aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2014-03-17 22:16:47 +0000
committerplegall <plg@piwigo.org>2014-03-17 22:16:47 +0000
commit8c8591ccb0ca20940d4d41ec05a09b25ddaabb00 (patch)
tree79ec98b8936b93ab010982d726a46bdb90b6ae6b
parent1dd79b4bac79ba8bd9ae68b20870e60ec62fabf2 (diff)
bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6
(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add, pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove) git-svn-id: http://piwigo.org/svn/branches/2.6@27810 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r--admin/themes/default/template/user_list.tpl7
-rw-r--r--include/ws_functions/pwg.groups.php15
-rw-r--r--include/ws_functions/pwg.permissions.php10
-rw-r--r--include/ws_functions/pwg.users.php10
-rw-r--r--ws.php7
5 files changed, 47 insertions, 2 deletions
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index a491cae17..79a2e4dd5 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -56,7 +56,7 @@ jQuery(document).ready(function() {
jQuery.ajax({
url: "ws.php?format=json&method=pwg.users.add",
type:"POST",
- data: jQuery(this).serialize(),
+ data: jQuery(this).serialize()+"&pwg_token="+pwg_token,
beforeSend: function() {
jQuery("#addUserForm .errors").hide();
@@ -345,6 +345,7 @@ jQuery(document).ready(function() {
url: "ws.php?format=json&method=pwg.users.setInfo",
type:"POST",
data: {
+ pwg_token:pwg_token,
user_id:userId,
password: jQuery('#user'+userId+' .changePassword input[type=text]').val()
},
@@ -396,6 +397,7 @@ jQuery(document).ready(function() {
url: "ws.php?format=json&method=pwg.users.setInfo",
type:"POST",
data: {
+ pwg_token:pwg_token,
user_id:userId,
username: jQuery('#user'+userId+' .changeUsername input[type=text]').val()
},
@@ -467,6 +469,7 @@ jQuery(document).ready(function() {
var userId = jQuery(this).data('user_id');
var formData = jQuery('#user'+userId+' form').serialize();
+ formData += '&pwg_token='+pwg_token;
if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) {
formData += '&group_id=-1';
@@ -708,6 +711,7 @@ jQuery(document).ready(function() {
var action = jQuery("select[name=selectAction]").prop("value");
var method = 'pwg.users.setInfo';
var data = {
+ pwg_token: pwg_token,
user_id: selection
};
@@ -718,7 +722,6 @@ jQuery(document).ready(function() {
return false;
}
method = 'pwg.users.delete';
- data.pwg_token = pwg_token;
break;
case 'group_associate':
method = 'pwg.groups.addUser';
diff --git a/include/ws_functions/pwg.groups.php b/include/ws_functions/pwg.groups.php
index 773623eaf..67d5c843c 100644
--- a/include/ws_functions/pwg.groups.php
+++ b/include/ws_functions/pwg.groups.php
@@ -165,6 +165,11 @@ DELETE
*/
function ws_groups_setInfo($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
$updates = array();
// does the group exist ?
@@ -221,6 +226,11 @@ SELECT COUNT(*)
*/
function ws_groups_addUser($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
// does the group exist ?
$query = '
SELECT COUNT(*)
@@ -264,6 +274,11 @@ SELECT COUNT(*)
*/
function ws_groups_deleteUser($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
// does the group exist ?
$query = '
SELECT COUNT(*)
diff --git a/include/ws_functions/pwg.permissions.php b/include/ws_functions/pwg.permissions.php
index 936999ab8..990404da3 100644
--- a/include/ws_functions/pwg.permissions.php
+++ b/include/ws_functions/pwg.permissions.php
@@ -146,6 +146,11 @@ SELECT group_id, cat_id
*/
function ws_permissions_add($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
if (!empty($params['group_id']))
@@ -203,6 +208,11 @@ SELECT id
*/
function ws_permissions_remove($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
$cat_ids = get_subcat_ids($params['cat_id']);
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index 345d8f661..d3c676df1 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -275,6 +275,11 @@ SELECT
*/
function ws_users_add($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
global $conf;
if ($conf['double_password_type_in_admin'])
@@ -363,6 +368,11 @@ function ws_users_delete($params, &$service)
*/
function ws_users_setInfo($params, &$service)
{
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
global $conf, $user;
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
diff --git a/ws.php b/ws.php
index fe81decf3..c5829671b 100644
--- a/ws.php
+++ b/ws.php
@@ -772,6 +772,7 @@ function ws_addDefaultMethods( $arr )
'name' => array('flags'=>WS_PARAM_OPTIONAL),
'is_default' => array('flags'=>WS_PARAM_OPTIONAL,
'type'=>WS_TYPE_BOOL),
+ 'pwg_token' => array(),
),
'Updates a group. Leave a field blank to keep the current value.',
$ws_functions_root . 'pwg.groups.php',
@@ -785,6 +786,7 @@ function ws_addDefaultMethods( $arr )
'group_id' => array('type'=>WS_TYPE_ID),
'user_id' => array('flags'=>WS_PARAM_FORCE_ARRAY,
'type'=>WS_TYPE_ID),
+ 'pwg_token' => array(),
),
'Adds one or more users to a group.',
$ws_functions_root . 'pwg.groups.php',
@@ -798,6 +800,7 @@ function ws_addDefaultMethods( $arr )
'group_id' => array('type'=>WS_TYPE_ID),
'user_id' => array('flags'=>WS_PARAM_FORCE_ARRAY,
'type'=>WS_TYPE_ID),
+ 'pwg_token' => array(),
),
'Removes one or more users from a group.',
$ws_functions_root . 'pwg.groups.php',
@@ -850,6 +853,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
'password_confirm' => array('flags'=>WS_PARAM_OPTIONAL),
'email' => array('default'=>null),
'send_password_by_mail' => array('default'=>false, 'type'=>WS_TYPE_BOOL),
+ 'pwg_token' => array(),
),
'Registers a new user.',
$ws_functions_root . 'pwg.users.php',
@@ -899,6 +903,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
'type'=>WS_TYPE_BOOL),
'enabled_high' => array('flags'=>WS_PARAM_OPTIONAL,
'type'=>WS_TYPE_BOOL),
+ 'pwg_token' => array(),
),
'Updates a user. Leave a field blank to keep the current value.
<br>"username", "password" and "email" are ignored if "user_id" is an array.
@@ -936,6 +941,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
'type'=>WS_TYPE_ID),
'recursive' => array('default'=>false,
'type'=>WS_TYPE_BOOL),
+ 'pwg_token' => array(),
),
'Adds permissions to an album.',
$ws_functions_root . 'pwg.permissions.php',
@@ -952,6 +958,7 @@ enabled_high, registration_date, registration_date_string, registration_date_sin
'type'=>WS_TYPE_ID),
'user_id' => array('flags'=>WS_PARAM_FORCE_ARRAY|WS_PARAM_OPTIONAL,
'type'=>WS_TYPE_ID),
+ 'pwg_token' => array(),
),
'Removes permissions from an album.',
$ws_functions_root . 'pwg.permissions.php',