Added CSRF checks

diff --git a/apps/bookmarks/ajax/addBookmark.php b/apps/bookmarks/ajax/addBookmark.php
index a2eb506f85e6740df84ad1faee2081dfc8ee6cbc..b4d0f33d721648c4d26fc38641bf329f4bc769f8 100644 (file)
--- a/apps/bookmarks/ajax/addBookmark.php
+++ b/apps/bookmarks/ajax/addBookmark.php
@@ -29,6 +29,7 @@ $RUNTIME_NOSETUPFS=true;
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('bookmarks');
+OCP\JSON::callCheck();
 
 require_once(OC::$APPSROOT . '/apps/bookmarks/bookmarksHelper.php');
 $id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']);

diff --git a/apps/bookmarks/ajax/delBookmark.php b/apps/bookmarks/ajax/delBookmark.php
index 5a067701c9fb165ba9e870a9b7f23680cd829e47..140da2a37d1f235a539be21e3f64deef66c07f07 100644 (file)
--- a/apps/bookmarks/ajax/delBookmark.php
+++ b/apps/bookmarks/ajax/delBookmark.php
@@ -29,6 +29,7 @@ $RUNTIME_NOSETUPFS=true;
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('bookmarks');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 if (!OC_Bookmarks_Bookmarks::deleteUrl($id)){

diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php
index 439b680dc20ae9088089a4d67b2f17a02767f893..36258f709617d035ae7f881a61f818eff23766ac 100644 (file)
--- a/apps/bookmarks/ajax/editBookmark.php
+++ b/apps/bookmarks/ajax/editBookmark.php
@@ -29,6 +29,7 @@ $RUNTIME_NOSETUPFS=true;
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('bookmarks');
+OCP\JSON::callCheck();
 
 $CONFIG_DBTYPE = OCP\Config::getSystemValue( "dbtype", "sqlite" );
 if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){

diff --git a/apps/calendar/ajax/calendar/delete.php b/apps/calendar/ajax/calendar/delete.php
index 4d6706f60028e8ef90dcb55c407f8e19f447e6df..089255cae39c4cfacfe0446c8c777b3ecce0cc6f 100644 (file)
--- a/apps/calendar/ajax/calendar/delete.php
+++ b/apps/calendar/ajax/calendar/delete.php
@@ -9,6 +9,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $cal = $_POST["calendarid"];
 $calendar = OC_Calendar_App::getCalendar($cal, true);

diff --git a/apps/calendar/ajax/calendar/edit.php b/apps/calendar/ajax/calendar/edit.php
index 82f18fe7f44a3dfb60e2e8b4df8d8ef0a30758c2..3f69666b58c86af8c55ab8264ee783e4ef4e3e38 100644 (file)
--- a/apps/calendar/ajax/calendar/edit.php
+++ b/apps/calendar/ajax/calendar/edit.php
@@ -9,6 +9,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
 $calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);

diff --git a/apps/calendar/ajax/calendar/new.php b/apps/calendar/ajax/calendar/new.php
index 278c8e5520bb99d40b567b740e8942b37ee21ae1..34b056abe8fba24b50ef11954ac12ad0203a9cde 100644 (file)
--- a/apps/calendar/ajax/calendar/new.php
+++ b/apps/calendar/ajax/calendar/new.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 if(trim($_POST['name']) == ''){
        OCP\JSON::error(array('message'=>'empty'));

diff --git a/apps/calendar/ajax/calendar/update.php b/apps/calendar/ajax/calendar/update.php
index 5cf63d396f7253a48229f1b6902886f7c2c00f26..740094775f5211d05cc29381daa6bef2a2ce8639 100644 (file)
--- a/apps/calendar/ajax/calendar/update.php
+++ b/apps/calendar/ajax/calendar/update.php
@@ -11,6 +11,7 @@
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 if(trim($_POST['name']) == ''){
        OCP\JSON::error(array('message'=>'empty'));

diff --git a/apps/calendar/ajax/event/delete.php b/apps/calendar/ajax/event/delete.php
index f183d431afaddad95a33a8b272467263b5d31bef..17e45c001e8093f974db3e3eb58d335fcc976a2d 100644 (file)
--- a/apps/calendar/ajax/event/delete.php
+++ b/apps/calendar/ajax/event/delete.php
@@ -9,6 +9,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);

