* [ADDED] Smarty acl_check function
* [ADDED] Optional default return value for getValue calls
* [UPDATE] ACL Checks in page controllers
* [UPDATE] Navigation template to use check_acl from Smarty
* [ADDED] New ACL options where needed
* [REMOVED] Disable pages from System Settings Tab
* [ADDED] Above removed pages into ACL Settings Tab
This will make usage of ACLs a bit easier and transparent.
Also fixes#1731 once merged.
* [ADDED] CSRF token checks to worker page
* [CHANGED] Check for both _GET and _POST ctokens
* [ADDED] CSRF token to each delete call URL
Fixes#1702 once merged
The way this now works is, if csrf is enabled:
* Any new or existing template can have csrf protection by adding the hidden input ctoken that's in this batch to its form, removes any logic in templates
* Page controllers that already exist have been updated, new ones only require checking if csrf is enabled and valid
* [ADDED] Config option `$config['donate_threshold']['min'] = 1;`
* [VERSION] Incremented config file version to `0.0.6`
* [CHANGED] Round donations to at least two digits
* [CHANGED] Honor minimum set pool donation percentage
* [UPDATED] Account edit template
Fixes#1475 once merged
Getting started page modification suggestions for all users.
1. Add BFGMiner details.
2. Remove bullet points for steps.
3. Add additional line for BFGMiner command line.
* Now an array to disable with granularity
* Fixed all CSRF tokens back to 1 min
* Added CSRF protection for unlock account
* Unified error message for all csrf tokens
* Fixed a few issues with last commit
added csrf protection to workers under sitewide config
added csrf protection to notifications under sitewide config
added csrf protection to invitations under sitewide config
cleaned up login page csrf
cleaned up contactform/contactform page
cleaned up register/register page
moved config->csrf->forms->register to sitewide
added login ip/user/time to notification on login
moved sitewide into options portion of the config option
csrf protection for contact form under sitewide config option
changed register to 1 hour token
Since we are adding more security realted features, we drop the small
login in the header. It will need more workarounds than we'd like and is
already dropped when re-Captcha is enabled.
Security > Convenience :D
