diff --git a/checkin_notes b/checkin_notes
index 3559b4f06f..0b2e248b7e 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -10573,3 +10573,13 @@ David 7 Nov 2007
 team_search.php
 top_teams.php
 user_search.php
+
+David 7 Nov 2007
+ - user web: protect Team Admin ops from cross-project link attacks
+
+ html/
+ inc/
+ team.inc
+ user/
+ team_manage.php
+ team_admins.php
diff --git a/html/inc/team.inc b/html/inc/team.inc
index 131801272f..201e8fba6e 100644
--- a/html/inc/team.inc
+++ b/html/inc/team.inc
@@ -63,7 +63,7 @@ function display_team_page($team, $offset, $sort_by) {
 $tokens = url_tokens($user->authenticator);
 row2("", "Join this team -
Note: joining a team gives its founder access to your email address." +
Note: joining a team gives its administrators access to your email address." ); } if (($user->teamid == $team->id) && ($user->id != $founder->id)) { diff --git a/html/user/team_admins.php b/html/user/team_admins.php index db4b6bf6b7..c6f1325520 100644 --- a/html/user/team_admins.php +++ b/html/user/team_admins.php @@ -5,18 +5,20 @@ require_once("../inc/util.inc"); require_once("../inc/team.inc"); function show_admin($user, $admin) { + $admin_user = BoincUser::lookup_id($admin->userid); + $tokens = url_tokens($user->auth); $date = date_str($admin->create_time); echo " - ".user_links($user)." + ".user_links($admin_user)." $date "; - show_button("team_admins.php?teamid=$admin->teamid&action=remove&userid=$user->id", "Remove"); + show_button("team_admins.php?teamid=$admin->teamid&action=remove&userid=$admin_user->id".$tokens, "Remove", "Remove Team Admin status from this member"); echo " "; } -function show_admins($teamid) { +function show_admins($user, $teamid) { page_head("Add or remove Team Admins"); echo " You can select team members as 'Team Admins'. @@ -40,12 +42,11 @@ function show_admins($teamid) { $admins = BoincTeamAdmin::enum("teamid=$teamid"); start_table(); if (count($admins)==0) { - row1("No admins"); + row1("There are currently no Team Admins"); } else { row1("Current Team Admins", 3); table_header("Name", "Became Team Admin on", ""); foreach ($admins as $admin) { - $user = BoincUser::lookup_id($admin->userid); show_admin($user, $admin); } } @@ -57,6 +58,7 @@ function show_admins($teamid) { "; + echo form_tokens($user->auth); start_table(); row1("Add Team Admin"); row2("Email address of team member:", ""); 
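Review bot: `BoincUser::lookup_id($admin->userid)` in show_admin is used unguarded — `user_links($admin_user)` and the `userid=$admin_user->id` interpolation follow immediately — so a team_admin row whose user record no longer exists would, assuming lookup_id returns null on a miss, render a broken row and a remove link with an empty userid. Adding `if (!$admin_user) return;` right after the lookup (or skipping the row with a short notice) keeps the page rendering. `$tokens = url_tokens($user->auth)` is recomputed for every admin row although it depends only on the viewing user; computing it once in show_admins and passing it in would be cleaner, but that is a style point. The remove action stays a state-changing GET link; the token stops cross-site triggering, though a small POST form would also keep the token out of browser history and referrer logs.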
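Review bot: `echo form_tokens($user->auth);` is emitted right after the closing `";` of the preceding echo and before `start_table()`, so whether the hidden token fields land inside the add form depends on where that form's opening tag sits in the echoed markup above, which is outside this hunk and not visible here. Please confirm the form element opens before this line and submits to this script with the `action` value the switch at the bottom of the file checks; otherwise `check_tokens` on the add path rejects every legitimate submission. A one-line comment such as `// hidden CSRF token fields; must be emitted inside the add-admin form` above the echo would make the placement constraint explicit for the next edit.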
@@ -97,14 +99,16 @@ require_founder_login($user, $team);
 $action = get_str('action', true);
 switch($action) {
 case 'remove':
+ check_tokens($user->auth);
 remove_admin($team);
 Header("Location: team_admins.php?teamid=$teamid");
 exit();
 case 'add':
+ check_tokens($user->auth);
 add_admin($team);
 Header("Location: team_admins.php?teamid=$teamid");
 exit();
 }
-show_admins($teamid);
+show_admins($user, $teamid);
 ?>
diff --git a/html/user/team_manage.php b/html/user/team_manage.php
index 129a9e241d..de37723322 100644
--- a/html/user/team_manage.php
+++ b/html/user/team_manage.php
@@ -23,13 +23,14 @@ function show_admin_page($user, $team) {
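Review bot: `check_tokens($user->auth)` is duplicated in the 'remove' and 'add' cases and the switch has no default, so a future state-changing case can be added without the check. Hoisting it to a single guard before the switch, `if ($action) { check_tokens($user->auth); }` (assuming `get_str('action', true)` yields a falsy value when the parameter is absent), makes the token mandatory for every action while leaving the plain page view untouched. The ordering after `require_founder_login($user, $team)` is right: authorization is established first, then the token derived from `$user->auth` is validated.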
See when members joined or quit this team "; if ($team->userid == $user->id) { + $tokens = url_tokens($user->auth); echo "
  • id>Change founder
    Transfer foundership to another member
  • id>Add/remove Team Admins
    Give selected team members Team Admin privileges -
  • id&action=delete>Remove team +
  • id&action=delete&$tokens>Remove team
    Allowed only if team has no members "; } @@ -64,6 +65,7 @@ if ($action == 'delete') { if (team_count_members($team->id) > 0) { error_page("Can't delete non-empty team"); } + check_tokens($user->auth); $team->delete(); page_head("Team $team->name deleted"); page_tail();
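Review bot: The new delete link appends the token as `&action=delete&$tokens`, while the show_admin change in team_admins.php appends it as `"...userid=$admin_user->id".$tokens` with no separator; unless `url_tokens()` returns a value without a leading `&` (not visible here), one of the two call sites produces either a doubled `&&` or a missing separator, and a missing separator would make `check_tokens` reject that link. Pick the convention that matches what url_tokens returns and use it at both sites — if it already includes the `&`, drop it here so the line reads `...&action=delete$tokens>Remove team`. The enclosing show_admin_page() opens before this hunk.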
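Review bot: `check_tokens($user->auth)` runs only after the member-count check and its `error_page` call, so a forged link without a valid token still gets as far as querying the team's membership and receiving a response that reveals whether the team is empty. Moving the call to the first statement of the `if ($action == 'delete')` branch (which opens before this hunk) validates the request before any work is done: `check_tokens($user->auth);` directly under the branch header, with the count check after it. The delete itself remains triggered by a GET link; the token closes the cross-site case, but a POST form is the conventional shape for a destructive action.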