Changeset 27810 for branches/2.6/admin/themes/default/template/user_list.tpl

Timestamp:

Mar 17, 2014, 11:16:47 PM (10 years ago)

Author:

plg

Message:

bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6
(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)

File:

• branches/2.6/admin/themes/default/template/user_list.tpl (modified) (6 diffs)

branches/2.6/admin/themes/default/template/user_list.tpl

@@ -57 +57 @@
       url: "ws.php?format=json&method=pwg.users.add",
       type:"POST",
-      data: jQuery(this).serialize(),
+      data: jQuery(this).serialize()+"&pwg_token="+pwg_token,
       beforeSend: function() {
         jQuery("#addUserForm .errors").hide();
@@ -346 +346 @@
       type:"POST",
       data: {
+        pwg_token:pwg_token,
         user_id:userId,
         password: jQuery('#user'+userId+' .changePassword input[type=text]').val()
@@ -397 +398 @@
       type:"POST",
       data: {
+        pwg_token:pwg_token,
         user_id:userId,
         username: jQuery('#user'+userId+' .changeUsername input[type=text]').val()
@@ -468 +470 @@
 
     var formData = jQuery('#user'+userId+' form').serialize();
+    formData += '&pwg_token='+pwg_token;
 
     if (jQuery('#user'+userId+' form select[name="group_id[]"] option:selected').length == 0) {
@@ -709 +712 @@
     var method = 'pwg.users.setInfo';
     var data = {
+      pwg_token: pwg_token,
       user_id: selection
     };
@@ -719 +723 @@
         }
         method = 'pwg.users.delete';
-        data.pwg_token = pwg_token;
         break;
       case 'group_associate':