diff --git a/apps/calendar/ajax/event/edit.php b/apps/calendar/ajax/event/edit.php
index 1c3babc3d90909ed0bde5fe43f98ab9da4b5ab32..db78bf6e5e0c6603a6ac5c958570abd40cf2d947 100644 (file)
--- a/apps/calendar/ajax/event/edit.php
+++ b/apps/calendar/ajax/event/edit.php
@@ -9,6 +9,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 

diff --git a/apps/calendar/ajax/event/move.php b/apps/calendar/ajax/event/move.php
index 04cf2fb0513065d65a2c07fcf659e31e01a91105..f4e2b36376d415c1c87803ce63d777dbee90d7e8 100644 (file)
--- a/apps/calendar/ajax/event/move.php
+++ b/apps/calendar/ajax/event/move.php
@@ -7,6 +7,7 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);

diff --git a/apps/calendar/ajax/event/new.php b/apps/calendar/ajax/event/new.php
index 30e2b0cae36f428df2cc01472c810eb0dd994c3c..bc0439cc3155b794cd8b9e2eb724245fc0d09588 100644 (file)
--- a/apps/calendar/ajax/event/new.php
+++ b/apps/calendar/ajax/event/new.php
@@ -10,6 +10,7 @@
 
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('calendar');
+OCP\JSON::callCheck();
 
 $errarr = OC_Calendar_Object::validateRequest($_POST);
 if($errarr){

diff --git a/apps/calendar/ajax/import/import.php b/apps/calendar/ajax/import/import.php
index 18e93e67b4aed11a83356ea725ff2b48687e2e5a..c0cd1403763114360bc8412b5c0c06996da59981 100644 (file)
--- a/apps/calendar/ajax/import/import.php
+++ b/apps/calendar/ajax/import/import.php
@@ -8,6 +8,7 @@
 //check for calendar rights or create new one
 ob_start();
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 OCP\App::checkAppEnabled('calendar');
 $nl="\r\n";
 $comps = array('VEVENT'=>true, 'VTODO'=>true, 'VJOURNAL'=>true);

diff --git a/apps/calendar/ajax/settings/setfirstday.php b/apps/calendar/ajax/settings/setfirstday.php
index 056a60375247cd22a0734718b5dba5de9d4e56cb..97c248829398e85f6c380d64850ccd2b09995b30 100644 (file)
--- a/apps/calendar/ajax/settings/setfirstday.php
+++ b/apps/calendar/ajax/settings/setfirstday.php
@@ -7,6 +7,8 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
+
 if(isset($_POST["firstday"])){
        OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'firstday', $_POST["firstday"]);
        OCP\JSON::success();

diff --git a/apps/calendar/ajax/settings/settimeformat.php b/apps/calendar/ajax/settings/settimeformat.php
index 8e95f6f3bf53142ca853d7b5ee7ab303e812b51f..d09679b9270b6a605ee17f4abff456caf742ee80 100644 (file)
--- a/apps/calendar/ajax/settings/settimeformat.php
+++ b/apps/calendar/ajax/settings/settimeformat.php
@@ -7,6 +7,8 @@
  */
  
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
+
 if(isset($_POST["timeformat"])){
        OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timeformat', $_POST["timeformat"]);
        OCP\JSON::success();

diff --git a/apps/calendar/ajax/share/changepermission.php b/apps/calendar/ajax/share/changepermission.php
index 2737420c94ede4c2717f8008cd163c040d401242..f3c628e847758733761352e62061f6bfccec998f 100644 (file)
--- a/apps/calendar/ajax/share/changepermission.php
+++ b/apps/calendar/ajax/share/changepermission.php
@@ -5,7 +5,8 @@
  * later.
  * See the COPYING-README file.
  */
- 
+ OCP\JSON::callCheck();
+
 $id = strip_tags($_GET['id']);
 $idtype = strip_tags($_GET['idtype']);
 $permission = (int) strip_tags($_GET['permission']);

