summaryrefslogtreecommitdiff
path: root/plugins/acl
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
commit681ba6fc3c296cd6cd11050531b8f4e785141786 (patch)
tree77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /plugins/acl
parent53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff)
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'plugins/acl')
-rw-r--r--plugins/acl/acl.js27
-rw-r--r--plugins/acl/acl.php12
2 files changed, 24 insertions, 15 deletions
diff --git a/plugins/acl/acl.js b/plugins/acl/acl.js
index e59ac72a2..14634534e 100644
--- a/plugins/acl/acl.js
+++ b/plugins/acl/acl.js
@@ -58,8 +58,11 @@ rcube_webmail.prototype.acl_delete = function()
var users = this.acl_get_usernames();
if (users && users.length && confirm(this.get_label('acl.deleteconfirm'))) {
- this.http_request('settings/plugin.acl', '_act=delete&_user='+urlencode(users.join(','))
- + '&_mbox='+urlencode(this.env.mailbox),
+ this.http_post('settings/plugin.acl', {
+ _act: 'delete',
+ _user: users.join(','),
+ _mbox: this.env.mailbox
+ },
this.set_busy(true, 'acl.deleting'));
}
}
@@ -67,7 +70,7 @@ rcube_webmail.prototype.acl_delete = function()
// Save ACL data
rcube_webmail.prototype.acl_save = function()
{
- var user = $('#acluser', this.acl_form).val(), rights = '', type;
+ var data, type, rights = '', user = $('#acluser', this.acl_form).val();
$((this.env.acl_advanced ? '#advancedrights :checkbox' : '#simplerights :checkbox'), this.acl_form).map(function() {
if (this.checked)
@@ -88,12 +91,18 @@ rcube_webmail.prototype.acl_save = function()
return;
}
- this.http_request('settings/plugin.acl', '_act=save'
- + '&_user='+urlencode(user)
- + '&_acl=' +rights
- + '&_mbox='+urlencode(this.env.mailbox)
- + (this.acl_id ? '&_old='+this.acl_id : ''),
- this.set_busy(true, 'acl.saving'));
+ data = {
+ _act: 'save',
+ _user: user,
+ _acl: rights,
+ _mbox: this.env.mailbox
+ }
+
+ if (this.acl_id) {
+ data._old = this.acl_id;
+ }
+
+ this.http_post('settings/plugin.acl', data, this.set_busy(true, 'acl.saving'));
}
// Cancel/Hide form
diff --git a/plugins/acl/acl.php b/plugins/acl/acl.php
index 349f7e518..35a92bb1c 100644
--- a/plugins/acl/acl.php
+++ b/plugins/acl/acl.php
@@ -454,10 +454,10 @@ class acl extends rcube_plugin
*/
private function action_save()
{
- $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); // UTF7-IMAP
- $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC));
- $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_GPC));
- $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_GPC));
+ $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); // UTF7-IMAP
+ $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST));
+ $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_POST));
+ $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_POST));
$acl = array_intersect(str_split($acl), $this->rights_supported());
$users = $oldid ? array($user) : explode(',', $user);
@@ -510,8 +510,8 @@ class acl extends rcube_plugin
*/
private function action_delete()
{
- $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); //UTF7-IMAP
- $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC));
+ $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); //UTF7-IMAP
+ $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST));
$user = explode(',', $user);