From 8c8591ccb0ca20940d4d41ec05a09b25ddaabb00 Mon Sep 17 00:00:00 2001
From: plegall
Date: Mon, 17 Mar 2014 22:16:47 +0000
Subject: bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6 (pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add, pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)
git-svn-id: http://piwigo.org/svn/branches/2.6@27810 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/themes/default/template/user_list.tpl | 7 +++++--
 include/ws_functions/pwg.groups.php | 15 +++++++++++++++
 include/ws_functions/pwg.permissions.php | 10 ++++++++++
 include/ws_functions/pwg.users.php | 10 ++++++++++
 ws.php | 7 +++++++
 5 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index a491cae17..79a2e4dd5 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -56,7 +56,7 @@ jQuery(document).ready(function() { jQuery.ajax({ url: "ws.php?format=json&method=pwg.users.add", type:"POST", - data: jQuery(this).serialize(), + data: jQuery(this).serialize()+"&pwg_token="+pwg_token, beforeSend: function() { jQuery("#addUserForm .errors").hide();
@@ -345,6 +345,7 @@ jQuery(document).ready(function() {
 url: "ws.php?format=json&method=pwg.users.setInfo",
 type:"POST",
 data: {
+ pwg_token:pwg_token,
 user_id:userId,
 password: jQuery('#user'+userId+' .changePassword input[type=text]').val()
 },
@@ -396,6 +397,7 @@ jQuery(document).ready(function() {
 url: "ws.php?format=json&method=pwg.users.setInfo",
 type:"POST",
 data: {
+ pwg_token:pwg_token,
 user_id:userId,
 username: jQuery('#user'+userId+' .changeUsername input[type=text]').val()
 },
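Review bot: The token is spliced into the request body by string concatenation in the -56 hunk (`data: jQuery(this).serialize()+"&pwg_token="+pwg_token,`) and again in the -467 hunk (`formData += '&pwg_token='+pwg_token;`), while the other call sites in this file put it in the `data` object and let jQuery encode it. If the token is a plain hex string this is harmless, but `encodeURIComponent(pwg_token)` at both sites keeps the two patterns equivalent should the token format ever change. Where the `pwg_token` JavaScript variable is assigned is not visible in this diff; presumably the template sets it from the server-side token, which is worth confirming since every request here depends on it. The enclosing ready() handler starts and ends outside the hunk.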
@@ -467,6 +469,7 @@ jQuery(document).ready(function() { var userId = jQuery(this).data('user_id'); var formData = jQuery('#user'+userId+' form').serialize(); + formData += '&pwg_token='+pwg_token; if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) { formData += '&group_id=-1';
@@ -708,6 +711,7 @@ jQuery(document).ready(function() { var action = jQuery("select[name=selectAction]").prop("value"); var method = 'pwg.users.setInfo'; var data = { + pwg_token: pwg_token, user_id: selection };
@@ -718,7 +722,6 @@ jQuery(document).ready(function() {
 return false;
 }
 method = 'pwg.users.delete';
- data.pwg_token = pwg_token;
 break;
 case 'group_associate':
 method = 'pwg.groups.addUser';
diff --git a/include/ws_functions/pwg.groups.php b/include/ws_functions/pwg.groups.php
index 773623eaf..67d5c843c 100644
--- a/include/ws_functions/pwg.groups.php
+++ b/include/ws_functions/pwg.groups.php
@@ -165,6 +165,11 @@ DELETE */ function ws_groups_setInfo($params, &$service) { + if (get_pwg_token() != $params['pwg_token']) + { + return new PwgError(403, 'Invalid security token'); + } + $updates = array(); // does the group exist ?
@@ -221,6 +226,11 @@ SELECT COUNT(*)
 */
 function ws_groups_addUser($params, &$service)
 {
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 // does the group exist ?
 $query = '
 SELECT COUNT(*)
@@ -264,6 +274,11 @@ SELECT COUNT(*)
 */
 function ws_groups_deleteUser($params, &$service)
 {
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 // does the group exist ?
 $query = '
 SELECT COUNT(*)
diff --git a/include/ws_functions/pwg.permissions.php b/include/ws_functions/pwg.permissions.php
index 936999ab8..990404da3 100644
--- a/include/ws_functions/pwg.permissions.php
+++ b/include/ws_functions/pwg.permissions.php
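Review bot: The new guard in ws_groups_setInfo compares the security token with `!=`, which is PHP's loose comparison: two strings that both parse as numbers compare equal numerically (a hex token of the form `0e` followed only by digits equals any other such string), so the check can be satisfied by a value that is not the real token. The same line is repeated in the -221 and -264 hunks of this file, in -146 and -203 of pwg.permissions.php, and in -275 and -363 of pwg.users.php, so this is best fixed once in a small helper the seven handlers call rather than patched seven times. A strict, type-checked form is `if (!is_string($params['pwg_token']) || $params['pwg_token'] !== get_pwg_token())`, or `hash_equals(get_pwg_token(), (string)$params['pwg_token'])` where the project's PHP baseline permits it, which also removes the timing dependence on the first differing byte. Whether ws.php rejects an absent or array-valued pwg_token before the handler runs is not visible here; the `is_string` test covers that case either way. The function bodies continue outside the hunk.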
@@ -146,6 +146,11 @@ SELECT group_id, cat_id */ function ws_permissions_add($params, &$service) { + if (get_pwg_token() != $params['pwg_token']) + { + return new PwgError(403, 'Invalid security token'); + } + include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); if (!empty($params['group_id']))
@@ -203,6 +208,11 @@ SELECT id */ function ws_permissions_remove($params, &$service) { + if (get_pwg_token() != $params['pwg_token']) + { + return new PwgError(403, 'Invalid security token'); + } + include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); $cat_ids = get_subcat_ids($params['cat_id']);
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index 345d8f661..d3c676df1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -275,6 +275,11 @@ SELECT */ function ws_users_add($params, &$service) { + if (get_pwg_token() != $params['pwg_token']) + { + return new PwgError(403, 'Invalid security token'); + } + global $conf; if ($conf['double_password_type_in_admin'])
@@ -363,6 +368,11 @@ function ws_users_delete($params, &$service) */ function ws_users_setInfo($params, &$service) { + if (get_pwg_token() != $params['pwg_token']) + { + return new PwgError(403, 'Invalid security token'); + } + global $conf, $user; include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
diff --git a/ws.php b/ws.php
index fe81decf3..c5829671b 100644
--- a/ws.php
+++ b/ws.php
@@ -772,6 +772,7 @@ function ws_addDefaultMethods( $arr ) 'name' => array('flags'=>WS_PARAM_OPTIONAL), 'is_default' => array('flags'=>WS_PARAM_OPTIONAL, 'type'=>WS_TYPE_BOOL), + 'pwg_token' => array(), ), 'Updates a group. Leave a field blank to keep the current value.', $ws_functions_root . 'pwg.groups.php',
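Review bot: `'pwg_token' => array()` in the -772 hunk registers the parameter with no type and no flags, and the same bare entry is repeated in -785, -798, -850, -899, -936 and -952; every neighbouring parameter carries a 'type' or a flag, so a reader of the registration cannot tell what the token is, what shape it must have, or that the handler will refuse the call without it. If the ws framework treats an entry without WS_PARAM_OPTIONAL or 'default' as mandatory (not visible here), this is also an incompatible change for existing 2.6 clients of these seven methods that the method descriptions do not mention. A short addition such as `'Updates a group. Leave a field blank to keep the current value. Requires pwg_token.'`, or a comment `// pwg_token: anti-CSRF token, mandatory for this method` beside each entry, would document it at the point where API clients look. ws_addDefaultMethods starts and ends outside the hunk.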
@@ -785,6 +786,7 @@ function ws_addDefaultMethods( $arr ) 'group_id' => array('type'=>WS_TYPE_ID), 'user_id' => array('flags'=>WS_PARAM_FORCE_ARRAY, 'type'=>WS_TYPE_ID), + 'pwg_token' => array(), ), 'Adds one or more users to a group.', $ws_functions_root . 'pwg.groups.php',
@@ -798,6 +800,7 @@ function ws_addDefaultMethods( $arr ) 'group_id' => array('type'=>WS_TYPE_ID), 'user_id' => array('flags'=>WS_PARAM_FORCE_ARRAY, 'type'=>WS_TYPE_ID), + 'pwg_token' => array(), ), 'Removes one or more users from a group.', $ws_functions_root . 'pwg.groups.php',
@@ -850,6 +853,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
 'password_confirm' => array('flags'=>WS_PARAM_OPTIONAL),
 'email' => array('default'=>null),
 'send_password_by_mail' => array('default'=>false, 'type'=>WS_TYPE_BOOL),
+ 'pwg_token' => array(),
 ),
 'Registers a new user.',
 $ws_functions_root . 'pwg.users.php',
@@ -899,6 +903,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin 'type'=>WS_TYPE_BOOL), 'enabled_high' => array('flags'=>WS_PARAM_OPTIONAL, 'type'=>WS_TYPE_BOOL), + 'pwg_token' => array(), ), 'Updates a user. Leave a field blank to keep the current value.
"username", "password" and "email" are ignored if "user_id" is an array.
@@ -936,6 +941,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin 'type'=>WS_TYPE_ID), 'recursive' => array('default'=>false, 'type'=>WS_TYPE_BOOL), + 'pwg_token' => array(), ), 'Adds permissions to an album.', $ws_functions_root . 'pwg.permissions.php',
@@ -952,6 +958,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin 'type'=>WS_TYPE_ID), 'user_id' => array('flags'=>WS_PARAM_FORCE_ARRAY|WS_PARAM_OPTIONAL, 'type'=>WS_TYPE_ID), + 'pwg_token' => array(), ), 'Removes permissions from an album.', $ws_functions_root . 'pwg.permissions.php',
-- cgit v1.2.3