,8 @@ UI::contentContainerStart();
 		</td>
 
 		<td id="categories0" style="display : none;">	
-			<form action="../op/op.Categories.php" >
+			<form action="../op/op.Categories.php" method="post">
+  		<?php echo createHiddenFieldWithKey('addcategory'); ?>
 			<input type="Hidden" name="action" value="addcategory">
 			<?php printMLText("name");?> : <input name="name">
 			<input type="Submit" value="<?php printMLText("new_document_category"); ?>">
@@ -97,7 +98,12 @@ UI::contentContainerStart();
 <?php
 		if(!$category->isUsed()) {
 ?>
-						<a href="../op/op.Categories.php?categoryid=<?php print $category->getID();?>&action=removecategory"><img src="images/del.gif" border="0"><?php printMLText("rm_document_category");?></a>
+						<form style="display: inline-block;" method="post" action="../op/op.Categories.php" >
+						<?php echo createHiddenFieldWithKey('removecategory'); ?>
+						<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
+						<input type="Hidden" name="action" value="removecategory">
+						<input value="<?php echo getMLText("rm_document_category")?>" type="submit">
+						</form>
 <?php
 		} else {
 ?>
@@ -116,6 +122,7 @@ UI::contentContainerStart();
 					<td><?php echo getMLText("name")?>:</td>
 					<td>
 						<form action="../op/op.Categories.php" >
+  		        <?php echo createHiddenFieldWithKey('editcategory'); ?>
 							<input type="Hidden" name="action" value="editcategory">
 							<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
 							<input name="name" value="<?php echo htmlspecialchars($category->getName()) ?>">&nbsp;

out/out.DefaultKeywords.php

@@ -81,7 +81,8 @@ UI::contentContainerStart();
 		</td>
 
 		<td id="keywords0" style="display : none;">	
-			<form action="../op/op.DefaultKeywords.php" >
+			<form action="../op/op.DefaultKeywords.php" method="post">
+  		<?php echo createHiddenFieldWithKey('addcategory'); ?>
 			<input type="Hidden" name="action" value="addcategory">
 			<?php printMLText("name");?> : <input name="name">
 			<input type="Submit" value="<?php printMLText("new_default_keyword_category"); ?>">
@@ -100,7 +101,12 @@ UI::contentContainerStart();
 			<table>
 				<tr>
 					<td colspan="2">
-						<a href="../op/op.DefaultKeywords.php?categoryid=<?php print $category->getID();?>&action=removecategory"><img src="images/del.gif" border="0"><?php printMLText("rm_default_keyword_category");?></a>
+						<form action="../op/op.DefaultKeywords.php" method="post">
+  						<?php echo createHiddenFieldWithKey('removecategory'); ?>
+							<input type="Hidden" name="action" value="removecategory">
+							<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
+							<input value="<?php printMLText("rm_default_keyword_category");?>" type="submit" title="<?php echo getMLText("delete")?>">
+						</form>
 					</td>
 				</tr>
 				<tr>
@@ -111,7 +117,8 @@ UI::contentContainerStart();
 				<tr>
 					<td><?php echo getMLText("name")?>:</td>
 					<td>
-						<form action="../op/op.DefaultKeywords.php" >
+						<form action="../op/op.DefaultKeywords.php" method="post">
+  						<?php echo createHiddenFieldWithKey('editcategory'); ?>
 							<input type="Hidden" name="action" value="editcategory">
 							<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
 							<input name="name" value="<?php echo htmlspecialchars($category->getName()) ?>">&nbsp;
@@ -135,20 +142,29 @@ UI::contentContainerStart();
 							else
 								foreach ($lists as $list) {
 						?>
-									<form action="../op/op.DefaultKeywords.php" >
+									<form style="display: inline-block;" method="post" action="../op/op.DefaultKeywords.php" >
+  								<?php echo createHiddenFieldWithKey('editkeywords'); ?>
 									<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
 									<input type="Hidden" name="keywordsid" value="<?php echo $list["id"]?>">
 									<input type="Hidden" name="action" value="editkeywords">
 									<input name="keywords" value="<?php echo htmlspecialchars($list["keywords"]) ?>">
-									<input name="action" value="editkeywords" type="Image" src="images/save.gif" title="<?php echo getMLText("save")?>">
+									<input name="action" value="editkeywords" type="Image" src="images/save.gif" title="<?php echo getMLText("save")?>" style="border: 0px;">
 									<!--	 <input name="action" value="removekeywords" type="Image" src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"> &nbsp; -->
-									<a href="../op/op.DefaultKeywords.php?categoryid=<?php echo $category->getID()?>&keywordsid=<?php echo $list["id"]?>&action=removekeywords"><img src="images/del.gif" title="<?php echo getMLText("delete")?>" border="0"></a>
-									</form><br>
+									</form>
+									<form style="display: inline-block;" method="post" action="../op/op.DefaultKeywords.php" >
+  								<?php echo createHiddenFieldWithKey('removekeywords'); ?>
+									<input type="Hidden" name="categoryid" value="<?php echo $category->getID()?>">
+									<input type="Hidden" name="keywordsid" value="<?php echo $list["id"]?>">
+									<input type="Hidden" name="action" value="removekeywords">
+									<input name="action" value="removekeywords" type="Image" src="images/del.gif" title="<?php echo getMLText("delete")?>" style="border: 0px;">
+									</form>
+									<br>
 						<?php }  ?>
 					</td>
 				</tr>			
 				<tr>
-					<form action="../op/op.DefaultKeywords.php" >
+					<form action="../op/op.DefaultKeywords.php" method="post">
+  				<?php echo createHiddenFieldWithKey('newkeywords'); ?>
 					<td><input type="Submit" value="<?php printMLText("new_default_keywords");?>"></td>
 					<td>
 						<input type="Hidden" name="action" value="newkeywords">

