From: garvinhicking <garvinhicking>
Date: Thu, 26 Oct 2006 09:41:10 +0000 (+0000)
Subject: Admin-based comment response, CSRF-protection for comment form in antispam plugin
X-Git-Tag: 1.1~63
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=5cf2c0dac4b417574f3a444012ad94916d5bc6ea;p=s9y.git

Admin-based comment response, CSRF-protection for comment form in antispam plugin
---

diff --git a/docs/NEWS b/docs/NEWS
index 23d5fe6..e64f1bf 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,14 @@
 Version 1.1 ()
 ------------------------------------------------------------------------
 
+    * Added functionality to reply to comments in the admin interface
+      (garvinhicking)
+
+    * Enhance spamblock plugin with session hash check, to prevent
+      automatted comment posting. Also prevents possible CSRF for
+      tricking you into submitting comments to your own blog. Thanks
+      to Stefan Esser! (garvinhicking)
+
     * Support to delete multiple entries at once via checkboxes in the
       entry admin panel, fix admin entry pagination to not show
       next pages, if that next page were empty. (garvinhicking)
diff --git a/include/admin/comments.inc.php b/include/admin/comments.inc.php
index ef0e43d..44f10cc 100644
--- a/include/admin/comments.inc.php
+++ b/include/admin/comments.inc.php
@@ -13,7 +13,7 @@ if (!serendipity_checkPermission('adminComments')) {
 $commentsPerPage = (int)(!empty($serendipity['GET']['filter']['perpage']) ? $serendipity['GET']['filter']['perpage'] : 10);
 $summaryLength = 200;
 
-if ( $serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 && serendipity_checkFormToken()) {
+if ($serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity['POST']['delete']) != 0 && serendipity_checkFormToken()) {
     foreach ( $serendipity['POST']['delete'] as $k => $v ) {
         serendipity_deleteComment($k, $v);
         echo DONE . ': '. sprintf(COMMENT_DELETED, $k) . '<br />';
@@ -22,7 +22,7 @@ if ( $serendipity['POST']['formAction'] == 'multiDelete' && sizeof($serendipity[
 
 
 /* We are asked to save the edited comment, and we are not in preview mode */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'doEdit' && !isset($serendipity['POST']['preview']) && serendipity_checkFormToken()) {
+if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'doEdit' && !isset($serendipity['POST']['preview']) && serendipity_checkFormToken()) {
     $sql = "UPDATE {$serendipity['dbPrefix']}comments
                     SET
                         author    = '" . serendipity_db_escape_string($serendipity['POST']['name'])    . "',
@@ -36,9 +36,32 @@ if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActi
     echo COMMENT_EDITED;
 }
 
+/* Submit a new comment */
+if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'doReply' && !isset($serendipity['POST']['preview']) && serendipity_checkFormToken()) {
+    $comment = array();
+    $comment['url']       = $serendipity['POST']['url'];
+    $comment['comment']   = trim($serendipity['POST']['comment']);
+    $comment['name']      = $serendipity['POST']['name'];
+    $comment['email']     = $serendipity['POST']['email'];
+    $comment['subscribe'] = $serendipity['POST']['subscribe'];
+    $comment['parent_id'] = $serendipity['POST']['replyTo'];
+    if (!empty($comment['comment'])) {
+        if (serendipity_saveComment($serendipity['POST']['entry_id'], $comment, 'NORMAL')) {
+            echo '<script type="text/javascript">alert("' . COMMENT_ADDED . '"); parent.focus(); this.close();</script>';
+            echo '<noscript>' . COMMENT_ADDED . '</noscript>';
+            return true;
+        } else {
+            echo COMMENT_NOT_ADDED;
+            $serendipity['GET']['adminAction'] = 'reply';
+        }
+    } else {
+        echo COMMENT_NOT_ADDED;
+        $serendipity['GET']['adminAction'] = 'reply';
+    }
+}
 
