From 31bc8f119cd896f19085ea120b89356393d4f8e6 Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Tue, 24 May 2011 22:38:27 +0200 Subject: Check permissions + security token in lock + draft modification FS#2265 This disables lock and draft creation for pages the user can't edit. It additionally adds a security token to the draft creation and deletion request so - at least for logged in users - drafts can't be created, modified or deleted so easily anymore. --- lib/exe/ajax.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'lib/exe') diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php index 7d594dc04..b2463ed3f 100644 --- a/lib/exe/ajax.php +++ b/lib/exe/ajax.php @@ -123,11 +123,22 @@ function ajax_suggestions() { function ajax_lock(){ global $conf; global $lang; - $id = cleanID($_POST['id']); - if(empty($id)) return; + global $ID; + global $INFO; + + $ID = cleanID($_POST['id']); + if(empty($ID)) return; + if (!checkSecurityToken()) return; + + $INFO = pageinfo(); + + if (!$INFO['writable']) { + echo 'Permission denied'; + return; + } - if(!checklock($id)){ - lock($id); + if(!checklock($ID)){ + lock($ID); echo 1; } @@ -135,14 +146,14 @@ function ajax_lock(){ $client = $_SERVER['REMOTE_USER']; if(!$client) $client = clientIP(true); - $draft = array('id' => $id, + $draft = array('id' => $ID, 'prefix' => substr($_POST['prefix'], 0, -1), 'text' => $_POST['wikitext'], 'suffix' => $_POST['suffix'], 'date' => (int) $_POST['date'], 'client' => $client, ); - $cname = getCacheName($draft['client'].$id,'.draft'); + $cname = getCacheName($draft['client'].$ID,'.draft'); if(io_saveFile($cname,serialize($draft))){ echo $lang['draftdate'].' '.dformat(); } @@ -158,6 +169,7 @@ function ajax_lock(){ function ajax_draftdel(){ $id = cleanID($_REQUEST['id']); if(empty($id)) return; + if (!checkSecurityToken()) return; $client = $_SERVER['REMOTE_USER']; if(!$client) $client = clientIP(true); -- cgit v1.2.3