out/out.DocumentAccess.php

@@ -76,7 +76,7 @@ function checkForm()
 </script>
 
 <?php
-$allUsers = $dms->getAllUsers();
+$allUsers = $dms->getAllUsers($settings->_sortUsersInList);
 
 UI::contentHeading(getMLText("edit_document_access"));
 UI::contentContainerStart();
@@ -86,6 +86,7 @@ if ($user->isAdmin()) {
 	UI::contentSubHeading(getMLText("set_owner"));
 ?>
 	<form action="../op/op.DocumentAccess.php">
+  <?php echo createHiddenFieldWithKey('documentaccess'); ?>
 	<input type="Hidden" name="action" value="setowner">
 	<input type="Hidden" name="documentid" value="<?php print $documentid;?>">
 	<?php printMLText("owner");?> : <select name="ownerid">
@@ -97,7 +98,7 @@ if ($user->isAdmin()) {
 		print "<option value=\"".$currUser->getID()."\"";
 		if ($currUser->getID() == $owner->getID())
 			print " selected";
-		print ">" . htmlspecialchars($currUser->getFullname()) . "</option>\n";
+		print ">" . htmlspecialchars($currUser->getLogin() . " - " . $currUser->getFullname()) . "</option>\n";
 	}
 	?>
 	</select>
@@ -109,14 +110,37 @@ if ($user->isAdmin()) {
 UI::contentSubHeading(getMLText("access_inheritance"));
 
 if ($document->inheritsAccess()) {
-	printMLText("inherits_access_msg", array(
-		"copyurl" => "../op/op.DocumentAccess.php?documentid=".$documentid."&action=notinherit&mode=copy", 
-		"emptyurl" => "../op/op.DocumentAccess.php?documentid=".$documentid."&action=notinherit&mode=empty"));
+	printMLText("inherits_access_msg");
+?>
+  <p>
+	<form action="../op/op.DocumentAccess.php" style="display: inline-block;">
+  <?php echo createHiddenFieldWithKey('documentaccess'); ?>
+	<input type="hidden" name="documentid" value="<?php print $documentid;?>">
+	<input type="hidden" name="action" value="notinherit">
+	<input type="hidden" name="mode" value="copy">
+	<input type="submit" value="<?php printMLText("inherits_access_copy_msg")?>">
+	</form>
+	<form action="../op/op.DocumentAccess.php" style="display: inline-block;">
+  <?php echo createHiddenFieldWithKey('documentaccess'); ?>
+	<input type="hidden" name="documentid" value="<?php print $documentid;?>">
+	<input type="hidden" name="action" value="notinherit">
+	<input type="hidden" name="mode" value="empty">
+	<input type="submit" value="<?php printMLText("inherits_access_empty_msg")?>">
+	</form>
+	</p>
+<?php
 	UI::contentContainerEnd();
 	UI::htmlEndPage();
 	exit();
 }
-printMLText("does_not_inherit_access_msg", array("inheriturl" => "../op/op.DocumentAccess.php?documentid=".$documentid."&action=inherit"));
+?>
+	<form action="../op/op.DocumentAccess.php">
+  <?php echo createHiddenFieldWithKey('documentaccess'); ?>
+	<input type="hidden" name="documentid" value="<?php print $documentid;?>">
+	<input type="hidden" name="action" value="inherit">
+	<input type="submit" value="<?php printMLText("does_not_inherit_access_msg")?>">
+	</form>
+<?php
 
 $accessList = $document->getAccessList();
 
@@ -124,6 +148,7 @@ UI::contentSubHeading(getMLText("default_access"));
 
