authorplegall <plg@piwigo.org>2014-03-17 22:20:28 +0000
committerplegall <plg@piwigo.org>2014-03-17 22:20:28 +0000
commitb08c46f3c3428fa5ffe50c15367ecefd46f65b6f (patch)
treee62e0b80e68a6955ede42dd72d5793d1fddaef9a /admin/themes/default/template/user_list.tpl
parent61b4fd3bb26b79a1e22a8cf62680b9d28b73cf73 (diff)
merge r27810 from branch 2.6 to trunk
bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6 (pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add, pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove) git-svn-id: http://piwigo.org/svn/trunk@27811 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'admin/themes/default/template/user_list.tpl')
-rw-r--r--admin/themes/default/template/user_list.tpl7
1 files changed, 5 insertions, 2 deletions
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index a491cae17..79a2e4dd5 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -56,7 +56,7 @@ jQuery(document).ready(function() {
jQuery.ajax({
url: "ws.php?format=json&method=pwg.users.add",
type:"POST",
- data: jQuery(this).serialize(),
+ data: jQuery(this).serialize()+"&pwg_token="+pwg_token,
beforeSend: function() {
jQuery("#addUserForm .errors").hide();
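Review bot: The token is appended to the serialized form by raw string concatenation in `data: jQuery(this).serialize()+"&pwg_token="+pwg_token,`, so a character in `pwg_token` that is special in a form-encoded body (`&`, `=`, `+`, `%`) would corrupt the value or add an unintended parameter. The token's format is not visible on this page, so this may be harmless today, but encoding it removes the assumption: `data: jQuery(this).serialize()+"&pwg_token="+encodeURIComponent(pwg_token),`. The same applies to `formData += '&pwg_token='+pwg_token;` in the hunk at -467. The enclosing ready handler starts and ends outside the hunk.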
@@ -345,6 +345,7 @@ jQuery(document).ready(function() {
url: "ws.php?format=json&method=pwg.users.setInfo",
type:"POST",
data: {
+ pwg_token:pwg_token,
user_id:userId,
password: jQuery('#user'+userId+' .changePassword input[type=text]').val()
},
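Review bot: The added `pwg_token:pwg_token,` in this password-change call has no comment saying what it is for or where `pwg_token` is defined, and neither is visible in the hunk. Going by the commit message, it is the anti-CSRF token that `pwg.users.setInfo` now requires, so a one-line comment such as `// pwg_token: anti-CSRF token required by pwg.users.setInfo; defined earlier in this template` would tell a maintainer that removing the field breaks the request. The server-side rejection of a missing or wrong token is not part of this file, so it should be confirmed in the handler changes of the same commit. The same comment fits the username-change call in the hunk at -396.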
@@ -396,6 +397,7 @@ jQuery(document).ready(function() {
url: "ws.php?format=json&method=pwg.users.setInfo",
type:"POST",
data: {
+ pwg_token:pwg_token,
user_id:userId,
username: jQuery('#user'+userId+' .changeUsername input[type=text]').val()
},
@@ -467,6 +469,7 @@ jQuery(document).ready(function() {
var userId = jQuery(this).data('user_id');
var formData = jQuery('#user'+userId+' form').serialize();
+ formData += '&pwg_token='+pwg_token;
if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) {
formData += '&group_id=-1';
@@ -708,6 +711,7 @@ jQuery(document).ready(function() {
var action = jQuery("select[name=selectAction]").prop("value");
var method = 'pwg.users.setInfo';
var data = {
+ pwg_token: pwg_token,
user_id: selection
};
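Review bot: Moving `pwg_token: pwg_token,` into the base `data` object is what lets every action in the following `switch` carry the token, but nothing in the code records that intent. The token previously lived in the delete case only, and a later cleanup could move it back. A comment on the new line would pin it down, for example `// anti-CSRF token: sent for every bulk action, since each method dispatched below requires it`. Only `pwg.users.setInfo`, `pwg.users.delete` and `pwg.groups.addUser` are visible here, so the remaining cases of the switch should be checked against the list of token-protected methods in the commit message.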
@@ -718,7 +722,6 @@ jQuery(document).ready(function() {
return false;
}
method = 'pwg.users.delete';
- data.pwg_token = pwg_token;
break;
case 'group_associate':
method = 'pwg.groups.addUser';