 /* We approve a comment */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'approve' && serendipity_checkFormToken()) {
+if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'approve' && serendipity_checkFormToken()) {
     $sql = "SELECT c.*, e.title, a.email as authoremail, a.mail_comments
             FROM {$serendipity['dbPrefix']}comments c
             LEFT JOIN {$serendipity['dbPrefix']}entries e ON (e.id = c.entry_id)
@@ -47,58 +70,89 @@ if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminActi
     $rs  = serendipity_db_query($sql, true);
 
     if ($rs === false) {
-        echo ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, $serendipity['GET']['id']);
+        echo ERROR .': '. sprintf(COMMENT_ALREADY_APPROVED, (int)$serendipity['GET']['id']);
     } else {
         serendipity_approveComment($serendipity['GET']['id'], $rs['entry_id']);
-        echo DONE . ': '. sprintf(COMMENT_APPROVED, $serendipity['GET']['id']);
+        echo DONE . ': '. sprintf(COMMENT_APPROVED, (int)$serendipity['GET']['id']);
     }
 }
 
 /* We are asked to delete a comment */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'delete' && serendipity_checkFormToken()) {
+if (isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'delete' && serendipity_checkFormToken()) {
     serendipity_deleteComment($serendipity['GET']['id'], $serendipity['GET']['entry_id']);
-    echo DONE . ': '. sprintf(COMMENT_DELETED, $serendipity['GET']['id']);
+    echo DONE . ': '. sprintf(COMMENT_DELETED, (int)$serendipity['GET']['id']);
 }
 
 /* We are either in edit mode, or preview mode */
-if ( isset($serendipity['GET']['adminAction']) && $serendipity['GET']['adminAction'] == 'edit' || isset($serendipity['POST']['preview'])) {
+if (isset($serendipity['GET']['adminAction']) && ($serendipity['GET']['adminAction'] == 'edit' || $serendipity['GET']['adminAction'] == 'reply') || isset($serendipity['POST']['preview'])) {
 
     $serendipity['smarty_raw_mode'] = true; // Force output of Smarty stuff in the backend
     serendipity_smarty_init();
 
-    /* If we are not in preview, we need data from our database */
-    if (!isset($serendipity['POST']['preview']) ) {
-        $comment = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}comments WHERE id = ". (int)$serendipity['GET']['id']);
-        $data['name']       = $comment[0]['author'];
-        $data['email']      = $comment[0]['email'];
-        $data['url']        = $comment[0]['url'];
-        $data['replyTo']    = $comment[0]['parent_id'];
-        $data['comment']    = $comment[0]['body'];
-
-    /* If we are in preview, we get data from our form */
-    } elseif ( isset($serendipity['POST']['preview']) ) {
-        $data['name']       = $serendipity['POST']['name'];
-        $data['email']      = $serendipity['POST']['email'];
-        $data['url']        = $serendipity['POST']['url'];
-        $data['replyTo']    = $serendipity['POST']['replyTo'];
-        $data['comment']    = $serendipity['POST']['comment'];
-        $pc_data = array(
-                array(
-                  'email'     => $serendipity['POST']['email'],
-                  'author'    => $serendipity['POST']['name'],
-                  'body'      => $serendipity['POST']['comment'],
-                  'url'       => $serendipity['POST']['url'],
-                  'timestamp' => time()
-                )
-              );
-
-        serendipity_printComments($pc_data);
+    if ($serendipity['GET']['adminAction'] == 'reply' || $serendipity['GET']['adminAction'] == 'doReply') {
+        $c          = serendipity_fetchComments($serendipity['GET']['entry_id'], 1, 'co.id', false, 'NORMAL', ' AND co.id=' . (int)$serendipity['GET']['id']);
+
+        if (isset($serendipity['POST']['preview'])) {
+            $c[] = array(
+                      'email'     => $serendipity['POST']['email'],
+                      'author'    => $serendipity['POST']['name'],
+                      'body'      => $serendipity['POST']['comment'],
+                      'url'       => $serendipity['POST']['url'],
+                      'timestamp' => time(),
+                      'parent_id' => $serendipity['GET']['id']
+            );
+        }
+        
+        $target_url = '?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=doReply&amp;serendipity[id]=' . (int)$serendipity['GET']['id'] . '&amp;serendipity[entry_id]=' . (int)$serendipity['GET']['entry_id'] . '&amp;serendipity[noBanner]=true&amp;serendipity[noSidebar]=true&amp;' . serendipity_setFormToken('url');
+        $data       = $serendipity['POST'];
+        $data['replyTo'] = (int)$serendipity['GET']['id'];
+        $out        = serendipity_printComments($c);
         $serendipity['smarty']->display(serendipity_getTemplateFile('comments.tpl', 'serendipityPath'));
+        
+        if (!isset($data['name'])) {
+            $data['name']  = $serendipity['serendipityRealname'];
+        }
+
+        if (!isset($data['email'])) {
+            $data['email']  = $serendipity['serendipityEmail'];
+        }
+    } else {
+        $target_url = '?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=doEdit&amp;serendipity[id]=' . (int)$serendipity['GET']['id'] . '&amp;serendipity[entry_id]=' . (int)$serendipity['GET']['entry_id'] . '&amp;' . serendipity_setFormToken('url');
+
+        /* If we are not in preview, we need data from our database */
+        if (!isset($serendipity['POST']['preview'])) {
+            $comment = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}comments WHERE id = ". (int)$serendipity['GET']['id']);
+            $data['name']       = $comment[0]['author'];
+            $data['email']      = $comment[0]['email'];
+            $data['url']        = $comment[0]['url'];
+            $data['replyTo']    = $comment[0]['parent_id'];
+            $data['comment']    = $comment[0]['body'];
+    
+        /* If we are in preview, we get data from our form */
+        } elseif (isset($serendipity['POST']['preview'])) {
+            $data['name']       = $serendipity['POST']['name'];
+            $data['email']      = $serendipity['POST']['email'];
+            $data['url']        = $serendipity['POST']['url'];
+            $data['replyTo']    = $serendipity['POST']['replyTo'];
+            $data['comment']    = $serendipity['POST']['comment'];
+            $pc_data = array(
+                    array(
+                      'email'     => $serendipity['POST']['email'],
+                      'author'    => $serendipity['POST']['name'],
+                      'body'      => $serendipity['POST']['comment'],
+                      'url'       => $serendipity['POST']['url'],
+                      'timestamp' => time()
+                    )
+                  );
+    
+            serendipity_printComments($pc_data);
+            $serendipity['smarty']->display(serendipity_getTemplateFile('comments.tpl', 'serendipityPath'));
+        }
     }
 
