-rw-r--r--avatar.php78
-rw-r--r--settings/ajax/newavatar.php33
-rw-r--r--settings/js/personal.js11
-rw-r--r--settings/routes.php2
-rw-r--r--settings/templates/personal.php2
5 files changed, 66 insertions, 60 deletions
diff --git a/avatar.php b/avatar.php
index dee162eca7f..a6d6666c623 100644
--- a/avatar.php
+++ b/avatar.php
@@ -12,30 +12,66 @@ if ($mode === "none") {
exit();
}
-if (isset($_GET['user'])) {
- //SECURITY TODO does this fully eliminate directory traversals?
- $user = stripslashes($_GET['user']);
-} else {
- $user = false;
-}
+if ($_SERVER['REQUEST_METHOD'] === "GET") {
+ if (isset($_GET['user'])) {
+ //SECURITY TODO does this fully eliminate directory traversals?
+ $user = stripslashes($_GET['user']);
+ } else {
+ $user = false;
+ }
-if (isset($_GET['size']) && ((int)$_GET['size'] > 0)) {
- $size = (int)$_GET['size'];
- if ($size > 2048) {
- $size = 2048;
+ if (isset($_GET['size']) && ((int)$_GET['size'] > 0)) {
+ $size = (int)$_GET['size'];
+ if ($size > 2048) {
+ $size = 2048;
+ }
+ } else {
+ $size = 64;
}
-} else {
- $size = 64;
-}
+ $image = \OC_Avatar::get($user, $size);
+
+ if ($image instanceof \OC_Image) {
+ $image->show();
+ } elseif (is_string($image)) { // Gravatar alike services
+ header("Location: ".$image);
+ } else {
+ $image = \OC_Avatar::getDefaultAvatar($user, $size);
+ $image->show();
+ }
+} elseif ($_SERVER['REQUEST_METHOD'] === "POST") {
+ $user = OC_User::getUser();
+
+ // Select an image from own files
+ if (isset($_POST['path'])) {
+ //SECURITY TODO FIXME possible directory traversal here
+ $path = $_POST['path'];
+ $avatar = OC::$SERVERROOT.'/data/'.$user.'/files'.$path;
+ }
+ // Upload a new image
+ elseif (!empty($_FILES)) {
+ $files = $_FILES['files'];
+ if ($files['error'][0] === 0) {
+ $avatar = file_get_contents($files['tmp_name'][0]);
+ unlink($files['tmp_name'][0]);
+ }
+ } else {
+ OC_JSON::error();
+ }
-$image = \OC_Avatar::get($user, $size);
+ try {
+ \OC_Avatar::setLocalAvatar($user, $avatar);
+ OC_JSON::success();
+ } catch (\Exception $e) {
+ OC_JSON::error(array("data" => array ("message" => $e->getMessage()) ));
+ }
+} elseif ($_SERVER['REQUEST_METHOD'] === "DELETE") {
+ $user = OC_User::getUser();
-if ($image instanceof \OC_Image) {
- $image->show();
-} elseif (is_string($image)) { // Gravatar alike services
- header("Location: ".$image);
-} else {
- $image = \OC_Avatar::getDefaultAvatar($user, $size);
- $image->show();
+ try {
+ \OC_Avatar::setLocalAvatar($user, false);
+ OC_JSON::success();
+ } catch (\Exception $e) {
+ OC_JSON::error(array("data" => array ("message" => $e->getMessage()) ));
+ }
}
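Review bot: The POST and DELETE branches inherit newavatar.php's logic but not its `OC_JSON::checkLoggedIn();` and `OC_JSON::callCheck();` guards, so unless lines 1–11 of avatar.php (outside this hunk) perform them, a request without a session or without a CSRF token can now set or clear the avatar of whatever user OC_User::getUser() resolves to; add `OC_JSON::checkLoggedIn(); OC_JSON::callCheck();` at the top of both branches, and only there, since the GET branch is meant to serve public images. In the POST branch the final `OC_JSON::error();` does not stop execution and an upload whose `error[0]` is non-zero never assigns `$avatar`, so the try block still calls setLocalAvatar with an undefined `$avatar`; follow the error with `exit();` and guard the try with `if (!isset($avatar)) { OC_JSON::error(); exit(); }`. The `//SECURITY TODO FIXME possible directory traversal here` comment on `$_POST['path']` is carried over unchanged; since this move changes the URL the endpoint is reached by, it is a good moment to resolve it rather than re-file the TODO.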
diff --git a/settings/ajax/newavatar.php b/settings/ajax/newavatar.php
deleted file mode 100644
index 126f3283fb3..00000000000
--- a/settings/ajax/newavatar.php
+++ /dev/null
@@ -1,33 +0,0 @@
-<?php
-
-OC_JSON::checkLoggedIn();
-OC_JSON::callCheck();
-$user = OC_User::getUser();
-
-// Delete avatar
-if (isset($_POST['path']) && $_POST['path'] === "false") {
- $avatar = false;
-}
-// Select an image from own files
-elseif (isset($_POST['path'])) {
- //SECURITY TODO FIXME possible directory traversal here
- $path = $_POST['path'];
- $avatar = OC::$SERVERROOT.'/data/'.$user.'/files'.$path;
-}
-// Upload a new image
-elseif (!empty($_FILES)) {
- $files = $_FILES['files'];
- if ($files['error'][0] === 0) {
- $avatar = file_get_contents($files['tmp_name'][0]);
- unlink($files['tmp_name'][0]);
- }
-} else {
- OC_JSON::error();
-}
-
-try {
- \OC_Avatar::setLocalAvatar($user, $avatar);
- OC_JSON::success();
-} catch (\Exception $e) {
- OC_JSON::error(array("data" => array ("message" => $e->getMessage()) ));
-}
diff --git a/settings/js/personal.js b/settings/js/personal.js
index 74ea7f26ebf..dd2d15052d1 100644
--- a/settings/js/personal.js
+++ b/settings/js/personal.js
@@ -45,7 +45,7 @@ function changeDisplayName(){
}
function selectAvatar (path) {
- $.post(OC.filePath('settings', 'ajax', 'newavatar.php'), {path: path}, function(data) {
+ $.post(OC.filePath('', '', 'avatar.php'), {path: path}, function(data) {
if (data.status === "success") {
updateAvatar();
} else {
@@ -168,8 +168,13 @@ $(document).ready(function(){
});
$('#removeavatar').click(function(){
- $.post(OC.filePath('settings', 'ajax', 'newavatar.php'), {path: false});
- updateAvatar();
+ $.ajax({
+ type: 'DELETE',
+ url: OC.filePath('', '', 'avatar.php'),
+ success: function(msg) {
+ updateAvatar();
+ }
+ });
});
} );
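Review bot: The DELETE success callback calls updateAvatar() without inspecting `msg`, yet the server answers both outcomes with HTTP 200 and a JSON body whose `status` field tells them apart (OC_JSON::success versus OC_JSON::error), so a rejected deletion still refreshes the avatar as if it had succeeded; mirror the check selectAvatar makes on `data.status` with `if (msg.status === "success") { updateAvatar(); }` and report the error otherwise. The request also carries no `requesttoken` in the body or query string; whether the server-side CSRF check covers a bodyless DELETE depends on OC's global jQuery ajax setup, which is not visible here, so confirm that before relying on it.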
diff --git a/settings/routes.php b/settings/routes.php
index 7d323008419..9a27c3e439b 100644
--- a/settings/routes.php
+++ b/settings/routes.php
@@ -72,5 +72,3 @@ $this->create('isadmin', '/settings/js/isadmin.js')
->actionInclude('settings/js/isadmin.php');
$this->create('settings_ajax_setavatarmode', '/settings/ajax/setavatarmode.php')
->actionInclude('settings/ajax/setavatarmode.php');
-$this->create('settings_ajax_newavatar', '/settings/ajax/newavatar.php')
- ->actionInclude('settings/ajax/newavatar.php');
diff --git a/settings/templates/personal.php b/settings/templates/personal.php
index 8d0667f9564..7832c79894b 100644
--- a/settings/templates/personal.php
+++ b/settings/templates/personal.php
@@ -84,7 +84,7 @@ if($_['passwordChangeSupported']) {
?>
<?php if ($_['avatar'] !== "none"): ?>
-<form id="avatar" method="post" action="<?php p(\OC_Helper::linkToRoute('settings_ajax_newavatar')); ?>">
+<form id="avatar" method="post" action="<?php p(\OC_Helper::linkTo('', 'avatar.php')); ?>">
<fieldset class="personalblock">
<legend><strong><?php p($l->t('Profile Image')); ?></strong></legend>
<img src="<?php print_unescaped(link_to('', 'avatar.php').'?user='.OC_User::getUser().'&size=128'); ?>"><br>