 ?>
 <form action="../op/op.DocumentAccess.php">
+  <?php echo createHiddenFieldWithKey('documentaccess'); ?>
 	<input type="Hidden" name="documentid" value="<?php print $documentid;?>">
 	<input type="Hidden" name="action" value="setdefault">
 	<?php printAccessModeSelection($document->getDefaultAccess()); ?>
@@ -143,43 +168,63 @@ if (count($accessList["users"]) != 0 || count($accessList["groups"]) != 0) {
 	foreach ($accessList["users"] as $userAccess) {
 		$userObj = $userAccess->getUser();
 		$memusers[] = $userObj->getID();
-		print "<form action=\"../op/op.DocumentAccess.php\">\n";
-		print "<input type=\"Hidden\" name=\"documentid\" value=\"".$documentid."\">\n";
-		print "<input type=\"Hidden\" name=\"action\" value=\"editaccess\">\n";
-		print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n";
 		print "<tr>\n";
 		print "<td><img src=\"images/usericon.gif\" class=\"mimeicon\"></td>\n";
 		print "<td>". htmlspecialchars($userObj->getFullName()) . "</td>\n";
 		print "<td>\n";
+		print "<form action=\"../op/op.DocumentAccess.php\">\n";
 		printAccessModeSelection($userAccess->getMode());
 		print "</td>\n";
 		print "<td><span class=\"actions\">\n";
+  	echo createHiddenFieldWithKey('documentaccess')."\n";
+		print "<input type=\"Hidden\" name=\"documentid\" value=\"".$documentid."\">\n";
+		print "<input type=\"Hidden\" name=\"action\" value=\"editaccess\">\n";
+		print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n";
 		print "<input type=\"Image\" class=\"mimeicon\" src=\"images/save.gif\">".getMLText("save")." ";
-		print "<a href=\"../op/op.DocumentAccess.php?documentid=".$documentid."&action=delaccess&userid=".$userObj->getID()."\"><img src=\"images/del.gif\" class=\"mimeicon\"></a>".getMLText("delete");
-		print "</span></td></tr>\n";
+		print "</span></td>\n";
 		print "</form>\n";
+		print "<td><span class=\"actions\">\n";
+		print "<form action=\"../op/op.DocumentAccess.php\">\n";
+  	echo createHiddenFieldWithKey('documentaccess')."\n";
+		print "<input type=\"Hidden\" name=\"documentid\" value=\"".$documentid."\">\n";
+		print "<input type=\"Hidden\" name=\"action\" value=\"delaccess\">\n";
+		print "<input type=\"Hidden\" name=\"userid\" value=\"".$userObj->getID()."\">\n";
+		print "<input type=\"Image\" class=\"mimeicon\" src=\"images/del.gif\">".getMLText("delete")." ";
+		print "</form>\n";
+		print "<span></td>\n";
+		print "</tr>\n";
 	}
 
-	/* memorїze groups with access rights */
+	/* memorize groups with access rights */
 	$memgroups = array();
 	foreach ($accessList["groups"] as $groupAccess) {
 		$groupObj = $groupAccess->getGroup();
 		$memgroups[] = $groupObj->getID();
 		$mode = $groupAccess->getMode();
-		print "<form action=\"../op/op.DocumentAccess.php\">";
-		print "<input type=\"Hidden\" name=\"documentid\" value=\"".$documentid."\">";
-		print "<input type=\"Hidden\" name=\"action\" value=\"editaccess\">";
-		print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">";
 		print "<tr>";
 		print "<td><img src=\"images/groupicon.gif\" class=\"mimeicon\"></td>";
 		print "<td>". htmlspecialchars($groupObj->getName()) . "</td>";
+		print "<form action=\"../op/op.DocumentAccess.php\">";
 		print "<td>";
 		printAccessModeSelection($groupAccess->getMode());
 		print "</td>\n";
 		print "<td><span class=\"actions\">\n";
+  	echo createHiddenFieldWithKey('documentaccess')."\n";
+		print "<input type=\"Hidden\" name=\"documentid\" value=\"".$documentid."\">";
+		print "<input type=\"Hidden\" name=\"action\" value=\"editaccess\">";
+		print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">";
 		print "<input type=\"Image\" class=\"mimeicon\" src=\"images/save.gif\">".getMLText("save")." ";
-		print "<a href=\"../op/op.DocumentAccess.php?documentid=".$documentid."&action=delaccess&groupid=".$groupObj->getID()."\"><img src=\"images/del.gif\" class=\"mimeicon\"></a>".getMLText("delete");
-		print "</span></td></tr>";
+		print "</span></td>\n";
+		print "</form>";
+		print "<td><span class=\"actions\">\n";
+		print "<form action=\"../op/op.DocumentAccess.php\">\n";
+  	echo createHiddenFieldWithKey('documentaccess')."\n";
+		print "<input type=\"Hidden\" name=\"documentid\" value=\"".$documentid."\">\n";
+		print "<input type=\"Hidden\" name=\"action\" value=\"delaccess\">\n";
+		print "<input type=\"Hidden\" name=\"groupid\" value=\"".$groupObj->getID()."\">\n";
+		print "<input type=\"Image\" class=\"mimeicon\" src=\"images/del.gif\">".getMLText("delete")." ";
+		print "</span></td>\n";
+		print "</tr>\n";
 		print "</form>";
 	}
 	
