summaryrefslogtreecommitdiffstats
path: root/settings/ajax
diff options
context:
space:
mode:
authorJoas Schilling <coding@schilljs.com>2016-10-25 13:05:13 +0200
committerLukas Reschke <lukas@statuscode.ch>2016-11-18 12:10:50 +0100
commit2fd2e45e428b24f16b7724b7a31d660ba67d2ef1 (patch)
treec6e77f9f796e25d38bef8cf401d1945429becd45 /settings/ajax
parent410e0fc28f25835c4b10e31066b641387cb53391 (diff)
downloadnextcloud-server-2fd2e45e428b24f16b7724b7a31d660ba67d2ef1.tar.gz
nextcloud-server-2fd2e45e428b24f16b7724b7a31d660ba67d2ef1.zip
Require password confirmation for user management
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'settings/ajax')
-rw-r--r--settings/ajax/togglegroups.php7
-rw-r--r--settings/ajax/togglesubadmins.php7
2 files changed, 14 insertions, 0 deletions
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index ff79861b811..b9958bef0c9 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -28,6 +28,13 @@
OC_JSON::checkSubAdminUser();
OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
$success = true;
$username = (string)$_POST['username'];
$group = (string)$_POST['group'];
diff --git a/settings/ajax/togglesubadmins.php b/settings/ajax/togglesubadmins.php
index 390e5c09ef3..5658a382410 100644
--- a/settings/ajax/togglesubadmins.php
+++ b/settings/ajax/togglesubadmins.php
@@ -24,6 +24,13 @@
OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
$username = (string)$_POST['username'];
$group = (string)$_POST['group'];