diff options
| -rw-r--r-- | lib/plugins/acl/admin.php | 12 | ||||
| -rw-r--r-- | lib/plugins/acl/ajax.php | 4 | ||||
| -rw-r--r-- | lib/plugins/acl/script.js | 3 |
3 files changed, 12 insertions, 7 deletions
diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index 59671a0cb..a3fb4636d 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -31,7 +31,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { return array( 'author' => 'Andreas Gohr', 'email' => 'andi@splitbrain.org', - 'date' => '2009-08-07', + 'date' => '2010-01-17', 'name' => 'ACL Manager', 'desc' => 'Manage Page Access Control Lists', 'url' => 'http://dokuwiki.org/plugin:acl', @@ -67,6 +67,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { // fresh 1:1 copy without replacements $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); + // namespace given? if($_REQUEST['ns'] == '*'){ $this->ns = '*'; @@ -89,7 +90,8 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { } // handle modifications - if(isset($_REQUEST['cmd'])){ + if(isset($_REQUEST['cmd']) && checkSecurityToken()){ + // scope for modifications if($this->ns){ if($this->ns == '*'){ @@ -310,6 +312,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { echo '<input type="hidden" name="id" value="'.hsc($ID).'" />'.NL; echo '<input type="hidden" name="do" value="admin" />'.NL; echo '<input type="hidden" name="page" value="acl" />'.NL; + echo '<input type="hidden" name="sectok" value="'.getSecurityToken().'" />'.NL; echo '</div></form>'.NL; } @@ -480,11 +483,11 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { $alt = '+'; } $ret .= '<img src="'.$img.'" alt="'.$alt.'" />'; - $ret .= '<a href="'.wl('',$this->_get_opts(array('ns'=>$item['id']))).'" class="idx_dir'.$cl.'">'; + $ret .= '<a href="'.wl('',$this->_get_opts(array('ns'=>$item['id'],'sectok'=>getSecurityToken()))).'" class="idx_dir'.$cl.'">'; $ret .= $base; $ret .= '</a>'; }else{ - $ret .= '<a href="'.wl('',$this->_get_opts(array('id'=>$item['id'],'ns'=>''))).'" class="wikilink1'.$cl.'">'; + $ret .= '<a href="'.wl('',$this->_get_opts(array('id'=>$item['id'],'ns'=>'','sectok'=>getSecurityToken()))).'" class="wikilink1'.$cl.'">'; $ret .= noNS($item['id']); $ret .= '</a>'; } @@ -562,6 +565,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { echo '<input type="hidden" name="acl_w" value="'.hsc($this->who).'" />'.NL; echo '<input type="hidden" name="do" value="admin" />'.NL; echo '<input type="hidden" name="page" value="acl" />'.NL; + echo '<input type="hidden" name="sectok" value="'.getSecurityToken().'" />'.NL; echo '<table class="inline">'; echo '<tr>'; echo '<th>'.$this->getLang('where').'</th>'; diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php index e383f0d35..d3e88d932 100644 --- a/lib/plugins/acl/ajax.php +++ b/lib/plugins/acl/ajax.php @@ -19,11 +19,11 @@ require_once(DOKU_INC.'inc/auth.php'); //close session session_write_close(); -if(!auth_isadmin()) die('forbidden'); +if(!auth_isadmin()) die('for admins only'); +if(!checkSecurityToken()) die('CRSF Attack'); $ID = getID(); -if(!auth_isadmin) die('for admins only'); require_once(DOKU_INC.'inc/pluginutils.php'); require_once(DOKU_INC.'inc/html.php'); $acl = plugin_load('admin','acl'); diff --git a/lib/plugins/acl/script.js b/lib/plugins/acl/script.js index 7ab83db58..449a3c16a 100644 --- a/lib/plugins/acl/script.js +++ b/lib/plugins/acl/script.js @@ -48,7 +48,8 @@ acl = { data[1] = ajax.encVar('id',frm.elements['id'].value); data[2] = ajax.encVar('acl_t',frm.elements['acl_t'].value); data[3] = ajax.encVar('acl_w',frm.elements['acl_w'].value); - data[4] = ajax.encVar('ajax','info'); + data[4] = ajax.encVar('sectok',frm.elements['sectok'].value); + data[5] = ajax.encVar('ajax','info'); ajax.elementObj = $('acl__info'); |