Contacts: Fixes for CSRF.

diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index 45509a7f9db475698b771e53c3bb7642fe7fe744..a1b9976006d9117b455e5bfb89daed7bc114d5ea 100644 (file)
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -1152,7 +1152,7 @@ Contacts={
                        },
                        editPhoto:function(id, tmpkey){
                                //alert('editPhoto: ' + tmpkey);
-                               $.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmpkey':tmpkey,'id':this.id},function(jsondata){
+                               $.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmpkey':tmpkey,'id':this.id, 'requesttoken':requesttoken},function(jsondata){
                                        if(jsondata.status == 'success'){
                                                //alert(jsondata.data.page);
                                                $('#edit_photo_dialog_img').html(jsondata.data.page);
@@ -1645,7 +1645,7 @@ $(document).ready(function(){
                                //}
                        }
                };
-               xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&imagefile='+encodeURIComponent(file.name), true);
+               xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&requesttoken='+requesttoken+'&imagefile='+encodeURIComponent(file.name), true);
                xhr.setRequestHeader('Cache-Control', 'no-cache');
                xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
                xhr.setRequestHeader('X_FILE_NAME', encodeURIComponent(file.name));