summaryrefslogtreecommitdiff
path: root/app/Controller/UserImportController.php
diff options
context:
space:
mode:
Diffstat (limited to 'app/Controller/UserImportController.php')
-rw-r--r--app/Controller/UserImportController.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/app/Controller/UserImportController.php b/app/Controller/UserImportController.php
index 6a9d5992..e878e605 100644
--- a/app/Controller/UserImportController.php
+++ b/app/Controller/UserImportController.php
@@ -3,6 +3,7 @@
namespace Kanboard\Controller;
use Kanboard\Core\Csv;
+use Kanboard\Core\Controller\AccessForbiddenException;
/**
* User Import controller
@@ -35,6 +36,12 @@ class UserImportController extends BaseController
public function save()
{
$values = $this->request->getValues();
+
+ // Note: $values is empty when the CSRF token is invalid.
+ if (empty($values)) {
+ throw new AccessForbiddenException();
+ }
+
$filename = $this->request->getFilePath('file');
if (! file_exists($filename)) {