Include pwg_token in user list POST request (Fixes #748) (#866)

* user list: set pwg_token in POST data to user_list_backend.php The POST data for the user data table request was empty, which could cause user data retrieval to error out with HTTP 403 due to missing the authentication token. * user_list_backend: fix uninitialized variables If iSortCol_0, sEcho, or sSearch are unset in the HTTP request, it could cause variables to be uninitialized, potentially causing error messages to be included in the HTTP response. These error messages, if present, can prevent the JSON response from being parsed. * user list: delete unnecessary quotes Javascript object key names don't generally need to be quoted. Remove some quotes that were introduced by a recent change that added a body to the AJAX POST request to retrieve the user list.
Piwigo · Jul 6, 2018 · 65ac272 · 65ac272
1 parent 7e41e21
commit 65ac272
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
@@ -615,7 +615,13 @@ jQuery(document).on('click', '.close-user-details',  function(e) {
     processing: true,
     serverSide: true,
 		serverMethod: "POST",
-    ajaxSource: "admin/user_list_backend.php",
+    ajax: {
+        url : "admin/user_list_backend.php",
+        type : "POST",
+        data : {
+            pwg_token : pwg_token
+        }
+    },
 		pagingType: "simple",
     language: {
       processing: "{/literal}{'Loading...'|translate|escape:'javascript'}{literal}",

diff --git a/admin/user_list_backend.php b/admin/user_list_backend.php
@@ -70,7 +70,8 @@
   $sLimit = "LIMIT ".$_REQUEST['iDisplayStart'].", ".$_REQUEST['iDisplayLength'];
 }
 
-
+$sOrder = "";
+
 /*
  * Ordering
  */
@@ -104,7 +105,7 @@
  * on very large tables, and MySQL's regex functionality is very limited
  */
 $sWhere = "";
-if ( $_REQUEST['sSearch'] != "" )
+if ( isSet( $_REQUEST['sSearch']) && $_REQUEST['sSearch'] != "" )
 {
   $sWhere = "WHERE (";
   for ( $i=0 ; $i<count($aColumns) ; $i++ )
@@ -161,12 +162,13 @@
 $aResultTotal = pwg_db_fetch_array($rResultTotal);
 $iTotal = $aResultTotal[0];
 
-
+$sEcho = isSet($_REQUEST['sEcho']) ? intval($_REQUEST['sEcho']) : 0;
+
 /*
  * Output
  */
 $output = array(
-  "sEcho" => intval($_REQUEST['sEcho']),
+  "sEcho" => $sEcho,
   "iTotalRecords" => $iTotal,
   "iTotalDisplayRecords" => $iFilteredTotal,
   "aaData" => array()