     serendipity_displayCommentForm(
       $serendipity['GET']['entry_id'],
-      '?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=doEdit&amp;serendipity[id]=' . $serendipity['GET']['id'] . '&amp;serendipity[entry_id]=' . $serendipity['GET']['entry_id'] . '&amp;' . serendipity_setFormToken('url'),
+      $target_url,
       NULL,
       $data,
       false,
@@ -407,6 +461,7 @@ foreach ($sql as $rs) {
           <a target="_blank" href="<?php echo $entrylink; ?>" title="<?php echo VIEW; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/zoom.png'); ?>" alt="<?php echo VIEW; ?>" /><?php echo VIEW ?></a>
           <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=edit&amp;serendipity[id]=<?php echo $comment['id'] ?>&amp;serendipity[entry_id]=<?php echo $comment['entry_id'] ?>&amp;<?php echo serendipity_setFormToken('url'); ?>" title="<?php echo EDIT; ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/edit.png'); ?>" alt="<?php echo EDIT; ?>" /><?php echo EDIT ?></a>
           <a href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=delete&amp;serendipity[id]=<?php echo $comment['id'] ?>&amp;serendipity[entry_id]=<?php echo $comment['entry_id'] ?>&amp;<?php echo serendipity_setFormToken('url'); ?>" onclick='return confirm("<?php echo sprintf(COMMENT_DELETE_CONFIRM, $comment['id'], htmlspecialchars($comment['author'])) ?>")' title="<?php echo DELETE ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/delete.png'); ?>" alt="<?php echo DELETE; ?>" /><?php echo DELETE ?></a>
+          <a target="_blank" onclick="cf = window.open(this.href, 'CommentForm', 'width=800,height=600,toolbar=no,scrollbars=1,scrollbars,resize=1,resizable=1'); cf.focus(); return false;" href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=reply&amp;serendipity[id]=<?php echo $comment['id'] ?>&amp;serendipity[entry_id]=<?php echo $comment['entry_id'] ?>&amp;serendipity[noBanner]=true&amp;serendipity[noSidebar]=true&amp;<?php echo serendipity_setFormToken('url'); ?>" title="<?php echo REPLY ?>" class="serendipityIconLink"><img src="<?php echo serendipity_getTemplateFile('admin/img/user_editor.png'); ?>" alt="<?php echo REPLY; ?>" /><?php echo REPLY ?></a>
           <?php echo $comment['action_more']; ?>
     </td>
 </tr>
diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php
index d58c860..f8ec76d 100644
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
@@ -1786,7 +1786,7 @@ function serendipity_reportXSRF($type = 0, $reset = true, $use_config = false) {
  * @see serendipity_setFormToken()
  * @return  boolean     Returns true, if XSRF attempt was found and the token was missing
  */
-function serendipity_checkFormToken() {
+function serendipity_checkFormToken($output = true) {
     global $serendipity;
 
