author | kondou <kondou@ts.unde.re> | 2013-09-05 00:04:31 +0200 |
committer | kondou <kondou@ts.unde.re> | 2013-09-05 00:04:31 +0200 |
commit | 6db96603a09775e38db30cb3b0fb8e0065111bb5 (patch) | |
tree | e5f77601d6c5a702bb40bc7fde749fcad3cb63c7 | |
parent | 8fd76e39cf52fc9caaf7d2eac365dd03ed6b0cd0 (diff) | |
download | nextcloud-server-6db96603a09775e38db30cb3b0fb8e0065111bb5.tar.gz nextcloud-server-6db96603a09775e38db30cb3b0fb8e0065111bb5.zip |
Have login-checks and CSRF checks
-rw-r--r-- | core/avatar/controller.php | 20 | ||||
-rw-r--r-- | core/js/jquery.avatar.js | 2 | ||||
-rw-r--r-- | settings/js/personal.js | 2 |
3 files changed, 16 insertions, 8 deletions
diff --git a/core/avatar/controller.php b/core/avatar/controller.php
index 43ee811f191..03482ee1070 100644
--- a/core/avatar/controller.php
+++ b/core/avatar/controller.php
@@ -10,12 +10,8 @@ namespace OC\Core\Avatar;
 class Controller {
 public static function getAvatar($args) {
- if (!\OC_User::isLoggedIn()) {
- $l = new \OC_L10n('core');
- header("HTTP/1.0 403 Forbidden");
- \OC_Template::printErrorPage($l->t("Permission denied"));
- return;
- }
+ \OC_JSON::checkLoggedIn();
+ \OC_JSON::callCheck();
 $user = stripslashes($args['user']);
 $size = (int)$args['size'];
@@ -41,6 +37,9 @@ class Controller {
 }
 public static function postAvatar($args) {
+ \OC_JSON::checkLoggedIn();
+ \OC_JSON::callCheck();
+
 $user = \OC_User::getUser();
 if (isset($_POST['path'])) {
@@ -93,6 +92,9 @@ class Controller {
 }
 public static function deleteAvatar($args) {
+ \OC_JSON::checkLoggedIn();
+ \OC_JSON::callCheck();
+
 $user = \OC_User::getUser();
 try {
@@ -105,6 +107,9 @@ class Controller {
 }
 public static function getTmpAvatar($args) {
+ \OC_JSON::checkLoggedIn();
+ \OC_JSON::callCheck();
+
 $tmpavatar = \OC_Cache::get('tmpavatar');
 if (is_null($tmpavatar)) {
 $l = new \OC_L10n('core');
@@ -120,6 +125,9 @@ class Controller {
 }
 public static function postCroppedAvatar($args) {
+ \OC_JSON::checkLoggedIn();
+ \OC_JSON::callCheck();
+
 $user = \OC_User::getUser();
 if (isset($_POST['crop'])) {
 $crop = $_POST['crop'];
diff --git a/core/js/jquery.avatar.js b/core/js/jquery.avatar.js
index 1d2c07211e7..37a824c3347 100644
--- a/core/js/jquery.avatar.js
+++ b/core/js/jquery.avatar.js
@@ -66,7 +66,7 @@
 var $div = this;
 OC.Router.registerLoadedCallback(function() {
- var url = OC.Router.generate('core_avatar_get', {user: user, size: size});
+ var url = OC.Router.generate('core_avatar_get', {user: user, size: size})+'?requesttoken='+oc_requesttoken;
 $.get(url, function(result) {
 if (typeof(result) === 'object') {
 $div.placeholder(result.user);
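Review bot: `\OC_JSON::callCheck()` in getAvatar (and again in getTmpAvatar in the fourth hunk) puts a CSRF check on handlers that, as far as these hunks show, only read and return an image, and the cost is visible in the jquery.avatar.js hunk on this line and the personal.js hunk on the next: the request token now has to travel in the URL query string, where it lands in browser history and in proxy and server access logs, and it makes every avatar URL vary per token. CSRF protection is for requests that change state; the session check alone guards the read endpoints, so I would keep only `\OC_JSON::checkLoggedIn();` in getAvatar and getTmpAvatar and leave `\OC_JSON::callCheck();` on postAvatar, deleteAvatar and postCroppedAvatar, where it belongs. A second consequence is that a failed check now answers with whatever OC_JSON emits instead of the HTML 403 page the removed lines produced; the `$.get` callback in jquery.avatar.js accepts any object as a result, so an error object would presumably reach `$div.placeholder(result.user)` with an undefined user — worth confirming against OC_JSON. The body of getAvatar continues past the hunk.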
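Review bot: The new URL is built by appending `'?requesttoken='+oc_requesttoken` with string concatenation, which assumes `OC.Router.generate(...)` returns a URL with no query string yet and applies no encoding to the token; the same construction is repeated in the personal.js hunk on the next line. jQuery can carry the parameter itself and encode it: `$.get(url, {requesttoken: oc_requesttoken}, function(result) {` with the `var url` line left as it was. The enclosing callback continues past the hunk.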
diff --git a/settings/js/personal.js b/settings/js/personal.js
index 61ce6274c4e..e19d4c83500 100644
--- a/settings/js/personal.js
+++ b/settings/js/personal.js
@@ -58,7 +58,7 @@ function showAvatarCropper() {
 $cropper = $('#cropper');
 $cropperImage = $('#cropper img');
- $cropperImage.attr('src', OC.Router.generate('core_avatar_get_tmp')+'#'+Math.floor(Math.random()*1000));
+ $cropperImage.attr('src', OC.Router.generate('core_avatar_get_tmp')+'?requesttoken='+oc_requesttoken+'#'+Math.floor(Math.random()*1000));
 // Looks weird, but on('load', ...) doesn't work in IE8
 $cropperImage.ready(function(){ |