From b08c46f3c3428fa5ffe50c15367ecefd46f65b6f Mon Sep 17 00:00:00 2001 From: plegall Date: Mon, 17 Mar 2014 22:20:28 +0000 Subject: merge r27810 from branch 2.6 to trunk bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6 (pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add, pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove) git-svn-id: http://piwigo.org/svn/trunk@27811 68402e56-0260-453c-a942-63ccdbb3a9ee --- admin/themes/default/template/user_list.tpl | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'admin/themes') diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl index a491cae17..79a2e4dd5 100644 --- a/admin/themes/default/template/user_list.tpl +++ b/admin/themes/default/template/user_list.tpl @@ -56,7 +56,7 @@ jQuery(document).ready(function() { jQuery.ajax({ url: "ws.php?format=json&method=pwg.users.add", type:"POST", - data: jQuery(this).serialize(), + data: jQuery(this).serialize()+"&pwg_token="+pwg_token, beforeSend: function() { jQuery("#addUserForm .errors").hide(); @@ -345,6 +345,7 @@ jQuery(document).ready(function() { url: "ws.php?format=json&method=pwg.users.setInfo", type:"POST", data: { + pwg_token:pwg_token, user_id:userId, password: jQuery('#user'+userId+' .changePassword input[type=text]').val() }, @@ -396,6 +397,7 @@ jQuery(document).ready(function() { url: "ws.php?format=json&method=pwg.users.setInfo", type:"POST", data: { + pwg_token:pwg_token, user_id:userId, username: jQuery('#user'+userId+' .changeUsername input[type=text]').val() }, @@ -467,6 +469,7 @@ jQuery(document).ready(function() { var userId = jQuery(this).data('user_id'); var formData = jQuery('#user'+userId+' form').serialize(); + formData += '&pwg_token='+pwg_token; if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) { formData += '&group_id=-1'; @@ -708,6 +711,7 @@ jQuery(document).ready(function() { var action = jQuery("select[name=selectAction]").prop("value"); var method = 'pwg.users.setInfo'; var data = { + pwg_token: pwg_token, user_id: selection }; @@ -718,7 +722,6 @@ jQuery(document).ready(function() { return false; } method = 'pwg.users.delete'; - data.pwg_token = pwg_token; break; case 'group_associate': method = 'pwg.groups.addUser'; -- cgit v1.2.3