diff options
| -rw-r--r-- | app/Controller/UserImportController.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/app/Controller/UserImportController.php b/app/Controller/UserImportController.php index 6a9d5992..e878e605 100644 --- a/app/Controller/UserImportController.php +++ b/app/Controller/UserImportController.php @@ -3,6 +3,7 @@ namespace Kanboard\Controller; use Kanboard\Core\Csv; +use Kanboard\Core\Controller\AccessForbiddenException; /** * User Import controller @@ -35,6 +36,12 @@ class UserImportController extends BaseController public function save() { $values = $this->request->getValues(); + + // Note: $values is empty when the CSRF token is invalid. + if (empty($values)) { + throw new AccessForbiddenException(); + } + $filename = $this->request->getFilePath('file'); if (! file_exists($filename)) { |