CSRF protection for subscription/unsubscription
darcs-hash:20080829051104-84dde-9bd23c28c2c8a720046060a33ff3e5f246c47116.gz
This commit is contained in:
parent
2e239e3fbb
commit
4272da4e9e
@ -179,6 +179,7 @@ class ShowstreamAction extends StreamAction {
|
||||
function show_subscribe_form($profile) {
|
||||
common_element_start('form', array('id' => 'subscribe', 'method' => 'post',
|
||||
'action' => common_local_url('subscribe')));
|
||||
common_hidden('token', common_session_token());
|
||||
common_element('input', array('id' => 'subscribeto',
|
||||
'name' => 'subscribeto',
|
||||
'type' => 'hidden',
|
||||
@ -200,6 +201,7 @@ class ShowstreamAction extends StreamAction {
|
||||
function show_unsubscribe_form($profile) {
|
||||
common_element_start('form', array('id' => 'unsubscribe', 'method' => 'post',
|
||||
'action' => common_local_url('unsubscribe')));
|
||||
common_hidden('token', common_session_token());
|
||||
common_element('input', array('id' => 'unsubscribeto',
|
||||
'name' => 'unsubscribeto',
|
||||
'type' => 'hidden',
|
||||
|
@ -36,6 +36,15 @@ class SubscribeAction extends Action {
|
||||
return;
|
||||
}
|
||||
|
||||
# CSRF protection
|
||||
|
||||
$token = $this->trimmed('token');
|
||||
|
||||
if (!$token || $token != common_session_token()) {
|
||||
common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
|
||||
return;
|
||||
}
|
||||
|
||||
$other_nickname = $this->arg('subscribeto');
|
||||
|
||||
$result=subs_subscribe_user($user, $other_nickname);
|
||||
|
@ -33,6 +33,15 @@ class UnsubscribeAction extends Action {
|
||||
return;
|
||||
}
|
||||
|
||||
# CSRF protection
|
||||
|
||||
$token = $this->trimmed('token');
|
||||
|
||||
if (!$token || $token != common_session_token()) {
|
||||
common_redirect(common_local_url('subscriptions', array('nickname' => $user->nickname)));
|
||||
return;
|
||||
}
|
||||
|
||||
$other_nickname = $this->arg('unsubscribeto');
|
||||
$result=subs_unsubscribe_user($user,$other_nickname);
|
||||
if($result!=true) {
|
||||
|
Loading…
Reference in New Issue
Block a user