author | Joas Schilling <coding@schilljs.com> | 2016-10-25 13:05:13 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2016-11-18 12:10:50 +0100 |
commit | 2fd2e45e428b24f16b7724b7a31d660ba67d2ef1 (patch) | |
tree | c6e77f9f796e25d38bef8cf401d1945429becd45 /settings/ajax | |
parent | 410e0fc28f25835c4b10e31066b641387cb53391 (diff) | |
Require password confirmation for user management
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'settings/ajax')
-rw-r--r-- | settings/ajax/togglegroups.php | 7 | ||||
-rw-r--r-- | settings/ajax/togglesubadmins.php | 7 |
2 files changed, 14 insertions, 0 deletions
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index ff79861b811..b9958bef0c9 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -28,6 +28,13 @@
 OC_JSON::checkSubAdminUser();
 OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
 $success = true;
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
diff --git a/settings/ajax/togglesubadmins.php b/settings/ajax/togglesubadmins.php
index 390e5c09ef3..5658a382410 100644
--- a/settings/ajax/togglesubadmins.php
+++ b/settings/ajax/togglesubadmins.php
@@ -24,6 +24,13 @@
 OC_JSON::checkAdminUser();
 OCP\JSON::callCheck();
+$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
+if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
+ $l = \OC::$server->getL10N('core');
+ OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
+ exit();
+}
+
 $username = (string)$_POST['username'];
 $group = (string)$_POST['group'];
|
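Review bot: The threshold `time() - 30 * 60 + 15` in the added `if` of settings/ajax/togglegroups.php evaluates to "now minus 29 min 45 s", so the 15 seconds shorten the confirmation window instead of extending it. The inline comment `// allow 15 seconds delay` suggests the opposite was intended. The check still fails closed, so this is not a bypass, but a request sent near the end of a 30-minute window can be refused with "Password confirmation is required". If the grace period is meant to be added, the line should read `if ($lastConfirm < (time() - (30 * 60 + 15))) { // allow 15 seconds delay`. The same expression appears in the settings/ajax/togglesubadmins.php hunk and needs the same change. Both scripts continue outside the hunks shown.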
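Review bot: The seven added lines in settings/ajax/togglesubadmins.php are a verbatim copy of the block in togglegroups.php, so the window length, the session key and the error text now live in two places. The diffstat is limited to 'settings/ajax', so whether other endpoints get the same check cannot be told from here. A single shared check that both scripts call right after `OCP\JSON::callCheck();` would keep the policy consistent and make it harder to add a new user-management endpoint without it. It would also help to document the fail-closed default next to the cast, for example `// a missing 'last-password-confirm' casts to 0, so the request is refused`.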