     $token = '';
@@ -1797,13 +1797,13 @@ function serendipity_checkFormToken() {
     }
 
     if (empty($token)) {
-        echo serendipity_reportXSRF('token', false);
+        if ($output) echo serendipity_reportXSRF('token', false);
         return false;
     }
 
     if ($token != md5(session_id()) &&
         $token != md5($serendipity['COOKIE']['old_session'])) {
-        echo serendipity_reportXSRF('token', false);
+        if ($output) echo serendipity_reportXSRF('token', false);
         return false;
     }
 
diff --git a/plugins/serendipity_event_spamblock/UTF-8/lang_de.inc.php b/plugins/serendipity_event_spamblock/UTF-8/lang_de.inc.php
index 1877340..eefd209 100644
--- a/plugins/serendipity_event_spamblock/UTF-8/lang_de.inc.php
+++ b/plugins/serendipity_event_spamblock/UTF-8/lang_de.inc.php
@@ -99,3 +99,7 @@
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_TREAT', 'Was soll mit auto-moderierten Trackbacks passieren?');
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT', 'Trackbackmoderation nach wievielen Tagen erzwingen');
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_DESC', 'Alle Trackbacks zu einem Artikel können abhängig vom Alter des Artikels automatisch moderiert werden. Tragen Sie hier das Minimalalter eines Artikels in Tagen ein, ab dem jedes Trackback erst nach Ihrer Moderation dargestellt wird. 0 bedeutet, dass keine automatische Moderation erzeugt wird.');
+
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF', 'CSRF-Schutz aktivieren?');
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF_DESC', 'Falls aktiviert, wird ein spezieller Hash-Wert sicherstellen, dass nur Benutzer Kommentare hinterlassen dürfen , die eine gültige Session-ID haben. Dies wird Spam etwas eindämmen und es unmöglich machen, dass Sie ungewollt Kommentare via CSRF-Angriffen hinterlassen, aber es wird auch dazu führen dass nur Benutzer mit aktivierten Cookies kommentieren können.');
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF_REASON', 'Ihr Kommentar enthielt keinen gültigen Session-Hash. Kommentare auf diesem Blog können nur mit aktivierten Cookies hinterlassen werden!');
\ No newline at end of file
diff --git a/plugins/serendipity_event_spamblock/lang_de.inc.php b/plugins/serendipity_event_spamblock/lang_de.inc.php
index ebeb782..05a3aed 100644
--- a/plugins/serendipity_event_spamblock/lang_de.inc.php
+++ b/plugins/serendipity_event_spamblock/lang_de.inc.php
@@ -100,3 +100,8 @@
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_TREAT', 'Was soll mit auto-moderierten Trackbacks passieren?');
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT', 'Trackbackmoderation nach wievielen Tagen erzwingen');
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_DESC', 'Alle Trackbacks zu einem Artikel können abhängig vom Alter des Artikels automatisch moderiert werden. Tragen Sie hier das Minimalalter eines Artikels in Tagen ein, ab dem jedes Trackback erst nach Ihrer Moderation dargestellt wird. 0 bedeutet, dass keine automatische Moderation erzeugt wird.');
+
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF', 'CSRF-Schutz aktivieren?');
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF_DESC', 'Falls aktiviert, wird ein spezieller Hash-Wert sicherstellen, dass nur Benutzer Kommentare hinterlassen dürfen , die eine gültige Session-ID haben. Dies wird Spam etwas eindämmen und es unmöglich machen, dass Sie ungewollt Kommentare via CSRF-Angriffen hinterlassen, aber es wird auch dazu führen dass nur Benutzer mit aktivierten Cookies kommentieren können.');
+
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF_REASON', 'Ihr Kommentar enthielt keinen gültigen Session-Hash. Kommentare auf diesem Blog können nur mit aktivierten Cookies hinterlassen werden!');
\ No newline at end of file
diff --git a/plugins/serendipity_event_spamblock/lang_en.inc.php b/plugins/serendipity_event_spamblock/lang_en.inc.php
index 4d58f3c..a94ff47 100644
--- a/plugins/serendipity_event_spamblock/lang_en.inc.php
+++ b/plugins/serendipity_event_spamblock/lang_en.inc.php
@@ -110,3 +110,7 @@
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_TREAT', 'What to do with trackbacks when being auto-moderated?');
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT', 'Force trackback moderation after how many days');
 @define('PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_DESC', 'You can automatically set all trackbacks for entries to be moderated. Enter the age of an entry in days, after which it should be auto-moderated. 0 means no auto-moderation.');
+
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF', 'Use CSRF protection for comments?');
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF_DESC', 'If enabled, a special hash value will check that only users can submit a comment with a valid session ID. This will decrease spam and prevent users from tricking you into submitting comments via CSRF, but it will also prevent users commenting on your blog without cookies.');
+@define('PLUGIN_EVENT_SPAMBLOCK_CSRF_REASON', 'Your comment did not contain a Session-Hash. Comments can only be made on this blog when having cookies enabled!');
\ No newline at end of file
diff --git a/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php b/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php
index 6f859b6..ebc6c73 100644
--- a/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php
+++ b/plugins/serendipity_event_spamblock/serendipity_event_spamblock.php
@@ -34,7 +34,7 @@ var $filter_defaults;
             'smarty'      => '2.6.7',
             'php'         => '4.1.0'
         ));
-        $propbag->add('version',       '1.51');
+        $propbag->add('version',       '1.60');
         $propbag->add('event_hooks',    array(
             'frontend_saveComment' => true,
             'external_plugin'      => true,
@@ -49,10 +49,14 @@ var $filter_defaults;
             'bodyclone',
             'entrytitle',
             'ipflood',
+            'csrf',
             'captchas',
             'captchas_ttl',
             'captcha_color',
             'forcemoderation',
+            'forcemoderation_treat',
+            'forcemoderationt',
+            'forcemoderationt_treat',
             'disable_api_comments',
             'trackback_check_url',
             'links_moderate',
@@ -110,6 +114,13 @@ var $filter_defaults;
                 $propbag->add('default', false);
                 break;
 
