From a637f36214d0da21f6f51e5763ff77faefaf10a6 Mon Sep 17 00:00:00 2001
From: Zach Copley <zach@controlyourself.ca>
Date: Fri, 29 Aug 2008 00:54:41 -0400
Subject: [PATCH] CSRF protection for invites.php

darcs-hash:20080829045441-7b5ce-a1382496d8d6b043a1a72c0fb32051f1b43163c8.gz
---
 actions/invite.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/actions/invite.php b/actions/invite.php
index 8b4346ca90..c7d92085c1 100644
--- a/actions/invite.php
+++ b/actions/invite.php
@@ -40,6 +40,13 @@ class InviteAction extends Action {
 
 	function send_invitations() {
 
+		# CSRF protection
+		$token = $this->trimmed('token');
+		if (!$token || $token != common_session_token()) {
+			$this->show_form(_('There was a problem with your session token. Try again, please.'));
+			return;
+		}
+
 		$user = common_current_user();
 		$profile = $user->getProfile();
 
@@ -125,6 +132,7 @@ class InviteAction extends Action {
 		common_element_start('form', array('method' => 'post',
 										   'id' => 'invite',
 										   'action' => common_local_url('invite')));
+		common_hidden('token', common_session_token());
 
 		common_textarea('addresses', _('Email addresses'),
 						$this->trimmed('addresses'),