bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6

(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)


git-svn-id: http://piwigo.org/svn/branches/2.6@27810 68402e56-0260-453c-a942-63ccdbb3a9ee

5 files changed, 47 insertions, 2 deletions

diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index a491cae17..79a2e4dd5 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -56,7 +56,7 @@ jQuery(document).ready(function() {
     jQuery.ajax({
       url: "ws.php?format=json&method=pwg.users.add",
       type:"POST",
-      data: jQuery(this).serialize(),
+      data: jQuery(this).serialize()+"&pwg_token="+pwg_token,
       beforeSend: function() {
         jQuery("#addUserForm .errors").hide();
 
@@ -345,6 +345,7 @@ jQuery(document).ready(function() {
       url: "ws.php?format=json&method=pwg.users.setInfo",
       type:"POST",
       data: {
+        pwg_token:pwg_token,
         user_id:userId,
         password: jQuery('#user'+userId+' .changePassword input[type=text]').val()
       },
@@ -396,6 +397,7 @@ jQuery(document).ready(function() {
       url: "ws.php?format=json&method=pwg.users.setInfo",
       type:"POST",
       data: {
+        pwg_token:pwg_token,
         user_id:userId,
         username: jQuery('#user'+userId+' .changeUsername input[type=text]').val()
       },
@@ -467,6 +469,7 @@ jQuery(document).ready(function() {
     var userId = jQuery(this).data('user_id');
 
     var formData = jQuery('#user'+userId+' form').serialize();
+    formData += '&pwg_token='+pwg_token;
 
     if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) {
       formData += '&group_id=-1';
@@ -708,6 +711,7 @@ jQuery(document).ready(function() {
     var action = jQuery("select[name=selectAction]").prop("value");
     var method = 'pwg.users.setInfo';
     var data = {
+      pwg_token: pwg_token,
       user_id: selection
     };
 
@@ -718,7 +722,6 @@ jQuery(document).ready(function() {
           return false;
         }
         method = 'pwg.users.delete';
-        data.pwg_token = pwg_token;
         break;
       case 'group_associate':
         method = 'pwg.groups.addUser';
diff --git a/include/ws_functions/pwg.groups.php b/include/ws_functions/pwg.groups.php
index 773623eaf..67d5c843c 100644
--- a/include/ws_functions/pwg.groups.php
+++ b/include/ws_functions/pwg.groups.php
@@ -165,6 +165,11 @@ DELETE
  */
 function ws_groups_setInfo($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   $updates = array();
 
   // does the group exist ?
@@ -221,6 +226,11 @@ SELECT COUNT(*)
  */
 function ws_groups_addUser($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   // does the group exist ?
   $query = '
 SELECT COUNT(*)
@@ -264,6 +274,11 @@ SELECT COUNT(*)
  */
 function ws_groups_deleteUser($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   // does the group exist ?
   $query = '
 SELECT COUNT(*)
diff --git a/include/ws_functions/pwg.permissions.php b/include/ws_functions/pwg.permissions.php
index 936999ab8..990404da3 100644
--- a/include/ws_functions/pwg.permissions.php
+++ b/include/ws_functions/pwg.permissions.php
@@ -146,6 +146,11 @@ SELECT group_id, cat_id
  */
 function ws_permissions_add($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   if (!empty($params['group_id']))
@@ -203,6 +208,11 @@ SELECT id
  */
 function ws_permissions_remove($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   $cat_ids = get_subcat_ids($params['cat_id']);
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index 345d8f661..d3c676df1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -275,6 +275,11 @@ SELECT
  */
 function ws_users_add($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+  
   global $conf;
 
   if ($conf['double_password_type_in_admin'])
@@ -363,6 +368,11 @@ function ws_users_delete($params, &$service)
  */
 function ws_users_setInfo($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   global $conf, $user;
 
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
diff --git a/ws.php b/ws.php
index fe81decf3..c5829671b 100644
--- a/ws.php
+++ b/ws.php
@@ -772,6 +772,7 @@ function ws_addDefaultMethods( $arr )
         'name' =>       array('flags'=>WS_PARAM_OPTIONAL),
         'is_default' => array('flags'=>WS_PARAM_OPTIONAL,
                               'type'=>WS_TYPE_BOOL),
+        'pwg_token' => array(),
         ),
       'Updates a group. Leave a field blank to keep the current value.',
       $ws_functions_root . 'pwg.groups.php',
@@ -785,6 +786,7 @@ function ws_addDefaultMethods( $arr )
         'group_id' => array('type'=>WS_TYPE_ID),
         'user_id' =>  array('flags'=>WS_PARAM_FORCE_ARRAY,
                             'type'=>WS_TYPE_ID),
+        'pwg_token' => array(),
         ),
       'Adds one or more users to a group.',
       $ws_functions_root . 'pwg.groups.php',
@@ -798,6 +800,7 @@ function ws_addDefaultMethods( $arr )
         'group_id' => array('type'=>WS_TYPE_ID),
         'user_id' =>  array('flags'=>WS_PARAM_FORCE_ARRAY,
                             'type'=>WS_TYPE_ID),
+        'pwg_token' => array(),
         ),
       'Removes one or more users from a group.',
       $ws_functions_root . 'pwg.groups.php',
@@ -850,6 +853,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
         'password_confirm' => array('flags'=>WS_PARAM_OPTIONAL),
         'email' =>    array('default'=>null),
         'send_password_by_mail' => array('default'=>false, 'type'=>WS_TYPE_BOOL),
+        'pwg_token' => array(),
         ),
       'Registers a new user.',
       $ws_functions_root . 'pwg.users.php',
@@ -899,6 +903,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
                                     'type'=>WS_TYPE_BOOL),
         'enabled_high' =>     array('flags'=>WS_PARAM_OPTIONAL,
                                     'type'=>WS_TYPE_BOOL),
+        'pwg_token' => array(),
         ),
       'Updates a user. Leave a field blank to keep the current value.
 <br>"username", "password" and "email" are ignored if "user_id" is an array.
@@ -936,6 +941,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
                               'type'=>WS_TYPE_ID),
         'recursive' =>  array('default'=>false,
                               'type'=>WS_TYPE_BOOL),
+        'pwg_token' => array(),
         ),
       'Adds permissions to an album.',
       $ws_functions_root . 'pwg.permissions.php',
@@ -952,6 +958,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
                             'type'=>WS_TYPE_ID),
         'user_id' =>  array('flags'=>WS_PARAM_FORCE_ARRAY|WS_PARAM_OPTIONAL,
                             'type'=>WS_TYPE_ID),
+        'pwg_token' => array(),
         ),
       'Removes permissions from an album.',
       $ws_functions_root . 'pwg.permissions.php',