From: Lukas Reschke
Date: Sat, 7 Jul 2012 13:27:04 +0000 (+0200)
Subject: CSRF check in the settings
X-Git-Tag: v4.5.0beta1~74^2~225^2~19
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=777eb1d8b1d68f93d986bf2c8280e7416a1694e6;p=nextcloud-server.git

CSRF check in the settings
---

diff --git a/settings/ajax/changepassword.php b/settings/ajax/changepassword.php
index 860ea987871..604298b1cf1 100644
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@@ -9,6 +9,8 @@ $oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';
 // Check if we are a user
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
+
 if( (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$oldPassword)))) {
 OC_JSON::error( array( "data" => array( "message" => "Authentication error" )));
 exit();
diff --git a/settings/ajax/creategroup.php b/settings/ajax/creategroup.php
index 57d82e7bd94..3626600ad9b 100644
--- a/settings/ajax/creategroup.php
+++ b/settings/ajax/creategroup.php
@@ -9,6 +9,8 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
 exit();
 }
+OCP\JSON::callCheck();
+
 $groupname = $_POST["groupname"];
 // Does the group exist?
diff --git a/settings/ajax/createuser.php b/settings/ajax/createuser.php
index 6714711bc87..079b4750b7d 100644
--- a/settings/ajax/createuser.php
+++ b/settings/ajax/createuser.php
@@ -8,6 +8,7 @@ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' ))
 OC_JSON::error(array("data" => array( "message" => "Authentication error" )));
 exit();
 }
+OCP\JSON::callCheck();
 $groups = array();
 if( isset( $_POST["groups"] )){
diff --git a/settings/ajax/disableapp.php b/settings/ajax/disableapp.php
index 53e9be379e1..cc006988707 100644
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
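Review bot: The added `OCP\JSON::callCheck();` goes through the public-app `OCP\JSON` facade while the lines around it call the core `OC_JSON` class directly (`OC_JSON::checkLoggedIn()`, `OC_JSON::error(...)`); core settings code would read more consistently as `OC_JSON::callCheck();`, assuming the OCP wrapper only forwards to that method, and the same applies to every hunk in this commit. The new line also carries no comment saying what it rejects, and next to a login check it is easy to misread as a second authentication step; a one-liner above it such as `// CSRF: reject requests that do not carry a valid request token` would save the next reader a lookup. Blank-line placement is inconsistent as well: changepassword.php and creategroup.php add an empty line after the check, createuser.php does not.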
@@ -2,6 +2,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();
 OC_App::disable($_POST['appid']);
diff --git a/settings/ajax/enableapp.php b/settings/ajax/enableapp.php
index cb116ebe4e8..bd53a50210c 100644
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@@ -3,6 +3,7 @@
 // Init owncloud
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();
 if(OC_App::enable($_POST['appid'])){
diff --git a/settings/ajax/lostpassword.php b/settings/ajax/lostpassword.php
index c6df8551f52..68f6b7933e6 100644
--- a/settings/ajax/lostpassword.php
+++ b/settings/ajax/lostpassword.php
@@ -2,8 +2,8 @@
 // Init owncloud
 require_once('../../lib/base.php');
-
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 $l=OC_L10N::get('core');
diff --git a/settings/ajax/openid.php b/settings/ajax/openid.php
index 58d071255c2..883cd52bfe1 100644
--- a/settings/ajax/openid.php
+++ b/settings/ajax/openid.php
@@ -6,6 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 OC_JSON::checkAppEnabled('user_openid');
 // Get data
diff --git a/settings/ajax/removegroup.php b/settings/ajax/removegroup.php
index 4d364781894..19cbe51fd51 100644
--- a/settings/ajax/removegroup.php
+++ b/settings/ajax/removegroup.php
@@ -4,6 +4,7 @@
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 $name = $_POST["groupname"];
diff --git a/settings/ajax/removeuser.php b/settings/ajax/removeuser.php
index 2c288997a1f..63388b3ca68 100644
--- a/settings/ajax/removeuser.php
+++ b/settings/ajax/removeuser.php
@@ -4,6 +4,7 @@
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 $username = $_POST["username"];
diff --git a/settings/ajax/setlanguage.php b/settings/ajax/setlanguage.php
index e3b00c3bc80..6b8c9274e65 100644
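Review bot: In disableapp.php and enableapp.php the check is inserted before `OC_JSON::setContentTypeHeader();`, so when `callCheck()` rejects a request and writes its JSON error itself, that response goes out before the JSON content type has been set unless the helper sets it on its own — worth confirming; if it does not, swapping the two lines (`OC_JSON::setContentTypeHeader();` first, then `OCP\JSON::callCheck();`) keeps the failure response well-formed for the ajax caller. In lostpassword.php the removed line reads as whitespace-only and `OC_JSON::checkLoggedIn();` stays as context, which is the intended shape; since the collapsed rendering loses the line markers, it is worth double-checking on the real diff that the login check is not the line being dropped. Both app-toggle files continue past this hunk with the `$_POST['appid']` handling.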
--- a/settings/ajax/setlanguage.php
+++ b/settings/ajax/setlanguage.php
@@ -6,6 +6,7 @@ require_once('../../lib/base.php');
 $l=OC_L10N::get('settings');
 OC_JSON::checkLoggedIn();
+OCP\JSON::callCheck();
 // Get data
diff --git a/settings/ajax/setloglevel.php b/settings/ajax/setloglevel.php
index 298cbd64738..4b97ba2aa32 100644
--- a/settings/ajax/setloglevel.php
+++ b/settings/ajax/setloglevel.php
@@ -7,6 +7,7 @@
 require_once('../../lib/base.php');
 OC_Util::checkAdminUser();
+OCP\JSON::callCheck();
 OC_Config::setValue( 'loglevel', $_POST['level'] );
diff --git a/settings/ajax/setquota.php b/settings/ajax/setquota.php
index f59017600ac..44c2067824b 100644
--- a/settings/ajax/setquota.php
+++ b/settings/ajax/setquota.php
@@ -9,6 +9,7 @@
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 $username = isset($_POST["username"])?$_POST["username"]:'';
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index 7773c1049c3..a7cdeb2cfbd 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -4,6 +4,7 @@
 require_once('../../lib/base.php');
 OC_JSON::checkAdminUser();
+OCP\JSON::callCheck();
 $success = true;
 $error = "add user to";
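Review bot: setloglevel.php guards with `OC_Util::checkAdminUser();` while every sibling endpoint in this commit (setquota.php, togglegroups.php, removegroup.php, removeuser.php) uses `OC_JSON::checkAdminUser();`; the OC_Util variant is presumably the page-oriented one that answers a non-admin with a redirect rather than a JSON error, which an ajax caller will not handle, so the new `OCP\JSON::callCheck();` would sit more naturally under `OC_JSON::checkAdminUser();`. Separately, the token check only establishes that the request originates from the admin's own session; `$_POST['level']` is still written unvalidated by `OC_Config::setValue( 'loglevel', $_POST['level'] );`, so a cast and range check against the accepted log levels, e.g. `$level = (int)$_POST['level'];` before the setValue call, belongs next to the new line. This is pre-existing rather than introduced here, and the file continues past the hunk.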