CSRF check in the settings

diff --git a/settings/ajax/changepassword.php b/settings/ajax/changepassword.php
index 860ea987871af323373ebff7a73e245e58655db9..604298b1cf172d9f48c1f4f7e55ded49812f9d6b 100644 (file)
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@@ -9,6 +9,8 @@ $oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';
 
 // Check if we are a user
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
+
 if( (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$oldPassword)))) {
        OC_JSON::error( array( "data" => array( "message" => "Authentication error" )));
        exit();

diff --git a/settings/ajax/creategroup.php b/settings/ajax/creategroup.php
index 57d82e7bd94599f16002385cf1de2f8bcc5f82b0..3626600ad9b0de1b8c0cfbf0f98da4fcd0a12c47 100644 (file)
--- a/settings/ajax/creategroup.php
+++ b/settings/ajax/creategroup.php
@@ -9,6 +9,8 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
        exit();
 }
 
+OCP\JSON::callCheck();
+
 $groupname = $_POST["groupname"];
 
 // Does the group exist?

diff --git a/settings/ajax/createuser.php b/settings/ajax/createuser.php
index 6714711bc876fbf5161343c6265859941a8b2d32..079b4750b7d2113bdbf9194026a30df0a6297aa2 100644 (file)
--- a/settings/ajax/createuser.php
+++ b/settings/ajax/createuser.php
@@ -8,6 +8,7 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
        OC_JSON::error(array("data" => array( "message" => "Authentication error" )));
        exit();
 }
+OCP\JSON::callCheck();
 
 $groups = array();
 if( isset( $_POST["groups"] )){

diff --git a/settings/ajax/disableapp.php b/settings/ajax/disableapp.php
index 53e9be379e19eae172eff3b15215a60425060c66..cc00698870702faf8482361dbc52c83fd0f8f4c5 100644 (file)
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
@@ -2,6 +2,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();
 
 OC_App::disable($_POST['appid']);

diff --git a/settings/ajax/enableapp.php b/settings/ajax/enableapp.php
index cb116ebe4e84bf1a3e88431d684f12ec03ad8d55..bd53a50210cdffe5fe41173cbcfaf038d3290dab 100644 (file)
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@@ -3,6 +3,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();
 
 if(OC_App::enable($_POST['appid'])){

diff --git a/settings/ajax/lostpassword.php b/settings/ajax/lostpassword.php
index c6df8551f5265ddac8e38e49e169d29f3cb78308..68f6b7933e6e739cdc43bfd04eecf1551beb86e9 100644 (file)
--- a/settings/ajax/lostpassword.php
+++ b/settings/ajax/lostpassword.php
@@ -2,8 +2,8 @@
 
 // Init owncloud
 require_once('../../lib/base.php');
-
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 $l=OC_L10N::get('core');
 

diff --git a/settings/ajax/openid.php b/settings/ajax/openid.php
index 58d071255c205c0c10224e23b836399460bf654b..883cd52bfe1c8a9f535f9e483b4dcd0d3217fb55 100644 (file)
--- a/settings/ajax/openid.php
+++ b/settings/ajax/openid.php
@@ -6,6 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');
 
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 OC_JSON::checkAppEnabled('user_openid');
 
 // Get data

diff --git a/settings/ajax/removegroup.php b/settings/ajax/removegroup.php
index 4d3647818949f28d323aeef433082a8918465b89..19cbe51fd51762ec894c142cafec030e601c0f5a 100644 (file)
--- a/settings/ajax/removegroup.php
+++ b/settings/ajax/removegroup.php
@@ -4,6 +4,7 @@
 require_once('../../lib/base.php');
 
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 
 $name = $_POST["groupname"];
 

diff --git a/settings/ajax/removeuser.php b/settings/ajax/removeuser.php
index 2c288997a1f2467e8db132d6d1855fe2da264e3f..63388b3ca688896c20121a93e581967a98cec50a 100644 (file)
--- a/settings/ajax/removeuser.php
+++ b/settings/ajax/removeuser.php
@@ -4,6 +4,7 @@
 require_once('../../lib/base.php');
 
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 
 $username = $_POST["username"];
 

diff --git a/settings/ajax/setlanguage.php b/settings/ajax/setlanguage.php
index e3b00c3bc8073b980949fc8dafb925755bd54d34..6b8c9274e65e72b9be737f09d361874e5a7dde31 100644 (file)
--- a/settings/ajax/setlanguage.php
+++ b/settings/ajax/setlanguage.php
@@ -6,6 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');
 
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 
 
 // Get data

diff --git a/settings/ajax/setloglevel.php b/settings/ajax/setloglevel.php
index 298cbd64738fb1f0629c44af08eb20eed855c614..4b97ba2aa32fe08aa8508f33f9b58066abdd80a1 100644 (file)
--- a/settings/ajax/setloglevel.php
+++ b/settings/ajax/setloglevel.php
@@ -7,6 +7,7 @@
 
 require_once('../../lib/base.php');
 OC_Util::checkAdminUser();
+OCP\JSON::callCheck();
 
 OC_Config::setValue( 'loglevel', $_POST['level'] );
 

diff --git a/settings/ajax/setquota.php b/settings/ajax/setquota.php
index f59017600ac5b991069a2b057ed63fcea14cb7e0..44c2067824b236af0c565a7ec5cc6e1518e79159 100644 (file)
--- a/settings/ajax/setquota.php
+++ b/settings/ajax/setquota.php
@@ -9,6 +9,7 @@
 require_once('../../lib/base.php');
 
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 
 $username = isset($_POST["username"])?$_POST["username"]:'';
 

diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index 7773c1049c3eb3f24553492a59e53fa839c9141f..a7cdeb2cfbd7a80396a3768cee2ffbcb0746578e 100644 (file)
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -4,6 +4,7 @@
 require_once('../../lib/base.php');
 
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 
 $success = true;
 $error = "add user to";