CSRF check in the settings

2012-07-07 15:27:04 +02:00 · 2012-07-07 15:27:04 +02:00 · 777eb1d8b1
parent ec7bb86b28
commit 777eb1d8b1
13 changed files with 15 additions and 1 deletions
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@ -9,6 +9,8 @@ $oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';

 // Check if we are a user
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
+
 if( (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$oldPassword)))) {
 	OC_JSON::error( array( "data" => array( "message" => "Authentication error" )));
 	exit();
--- a/settings/ajax/creategroup.php
+++ b/settings/ajax/creategroup.php
@ -9,6 +9,8 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
 	exit();
 }

+OCP\JSON::callCheck();
+
 $groupname = $_POST["groupname"];

 // Does the group exist?
--- a/settings/ajax/createuser.php
+++ b/settings/ajax/createuser.php
@ -8,6 +8,7 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
 	OC_JSON::error(array("data" => array( "message" => "Authentication error" )));
 	exit();
 }
+OCP\JSON::callCheck();

 $groups = array();
 if( isset( $_POST["groups"] )){
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
@ -2,6 +2,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();

 OC_App::disable($_POST['appid']);
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@ -3,6 +3,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();

 if(OC_App::enable($_POST['appid'])){
--- a/settings/ajax/lostpassword.php
+++ b/settings/ajax/lostpassword.php
@ -2,8 +2,8 @@

 // Init owncloud
 require_once('../../lib/base.php');
-
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();

 $l=OC_L10N::get('core');

--- a/settings/ajax/openid.php
+++ b/settings/ajax/openid.php
@ -6,6 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');

 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 OC_JSON::checkAppEnabled('user_openid');

 // Get data
--- a/settings/ajax/removegroup.php
+++ b/settings/ajax/removegroup.php
@ -4,6 +4,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $name = $_POST["groupname"];

--- a/settings/ajax/removeuser.php
+++ b/settings/ajax/removeuser.php
@ -4,6 +4,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $username = $_POST["username"];

--- a/settings/ajax/setlanguage.php
+++ b/settings/ajax/setlanguage.php
@ -6,6 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');

 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();


 // Get data
--- a/settings/ajax/setloglevel.php
+++ b/settings/ajax/setloglevel.php
@ -7,6 +7,7 @@

 require_once('../../lib/base.php');
 OC_Util::checkAdminUser();
+OCP\JSON::callCheck();

 OC_Config::setValue( 'loglevel', $_POST['level'] );

--- a/settings/ajax/setquota.php
+++ b/settings/ajax/setquota.php
@ -9,6 +9,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $username = isset($_POST["username"])?$_POST["username"]:'';

--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@ -4,6 +4,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $success = true;
 $error = "add user to";