From: Thomas Tanghus
Date: Thu, 14 Jun 2012 16:12:38 +0000 (+0200)
Subject: Contacts: Fixes for CSRF.
X-Git-Tag: v4.5.0beta1~74^2~420^2~27
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=47c03a0effbe036e644da8ae2dee65f12a6e6c84;p=nextcloud-server.git
Contacts: Fixes for CSRF.
---
diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js
index 45509a7f9db..a1b9976006d 100644
--- a/apps/contacts/js/contacts.js
+++ b/apps/contacts/js/contacts.js
@@ -1152,7 +1152,7 @@ Contacts={
 },
 editPhoto:function(id, tmpkey){
 //alert('editPhoto: ' + tmpkey);
-$.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmpkey':tmpkey,'id':this.id},function(jsondata){
+$.getJSON(OC.filePath('contacts', 'ajax', 'cropphoto.php'),{'tmpkey':tmpkey,'id':this.id, 'requesttoken':requesttoken},function(jsondata){
 if(jsondata.status == 'success'){
 //alert(jsondata.data.page);
 $('#edit_photo_dialog_img').html(jsondata.data.page);
@@ -1645,7 +1645,7 @@ $(document).ready(function(){
 //}
 }
 };
-xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&imagefile='+encodeURIComponent(file.name), true);
+xhr.open('POST', OC.filePath('contacts', 'ajax', 'uploadphoto.php')+'?id='+Contacts.UI.Card.id+'&requesttoken='+requesttoken+'&imagefile='+encodeURIComponent(file.name), true);
 xhr.setRequestHeader('Cache-Control', 'no-cache');
 xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
 xhr.setRequestHeader('X_FILE_NAME', encodeURIComponent(file.name));
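Review bot: The added `'requesttoken'` is sent in the query string, because `$.getJSON` issues a GET, so the CSRF token is written to web-server access logs, proxy logs and browser history on every crop request; the uploadphoto.php URL in the second hunk has the same exposure. Switching this call to `$.post(OC.filePath('contacts', 'ajax', 'cropphoto.php'), {'tmpkey':tmpkey, 'id':this.id, 'requesttoken':requesttoken}, function(jsondata){ /* unchanged */ }, 'json')` keeps the token out of the URL, provided cropphoto.php reads it from the POST body as well, which this diff does not show. Sending the token only helps if cropphoto.php actually verifies it server-side (an `OCP\JSON::callCheck()`-style check), and that side is not part of this commit, so it is worth confirming it landed together with this change. `requesttoken` is referenced as a bare global here; if contacts.js ever runs before the core script that defines it, this line throws a ReferenceError instead of failing with a clear message, so a guard such as `if (typeof requesttoken === 'undefined') { console.log('requesttoken missing'); return; }` ahead of the call would make the failure mode obvious. editPhoto's body continues past the end of the hunk.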
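Review bot: In the xhr.open line, `requesttoken` is concatenated into the uploadphoto.php URL without encoding, while `file.name` on the same line goes through encodeURIComponent; if the token ever contains `+`, `/` or `=` (base64-style values do), the server receives a mangled token and rejects the upload as a CSRF failure. Change it to `'&requesttoken='+encodeURIComponent(requesttoken)+`. Because this is already a raw XMLHttpRequest with explicit setRequestHeader calls, the token could instead be carried in a request header or the POST body rather than the URL so it does not end up in access logs — only if the server-side check accepts it there, which this diff does not show. The enclosing `$(document).ready` handler starts and ends outside the hunk.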