merge r27810 from branch 2.6 to trunk

bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6 (pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add, pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove) git-svn-id: http://piwigo.org/svn/trunk@27811 68402e56-0260-453c-a942-63ccdbb3a9ee
author: plegall <plg@piwigo.org> 2014-03-17 22:20:28 +0000
committer: plegall <plg@piwigo.org> 2014-03-17 22:20:28 +0000
commit: b08c46f3c3428fa5ffe50c15367ecefd46f65b6f (patch)
tree: e62e0b80e68a6955ede42dd72d5793d1fddaef9a /include/ws_functions
parent: 61b4fd3bb26b79a1e22a8cf62680b9d28b73cf73 (diff)
3 files changed, 35 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.groups.php b/include/ws_functions/pwg.groups.php
index 773623eaf..67d5c843c 100644
--- a/include/ws_functions/pwg.groups.php
+++ b/include/ws_functions/pwg.groups.php
@@ -165,6 +165,11 @@ DELETE
  */
 function ws_groups_setInfo($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   $updates = array();
 
   // does the group exist ?
@@ -221,6 +226,11 @@ SELECT COUNT(*)
  */
 function ws_groups_addUser($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   // does the group exist ?
   $query = '
 SELECT COUNT(*)
@@ -264,6 +274,11 @@ SELECT COUNT(*)
  */
 function ws_groups_deleteUser($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   // does the group exist ?
   $query = '
 SELECT COUNT(*)
diff --git a/include/ws_functions/pwg.permissions.php b/include/ws_functions/pwg.permissions.php
index 936999ab8..990404da3 100644
--- a/include/ws_functions/pwg.permissions.php
+++ b/include/ws_functions/pwg.permissions.php
@@ -146,6 +146,11 @@ SELECT group_id, cat_id
  */
 function ws_permissions_add($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   if (!empty($params['group_id']))
@@ -203,6 +208,11 @@ SELECT id
  */
 function ws_permissions_remove($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
   $cat_ids = get_subcat_ids($params['cat_id']);
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index 345d8f661..d3c676df1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -275,6 +275,11 @@ SELECT
  */
 function ws_users_add($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+  
   global $conf;
 
   if ($conf['double_password_type_in_admin'])
@@ -363,6 +368,11 @@ function ws_users_delete($params, &$service)
  */
 function ws_users_setInfo($params, &$service)
 {
+  if (get_pwg_token() != $params['pwg_token'])
+  {
+    return new PwgError(403, 'Invalid security token');
+  }
+
   global $conf, $user;
 
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
author	plegall <plg@piwigo.org>	2014-03-17 22:20:28 +0000
committer	plegall <plg@piwigo.org>	2014-03-17 22:20:28 +0000
commit	b08c46f3c3428fa5ffe50c15367ecefd46f65b6f (patch)
tree	e62e0b80e68a6955ede42dd72d5793d1fddaef9a /include/ws_functions
parent	61b4fd3bb26b79a1e22a8cf62680b9d28b73cf73 (diff)