diff --git a/admin/inc/class.uiaccounts.inc.php b/admin/inc/class.uiaccounts.inc.php index 73905d74e5..d329c28b13 100755 --- a/admin/inc/class.uiaccounts.inc.php +++ b/admin/inc/class.uiaccounts.inc.php @@ -639,6 +639,11 @@ function delete_user() { + // for POST (not GET or cli call via setup_cmd_admin) validate CSRF token + if ($_SERVER['REQUEST_METHOD'] == 'POST') + { + egw_csrf::validate($_POST['csrf_token'], __METHOD__); + } if ($GLOBALS['egw']->acl->check('account_access',32,'admin') || $GLOBALS['egw_info']['user']['account_id'] == $_GET['account_id'] || $_POST['cancel']) { @@ -662,7 +667,8 @@ ); $var = Array( 'form_action' => $GLOBALS['egw']->link('/index.php','menuaction=admin.uiaccounts.delete_user'), - 'account_id' => $_GET['account_id'] + 'account_id' => $_GET['account_id'], + 'hidden_vars' => html::input_hidden('csrf_token', egw_csrf::token(__METHOD__)), ); // the account can have special chars/white spaces, if it is a ldap dn @@ -797,6 +803,11 @@ function edit_user($cd='',$account_id='', $required_account_access=16) { + // for POST (not GET or cli call via setup_cmd_admin) validate CSRF token + if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST) + { + egw_csrf::validate($_POST['csrf_token'], __METHOD__); + } if($GLOBALS['egw']->acl->check('account_access',$required_account_access,'admin') || isset($_POST['cancel'])) { $this->list_users(); @@ -1456,7 +1467,8 @@ 'account_passwd' => $userData['account_passwd'], 'account_passwd_2' => $userData['account_passwd_2'], 'account_file_space' => $account_file_space, - 'account_id' => (int) $userData['account_id'] + 'account_id' => (int) $userData['account_id'], + 'hidden_vars' => html::input_hidden('csrf_token', egw_csrf::token(__CLASS__.'::edit_user')), ); if (isset($userData['account_created'])) $var['account_status'].= '
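Review bot: The new guard at the top of delete_user reads `$_SERVER['REQUEST_METHOD']` unconditionally, yet its own comment says the method is also reached from the CLI via setup_cmd_admin, where that index is normally absent and the loose comparison raises an undefined-index notice; `$_POST['csrf_token']` is likewise read without `isset()`, so a POST that omits the field raises a second notice before egw_csrf::validate ever sees the (null) value. I would write the guard as `if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST')` and pass `isset($_POST['csrf_token']) ? $_POST['csrf_token'] : ''` so validate fails closed on a missing token rather than on a notice; whether egw_csrf::validate already rejects null is not visible here. Note also that only POSTs are checked, so the token offers no protection if any branch below this hunk performs the deletion on a GET carrying account_id — worth confirming the destructive path is POST-only. delete_user's body continues past the hunk.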
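Review bot: The edit_user guard adds `&& $_POST` that the delete_user guard in the same commit does not, so a POST whose body is empty (including one dropped by post_max_size) skips egw_csrf::validate entirely; that is only safe if everything after this check in edit_user treats an empty $_POST as a no-op, which the hunk does not show. Either drop the extra condition to match delete_user, or document the reason inline: `// empty $_POST (e.g. body discarded by post_max_size) carries nothing to validate; the rest of edit_user must not act on it`. The same undefined-index notice on `$_SERVER['REQUEST_METHOD']` under CLI invocation applies here as in delete_user, so an `isset()` should come first. edit_user's body continues beyond the hunk.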
'.lang('Created').': '.common::show_date($userData['account_created']); if (isset($userData['account_modified'])) $var['account_status'].= '
'.lang('Modified').': '.common::show_date($userData['account_modified']); diff --git a/admin/templates/default/account_form.tpl b/admin/templates/default/account_form.tpl index ba3ce5ea55..6add117152 100644 --- a/admin/templates/default/account_form.tpl +++ b/admin/templates/default/account_form.tpl @@ -8,7 +8,7 @@ function check_account_email(id) firstname = document.getElementById('firstname').value; lastname = document.getElementById('lastname').value; email = document.getElementById('email').value; - + if (!email || email_set || id == 'account') { xajax_doXMLHTTP('admin.uiaccounts.ajax_check_account_email',firstname,lastname,account,{account_id},email_set ? '' : email,id); @@ -19,7 +19,7 @@ function check_password(id) { password = document.getElementById('password').value; password2 = document.getElementById('password2').value; - + if (password && (password2 || id == 'password2') && password != password2) { alert('{lang_passwds_unequal}'); @@ -32,6 +32,7 @@ function check_password(id) }
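Review bot: The token in `hidden_vars` is keyed with the hand-written string `__CLASS__.'::edit_user'`, while the matching validate call in the -797 hunk uses `__METHOD__`; the two agree only as long as the method keeps that exact name and this rendering code stays in the same class, and nothing ties them together. A single class constant, e.g. `const CSRF_EDIT_USER = 'uiaccounts::edit_user';` used at both sites, or at least a comment `// must match the __METHOD__ key used by edit_user()'s egw_csrf::validate call`, would keep them from drifting silently. The enclosing function starts before this hunk, so I cannot tell from here why `__METHOD__` was not usable directly; if it is a different method, the constant is the safer choice.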
+ {hidden_vars}
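Review bot: `{hidden_vars}` only helps if it lands inside the form element that posts to edit_user, and the surrounding markup is not visible in this rendering, so that placement should be confirmed against the template. Every code path that renders account_form.tpl now also has to set `hidden_vars`; a caller that does not will leave the placeholder empty (or literal), and its POST will then be rejected by the new validate call rather than failing loudly at render time. A template comment beside the placeholder, such as `<!-- hidden_vars: CSRF token issued by uiaccounts::edit_user; without it the POST fails egw_csrf::validate -->`, would make that dependency visible to template editors.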
@@ -44,22 +45,22 @@ function check_password(id) - + - + - + - + {password_fields} @@ -75,7 +76,7 @@ function check_password(id) - + @@ -89,14 +90,14 @@ function check_password(id) - + - + @@ -105,9 +106,9 @@ function check_password(id) {permissions_list} - + {form_buttons} - +
{lang_action}
{lang_loginid} {account_lid} {lang_account_active}: {account_status}
{lang_firstname} {account_firstname}  {lang_lastname} {account_lastname} 
{lang_changepassword} {changepassword}{lang_email} {account_email}
{lang_groups} {groups_select}  {lang_primary_group} {primary_group_select} 
{lang_app} {lang_acl}
diff --git a/admin/templates/default/delete_account.tpl b/admin/templates/default/delete_account.tpl index a1aa9e087d..c1f95d3ad0 100755 --- a/admin/templates/default/delete_account.tpl +++ b/admin/templates/default/delete_account.tpl @@ -1,5 +1,6 @@ + {hidden_vars}