author | plegall <plg@piwigo.org> | 2014-03-17 22:16:47 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2014-03-17 22:16:47 +0000 |
commit | 8c8591ccb0ca20940d4d41ec05a09b25ddaabb00 (patch) | |
tree | 79ec98b8936b93ab010982d726a46bdb90b6ae6b /include/ws_functions/pwg.groups.php | |
parent | 1dd79b4bac79ba8bd9ae68b20870e60ec62fabf2 (diff) |
bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6
(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)
git-svn-id: http://piwigo.org/svn/branches/2.6@27810 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/ws_functions/pwg.groups.php')
-rw-r--r-- | include/ws_functions/pwg.groups.php | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/include/ws_functions/pwg.groups.php b/include/ws_functions/pwg.groups.php
index 773623eaf..67d5c843c 100644
--- a/include/ws_functions/pwg.groups.php
+++ b/include/ws_functions/pwg.groups.php
@@ -165,6 +165,11 @@ DELETE
 */
 function ws_groups_setInfo($params, &$service)
 {
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 $updates = array();
 
 // does the group exist ?
@@ -221,6 +226,11 @@ SELECT COUNT(*)
 */
 function ws_groups_addUser($params, &$service)
 {
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 // does the group exist ?
 $query = '
 SELECT COUNT(*)
@@ -264,6 +274,11 @@ SELECT COUNT(*)
 */
 function ws_groups_deleteUser($params, &$service)
 {
+ if (get_pwg_token() != $params['pwg_token'])
+ {
+ return new PwgError(403, 'Invalid security token');
+ }
+
 // does the group exist ?
 $query = '
 SELECT COUNT(*) |
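Review bot: The token check added at the top of ws_groups_setInfo uses the loose `!=` operator, so PHP applies type juggling (two numeric-looking strings are compared as numbers) and the comparison is not constant-time; the identical lines are repeated in ws_groups_addUser and ws_groups_deleteUser. A strict, timing-safe form would be `if (!is_string($params['pwg_token']) || !hash_equals(get_pwg_token(), $params['pwg_token']))` on PHP versions that provide hash_equals(), or at minimum `!==` in place of `!=`. Because the same guard now appears three times in this file (and, per the commit message, in the users and permissions methods as well), a single shared helper would keep the check and its error response consistent. The function bodies continue outside each hunk, and whether `pwg_token` is declared as a required parameter for these methods is not visible here, so that should be confirmed in the method registration.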