diff --git a/apps/calendar/ajax/share/share.php b/apps/calendar/ajax/share/share.php
index 629a7b6b79fb217d7c9b6ca1224303162ba4e1d3..babb8ce3f13cfbad8063d00b1a0ba54447be17ad 100644 (file)
--- a/apps/calendar/ajax/share/share.php
+++ b/apps/calendar/ajax/share/share.php
@@ -5,7 +5,8 @@
  * later.
  * See the COPYING-README file.
  */
- 
+ OCP\JSON::callCheck();
+
 $id = strip_tags($_GET['id']);
 $idtype = strip_tags($_GET['idtype']);
 switch($idtype){

diff --git a/apps/calendar/ajax/share/unshare.php b/apps/calendar/ajax/share/unshare.php
index fe7c98452d7e14528dd4d9532944d1ee51350756..09264070ddec6df4b6a4a81e53419408a87372f4 100644 (file)
--- a/apps/calendar/ajax/share/unshare.php
+++ b/apps/calendar/ajax/share/unshare.php
@@ -5,7 +5,8 @@
  * later.
  * See the COPYING-README file.
  */
- 
+ OCP\JSON::callCheck();
+
 $id = strip_tags($_GET['id']);
 $idtype = strip_tags($_GET['idtype']);
 switch($idtype){

diff --git a/apps/external/ajax/setsites.php b/apps/external/ajax/setsites.php
index f153735f0942e8f93e0f128f863d6d7ec3ab2a25..0dbac3abb296282da17bf14bbbfa2f35457692ff 100644 (file)
--- a/apps/external/ajax/setsites.php
+++ b/apps/external/ajax/setsites.php
@@ -8,6 +8,7 @@
 
  
 OCP\User::checkAdminUser();
+OCP\JSON::callCheck();
 
 $sites = array();
 for ($i = 0; $i < sizeof($_POST['site_name']); $i++) {

diff --git a/apps/files/ajax/delete.php b/apps/files/ajax/delete.php
index ed155de0dc76cf5e13e17701767ffd2615a393e0..161d820f735ec206a7705f78c912307d5136e79e 100644 (file)
--- a/apps/files/ajax/delete.php
+++ b/apps/files/ajax/delete.php
@@ -4,6 +4,7 @@
 
 
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 // Get data
 $dir = stripslashes($_GET["dir"]);

diff --git a/apps/files/ajax/move.php b/apps/files/ajax/move.php
index 945fe4e7b82a55ad4080bc801e195328a68408b3..56171dd0ed3d216ac2fccf930e1f01805cf72c88 100644 (file)
--- a/apps/files/ajax/move.php
+++ b/apps/files/ajax/move.php
@@ -4,6 +4,7 @@
 
 
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 // Get data
 $dir = stripslashes($_GET["dir"]);

diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index edb784148724e64ec0c877617f4479fc99477744..7236deb65c9b934791731a97fde4de227076bc06 100644 (file)
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -4,6 +4,7 @@
 
 
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 // Get the params
 $dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : '';

diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index c5c37914c6a68c005e6c1df2b3795f397671eca6..ae92bcf09bb8f5f018a496593f361834ecc5a05b 100644 (file)
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
@@ -4,6 +4,7 @@
 
 
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 // Get the params
 $dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : '';

diff --git a/apps/files/ajax/rename.php b/apps/files/ajax/rename.php
index e2fa3d54a61aad43feab0b0054e9c5125f6e705b..8e98308eb5c06ae7a54db56fee3f92e25a56710b 100644 (file)
--- a/apps/files/ajax/rename.php
+++ b/apps/files/ajax/rename.php
@@ -4,6 +4,7 @@
 
 
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 // Get data
 $dir = stripslashes($_GET["dir"]);

diff --git a/apps/files_sharing/ajax/email.php b/apps/files_sharing/ajax/email.php
index edf9eca43136677c38263757cfde26234da1dcaa..e931e5f77e6669e108c364242c4cfefa5f0ca0bd 100644 (file)
--- a/apps/files_sharing/ajax/email.php
+++ b/apps/files_sharing/ajax/email.php
@@ -1,5 +1,6 @@
 <?php
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 OCP\JSON::checkAppEnabled('files_sharing');
 $user = OCP\USER::getUser();
 // TODO translations

diff --git a/apps/files_sharing/ajax/setpermissions.php b/apps/files_sharing/ajax/setpermissions.php
index 2f4c5da978858a4187a39fbd5d0125368ad9cfa9..13daab738dec5ace6770d2a8ea557e529d276256 100644 (file)
--- a/apps/files_sharing/ajax/setpermissions.php
+++ b/apps/files_sharing/ajax/setpermissions.php
@@ -3,6 +3,7 @@ require_once(OC::$APPSROOT . '/apps/files_sharing/lib_share.php');
 
