CSRF checks

2012-07-20 20:39:20 +02:00 · 2012-07-20 20:39:20 +02:00 · 93579d88dc
parent 38271ded75
commit 93579d88dc
12 changed files with 14 additions and 2 deletions
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@ -2,6 +2,7 @@

 // Init owncloud
 require_once('../../lib/base.php');
+OCP\JSON::callCheck();

 $username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser();
 $password = $_POST["password"];
--- a/settings/ajax/creategroup.php
+++ b/settings/ajax/creategroup.php
@ -2,6 +2,7 @@

 // Init owncloud
 require_once('../../lib/base.php');
+OCP\JSON::callCheck();

 // Check if we are a user
 if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' )){
--- a/settings/ajax/createuser.php
+++ b/settings/ajax/createuser.php
@ -2,6 +2,7 @@

 // Init owncloud
 require_once('../../lib/base.php');
+OCP\JSON::callCheck();

 // Check if we are a user
 if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' )){
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
@ -2,6 +2,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();

 OC_App::disable($_POST['appid']);
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@ -3,6 +3,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();

 if(OC_App::enable($_POST['appid'])){
--- a/settings/ajax/lostpassword.php
+++ b/settings/ajax/lostpassword.php
@ -4,11 +4,13 @@
 require_once('../../lib/base.php');

 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();

 $l=OC_L10N::get('core');

 // Get data
-if( isset( $_POST['email'] ) && filter_var( $_POST['email'], FILTER_VALIDATE_EMAIL) ){
	$email=trim($_POST['email']);
+if( isset( $_POST['email'] ) && filter_var( $_POST['email'], FILTER_VALIDATE_EMAIL) ){
+	$email=trim($_POST['email']);
 	OC_Preferences::setValue(OC_User::getUser(),'settings','email',$email);
 	OC_JSON::success(array("data" => array( "message" => $l->t("Email saved") )));
 }else{
--- a/settings/ajax/removegroup.php
+++ b/settings/ajax/removegroup.php
@ -4,6 +4,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $name = $_POST["groupname"];

--- a/settings/ajax/removeuser.php
+++ b/settings/ajax/removeuser.php
@ -4,6 +4,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $username = $_POST["username"];

--- a/settings/ajax/setlanguage.php
+++ b/settings/ajax/setlanguage.php
@ -6,7 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');

 OC_JSON::checkLoggedIn();
-
+OCP\JSON::callCheck();

 // Get data
 if( isset( $_POST['lang'] ) ){
--- a/settings/ajax/setloglevel.php
+++ b/settings/ajax/setloglevel.php
@ -7,6 +7,7 @@

 require_once('../../lib/base.php');
 OC_Util::checkAdminUser();
+OCP\JSON::callCheck();

 OC_Config::setValue( 'loglevel', $_POST['level'] );

--- a/settings/ajax/setquota.php
+++ b/settings/ajax/setquota.php
@ -9,6 +9,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $username = isset($_POST["username"])?$_POST["username"]:'';

--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@ -4,6 +4,7 @@
 require_once('../../lib/base.php');

 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();

 $success = true;
 $error = "add user to";