author | Michael Hamann <michael@content-space.de> | 2011-05-24 22:38:27 +0200 |
---|---|---|
committer | Michael Hamann <michael@content-space.de> | 2011-05-24 22:42:13 +0200 |
commit | 31bc8f119cd896f19085ea120b89356393d4f8e6 (patch) | |
tree | 052d634e73d3c90aa386200b6ec00a03f839f5b4 /lib/exe/ajax.php | |
parent | 76388d5c9afc51bec28898bfa445600b5e5711bc (diff) | |
download | rpg-31bc8f119cd896f19085ea120b89356393d4f8e6.tar.gz rpg-31bc8f119cd896f19085ea120b89356393d4f8e6.tar.bz2 |
Check permissions + security token in lock + draft modification FS#2265
This disables lock and draft creation for pages the user can't edit. It
additionally adds a security token to the draft creation and deletion
requests so that - at least for logged-in users - drafts can no longer be
created, modified or deleted as easily.
Diffstat (limited to 'lib/exe/ajax.php')
-rw-r--r-- | lib/exe/ajax.php | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 7d594dc04..b2463ed3f 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -123,11 +123,22 @@ function ajax_suggestions() {
 function ajax_lock(){
 global $conf;
 global $lang;
- $id = cleanID($_POST['id']);
- if(empty($id)) return;
+ global $ID;
+ global $INFO;
+
+ $ID = cleanID($_POST['id']);
+ if(empty($ID)) return;
+ if (!checkSecurityToken()) return;
+
+ $INFO = pageinfo();
+
+ if (!$INFO['writable']) {
+ echo 'Permission denied';
+ return;
+ }
 
- if(!checklock($id)){
- lock($id);
+ if(!checklock($ID)){
+ lock($ID);
 echo 1;
 }
 
@@ -135,14 +146,14 @@ function ajax_lock(){
 $client = $_SERVER['REMOTE_USER'];
 if(!$client) $client = clientIP(true);
 
- $draft = array('id' => $id,
+ $draft = array('id' => $ID,
 'prefix' => substr($_POST['prefix'], 0, -1),
 'text' => $_POST['wikitext'],
 'suffix' => $_POST['suffix'],
 'date' => (int) $_POST['date'],
 'client' => $client,
 );
- $cname = getCacheName($draft['client'].$id,'.draft');
+ $cname = getCacheName($draft['client'].$ID,'.draft');
 if(io_saveFile($cname,serialize($draft))){
 echo $lang['draftdate'].' '.dformat();
 }
@@ -158,6 +169,7 @@ function ajax_lock(){
 function ajax_draftdel(){
 $id = cleanID($_REQUEST['id']);
 if(empty($id)) return;
+ if (!checkSecurityToken()) return;
 
 $client = $_SERVER['REMOTE_USER'];
 if(!$client) $client = clientIP(true);
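Review bot: The new `if (!checkSecurityToken()) return;` in `ajax_lock()` refuses the request with no output at all, while the `$INFO['writable']` branch a few lines below refuses with `echo 'Permission denied';`, so the polling client gets two different signals for two kinds of refusal; the same silent return is added to `ajax_draftdel()` in the third hunk. If the client is meant to treat an empty reply as a lost lock, a comment above the check such as `// no output on token mismatch: the lock timer treats an empty reply like a lost lock` would record that; otherwise `if (!checkSecurityToken()) { echo 'Permission denied'; return; }` keeps both refusals consistent. The assignments to the request-wide globals `$ID` and `$INFO` also deserve a why-comment, e.g. `// pageinfo() reads the global $ID, so the posted id must be published there first`, since otherwise they read as accidental clobbering of state other code in the same request may rely on. The body of `ajax_lock()` continues past this hunk.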
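Review bot: The token check added to `ajax_draftdel()` sits in a handler that still takes its page id from `$_REQUEST['id']`, so the deletion can be reached through a GET query string as well as the POST body; the token now blocks cross-site triggering, but reading `$_POST['id']` as `ajax_lock()` does in the first hunk would close the GET path too. If the client only ever POSTs this call, `$id = cleanID($_POST['id']);` is a one-line change; if a GET caller exists, a comment above the new line saying so would save the next reader the question. The rest of `ajax_draftdel()` lies outside the hunk.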