@@ -187,6 +232,7 @@ if (count($accessList["users"]) != 0 || count($accessList["groups"]) != 0) {
 }
 ?>
 <form action="../op/op.DocumentAccess.php" name="form1" onsubmit="return checkForm();">
+<?php echo createHiddenFieldWithKey('documentaccess'); ?>
 <input type="Hidden" name="documentid" value="<?php print $documentid?>">
 <input type="Hidden" name="action" value="addaccess">
 <table>
@@ -200,7 +246,7 @@ foreach ($allUsers as $userObj) {
 	if ($userObj->isGuest() || in_array($userObj->getID(), $memusers)) {
 		continue;
 	}
-	print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "</option>\n";
+	print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($currUser->getLogin() . " - " . $userObj->getFullName()) . "</option>\n";
 }
 ?>
 </select>

out/out.DocumentNotify.php

@@ -116,10 +116,10 @@ print "</table>\n";
 				<option value="-1"><?php printMLText("select_one");?>
 				<?php
 					if ($user->isAdmin()) {
-						$allUsers = $dms->getAllUsers();
+						$allUsers = $dms->getAllUsers($settings->_sortUsersInList);
 						foreach ($allUsers as $userObj) {
 							if (!$userObj->isGuest() && ($document->getAccessMode($userObj) >= M_READ) && !in_array($userObj->getID(), $userNotifyIDs))
-								print "<option value=\"".$userObj->getID()."\">" . $userObj->getFullName() . "\n";
+								print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getLogin() . " - " . $userObj->getFullName()) . "\n";
 						}
 					}
 					elseif (!$user->isGuest() && !in_array($user->getID(), $userNotifyIDs)) {

out/out.EditEvent.php

@@ -70,6 +70,7 @@ function checkForm()
 </script>
 
 <form action="../op/op.EditEvent.php" name="form1" onsubmit="return checkForm();" method="POST">
+  <?php echo createHiddenFieldWithKey('editevent'); ?>
 
 	<input type="Hidden" name="eventid" value="<?php echo (int) $_GET["id"]; ?>">
 

out/out.FolderNotify.php

@@ -115,7 +115,7 @@ print "</table>\n";
 				<option value="-1"><?php printMLText("select_one");?>
 				<?php
 					if ($user->isAdmin()) {
-						$allUsers = $dms->getAllUsers();
+						$allUsers = $dms->getAllUsers($settings->_sortUsersInList);
 						foreach ($allUsers as $userObj) {
 							if (!$userObj->isGuest() && ($folder->getAccessMode($userObj) >= M_READ) && !in_array($userObj->getID(), $userNotifyIDs))
 								print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";

out/out.GroupMgr.php

@@ -29,7 +29,7 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
-$allUsers = $dms->getAllUsers();
+$allUsers = $dms->getAllUsers($settings->_sortUsersInList);
 
 if (is_bool($allUsers)) {
 	UI::exitError(getMLText("admin_tools"),getMLText("internal_error"));
@@ -126,7 +126,8 @@ UI::contentContainerStart();
 
 	<td id="keywords0" style="display : none;">
 	
-	<form action="../op/op.GroupMgr.php" name="form0_1" onsubmit="return checkForm1('0');">
+	<form action="../op/op.GroupMgr.php" name="form0_1" method="post" onsubmit="return checkForm1('0');">
+  <?php echo createHiddenFieldWithKey('addgroup'); ?>
 	<input type="Hidden" name="action" value="addgroup">
 	<table>
 		<tr>
@@ -161,7 +162,8 @@ UI::contentContainerStart();
 	<?php	UI::contentSubHeading(getMLText("edit_group"));?>
 		
