
! Now is really AJAX! :P Including error handling for token and session verification failures

emanuele 13 years ago
parent
commit
bdf457fde0

+ 15 - 1
Sources/ManageSettings.php

@@ -342,6 +342,15 @@ function ModifyCoreFeatures($return_config = false)
 	if (isset($_POST['save']))
 	{
 		checkSession();
+
+	if (isset($_GET['xml']))
+	{
+		$tokenValidation = validateToken('admin-core', 'post', false);
+
+		if (empty($tokenValidation))
+			return 'token_verify_fail';
+	}
+	else
 		validateToken('admin-core');
 
 		$setting_changes = array('admin_features' => array());
@@ -389,7 +398,8 @@ function ModifyCoreFeatures($return_config = false)
 				$feature['save_callback'](!empty($_POST['feature_' . $id]));
 		}
 
-		redirectexit('action=admin;area=corefeatures;' . $context['session_var'] . '=' . $context['session_id']);
+		if (!isset($_REQUEST['xml']))
+			redirectexit('action=admin;area=corefeatures;' . $context['session_var'] . '=' . $context['session_id']);
 	}
 
 	// Put them in context.
@@ -410,6 +420,10 @@ function ModifyCoreFeatures($return_config = false)
 	if ($context['is_new_install'])
 		updateSettings(array('admin_features' => ''));
 
+	// sub_template is already generic_xml and the token is created somewhere else
+	if (isset($_REQUEST['xml']))
+		return;
+
 	$context['sub_template'] = 'core_features';
 	$context['page_title'] = $txt['core_settings_title'];
 
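Review bot: The XML branch at L18 keys on `$_GET['xml']` while the redirect guard at L34 and the early return at L44 key on `$_REQUEST['xml']`, so a request carrying `xml` only in the POST body skips the redirect and the template setup yet still takes the fatal `validateToken('admin-core')` path; use one superglobal in all three places (the JS in this commit puts the flag in the query string, so `$_GET`), or better pass the mode in explicitly. The same split appears in Security.php at L59, which also reads `$_GET`. The new `if`/`else` at L18-L25 is indented one level shallower than the enclosing `if (isset($_POST['save']))` block it sits in, which reads as if it were outside it. The early `return;` at L44-L45 relies, per its own comment, on the caller having already selected `generic_xml`; on the ordinary admin route with the flag appended that assumption does not hold, so the page would presumably render with no sub-template chosen. `ModifyCoreFeatures` starts and ends outside the hunks.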

+ 4 - 1
Sources/Security.php

@@ -83,7 +83,10 @@ function validateSession($type = 'admin')
 	}
 
 	// Need to type in a password for that, man.
-	adminLogin($type);
+	if (!isset($_GET['xml']))
+		adminLogin($type);
+	else
+		return 'session_verify_fail';
 }
 
 /**
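Review bot: `validateSession` now returns `'session_verify_fail'` instead of reaching `adminLogin()` whenever the query string carries `xml`, and it does so for every caller, not just `EnableCoreFeatures`; any caller that discards the return value (the function had no meaningful return before this change) continues past a failed session check as if it had passed whenever that flag is present. The fail-closed behaviour should not hinge on a request parameter: make the non-fatal mode an explicit opt-in with the default unchanged, e.g. `function validateSession($type = 'admin', $fatal = true)` and `if ($fatal) adminLogin($type); else return 'session_verify_fail';`, passing `false` only from `EnableCoreFeatures`. Whether `adminLogin()` ends the request is outside the hunk; if it does, the old code never returned from here at all, which makes the new return path a behaviour change worth a docblock `@return` line. The enclosing function starts above the hunk.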

+ 90 - 0
Sources/Xml.php

@@ -28,6 +28,9 @@ function XMLhttpMain()
 		'messageicons' => array(
 			'function' => 'ListMessageIcons',
 		),
+		'corefeatures' => array(
+			'function' => 'EnableCoreFeatures',
+		),
 	);
 	if (!isset($_REQUEST['sa'], $sub_actions[$_REQUEST['sa']]))
 		fatal_lang_error('no_access', false);
@@ -71,4 +74,91 @@ function ListMessageIcons()
 	$context['sub_template'] = 'message_icons';
 }
 
+function EnableCoreFeatures()
+{
+	global $context, $smcFunc, $sourcedir, $modSettings, $txt;
+
+	$context['xml_data'] = array();
+	// Just in case, maybe we don't need it
+	loadLanguage('Errors');
+
+	$errors = array();
+	$returns = array();
+	$tokens = array();
+	if (allowedTo('admin_forum'))
+	{
+		$validation = validateSession();
+		if (empty($validation))
+		{
+			require_once($sourcedir . '/ManageSettings.php');
+			$result = ModifyCoreFeatures();
+
+			if (empty($result))
+			{
+				$id = isset($_POST['feature_id']) ? $_POST['feature_id'] : '';
+
+				if (!empty($id) && isset($context['features'][$id]))
+				{
+					$feature = $context['features'][$id];
+
+					$returns[] = array(
+						'value' => (!empty($_POST['feature_' . $id]) && $feature['url'] ? '<a href="' . $feature['url'] . '">' . $feature['title'] . '</a>' : $feature['title']),
+					);
+
+					createToken('admin-core', 'post');
+					$tokens = array(
+						array(
+							'value' => $context['admin-core_token'],
+							'attributes' => array('type' => 'token_var'),
+						),
+						array(
+							'value' => $context['admin-core_token_var'],
+							'attributes' => array('type' => 'token'),
+						),
+					);
+				}
+				else
+				{
+					$errors[] = array(
+						'value' => $txt['feature_no_exists'],
+					);
+				}
+			}
+			else
+			{
+				$errors[] = array(
+					'value' => $txt[$result],
+				);
+			}
+		}
+		else
+		{
+			$errors[] = array(
+				'value' => $txt[$validation],
+			);
+		}
+	}
+	else
+	{
+		$errors[] = array(
+			'value' => $txt['cannot_admin_forum']
+		);
+	}
+
+	$context['sub_template'] = 'generic_xml';
+	$context['xml_data'] = array (
+		'corefeatures' => array (
+			'identifier' => 'corefeature',
+			'children' => $returns,
+		),
+		'tokens' => array (
+			'identifier' => 'token',
+			'children' => $tokens,
+		),
+		'errors' => array (
+			'identifier' => 'error',
+			'children' => $errors,
+		),
+	);
+}
 ?>
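Review bot: `EnableCoreFeatures` gets error strings back only because `validateSession()` and `ModifyCoreFeatures()` sniff `$_GET['xml']`/`$_REQUEST['xml']` themselves; this function neither checks nor sets that flag, so the `$txt[$validation]` and `$txt[$result]` branches at L136-L146 are reachable only on requests that happen to carry it, and a call to `sa=corefeatures` without it presumably ends in the callees' fatal or redirect paths with no XML written. Consider making the mode explicit from here (an argument to both callees) rather than inspecting the URL in three files. `$smcFunc` and `$modSettings` in the `global` line at L86 are unused, and the `$context['xml_data'] = array();` at L88 is overwritten at L156. The `type` attributes at L119 and L123 are inverted relative to the context keys they carry (`admin-core_token` is labelled `token_var`, `admin-core_token_var` is labelled `token`); the template's JS reads them the same way so it works, but naming them after what they hold would save the next reader a round trip.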

+ 13 - 26
Themes/default/Admin.template.php

@@ -1322,7 +1322,8 @@ function template_core_features()
 				var imgs = new Array("', $settings['images_url'], '/admin/switch_off.png", "', $settings['images_url'], '/admin/switch_on.png");
 				var new_state = !$("#feature_" + cf).attr("checked");
 				$("#feature_" + cf).attr("checked", new_state);
-				data = {save: "save"};
+
+				data = {save: "save", feature_id: cf};
 				data[$("#core_features_session").attr("name")] = $("#core_features_session").attr("value");
 				data[token_name] = token_value;
 				$(".core_features_status_box").each(function(){
@@ -1332,42 +1333,28 @@ function template_core_features()
 				// Launch AJAX request.
 				$.ajax({
 					// The link we are accessing.
-					url: $("#core_features").attr("action"),
+					url: "', $scripturl, '?action=xmlhttp;sa=corefeatures;xml",
 					// The type of request.
 					type: "post",
 					// The type of data that is getting returned.
-					dataType: "html",
 					data: data,
-					error: function(){
-						alert("Activation error");
+					error: function(error){
+							$("#activation_errors").html(error).slideDown(\'fast\');
 					},
 
-					success: function(strData){
-						// Session verification faile
-						// Token verification failed
-						// Admin session closed
-						if ($(strData).find("#feature_link_" + cf).length == 0)
+					success: function(request){
+						if ($(request).find("errors").find("error").length != 0)
 						{
-							// @todo token verification fails
-							if ($(strData).find("#frmLogin").length != 0)
-								$(document).find("#core_features").submit();
-							else
-							{
-								if ($(strData).find("#token_verify_fail").length != 0 || $(strData).find("#session_timeout").length != 0 || $(strData).find("#session_timeout").length != 0)
-									$(".errorbox").html($(strData).find("#token_verify_fail").html());
-								else
-									$(".errorbox").html(\'', $txt['error_occurred'], '\');
-								$(".errorbox").slideDown();
-							}
+							$("#activation_errors").html($(request).find("errors").find("error").text()).slideDown(\'fast\');
 						}
 						else
 						{
-							$("#feature_link_" + cf).html($(strData).find("#feature_link_" + cf).html());
+							$("#feature_link_" + cf).html($(request).find("corefeatures").find("corefeature").text());
 							cc.attr("src", imgs[new_state ? 1 : 0]);
 							$("#feature_link_" + cf).fadeOut().fadeIn();
 
-							token_name = $(strData).find("#core_features_token").attr("name");
-							token_value = $(strData).find("#core_features_token").attr("value");
+							token_name = $(request).find("tokens").find(\'[type="token"]\').text();
+							token_value = $(request).find("tokens").find(\'[type="token_var"]\').text();
 						}
 					}
 				});
@@ -1389,13 +1376,13 @@ function template_core_features()
 	}
 
 	echo '
-		<form id="core_features" action="', $scripturl, '?action=admin;area=corefeatures;" method="post" accept-charset="', $context['character_set'], '">
+		<form id="core_features" action="', $scripturl, '?action=admin;area=corefeatures" method="post" accept-charset="', $context['character_set'], '">
 			<div class="cat_bar">
 				<h3 class="catbg">
 					', $txt['core_settings_title'], '
 				</h3>
 			</div>
-			<div style="display:none" class="errorbox"></div>';
+			<div style="display:none" id="activation_errors" class="errorbox"></div>';
 
 	$alternate = true;
 	foreach ($context['features'] as $id => $feature)
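Review bot: The checkbox state is flipped at L178-L179 before the request is sent, but neither the `error` callback at L199-L201 nor the `errors` branch at L209-L223 restores it, so after a rejected save the UI shows the feature toggled while the server kept the old value; add `$("#feature_" + cf).attr("checked", !new_state);` to both paths. The `error` callback also treats its first argument as markup: jQuery passes the jqXHR object there, so `.html(error)` never shows a message — use `error: function(xhr, status, thrown){` and `$("#activation_errors").text(thrown || status).slideDown('fast');`. The old `#frmLogin` handling that re-submitted the real form on a closed admin session is dropped; with `session_verify_fail` now arriving as plain error text the admin has no route back to the login prompt from this page, which may be intended but deserves a comment at L209. `template_core_features` starts and ends outside the hunks.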

+ 1 - 0
Themes/default/languages/Errors.english.php

@@ -34,6 +34,7 @@ $txt['not_enough_posts_karma'] = 'Sorry, you don\'t have enough posts to modify
 $txt['cant_change_own_karma'] = 'Sorry, you are not permitted to modify your own karma.';
 $txt['karma_wait_time'] = 'Sorry, you can\'t repeat a karma action without waiting %1$s %2$s.';
 $txt['feature_disabled'] = 'Sorry, this feature is disabled.';
+$txt['feature_no_exists'] = 'Sorry, this feature doesn\'t exists.';
 $txt['cant_access_upload_path'] = 'Cannot access attachments upload path!';
 $txt['file_too_big'] = 'Your file is too large. The maximum attachment size allowed is %1$d KB.';
 $txt['attach_timeout'] = 'Your attachment couldn\'t be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.<br /><br />Please consult your server administrator for more information.';
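Review bot: The new string at L262 has a grammar slip, `doesn't exists`; it should read `$txt['feature_no_exists'] = 'Sorry, this feature doesn\'t exist.';`. Since this is the English source file the other languages are derived from, it is worth fixing before it propagates.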