+            case 'csrf':
+                $propbag->add('type', 'boolean');
+                $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_CSRF);
+                $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_CSRF_DESC);
+                $propbag->add('default', true);
+                break;
+
             case 'entrytitle':
                 $propbag->add('type', 'boolean');
                 $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_FILTER_TITLE);
@@ -297,6 +308,37 @@ var $filter_defaults;
                 $propbag->add('default', '30');
                 break;
 
+            case 'forcemoderation_treat':
+                $propbag->add('type', 'radio');
+                $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATION_TREAT);
+                $propbag->add('description', '');
+                $propbag->add('default', 'moderate');
+                $propbag->add('radio', array(
+                    'value' => array('moderate', 'reject'),
+                    'desc'  => array(PLUGIN_EVENT_SPAMBLOCK_API_MODERATE, PLUGIN_EVENT_SPAMBLOCK_API_REJECT)
+                ));
+                $propbag->add('radio_per_row', '1');
+                break;
+
+            case 'forcemoderationt':
+                $propbag->add('type', 'string');
+                $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT);
+                $propbag->add('description', PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_DESC);
+                $propbag->add('default', '30');
+                break;
+
+            case 'forcemoderationt_treat':
+                $propbag->add('type', 'radio');
+                $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_FORCEMODERATIONT_TREAT);
+                $propbag->add('description', '');
+                $propbag->add('default', 'moderate');
+                $propbag->add('radio', array(
+                    'value' => array('moderate', 'reject'),
+                    'desc'  => array(PLUGIN_EVENT_SPAMBLOCK_API_MODERATE, PLUGIN_EVENT_SPAMBLOCK_API_REJECT)
+                ));
+                $propbag->add('radio_per_row', '1');
+                break;
+
             case 'links_moderate':
                 $propbag->add('type', 'string');
                 $propbag->add('name', PLUGIN_EVENT_SPAMBLOCK_LINKS_MODERATE);
@@ -525,6 +567,10 @@ var $filter_defaults;
             $show_captcha = ($captchas && isset($eventData['timestamp']) && ($captchas_ttl < 1 || ($eventData['timestamp'] < (time() - ($captchas_ttl*60*60*24)))) ? true : false);
 
