From 445ef6d1481745cd4e7af7e671f534a25d4495dc Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Wed, 28 May 2014 15:14:52 -0400
Subject: Add CSRF protections
---
 app/Controller/Base.php | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
(limited to 'app/Controller/Base.php')

diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index 5829fc36..9b695a82 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -3,6 +3,7 @@ namespace Controller;
 use Core\Registry;
+use Core\Security;
 use Core\Translator;
 use Model\LastLogin;
@@ -160,6 +161,28 @@ abstract class Base
 $this->response->html($this->template->layout('app_notfound', array('title' => t('Page not found'))));
 }
+ /**
+ * Application forbidden page
+ *
+ * @access public
+ */
+ public function forbidden()
+ {
+ $this->response->html($this->template->layout('app_forbidden', array('title' => t('Access Forbidden'))));
+ }
+
+ /**
+ * Check if the CSRF token from the URL is correct
+ *
+ * @access protected
+ */
+ protected function checkCSRFParam()
+ {
+ if (! Security::validateCSRFToken($this->request->getStringParam('csrf_token'))) {
+ $this->forbidden();
+ }
+ }
+
 /**
 * Check if the current user have access to the given project
 *
@@ -171,7 +194,7 @@ abstract class Base
 if ($this->acl->isRegularUser()) {
 if ($project_id > 0 && ! $this->project->isUserAllowed($project_id, $this->acl->getUserId())) {
- $this->response->redirect('?controller=project&action=forbidden');
+ $this->forbidden();
 }
 }
 }
-- 
cgit v1.2.3
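Review bot: checkCSRFParam() calls $this->forbidden() on a bad token and then simply returns, and forbidden() only hands a page to $this->response->html(), so unless Response::html() terminates the request (not visible in this diff) the calling action continues and performs its state-changing work despite the failed check. The same concern applies to the third hunk, where $this->forbidden() replaces $this->response->redirect(...) inside a method whose start lies outside the hunk. If the response layer does not exit, end the request after rendering, e.g. `$this->response->html(...); exit;` in forbidden(), or make checkCSRFParam() return a bool and document that callers must stop on false. Since the token is read with getStringParam('csrf_token') from the URL, a docblock line such as `* Note: query-string tokens can surface in Referer headers and access logs; prefer the POST body for state-changing actions` would record that trade-off for future readers.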