- user web: protect Team Admin ops from cross-project link attacks

svn path=/trunk/boinc/; revision=14110
2007-11-07 17:54:27 +00:00 · 2007-11-07 17:54:27 +00:00 · 79b0934a55
parent d03d10537c
commit 79b0934a55
4 changed files with 24 additions and 8 deletions
--- a/10
+++ b/10
@ -10573,3 +10573,13 @@ David  7 Nov 2007
            team_search.php
            top_teams.php
            user_search.php
+
+David  7 Nov 2007
+    - user web: protect Team Admin ops from cross-project link attacks
+
+    html/
+        inc/
+            team.inc
+        user/
+            team_manage.php
+            team_admins.php
--- a/html/inc/team.inc
+++ b/html/inc/team.inc
@ -63,7 +63,7 @@ function display_team_page($team, $offset, $sort_by) {
            $tokens = url_tokens($user->authenticator);
            row2("",
                "<a href='team_join.php?$tokens&teamid=$team->id'>Join this team</a>
-                <br><span class=note>Note: joining a team gives its founder access to your email address.</span>"
+                <br><span class=note>Note: joining a team gives its administrators access to your email address.</span>"
            );
        }
        if (($user->teamid == $team->id) && ($user->id != $founder->id)) {
--- a/html/user/team_admins.php
+++ b/html/user/team_admins.php
@ -5,18 +5,20 @@ require_once("../inc/util.inc");
 require_once("../inc/team.inc");

 function show_admin($user, $admin) {
+    $admin_user = BoincUser::lookup_id($admin->userid);
+    $tokens = url_tokens($user->auth);
    $date = date_str($admin->create_time);
    echo "<tr>
-        <td>".user_links($user)."</td>
+        <td>".user_links($admin_user)."</td>
        <td>$date</td>
        <td>
    ";
-    show_button("team_admins.php?teamid=$admin->teamid&action=remove&userid=$user->id", "Remove");
+    show_button("team_admins.php?teamid=$admin->teamid&action=remove&userid=$admin_user->id".$tokens, "Remove", "Remove Team Admin status from this member");
    echo "</td></tr>
    ";
 }

-function show_admins($teamid) {
+function show_admins($user, $teamid) {
    page_head("Add or remove Team Admins");
    echo "
        You can select team members as 'Team Admins'.
@ -40,12 +42,11 @@ function show_admins($teamid) {
    $admins = BoincTeamAdmin::enum("teamid=$teamid");
    start_table();
    if (count($admins)==0) {
-        row1("No admins");
+        row1("There are currently no Team Admins");
    } else {
        row1("Current Team Admins", 3);
        table_header("Name", "Became Team Admin on", "");
        foreach ($admins as $admin) {
-            $user = BoincUser::lookup_id($admin->userid);
            show_admin($user, $admin);
        }
    }
@ -57,6 +58,7 @@ function show_admins($teamid) {
        <input type=hidden name=action value=add>
        <input type=hidden name=teamid value=$teamid>
    ";
+    echo form_tokens($user->auth);
    start_table();
    row1("Add Team Admin");
    row2("Email address of team member:", "<input name=email_addr>");
@ -97,14 +99,16 @@ require_founder_login($user, $team);
 $action = get_str('action', true);
 switch($action) {
 case 'remove':
+    check_tokens($user->auth);
    remove_admin($team);
    Header("Location: team_admins.php?teamid=$teamid");
    exit();
 case 'add':
+    check_tokens($user->auth);
    add_admin($team);
    Header("Location: team_admins.php?teamid=$teamid");
    exit();
 }
-show_admins($teamid);
+show_admins($user, $teamid);

 ?>
--- a/html/user/team_manage.php
+++ b/html/user/team_manage.php
@ -23,13 +23,14 @@ function show_admin_page($user, $team) {
            <br><span class=note>See when members joined or quit this team</span>
    ";
    if ($team->userid == $user->id) {
+        $tokens = url_tokens($user->auth);
        echo "
            <li><a href=team_change_founder_form.php?teamid=$team->id>Change founder</a>
                <br><span class=note>Transfer foundership to another member</span>
            <li><a href=team_admins.php?teamid=$team->id>Add/remove Team Admins</a>
                <br><span class=note>Give selected team members Team Admin privileges</span>

-            <li><a href=team_manage.php?teamid=$team->id&action=delete>Remove team</a>
+            <li><a href=team_manage.php?teamid=$team->id&action=delete&$tokens>Remove team</a>
                <br><span class=note>Allowed only if team has no members</a>
        ";
    }
@ -64,6 +65,7 @@ if ($action == 'delete') {
    if (team_count_members($team->id) > 0) {
        error_page("Can't delete non-empty team");
    }
+    check_tokens($user->auth);
    $team->delete();
    page_head("Team $team->name deleted");
    page_tail();