 	
-	<form action="../op/op.GroupMgr.php" name="form<?php print $group->getID();?>_1" onsubmit="return checkForm1('<?php print $group->getID();?>');">
+	<form action="../op/op.GroupMgr.php" name="form<?php print $group->getID();?>_1" method="post" onsubmit="return checkForm1('<?php print $group->getID();?>');">
+	<?php echo createHiddenFieldWithKey('editgroup'); ?>
 	<input type="Hidden" name="groupid" value="<?php print $group->getID();?>">
 	<input type="Hidden" name="action" value="editgroup">
 	<table>
@@ -195,8 +197,8 @@ UI::contentContainerStart();
 					print "<td>" . htmlspecialchars($member->getFullName()) . "</td>";
 					print "<td>" . ($group->isMember($member,true)?getMLText("manager"):"&nbsp;") . "</td>";
 					print "<td align=\"right\"><ul class=\"actions\">";
-					print "<li><a href=\"../op/op.GroupMgr.php?groupid=". $group->getID() . "&userid=".$member->getID()."&action=rmmember\">".getMLText("delete")."</a>";
-					print "<li><a href=\"../op/op.GroupMgr.php?groupid=". $group->getID() . "&userid=".$member->getID()."&action=tmanager\">".getMLText("toggle_manager")."</a>";
+					print "<li><form action=\"../op/op.GroupMgr.php\" method=\"post\"><input type=\"hidden\" name=\"action\" value=\"rmmember\" /><input type=\"hidden\" name=\"groupid\" value=\"".$group->getID()."\" /><input type=\"hidden\" name=\"userid\" value=\"".$member->getID()."\" />".createHiddenFieldWithKey('rmmember')."<input type=\"submit\" value=\"".getMLText("delete")."\" /></form>";
+					print "<li><form action=\"../op/op.GroupMgr.php\" method=\"post\"><input type=\"hidden\" name=\"groupid\" value=\"".$group->getID()."\" /><input type=\"hidden\" name=\"action\" value=\"tmanager\" /><input type=\"hidden\" name=\"userid\" value=\"".$member->getID()."\" />".createHiddenFieldWithKey('tmanager')."<input type=\"submit\" value=\"".getMLText("toggle_manager")."\" /></form>";
 					print "</td></tr>";
 				}
 			}
@@ -210,7 +212,8 @@ UI::contentContainerStart();
 		
 		?>
 		
-		<form action="../op/op.GroupMgr.php" method=POST name="form<?php print $group->getID();?>_2" onsubmit="return checkForm2('<?php print $group->getID();?>');">
+		<form action="../op/op.GroupMgr.php" method="POST" name="form<?php print $group->getID();?>_2" onsubmit="return checkForm2('<?php print $group->getID();?>');">
+		<?php echo createHiddenFieldWithKey('addmember'); ?>
 		<input type="Hidden" name="action" value="addmember">
 		<input type="Hidden" name="groupid" value="<?php print $group->getID();?>">
 		<table width="100%">

out/out.RemoveArchive.php

@@ -41,6 +41,7 @@ UI::contentContainerStart();
 ?>
 <form action="../op/op.RemoveArchive.php" name="form1" method="POST">
 	<input type="Hidden" name="arkname" value="<?php echo sanitizeString($arkname); ?>">
+  <?php echo createHiddenFieldWithKey('removearchive'); ?>
 	<p><?php printMLText("confirm_rm_backup", array ("arkname" => sanitizeString($arkname)));?></p>
 	<input type="Submit" value="<?php printMLText("backup_remove");?>">
 </form>

out/out.RemoveDocument.php

@@ -51,6 +51,7 @@ UI::contentContainerStart();
 ?>
 <form action="../op/op.RemoveDocument.php" name="form1" method="POST">
 <input type="Hidden" name="documentid" value="<?php print $documentid;?>">
+<?php echo createHiddenFieldWithKey('removedocument'); ?>
 <p>
 <?php printMLText("confirm_rm_document", array ("documentname" => htmlspecialchars($document->getName())));?>
 </p>

out/out.RemoveDocumentFile.php

@@ -61,6 +61,7 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveDocumentFile.php" name="form1" method="POST">
+  <?php echo createHiddenFieldWithKey('removedocumentfile'); ?>
 	<input type="Hidden" name="documentid" value="<?php echo $documentid?>">
 	<input type="Hidden" name="fileid" value="<?php echo $fileid?>">
 	<p><?php printMLText("confirm_rm_file", array ("documentname" => $document->getName(), "name" => htmlspecialchars($file->getName())));?></p>

out/out.RemoveDump.php

@@ -41,6 +41,7 @@ UI::contentContainerStart();
 ?>
 <form action="../op/op.RemoveDump.php" name="form1" method="POST">
 	<input type="Hidden" name="dumpname" value="<?php echo sanitizeString($dumpname); ?>">
+  <?php echo createHiddenFieldWithKey('removedump'); ?>
 	<p><?php printMLText("confirm_rm_dump", array ("dumpname" => sanitizeString($dumpname)));?></p>
 	<input type="Submit" value="<?php printMLText("dump_remove");?>">
 </form>

out/out.RemoveEvent.php

@@ -45,6 +45,7 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveEvent.php" name="form1" method="POST">
+  <?php echo createHiddenFieldWithKey('removeevent'); ?>
 	<input type="Hidden" name="eventid" value="<?php echo intval($_GET["id"]); ?>">
 	<p><?php printMLText("confirm_rm_event", array ("name" => htmlspecialchars($event["name"])));?></p>
 	<input type="Submit" value="<?php printMLText("delete");?>">

out/out.RemoveFolder.php

@@ -52,9 +52,10 @@ UI::contentHeading(getMLText("rm_folder"));
 UI::contentContainerStart();
 
