From 9f276729c2a44151c29754e816fb002502222b1d Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sun, 10 Jun 2012 23:38:26 +0200 Subject: Using POST instead of GET. --- apps/bookmarks/ajax/editBookmark.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'apps/bookmarks/ajax/editBookmark.php') diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php index db349af35c1..fcec2e1cedb 100644 --- a/apps/bookmarks/ajax/editBookmark.php +++ b/apps/bookmarks/ajax/editBookmark.php @@ -39,7 +39,7 @@ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){ $_ut = "UNIX_TIMESTAMP()"; } -$bookmark_id = (int)$_GET["id"]; +$bookmark_id = (int)$_POST["id"]; $query = OCP\DB::prepare(" UPDATE *PREFIX*bookmarks @@ -48,8 +48,8 @@ $query = OCP\DB::prepare(" "); $params=array( - htmlspecialchars_decode($_GET["url"]), - htmlspecialchars_decode($_GET["title"]), + htmlspecialchars_decode($_POST["url"]), + htmlspecialchars_decode($_POST["title"]), ); $query->execute($params); @@ -67,7 +67,7 @@ $query = OCP\DB::prepare(" VALUES (?, ?) "); -$tags = explode(' ', urldecode($_GET["tags"])); +$tags = explode(' ', urldecode($_POST["tags"])); foreach ($tags as $tag) { if(empty($tag)) { //avoid saving blankspaces -- cgit v1.2.3 From 2f9763d216a759505868b75ff0e4dcf846e7000c Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Thu, 21 Jun 2012 11:50:51 +0200 Subject: check if user is allowed to edit bookmarks --- apps/bookmarks/ajax/editBookmark.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'apps/bookmarks/ajax/editBookmark.php') diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php index fcec2e1cedb..439b680dc20 100644 --- a/apps/bookmarks/ajax/editBookmark.php +++ b/apps/bookmarks/ajax/editBookmark.php 
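Review bot: The two new `htmlspecialchars_decode($_POST[...])` entries in the `$params` array store the decoded form of whatever the client sent, so any `<` or `"` the client HTML-encoded ends up raw in the `url`/`title` columns; that is only safe if every place that renders a bookmark re-escapes on output, which this hunk cannot show and which is worth confirming and documenting with a comment such as `// values are stored decoded; escape on output`. A missing `url` or `title` key also raises an undefined-index notice and stores an empty value instead of rejecting the request; an `isset($_POST['url'], $_POST['title'])` guard before building `$params` would make that failure explicit. The UPDATE statement these parameters belong to starts before this hunk.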
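Review bot: `urldecode($_POST["tags"])` on the new `$tags` line decodes data that PHP has already URL-decoded while parsing the POST body, so a tag containing a literal `%` or `+` is altered a second time (`a+b` becomes `a b`, `%2F` becomes `/`) before it is split and stored; unless the client deliberately encodes the field twice, `$tags = explode(' ', $_POST["tags"]);` is the intended behaviour. The same pre-decoding applied to `$_GET` before this change, so the defect is inherited rather than introduced here, but the switch to POST is a natural point to drop it. The `foreach` that consumes `$tags` continues past the end of the hunk.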
@@ -40,18 +40,26 @@ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){ } $bookmark_id = (int)$_POST["id"]; +$user_id = OCP\USER::getUser(); $query = OCP\DB::prepare(" UPDATE *PREFIX*bookmarks SET url = ?, title =?, lastmodified = $_ut - WHERE id = $bookmark_id + WHERE id = ? + AND user_id = ? "); $params=array( htmlspecialchars_decode($_POST["url"]), htmlspecialchars_decode($_POST["title"]), + $bookmark_id, + $user_id, ); -$query->execute($params); + +$result = $query->execute($params); + +# Abort the operation if bookmark couldn't be set (probably because the user is not allowed to edit this bookmark) +if ($result->numRows() == 0) exit(); # Remove old tags and insert new ones. $query = OCP\DB::prepare(" @@ -66,7 +74,7 @@ $query = OCP\DB::prepare(" (bookmark_id, tag) VALUES (?, ?) "); - + $tags = explode(' ', urldecode($_POST["tags"])); foreach ($tags as $tag) { if(empty($tag)) { -- cgit v1.2.3 From c63db28eafbe4745faf44a4774cc857e830939c9 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sat, 7 Jul 2012 15:54:52 +0200 Subject: CSRF check --- apps/bookmarks/ajax/addBookmark.php | 2 ++ apps/bookmarks/ajax/delBookmark.php | 2 ++ apps/bookmarks/ajax/editBookmark.php | 2 ++ 3 files changed, 6 insertions(+) (limited to 'apps/bookmarks/ajax/editBookmark.php') diff --git a/apps/bookmarks/ajax/addBookmark.php b/apps/bookmarks/ajax/addBookmark.php index 6b5a0f71d4e..483716405a1 100644 --- a/apps/bookmarks/ajax/addBookmark.php +++ b/apps/bookmarks/ajax/addBookmark.php @@ -28,6 +28,8 @@ $RUNTIME_NOSETUPFS=true; // Check if we are a user OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); + OCP\JSON::checkAppEnabled('bookmarks'); require_once(OC_App::getAppPath('bookmarks').'/bookmarksHelper.php'); diff --git a/apps/bookmarks/ajax/delBookmark.php b/apps/bookmarks/ajax/delBookmark.php index 5a067701c9f..f40f02ebab7 100644 --- a/apps/bookmarks/ajax/delBookmark.php +++ b/apps/bookmarks/ajax/delBookmark.php 
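Review bot: The new guard `if ($result->numRows() == 0) exit();` ends the request with an empty 200 response, so the caller cannot distinguish a rejected edit from a successful one and the tag update that follows silently never runs; emitting a JSON error before exiting, e.g. `OCP\JSON::error(array('data' => array('message' => 'Bookmark not found')));`, would match how the other bookmark ajax endpoints report outcomes. Relying on the affected-row count of an UPDATE is also driver-dependent: with MySQL's default settings a statement that changes no column values reports 0 rows, so an edit that resubmits identical data could be treated as not permitted — the `lastmodified = $_ut` assignment probably masks this in practice, but a `SELECT` of `id` with `WHERE id = ? AND user_id = ?` ahead of the UPDATE would make the ownership check explicit rather than a side effect of the row count. Binding `$bookmark_id` as a parameter and adding `AND user_id = ?` is the right replacement for the old interpolated `WHERE id = $bookmark_id`.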
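Review bot: `OCP\JSON::callCheck()` is added to add, delete and edit, but the two other bookmark ajax endpoints shown by the later commit on this page, `recordClick.php` and `updateList.php`, still run only `checkLoggedIn()` and `checkAppEnabled()`; `recordClick.php` appears by name to write state, so it likely needs the same token check, while `updateList.php` may be read-only and fine as is — neither file's body is visible here. Placing the call between `checkLoggedIn()` and `checkAppEnabled()` means unauthenticated callers are rejected before the token is examined, which is the right order. A one-line comment such as `// Reject requests that lack a valid request token (CSRF)` next to the call would make the purpose of the new line clear in each file.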
@@ -28,6 +28,8 @@ $RUNTIME_NOSETUPFS=true; // Check if we are a user OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); + OCP\JSON::checkAppEnabled('bookmarks'); $id = $_POST['id']; diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php index 439b680dc20..0b37d161af1 100644 --- a/apps/bookmarks/ajax/editBookmark.php +++ b/apps/bookmarks/ajax/editBookmark.php @@ -28,6 +28,8 @@ $RUNTIME_NOSETUPFS=true; // Check if we are a user OCP\JSON::checkLoggedIn(); +OCP\JSON::callCheck(); + OCP\JSON::checkAppEnabled('bookmarks'); $CONFIG_DBTYPE = OCP\Config::getSystemValue( "dbtype", "sqlite" ); -- cgit v1.2.3 From 7522a23693b11a4c277a475cdb3204a1d9ac5912 Mon Sep 17 00:00:00 2001 From: Bart Visscher Date: Wed, 8 Aug 2012 17:13:20 +0200 Subject: Remove unused RUNTIME_NOSETUPFS var --- apps/bookmarks/ajax/addBookmark.php | 7 +------ apps/bookmarks/ajax/delBookmark.php | 5 ----- apps/bookmarks/ajax/editBookmark.php | 5 ----- apps/bookmarks/ajax/recordClick.php | 5 ----- apps/bookmarks/ajax/updateList.php | 5 ----- apps/files_sharing/get.php | 2 -- apps/media/ajax/autoupdate.php | 3 +-- apps/remoteStorage/ajax/revokeToken.php | 4 ---- apps/remoteStorage/auth.php | 3 --- files/webdav.php | 2 -- lib/base.php | 3 --- public.php | 1 - remote.php | 1 - 13 files changed, 2 insertions(+), 44 deletions(-) (limited to 'apps/bookmarks/ajax/editBookmark.php') diff --git a/apps/bookmarks/ajax/addBookmark.php b/apps/bookmarks/ajax/addBookmark.php index 483716405a1..c8a64d531c9 100644 --- a/apps/bookmarks/ajax/addBookmark.php +++ b/apps/bookmarks/ajax/addBookmark.php @@ -21,11 +21,6 @@ * */ -//no apps or filesystem -$RUNTIME_NOSETUPFS=true; - - - // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::callCheck(); 
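Review bot: The context line `$id = $_POST['id'];` two lines below the new `callCheck()` takes the bookmark id without the `(int)` cast that `editBookmark.php` applies to the same parameter; how `$id` reaches the DELETE statement is outside this hunk, but casting it at the boundary, `$id = (int)$_POST['id'];`, keeps the two endpoints consistent and removes any dependence on the query code treating it as a string. A missing `id` key currently produces a notice and a null `$id` rather than a rejected request. The rest of the file is outside the hunk.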
@@ -34,4 +29,4 @@ OCP\JSON::checkAppEnabled('bookmarks'); require_once(OC_App::getAppPath('bookmarks').'/bookmarksHelper.php'); $id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']); -OCP\JSON::success(array('data' => $id)); \ No newline at end of file +OCP\JSON::success(array('data' => $id)); diff --git a/apps/bookmarks/ajax/delBookmark.php b/apps/bookmarks/ajax/delBookmark.php index f40f02ebab7..ba1dfff3bed 100644 --- a/apps/bookmarks/ajax/delBookmark.php +++ b/apps/bookmarks/ajax/delBookmark.php @@ -21,11 +21,6 @@ * */ -//no apps or filesystem -$RUNTIME_NOSETUPFS=true; - - - // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::callCheck(); diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php index 0b37d161af1..ad43be064f0 100644 --- a/apps/bookmarks/ajax/editBookmark.php +++ b/apps/bookmarks/ajax/editBookmark.php @@ -21,11 +21,6 @@ * */ -//no apps or filesystem -$RUNTIME_NOSETUPFS=true; - - - // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::callCheck(); diff --git a/apps/bookmarks/ajax/recordClick.php b/apps/bookmarks/ajax/recordClick.php index 1eee1718d13..0283f09f60d 100644 --- a/apps/bookmarks/ajax/recordClick.php +++ b/apps/bookmarks/ajax/recordClick.php @@ -21,11 +21,6 @@ * */ -//no apps or filesystem -$RUNTIME_NOSETUPFS=true; - - - // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('bookmarks'); diff --git a/apps/bookmarks/ajax/updateList.php b/apps/bookmarks/ajax/updateList.php index 4de2475d067..cf9a2cf9183 100644 --- a/apps/bookmarks/ajax/updateList.php +++ b/apps/bookmarks/ajax/updateList.php @@ -22,11 +22,6 @@ * */ -//no apps or filesystem -$RUNTIME_NOSETUPFS=true; - - - // Check if we are a user OCP\JSON::checkLoggedIn(); OCP\JSON::checkAppEnabled('bookmarks'); diff --git a/apps/files_sharing/get.php b/apps/files_sharing/get.php index 70a5162d382..1d219719b2d 100644 --- a/apps/files_sharing/get.php +++ b/apps/files_sharing/get.php @@ -1,6 +1,4 @@