 OCP\JSON::checkAppEnabled('files_sharing');
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $source = '/'.OCP\USER::getUser().'/files'.$_POST['source'];
 $uid_shared_with = $_POST['uid_shared_with'];

diff --git a/apps/files_sharing/ajax/share.php b/apps/files_sharing/ajax/share.php
index ec3c25998af903b41d88c11d481a1313cbf36235..fb28caf7b7e986fed63ee9554d4f0307b50de2da 100644 (file)
--- a/apps/files_sharing/ajax/share.php
+++ b/apps/files_sharing/ajax/share.php
@@ -3,6 +3,7 @@ require_once(OC::$APPSROOT . '/apps/files_sharing/lib_share.php');
 
 OCP\JSON::checkAppEnabled('files_sharing');
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $userDirectory = '/'.OCP\USER::getUser().'/files';
 $sources = explode(';', $_POST['sources']);

diff --git a/apps/files_sharing/ajax/toggleresharing.php b/apps/files_sharing/ajax/toggleresharing.php
index 673f00c5d18e57d5b483191f9cf0db0968f5adf7..ab8e82c8c3fc0a344b67728bbc371197ba2ecfef 100644 (file)
--- a/apps/files_sharing/ajax/toggleresharing.php
+++ b/apps/files_sharing/ajax/toggleresharing.php
@@ -1,5 +1,7 @@
 <?php
 
+OCP\JSON::callCheck();
+
 OCP\JSON::checkAppEnabled('files_sharing');
 OCP\JSON::checkAdminUser();
 if ($_POST['resharing'] == true) {

diff --git a/apps/files_sharing/ajax/togglesharewitheveryone.php b/apps/files_sharing/ajax/togglesharewitheveryone.php
index dc1105f2f3cc8be63ecebd08f95cbc3f3891d006..96c43711cb5c843a076c856da19b84e44daa1bcb 100644 (file)
--- a/apps/files_sharing/ajax/togglesharewitheveryone.php
+++ b/apps/files_sharing/ajax/togglesharewitheveryone.php
@@ -1,5 +1,7 @@
 <?php
 
+OCP\JSON::callCheck();
+
 OCP\JSON::checkAppEnabled('files_sharing');
 OCP\JSON::checkAdminUser();
 if ($_POST['allowSharingWithEveryone'] == true) {

diff --git a/apps/files_sharing/ajax/unshare.php b/apps/files_sharing/ajax/unshare.php
index 9088bf4266349c05093715fb85d556bb30b8e403..d291b719e38eeff751baea023f0472ac48166a88 100644 (file)
--- a/apps/files_sharing/ajax/unshare.php
+++ b/apps/files_sharing/ajax/unshare.php
@@ -3,6 +3,7 @@ require_once(OC::$APPSROOT . '/apps/files_sharing/lib_share.php');
 
 OCP\JSON::checkAppEnabled('files_sharing');
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $source = '/'.OCP\USER::getUser().'/files'.$_POST['source'];
 $uid_shared_with = $_POST['uid_shared_with'];

diff --git a/apps/files_texteditor/ajax/savefile.php b/apps/files_texteditor/ajax/savefile.php
index f789112d7d7b438450aafe6ec99a2ad2c6e2ccba..aa24d07eef18cad49333d6e68db3ce23a8692cf7 100644 (file)
--- a/apps/files_texteditor/ajax/savefile.php
+++ b/apps/files_texteditor/ajax/savefile.php
@@ -26,6 +26,7 @@
 