 ?>
-<form action="../op/op.RemoveFolder.php" name="form1">
+<form action="../op/op.RemoveFolder.php" method="post" name="form1">
 	<input type="Hidden" name="folderid" value="<?php print $folderid;?>">
 	<input type="Hidden" name="showtree" value="<?php echo showtree();?>">
+  <?php echo createHiddenFieldWithKey('removefolder'); ?>
 	<p>
 	<?php printMLText("confirm_rm_folder", array ("foldername" => htmlspecialchars($folder->getName())));?>
 	</p>

out/out.RemoveFolderFiles.php

@@ -46,6 +46,7 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveFolderFiles.php" name="form1" method="POST">
+  <?php echo createHiddenFieldWithKey('removefolderfiles'); ?>
 	<input type="Hidden" name="folderid" value="<?php echo $folderid?>">
 	<p><?php printMLText("confirm_rm_folder_files", array ("foldername" => htmlspecialchars($folder->getName())));?></p>
 	<input type="Submit" value="<?php printMLText("accept");?>">

out/out.RemoveGroup.php

@@ -48,6 +48,7 @@ UI::contentContainerStart();
 <form action="../op/op.GroupMgr.php" name="form1" method="POST">
 <input type="Hidden" name="groupid" value="<?php print $groupid;?>">
 <input type="Hidden" name="action" value="removegroup">
+<?php echo createHiddenFieldWithKey('removegroup'); ?>
 <p>
 <?php printMLText("confirm_rm_group", array ("groupname" => htmlspecialchars($currGroup->getName())));?>
 </p>

out/out.RemoveLog.php

@@ -40,6 +40,7 @@ UI::contentContainerStart();
 
 ?>
 <form action="../op/op.RemoveLog.php" name="form1" method="POST">
+  <?php echo createHiddenFieldWithKey('removelog'); ?>
 	<input type="Hidden" name="logname" value="<?php echo $logname?>">
 	<p><?php printMLText("confirm_rm_log", array ("logname" => $logname));?></p>
 	<input type="Submit" value="<?php printMLText("rm_file");?>">

out/out.RemoveUser.php

@@ -53,6 +53,7 @@ UI::contentContainerStart();
 <form action="../op/op.UsrMgr.php" name="form1" method="POST">
 <input type="Hidden" name="userid" value="<?php print $userid;?>">
 <input type="Hidden" name="action" value="removeuser">
+<?php echo createHiddenFieldWithKey('removeuser'); ?>
 <p>
 <?php printMLText("confirm_rm_user", array ("username" => htmlspecialchars($currUser->getFullName())));?>
 </p>
@@ -61,7 +62,7 @@ UI::contentContainerStart();
 <?php printMLText("assign_user_property_to"); ?> :
 <select name="assignTo">
 <?php
-	$users = $dms->getAllUsers();
+	$users = $dms->getAllUsers($settings->_sortUsersInList);
 	foreach ($users as $currUser) {
 		if ($currUser->isGuest() || ($currUser->getID() == $userid) )
 			continue;

out/out.SearchForm.php

@@ -139,12 +139,12 @@ foreach ($allCats as $catObj) {
 <select name="ownerid">
 <option value="-1"><?php printMLText("all_users");?>
 <?php
-$allUsers = $dms->getAllUsers();
+$allUsers = $dms->getAllUsers($settings->_sortUsersInList);
 foreach ($allUsers as $userObj)
 {
 	if ($userObj->isGuest())
 		continue;
-	print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";
+	print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getLogin()." - ".$userObj->getFullName()) . "\n";
 }
 ?>
 </select>
@@ -232,12 +232,12 @@ foreach ($allCats as $catObj) {
 <select name="ownerid">
 <option value="-1"><?php printMLText("all_users");?>
 <?php
-$allUsers = $dms->getAllUsers();
+$allUsers = $dms->getAllUsers($settings->_sortUsersInList);
 foreach ($allUsers as $userObj)
 {
 	if ($userObj->isGuest())
 		continue;
-	print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getFullName()) . "\n";
+	print "<option value=\"".$userObj->getID()."\">" . htmlspecialchars($userObj->getLogin()." - ".$userObj->getFullName()) . "\n";
 }
 ?>
 </select>

