author | cpollett@mozilla.com <cpollett@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5> | 2008-05-07 15:36:27 (GMT) |
committer | cpollett@mozilla.com <cpollett@mozilla.com@4eb1ac78-321c-0410-a911-ec516a8615a5> | 2008-05-07 15:36:27 (GMT) |
commit | 8676a0ec0db8107f3b5e99b460e734cf1d7a3a80 (patch) | |
tree | fe8e7b209a5e831c7ed2cbb16c82d4603b5c7d8b /site/app/app_controller.php | |
parent | 93568f646a3a64dbd05b6becef6ec6ee6c12b6bd (diff) |
fixes Bug432584 password reset form broken, r=fwenzel
git-svn-id: http://svn.mozilla.org/addons/trunk@12912 4eb1ac78-321c-0410-a911-ec516a8615a5
Diffstat (limited to 'site/app/app_controller.php')
-rw-r--r-- | site/app/app_controller.php | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/site/app/app_controller.php b/site/app/app_controller.php
index 2ab63bd..37509c4 100644
--- a/site/app/app_controller.php
+++ b/site/app/app_controller.php
@@ -212,10 +212,21 @@ class AppController extends Controller
 * this had been causing session issues.
 *
 * This method should be added to any new controller whose $beforeFilter overrides the default one above to ensure
- * CSRF detection is done.
+ * CSRF detection is done.
+ *
+ * For posted data where a session is not yet established use the array $exceptionCSRF to explicitly create an array of allowed
+ * URLs which you do not want checkCSRF to apply to.
 */
 function checkCSRF() {
- if($_SERVER['REQUEST_METHOD'] == 'POST' && !stristr($_SERVER['REQUEST_URI'], "/users/login") && !stristr($_SERVER['REQUEST_URI'], "/users/register")) {
+ $noexception = true;
+ if(isset($this->exceptionCSRF)) {
+ foreach ($this->exceptionCSRF as $exception) {
+ if(stristr($_SERVER['REQUEST_URI'], $exception)) {
+ $noexception = false;
+ }
+ }
+ }
+ if($_SERVER['REQUEST_METHOD'] == 'POST' && $noexception) {
 $sessionuser = $this->Session->read('User');
 $id = htmlentities($sessionuser['id']);
|
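Review bot: The exemption test in the new checkCSRF body, `if(stristr($_SERVER['REQUEST_URI'], $exception))`, is an unanchored, case-insensitive substring match over the whole request URI including any query string, so a POST to any protected action whose URI merely contains one of the $exceptionCSRF strings somewhere is exempted from the CSRF check, not just the intended login/register-style URLs. Match the path component and anchor it at the start instead, e.g. `$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);` before the loop and `if(strpos($path, $exception) === 0) {` inside it. The removed line's hard-coded `/users/login` and `/users/register` exemptions are no longer applied here, so they now depend on each controller declaring $exceptionCSRF, which this hunk does not show; presumably the affected controllers are updated elsewhere in the commit. The remainder of checkCSRF's body, including the handling when no session user is present, continues outside the hunk.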