 // Check if we are a user
 OCP\JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 // Get paramteres
 $filecontents = isset($_POST['filecontents']) ? $_POST['filecontents'] : false;

diff --git a/apps/files_versions/ajax/rollbackVersion.php b/apps/files_versions/ajax/rollbackVersion.php
index 127592f3b58095bf55c48b95ae13562c1a049b0c..77c6102ea7645bf3c4e14e777afe3cd0eb9ff0e2 100644 (file)
--- a/apps/files_versions/ajax/rollbackVersion.php
+++ b/apps/files_versions/ajax/rollbackVersion.php
@@ -1,6 +1,7 @@
 <?php
 
 OCP\JSON::checkAppEnabled('files_versions');
+OCP\JSON::callCheck();
 
 require_once('apps/files_versions/versions.php');
 

diff --git a/apps/gallery/ajax/createAlbum.php b/apps/gallery/ajax/createAlbum.php
index 61e2e9ae2e9928b90b4899a833e0495959f78750..e13dac6ad1a259d56fa18dbab042c174a7089a63 100644 (file)
--- a/apps/gallery/ajax/createAlbum.php
+++ b/apps/gallery/ajax/createAlbum.php
@@ -24,6 +24,7 @@
  
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('gallery');
+OCP\JSON::callCheck();
 
 OC_Gallery_Album::create(OCP\USER::getUser(), $_GET['album_name']);
 

diff --git a/apps/gallery/ajax/sharing.php b/apps/gallery/ajax/sharing.php
index 1223320120b4aa7a41150542a9afea658974ba16..c3d5989ae57dba26ac9e6b22cab425166a10295a 100644 (file)
--- a/apps/gallery/ajax/sharing.php
+++ b/apps/gallery/ajax/sharing.php
@@ -22,6 +22,7 @@
 */
 
  
+OCP\JSON::callCheck();
 
 if (!isset($_GET['token']) || !isset($_GET['operation'])) {
   OCP\JSON::error(array('cause' => 'Not enought arguments'));

diff --git a/apps/tasks/ajax/addtask.php b/apps/tasks/ajax/addtask.php
index 9f35e7f21ec464165ba40d5518259c0692a60ce0..188e179236af9a727b632c2b842babbcb61d2ac0 100644 (file)
--- a/apps/tasks/ajax/addtask.php
+++ b/apps/tasks/ajax/addtask.php
@@ -3,6 +3,7 @@
 // Init owncloud
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('tasks');
+OCP\JSON::callCheck();
 
 $calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true);
 $first_calendar = reset($calendars);

diff --git a/apps/tasks/ajax/addtaskform.php b/apps/tasks/ajax/addtaskform.php
index d86232e2da5a74132a0b91c50e8b512bdc693635..2795f393732d3c8ed9f7421e141434591772c9f1 100644 (file)
--- a/apps/tasks/ajax/addtaskform.php
+++ b/apps/tasks/ajax/addtaskform.php
@@ -3,6 +3,7 @@
 // Init owncloud
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('tasks');
+OCP\JSON::callCheck();
 
 $calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true);
 $category_options = OC_Calendar_App::getCategoryOptions();

diff --git a/apps/tasks/ajax/delete.php b/apps/tasks/ajax/delete.php
index e29add9b556ff4f43a08acfc19bf09d9101220d0..cc22c3e38733bcac2fd5581c77aca5b52e89b09a 100644 (file)
--- a/apps/tasks/ajax/delete.php
+++ b/apps/tasks/ajax/delete.php
@@ -23,6 +23,7 @@
 // Init owncloud
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('tasks');
+OCP\JSON::callCheck();
 
 $id = $_POST['id'];
 $task = OC_Calendar_App::getEventObject( $id );

diff --git a/apps/tasks/ajax/edittask.php b/apps/tasks/ajax/edittask.php
index edcc8a7cdcda2240a4e04d5ada7596cda781f34c..77ecff13e6639ceb21f7f363a82dd3793a79ce1e 100644 (file)
--- a/apps/tasks/ajax/edittask.php
+++ b/apps/tasks/ajax/edittask.php
@@ -3,6 +3,7 @@
 // Init owncloud
 OCP\JSON::checkLoggedIn();
 OCP\JSON::checkAppEnabled('tasks');
+OCP\JSON::callCheck();
 
 $l10n = new OC_L10N('tasks');