From 445ef6d1481745cd4e7af7e671f534a25d4495dc Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Wed, 28 May 2014 15:14:52 -0400
Subject: Add CSRF protections
---
 app/Controller/Config.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'app/Controller/Config.php')
diff --git a/app/Controller/Config.php b/app/Controller/Config.php
index b4a5b8d3..daa57790 100644
--- a/app/Controller/Config.php
+++ b/app/Controller/Config.php
@@ -76,6 +76,7 @@ class Config extends Base
 */
 public function downloadDb()
 {
+ $this->checkCSRFParam();
 $this->response->forceDownload('db.sqlite.gz');
 $this->response->binary($this->config->downloadDatabase());
 }
@@ -87,6 +88,7 @@ class Config extends Base
 */
 public function optimizeDb()
 {
+ $this->checkCSRFParam();
 $this->config->optimizeDatabase();
 $this->session->flash(t('Database optimization done.'));
 $this->response->redirect('?controller=config');
@@ -99,6 +101,7 @@ class Config extends Base
 */
 public function tokens()
 {
+ $this->checkCSRFParam();
 $this->config->regenerateTokens();
 $this->session->flash(t('All tokens have been regenerated.'));
 $this->response->redirect('?controller=config');
@@ -111,6 +114,7 @@ class Config extends Base
 */
 public function removeRememberMeToken()
 {
+ $this->checkCSRFParam();
 $this->rememberMe->remove($this->request->getIntegerParam('id'));
 $this->response->redirect('?controller=config&action=index#remember-me');
 }
-- 
cgit v1.2.3
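Review bot: The token check added at the top of downloadDb() (and likewise in optimizeDb(), tokens() and removeRememberMeToken()) appears to read the token from the request URL; checkCSRFParam() is defined outside this diff, so that is inferred from its name and from the `?controller=config` style redirects. A token carried in the query string is recorded in browser history and in proxy and web-server access logs, and can leak through the Referer header, which matters most for downloadDb() because it returns the whole database. If these actions can be moved behind POST forms, validate the token from the request body instead. Otherwise add a docblock line to each action such as `Requires a valid CSRF token in the query string (state-changing GET)` so the constraint is visible to the next maintainer.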
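Review bot: In removeRememberMeToken() the `id` handed to `$this->rememberMe->remove()` still comes straight from the request, and nothing visible in this hunk ties that id to the logged-in user. The new CSRF check stops a forged cross-site request, but it does not stop an authenticated user from supplying a session id that belongs to someone else; whether remove() scopes the delete by user cannot be seen from here. If it does not, pass the current user's id along with the session id and have the model delete only rows matching both. At minimum, state in the action's docblock that `id` must belong to the current user and where that is enforced.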