Empty the image cache only allowed for admin users

slackero · Sep 1, 2021 · 3bc4e78 · 3bc4e78
1 parent 0b2389c
commit 3bc4e78
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/include/inc_act/ajax_connector.php b/include/inc_act/ajax_connector.php
@@ -20,9 +20,9 @@
 require PHPWCMS_ROOT.'/include/inc_lib/general.inc.php';
 require PHPWCMS_ROOT.'/include/inc_lib/backend.functions.inc.php';
 
-if(empty($_SESSION["wcs_user"])) {
+if(empty($_SESSION['wcs_user']) || empty($_SESSION['PHPWCMS_BROWSER_HASH']) || $_SESSION['PHPWCMS_BROWSER_HASH'] !== $GLOBALS['phpwcms']['USER_AGENT']['hash']) {
 	headerRedirect('', 401);
-	die('Sorry, access forbidden');
+	die();
 }
 
 if(isset($_POST['action'])) {
@@ -98,7 +98,11 @@
 		break;
 
 	case 'flush_image_cache':
-		$files = returnFileListAsArray(PHPWCMS_ROOT.'/'.PHPWCMS_IMAGES, array('jpg', 'png', 'gif', 'svg'));
+        if (empty($_SESSION['wcs_user_admin'])) {
+            headerRedirect('', 401);
+            die();
+        }
+		$files = returnFileListAsArray(PHPWCMS_ROOT.'/'.PHPWCMS_IMAGES, array('jpg', 'png', 'gif', 'svg', 'webp'));
 		$data = array('file_count' => 0, 'status' => 'ok');
 		if(is_array($files)) {
 			$data['file_count'] = count($files);

diff --git a/include/inc_lib/revision/revision.php b/include/inc_lib/revision/revision.php
@@ -10,5 +10,5 @@
  **/
 
 define('PHPWCMS_VERSION', '1.9.29-dev');
-define('PHPWCMS_RELEASE_DATE', '2021/08/29');
+define('PHPWCMS_RELEASE_DATE', '2021/09/01');
 define('PHPWCMS_REVISION', '552');