out/out.Settings.php

@@ -26,6 +26,10 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
+/* Set an encryption key if is not set */
+if(!trim($settings->_encryptionKey))
+	$settings->_encryptionKey = md5(uniqid());
+
 UI::htmlStartPage(getMLText("admin_tools"));
 UI::globalNavigation();
 UI::pageNavigation(getMLText("admin_tools"), "admin_tools");
@@ -306,6 +310,10 @@ if(!is_writeable($settings->_configFilePath)) {
         <td><?php printMLText("settings_loginFailure");?>:</td>
         <td><input name="loginFailure" value="<?php echo $settings->_loginFailure; ?>" size="2" /></td>
       </tr>
+      <tr title="<?php printMLText("settings_encryptionKey_desc");?>">
+        <td><?php printMLText("settings_encryptionKey");?>:</td>
+        <td><input name="encryptionKey" value="<?php echo $settings->_encryptionKey; ?>" size="32" /></td>
+      </tr>
 
       <!-- TODO Connectors -->
 

out/out.UserList.php

@@ -32,9 +32,8 @@ UI::pageNavigation(getMLText("admin_tools"), "admin_tools");
 UI::contentHeading(getMLText("user_list"));
 UI::contentContainerStart();
 
-$users = getAllUsers();
-for ($i = 0; $i < count($users); $i++) {
-	$currUser = $users[$i];
+$users = $dms->getAllUsers($settings->_sortUsersInList);
+foreach ($users as $currUser) {
 	if ($currUser->isGuest())
 		continue;
 

out/out.UsrMgr.php

@@ -118,6 +118,7 @@ UI::contentContainerStart();
 <td id="keywords0" style="display : none;">
 
 	<form action="../op/op.UsrMgr.php" method="post" enctype="multipart/form-data" name="form0" onsubmit="return checkForm('0');">
+  <?php echo createHiddenFieldWithKey('adduser'); ?>
 	<input type="Hidden" name="action" value="adduser">
 	<table>
 		<tr>
@@ -256,6 +257,7 @@ UI::contentContainerStart();
 	<?php	UI::contentSubHeading(getMLText("edit_user"));?>
 
 	<form action="../op/op.UsrMgr.php" method="post" enctype="multipart/form-data" name="form<?php print $currUser->getID();?>" onsubmit="return checkForm('<?php print $currUser->getID();?>');">
+	<?php echo createHiddenFieldWithKey('edituser'); ?>
 	<input type="Hidden" name="userid" value="<?php print $currUser->getID();?>">
 	<input type="Hidden" name="action" value="edituser">
 	<table>

out/out.ViewDocument.php

@@ -418,7 +418,7 @@ if (count($files) > 0) {
 	
 		print "<td><span class=\"actions\">";
 		if (($document->getAccessMode($user) == M_ALL)||($file->getUserID()==$user->getID()))
-			print "<a href=\"../out/out.RemoveDocumentFile.php?documentid=".$documentid."&fileid=".$file->getID()."\">".getMLText("delete")."</a>";
+			print "<form action=\"../out/out.RemoveDocumentFile.php\" method=\"get\"><input type=\"hidden\" name=\"documentid\" value=\"".$documentid."\" /><input type=\"hidden\" name=\"fileid\" value=\"".$file->getID()."\" /><input type=\"submit\" value=\"".getMLText("delete")."\" /></form>";
 		print "</span></td>";		
 		
 		print "</tr>";
@@ -463,7 +463,7 @@ if (count($links) > 0) {
 		print "</td>";
 		print "<td><span class=\"actions\">";
 		if (($user->getID() == $responsibleUser->getID()) || ($document->getAccessMode($user) == M_ALL ))
-			print "<a href=\"../op/op.RemoveDocumentLink.php?documentid=".$documentid."&linkid=".$link->getID()."\">".getMLText("delete")."</a>";
+			print "<form action=\"../op/op.RemoveDocumentLink.php\" method=\"post\">".createHiddenFieldWithKey('removedocumentlink')."<input type=\"hidden\" name=\"documentid\" value=\"".$documentid."\" /><input type=\"hidden\" name=\"linkid\" value=\"".$link->getID()."\" /><input type=\"submit\" value=\"".getMLText("delete")."\" /></form>";
 		print "</span></td>";
 		print "</tr>";
 	}

