diff --git a/lib/Controller/OtherController.php b/lib/Controller/OtherController.php
index d7ab42ac..69df376b 100644
--- a/lib/Controller/OtherController.php
+++ b/lib/Controller/OtherController.php
@@ -107,12 +107,15 @@ class OtherController extends GenericApiController
* @AdminRequired
*
* @NoCSRFRequired
+ *
+ * @UseSession
*/
public function getSystemStatus(): Http\Response
{
return Util::guardEx(function () {
$config = \OC::$server->get(\OCP\IConfig::class);
$index = \OC::$server->get(\OCA\Memories\Service\Index::class);
+ $session = \OC::$server->get(\OCP\ISession::class);
// Build status array
$status = [];
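Review bot: The added `$session = \OC::$server->get(\OCP\ISession::class);` line is not read anywhere in this hunk; the later `$this->actionToken(true)` call resolves the session on its own, so the local looks unused. If nothing in the rest of getSystemStatus (which continues past this hunk) uses it either, drop the line so the `@UseSession` annotation is the only session-related change here. Otherwise a one-line comment stating what the variable is kept for would help the next reader.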
@@ -184,15 +187,27 @@ class OtherController extends GenericApiController
$status['vaapi_dev'] = 'ok';
}
+ // Action token
+ $status['action_token'] = $this->actionToken(true);
+
return new JSONResponse($status, Http::STATUS_OK);
});
}
/**
* @AdminRequired
+ *
+ * @UseSession
*/
- public function placesSetup(): Http\Response
+ public function placesSetup(?string $actiontoken): Http\Response
{
+ if (!$actiontoken || $this->actionToken() !== $actiontoken) {
+ return new JSONResponse(['error' => 'Invalid action token. Refresh the memories admin page.'], Http::STATUS_BAD_REQUEST);
+ }
+
+ // Reset action token
+ $this->actionToken(true);
+
try {
// Set PHP timeout to infinite
set_time_limit(0);
@@ -248,4 +263,17 @@ class OtherController extends GenericApiController
return 'ok';
}
+
+ private function actionToken(bool $set = false): string
+ {
+ $session = \OC::$server->get(\OCP\ISession::class);
+ if (!$set) {
+ return $session->get('memories_action_token');
+ }
+
+ $token = bin2hex(random_bytes(32));
+ $session->set('memories_action_token', $token);
+
+ return $token ?? '';
+ }
}
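Review bot: In `actionToken()` the read path `return $session->get('memories_action_token');` returns null when no token has been issued in this session yet, and with the declared `string` return type that is a TypeError rather than a failed check; the `?? ''` fallback sits on the wrong return, since `$token` from `bin2hex(random_bytes(32))` is never null. Move the default to the read path, `return (string) ($session->get('memories_action_token') ?? '');`, and return `$token` directly; an empty expected value is harmless because `hash_equals('', $x)` is false for any non-empty `$x`. The helper also deserves a short docblock, e.g. `/** Return the per-session action token; with $set, mint a fresh random token and store it in the session. */`, since the dual read/regenerate behaviour behind a boolean flag is not obvious at the call sites.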
diff --git a/src/Admin.vue b/src/Admin.vue
index 7e60058f..c8e4ea77 100644
--- a/src/Admin.vue
+++ b/src/Admin.vue
@@ -248,6 +248,7 @@
target="_blank"
>
+
{{ t("memories", "Download planet database") }}
@@ -584,6 +585,8 @@ type IStatus = {
ffprobe: BinaryStatus;
govod: BinaryStatus;
vaapi_dev: "ok" | "not_found" | "not_readable";
+
+ action_token: string;
};
export default defineComponent({
@@ -775,6 +778,10 @@ export default defineComponent({
return (axios.defaults.headers).requesttoken;
},
+ actionToken() {
+ return this.status?.action_token || "";
+ },
+
gisStatus() {
if (typeof this.status.gis_type !== "number") {
return this.status.gis_type;