bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6

(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)


git-svn-id: http://piwigo.org/svn/branches/2.6@27810 68402e56-0260-453c-a942-63ccdbb3a9ee

1 files changed, 10 insertions, 0 deletions

diff --git a/include/ws_functions/pwg.permissions.php b/include/ws_functions/pwg.permissions.php
index 936999ab8..990404da3 100644
--- a/include/ws_functions/pwg.permissions.php
+++ b/include/ws_functions/pwg.permissions.php
@@ -146,6 +146,11 @@ SELECT group_id, cat_id
  */
 function ws_permissions_add($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   if (!empty($params['group_id']))
@@ -203,6 +208,11 @@ SELECT id
  */
 function ws_permissions_remove($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   $cat_ids = get_subcat_ids($params['cat_id']);