update/update.php

@@ -1,122 +0,0 @@
-<?php
-//    MyDMS. Document Management System
-//    Copyright (C) 2002-2005  Markus Westphal
-//    Copyright (C) 2006-2008 Malcolm Cowe
-//    Copyright (C) 2010 Matteo Lucarelli
-//
-//    This program is free software; you can redistribute it and/or modify
-//    it under the terms of the GNU General Public License as published by
-//    the Free Software Foundation; either version 2 of the License, or
-//    (at your option) any later version.
-//
-//    This program is distributed in the hope that it will be useful,
-//    but WITHOUT ANY WARRANTY; without even the implied warranty of
-//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//    GNU General Public License for more details.
-//
-//    You should have received a copy of the GNU General Public License
-//    along with this program; if not, write to the Free Software
-//    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
-include("../inc/inc.Settings.php");
-include("../inc/inc.AccessUtils.php");
-include("../inc/inc.ClassAccess.php");
-include("../inc/inc.ClassDocument.php");
-include("../inc/inc.ClassFolder.php");
-include("../inc/inc.ClassGroup.php");
-include("../inc/inc.ClassUser.php");
-include("../inc/inc.DBAccess.php");
-include("../inc/inc.FileUtils.php");
-include("../inc/inc.Authentication.php");
-
-print "<html></body>";
-
-if (!$user->isAdmin()) {
-	print "<b>ERROR: You must be administrator to execute the update</b>";
-	die;
-}
-
-function update_content()
-{
-
-	GLOBAL $db,$settings;
-	
-	// create temp folder
-	if (!makedir($settings->_contentDir."/temp")) return false;
-	
-	// for all contents
-	$queryStr = "SELECT * FROM tblDocumentContent";
-	$contents = $db->getResultArray($queryStr);
-	
-	if (is_bool($contents)&&!$contents) return false;
-	
-	for ($i=0;$i<count($contents);$i++){
-	
-		// create temp/documentID folder
-		if (!makedir($settings->_contentDir."/temp/".$contents[$i]["document"]) return false;
-		
-		// move every content in temp/documentID/version.fileType
-		$source = $settings->_contentDir."/".$settings->_contentOffsetDir."/".$i."/data".$contents[$i]["fileType"];
-		$target = $settings->_contentDir."/temp/".$contents[$i]["document"]."/".$contents[$i]["version"].$contents[$i]["fileType"];		
-		if (!copyFile($source, $target) return false;
-	}
-	
-	
-	// change directory
-	if (!renameDir($settings->_contentDir."/".$settings->_contentOffsetDir,$settings->_contentDir."/old") return false;
-	if (!renameDir($settings->_contentDir."/temp",$settings->_contentDir."/".$settings->_contentOffsetDir) return false;
-	
-	return true;
-}
-
-function update_db()
-{
-	GLOBAL $db,$settings;
-
-	// for all contents
-	$queryStr = "SELECT * FROM tblDocumentContent";
-	$contents = $db->getResultArray($queryStr);
-	
-	if (is_bool($contents)&&!$contents) return false;
-	
-	for ($i=0;$i<count($contents);$i++){
-	
-		$queryStr = "UPDATE tblDocumentContent set dir = ". $settings->_contentOffsetDir."/".$contents[$i]["document"]." WHERE id = ".$i;
-		if (!$db->getResult($queryStr)) return false;
-	
-	}
-
-	// run the update-2.0.sql
-	$fd = fopen ("update.sql", "r");
-	
-	if (is_bool($fd)&&!$fd) return false;
-	
-	$queryStr = fread($fd, filesize("update.sql"));
-	
-	if (is_bool($queryStr)&&!$queryStr) return false;
-	
-	fclose ($fd);
-	if (!$db->getResult($queryStr)) return false;
-	
-	return true;
-}
-
-
-print "<b>Updating ...please wait</b><br>";
-
-
-if (!update_content()) {
-	print "<b>ERROR: An error occurred during the directory reordering</b>";
-	die;
-}
-
-if (!update_db()) {
-	print "<b>ERROR: An error occurred during the DB update</b>";
-	die;
-}
-
-print "<b>Update done</b><br>";
-
-
print "</body></html>";
-
-?>

update/update.sql

@@ -1,33 +0,0 @@
--- mysql -uroot -ppassword mydms < update-2.0.sql
-
-
--- --------------------------------------------------------
-
--- 
--- New table for document-related files
--- 
-
-CREATE TABLE `tblDocumentFiles` (
-  `id` int(11) NOT NULL auto_increment,
-  `document` int(11) NOT NULL default '0',
-  `userID` int(11) NOT NULL default '0',
-  `comment` text,
-  `name` varchar(150) default NULL,
-  `date` int(12) default NULL,
-  `dir` varchar(255) NOT NULL default '',
-  `orgFileName` varchar(150) NOT NULL default '',
-  `fileType` varchar(10) NOT NULL default '',
-  `mimeType` varchar(70) NOT NULL default '',  
-  PRIMARY KEY  (`id`)
-) ;
-
--- --------------------------------------------------------
-
--- 
--- Not longer required by new filesystem structure
--- 
-
-DROP TABLE `tblDirPath`;
-DROP TABLE `tblPathList`;
-
-