author | Frédéric Guillot <fred@kanboard.net> | 2019-01-30 20:21:12 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2019-01-30 20:21:12 -0800 |
commit | 19ea9ed6209b36cba5cb8f96224d9e3a0c022c93 (patch) | |
tree | 2037ed7b8738d8ec2c37d05e91fc64b926cee8b9 /app | |
parent | ef1abecee4d7860c1e612310ed3509d321039e6f (diff) |
Add missing CSRF check in TwoFactorController::deactivate()
Diffstat (limited to 'app')
-rw-r--r-- | app/Controller/BaseController.php | 9 | ||||
-rw-r--r-- | app/Controller/TwoFactorController.php | 1 |
2 files changed, 9 insertions, 1 deletions
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index c984a702..637c3db1 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -33,6 +33,13 @@ abstract class BaseController extends Base
 }
 }
 
+ protected function checkCSRFForm()
+ {
+ if (! $this->token->validateCSRFToken($this->request->getRawValue('csrf_token'))) {
+ throw new AccessForbiddenException();
+ }
+ }
+
 /**
 * Check webhook token
 *
@@ -305,7 +312,7 @@ abstract class BaseController extends Base
 
 return $filter;
 }
-
+
 /**
 * Redirect the user after the authentication
 *
diff --git a/app/Controller/TwoFactorController.php b/app/Controller/TwoFactorController.php
index 5f60e946..2038c269 100644
--- a/app/Controller/TwoFactorController.php
+++ b/app/Controller/TwoFactorController.php
@@ -119,6 +119,7 @@ class TwoFactorController extends UserViewController
 */
 public function deactivate()
 {
+ $this->checkCSRFForm();
 $user = $this->getUser();
 $this->checkCurrentUser($user);
 
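Review bot: The new `checkCSRFForm()` in BaseController has no docblock, while the neighbouring method in the same hunk carries one (`/** * Check webhook token`); a short docblock stating that it validates the `csrf_token` form field against the session token and throws `AccessForbiddenException` on mismatch, with `@access protected` and `@throws AccessForbiddenException` tags in the file's existing style, would keep the class consistent. The value passed to `validateCSRFToken()` comes from `$this->request->getRawValue('csrf_token')`; what that returns when the field is absent is not visible here, so it is worth confirming that `validateCSRFToken()` rejects an empty or null token rather than treating it as a match, and that the comparison it performs is constant-time. The second hunk in this file (`@@ -305,7 +312,7`) is a whitespace-only change and needs no review.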
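Review bot: The docblock for `deactivate()` — closed by the `*/` at the top of the TwoFactorController hunk — does not document the new rejection path introduced by `$this->checkCSRFForm();`; adding `@throws AccessForbiddenException` there tells callers and the router that a request without a valid token is refused before any user lookup. Placing the check ahead of `getUser()` and `checkCurrentUser()` is the right order, since a forged request is rejected before any work or state access happens. The body of `deactivate()` continues outside the hunk, so whether the two-factor state change is confined to a POST handler cannot be confirmed from this diff; any other state-changing actions in this controller are not in the diff and, if they accept form submissions, presumably need the same guard.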