             $forcemoderation = $this->get_config('forcemoderation', 60);
+            $forcemoderation_treat = $this->get_config('forcemoderation_treat', 'moderate');
+            $forcemoderationt = $this->get_config('forcemoderationt', 60);
+            $forcemoderationt_treat = $this->get_config('forcemoderationt_treat', 'moderate');
+
             $links_moderate  = $this->get_config('links_moderate', 10);
             $links_reject    = $this->get_config('links_reject', 20);
 
@@ -558,6 +604,15 @@ var $filter_defaults;
                         $logfile = $this->logfile = $this->get_config('logfile', $serendipity['serendipityPath'] . 'spamblock.log');
                         $required_fields = $this->get_config('required_fields', '');
 
+                        // Check CSRF [comments only, cannot be applied to trackbacks]
+                        if ($addData['type'] == 'NORMAL' && serendipity_db_bool($this->get_config('csrf', true))) {
+                            if (!serendipity_checkFormToken(false)) {
+                                $this->log($logfile, $eventData['id'], 'REJECTED', PLUGIN_EVENT_SPAMBLOCK_CSRF_REASON, $addData);
+                                $eventData = array('allow_comments' => false);
+                                $serendipity['messagestack']['comments'][] = PLUGIN_EVENT_SPAMBLOCK_CSRF_REASON;
+                            }
+                        }
+
                         // Check required fields
                         if ($addData['type'] == 'NORMAL' && !empty($required_fields)) {
                             $required_field_list = explode(',', $required_fields);
@@ -784,12 +839,32 @@ var $filter_defaults;
 //                            $this->log($logfile, $eventData['id'], 'REJECTED', 'Captcha not needed: ' . $serendipity['POST']['captcha'] . ' / ' . $_SESSION['spamblock']['captcha'] . ' // Source: ' . $_SERVER['REQUEST_URI'], $addData);
                         }
 
-                        // Check for forced moderation
-                        if ($forcemoderation > 0 && $eventData['timestamp'] < (time() - ($forcemoderation * 60 * 60 * 24))) {
-                            $this->log($logfile, $eventData['id'], 'MODERATE', PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION, $addData);
-                            $eventData['moderate_comments'] = true;
-                            $serendipity['csuccess']        = 'moderate';
-                            $serendipity['moderate_reason'] = PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION;
+                        // Check for forced comment moderation
+                        if ($addData['type'] == 'NORMAL' && $forcemoderation > 0 && $eventData['timestamp'] < (time() - ($forcemoderation * 60 * 60 * 24))) {
+                            $this->log($logfile, $eventData['id'], $forcemoderation_treat, PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION, $addData);
+                            if ($forcemoderation_treat == 'reject') {
+                                $eventData = array('allow_comments' => false);
+                                $serendipity['messagestack']['comments'][] = PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION;
+                                return false;
+                            } else {
+                                $eventData['moderate_comments'] = true;
+                                $serendipity['csuccess']        = 'moderate';
+                                $serendipity['moderate_reason'] = PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION;
+                            }
+                        }
+
+                        // Check for forced trackback moderation
+                        if ($addData['type'] != 'NORMAL' && $forcemoderationt > 0 && $eventData['timestamp'] < (time() - ($forcemoderationt * 60 * 60 * 24))) {
+                            $this->log($logfile, $eventData['id'], $forcemoderationt_treat, PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION, $addData);
+                            if ($forcemoderationt_treat == 'reject') {
+                                $eventData = array('allow_comments' => false);
+                                $serendipity['messagestack']['comments'][] = PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION;
+                                return false;
+                            } else {
+                                $eventData['moderate_comments'] = true;
+                                $serendipity['csuccess']        = 'moderate';
+                                $serendipity['moderate_reason'] = PLUGIN_EVENT_SPAMBLOCK_REASON_FORCEMODERATION;
+                            }
                         }
 
