Mirrors/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2024-08-12 14:11:31 +02:00
Code Issues Actions 34 Packages Projects Releases Wiki Activity

Have login-checks and CSRF checks

Browse Source
This commit is contained in:
kondou 2013-09-05 00:04:31 +02:00
parent 8fd76e39cf
commit 6db96603a0
3 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
core/avatar/controller.php
View File

@ -10,12 +10,8 @@ namespace OC\Core\Avatar;
class Controller {
public static function getAvatar($args) {
if (!\OC_User::isLoggedIn()) {
$l = new \OC_L10n('core');
header("HTTP/1.0 403 Forbidden");
\OC_Template::printErrorPage($l->t("Permission denied"));
return;
}
\OC_JSON::checkLoggedIn();
\OC_JSON::callCheck();
$user = stripslashes($args['user']);
$size = (int)$args['size'];
@ -41,6 +37,9 @@ class Controller {
}
public static function postAvatar($args) {
\OC_JSON::checkLoggedIn();
\OC_JSON::callCheck();
$user = \OC_User::getUser();
if (isset($_POST['path'])) {
@ -93,6 +92,9 @@ class Controller {
}
public static function deleteAvatar($args) {
\OC_JSON::checkLoggedIn();
\OC_JSON::callCheck();
$user = \OC_User::getUser();
try {
@ -105,6 +107,9 @@ class Controller {
}
public static function getTmpAvatar($args) {
\OC_JSON::checkLoggedIn();
\OC_JSON::callCheck();
$tmpavatar = \OC_Cache::get('tmpavatar');
if (is_null($tmpavatar)) {
$l = new \OC_L10n('core');
@ -120,6 +125,9 @@ class Controller {
}
public static function postCroppedAvatar($args) {
\OC_JSON::checkLoggedIn();
\OC_JSON::callCheck();
$user = \OC_User::getUser();
if (isset($_POST['crop'])) {
$crop = $_POST['crop'];

2
core/js/jquery.avatar.js
View File

@ -66,7 +66,7 @@
var $div = this;
OC.Router.registerLoadedCallback(function() {
var url = OC.Router.generate('core_avatar_get', {user: user, size: size});
var url = OC.Router.generate('core_avatar_get', {user: user, size: size})+'?requesttoken='+oc_requesttoken;
$.get(url, function(result) {
if (typeof(result) === 'object') {
$div.placeholder(result.user);

2
settings/js/personal.js
View File

@ -58,7 +58,7 @@ function showAvatarCropper() {
$cropper = $('#cropper');
$cropperImage = $('#cropper img');
$cropperImage.attr('src', OC.Router.generate('core_avatar_get_tmp')+'#'+Math.floor(Math.random()*1000));
$cropperImage.attr('src', OC.Router.generate('core_avatar_get_tmp')+'?requesttoken='+oc_requesttoken+'#'+Math.floor(Math.random()*1000));
// Looks weird, but on('load', ...) doesn't work in IE8
$cropperImage.ready(function(){