authorNala Ginrut <nalaginrut@gmail.com>2014-06-19 15:18:13 +0800
committerNala Ginrut <nalaginrut@gmail.com>2014-06-19 15:18:13 +0800
commitbfd1db41367f7931016931a94cf1b67396481c79 (patch)
tree2d696f2d8eca9ed2e4561c61c16584952d9f7b0b /app/Controller/Base.php
parentd0944e682d5a3491f72c5b566248b87fbaff032a (diff)
parentefdc959c555872677e599d2ff12e1263d719f3f2 (diff)
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'app/Controller/Base.php')
-rw-r--r--app/Controller/Base.php26
1 files changed, 25 insertions, 1 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index b21d9b8f..9b695a82 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -3,6 +3,7 @@
namespace Controller;
use Core\Registry;
+use Core\Security;
use Core\Translator;
use Model\LastLogin;
@@ -23,6 +24,7 @@ use Model\LastLogin;
* @property \Model\Ldap $ldap
* @property \Model\Project $project
* @property \Model\RememberMe $rememberMe
+ * @property \Model\SubTask $subTask
* @property \Model\Task $task
* @property \Model\User $user
*/
@@ -160,6 +162,28 @@ abstract class Base
}
/**
+ * Application forbidden page
+ *
+ * @access public
+ */
+ public function forbidden()
+ {
+ $this->response->html($this->template->layout('app_forbidden', array('title' => t('Access Forbidden'))));
+ }
+
+ /**
+ * Check if the CSRF token from the URL is correct
+ *
+ * @access protected
+ */
+ protected function checkCSRFParam()
+ {
+ if (! Security::validateCSRFToken($this->request->getStringParam('csrf_token'))) {
+ $this->forbidden();
+ }
+ }
+
+ /**
* Check if the current user have access to the given project
*
* @access protected
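Review bot: `checkCSRFParam()` does not stop the request after a failed token check — it calls `$this->forbidden()`, which only renders the forbidden page through `$this->response->html()`, and then returns normally to its caller, so unless `Response::html()` itself terminates execution (its body is not visible in this diff), the calling action proceeds as if the token were valid. The same fail-open risk applies in the next hunk, where the old `redirect(...)` at line 166 of the file is replaced by `$this->forbidden()` inside the project-permission check; if `redirect()` used to exit and `html()` does not, that change silently weakens the guard. The smallest fix that makes every caller fail closed is to terminate in `forbidden()` after the response is sent, e.g. `$this->response->html(...); exit;`, or alternatively have `checkCSRFParam()` return a bool and let callers `return` on `false`. The docblock should also state the contract, e.g. `@return void  Terminates the request after rendering the forbidden page`. The enclosing class `Base` continues outside this hunk.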
@@ -170,7 +194,7 @@ abstract class Base
if ($this->acl->isRegularUser()) {
if ($project_id > 0 && ! $this->project->isUserAllowed($project_id, $this->acl->getUserId())) {
- $this->response->redirect('?controller=project&action=forbidden');
+ $this->forbidden();
}
}
}