                         // Check for maximum number of links before forcing moderation
@@ -847,6 +922,10 @@ var $filter_defaults;
                         echo '<div class="serendipity_commentDirection serendipity_comment_spamblock">' . PLUGIN_EVENT_SPAMBLOCK_HIDE_EMAIL_NOTICE . '</div>';
                     }
 
+                    if (serendipity_db_bool($this->get_config('csrf', true))) {
+                        echo serendipity_setFormToken('form');
+                    }
+                    
                     // Check whether to allow comments from registered authors
                     if (serendipity_userLoggedIn() && $this->inGroup()) {
                         return true;
@@ -1000,11 +1079,14 @@ var $filter_defaults;
 
                 case 'backend_view_comment':
                     $author_is_filtered = $this->checkFilter('authors', $eventData['author']);
-                    $eventData['action_author'] .= ' <a class="serendipityIconLink" title="' . ($author_is_filtered ? PLUGIN_EVENT_SPAMBLOCK_REMOVE_AUTHOR : PLUGIN_EVENT_SPAMBLOCK_ADD_AUTHOR) . '" href="serendipity_admin.php?serendipity[adminModule]=comments&amp;serendipity[spamBlockAuthor]=' . $eventData['id'] . '"><img src="' . serendipity_getTemplateFile('admin/img/' . ($author_is_filtered ? 'un' : '') . 'configure.png') . '" /></a>';
+                    $clink1 = 'clink1' . $eventData['id'];
+                    $clink2 = 'clink2' . $eventData['id'];
+
+                    $eventData['action_author'] .= ' <a id="' . $clink1 . '" class="serendipityIconLink" title="' . ($author_is_filtered ? PLUGIN_EVENT_SPAMBLOCK_REMOVE_AUTHOR : PLUGIN_EVENT_SPAMBLOCK_ADD_AUTHOR) . '" href="serendipity_admin.php?serendipity[adminModule]=comments&amp;serendipity[spamBlockAuthor]=' . $eventData['id'] . $addData . '#' . $clink1 . '"><img src="' . serendipity_getTemplateFile('admin/img/' . ($author_is_filtered ? 'un' : '') . 'configure.png') . '" /></a>';
 
                     if (!empty($eventData['url'])) {
                         $url_is_filtered    = $this->checkFilter('urls', $eventData['url']);
-                        $eventData['action_url']    .= ' <a class="serendipityIconLink" title="' . ($url_is_filtered ? PLUGIN_EVENT_SPAMBLOCK_REMOVE_URL : PLUGIN_EVENT_SPAMBLOCK_ADD_URL) . '" href="serendipity_admin.php?serendipity[adminModule]=comments&amp;serendipity[spamBlockURL]=' . $eventData['id'] . '"><img src="' . serendipity_getTemplateFile('admin/img/' . ($url_is_filtered ? 'un' : '') . 'configure.png') . '" /></a>';
+                        $eventData['action_url']    .= ' <a id="' . $clink2 . '" class="serendipityIconLink" title="' . ($url_is_filtered ? PLUGIN_EVENT_SPAMBLOCK_REMOVE_URL : PLUGIN_EVENT_SPAMBLOCK_ADD_URL) . '" href="serendipity_admin.php?serendipity[adminModule]=comments&amp;serendipity[spamBlockURL]=' . $eventData['id'] . $addData . '#' . $clink2 . '"><img src="' . serendipity_getTemplateFile('admin/img/' . ($url_is_filtered ? 'un' : '') . 'configure.png') . '" /></a>';
                     }
 
                     return true;
diff --git a/serendipity_admin.php b/serendipity_admin.php
index 7129735..ec159d6 100644
--- a/serendipity_admin.php
+++ b/serendipity_admin.php
@@ -11,9 +11,9 @@ include('serendipity_config.inc.php');
 header('Content-Type: text/html; charset=' . LANG_CHARSET);
 
 if (IS_installed === false) {
-    require_once(S9Y_INCLUDE_PATH . 'include/functions_permalinks.inc.php');
-    require_once(S9Y_INCLUDE_PATH . 'include/functions_installer.inc.php');
-    require_once S9Y_INCLUDE_PATH . 'include/functions_config.inc.php';
+    require(S9Y_INCLUDE_PATH . 'include/functions_permalinks.inc.php');
+    require(S9Y_INCLUDE_PATH . 'include/functions_installer.inc.php');
+    require(S9Y_INCLUDE_PATH . 'include/functions_config.inc.php');
     $css_file = 'serendipity.css.php?serendipity[css_mode]=serendipity_admin.css';
 } else {
     $css_file = serendipity_rewriteURL('serendipity_admin.css');
@@ -42,6 +42,8 @@ if (serendipity_is_iframe()) {
         <title><?php echo SERENDIPITY_ADMIN_SUITE; ?></title>
         <meta http-equiv="Content-Type" content="text/html; charset=<?php echo LANG_CHARSET; ?>" />
         <link rel="stylesheet" type="text/css" href="<?php echo $css_file; ?>" />
+        <link rel="stylesheet" type="text/css" href="<?php echo serendipity_getTemplateFile('admin/pluginmanager.css'); ?>" />
+
         <script type="text/javascript">
         function spawn() {
             if (self.Spawnextended) {
@@ -85,6 +87,7 @@ if (serendipity_is_iframe()) {
     </head>
     <body id="serendipity_admin_page" onload="spawn()">
         <table cellspacing="0" cellpadding="0" border="0" id="serendipityAdminFrame">
+        <?php if (!isset($serendipity['GET']['noBanner']) && !isset($serendipity['POST']['noBanner'])) { ?>
             <tr>
                 <td colspan="2" id="serendipityAdminBanner">
                 <?php if ( IS_installed === true && IS_up2date === true ) { ?>
@@ -102,6 +105,7 @@ if (serendipity_is_iframe()) {
                     <?php } ?>
                 </td>
             </tr>
+        <?php } ?>
             <tr valign="top">
 <?php
 if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2date === false ) {
@@ -114,7 +118,7 @@ if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2d
     }
 ?>
                 <td class="serendipityAdminContent" colspan="2">
-                    <?php require_once(S9Y_INCLUDE_PATH . $file); ?>
+                    <?php require(S9Y_INCLUDE_PATH . $file); ?>
 <?php
 
 
@@ -157,6 +161,7 @@ if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2d
 
 } else {
 ?>
+<?php if (!isset($serendipity['GET']['noSidebar']) && !isset($serendipity['POST']['noSidebar'])) { ?>
                 <td id="serendipitySideBar">
                     <ul class="serendipitySideBarMenu">
                         <li><a href="serendipity_admin.php"><?php echo ADMIN_FRONTPAGE; ?></a></li>
@@ -165,18 +170,22 @@ if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2d
 <?php } ?>
                     </ul>
                     <br />
-<?php if (serendipity_checkPermission('adminEntries')) { ?>
                     <ul class="serendipitySideBarMenu">
+<?php if (serendipity_checkPermission('adminEntries') || serendipity_checkPermission('adminEntriesPlugins')) { ?>
                         <li class="serendipitySideBarMenuHead"><?php echo ADMIN_ENTRIES ?></li>
+<?php if (serendipity_checkPermission('adminEntries')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=entries&amp;serendipity[adminAction]=new"><?php echo NEW_ENTRY; ?></a></li>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=entries&amp;serendipity[adminAction]=editSelect"><?php echo EDIT_ENTRIES; ?></a></li>
+<?php } ?>
 <?php if (serendipity_checkPermission('adminComments')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=comments"><?php echo COMMENTS; ?></a></li>
 <?php } ?>
 <?php if (serendipity_checkPermission('adminCategories')) { ?>
                         <li><a href="serendipity_admin.php?serendipity[adminModule]=category&amp;serendipity[adminAction]=view"><?php echo CATEGORIES; ?></a></li>
 <?php } ?>
+<?php if (serendipity_checkPermission('adminEntries') || serendipity_checkPermission('adminEntriesPlugins')) { ?>
                         <?php if ($serendipity['no_create'] !== true) serendipity_plugin_api::hook_event('backend_sidebar_entries', $serendipity); ?>
+<?php } ?>
                     </ul>
 <?php } ?>
 <?php if (serendipity_checkPermission('adminImages')) { ?>
@@ -235,6 +244,7 @@ if (!isset($serendipity['serendipityPath']) || IS_installed === false || IS_up2d
                     </ul>
 
                 </td>
+<?php } ?>
                 <td class="serendipityAdminContent">
 <?php
     if (!isset($serendipity['GET']['adminModule'])) {