authorGreg Roach <fisharebest@gmail.com>2013-11-08 07:28:21 +0000
committerGreg Roach <fisharebest@gmail.com>2013-11-08 07:28:21 +0000
commit05d313494e39fa70e0c3c348555c579ecee66df5 (patch)
tree9457d8943b0551f390b157c4769231e474a4b7d2 /action.php
parentb4abd87d4c67bbeb487647eed42b3d8667cff564 (diff)
downloadwebtrees-05d313494e39fa70e0c3c348555c579ecee66df5.tar.gz
webtrees-05d313494e39fa70e0c3c348555c579ecee66df5.tar.bz2
webtrees-05d313494e39fa70e0c3c348555c579ecee66df5.zip
Add CSRF checks to action.php callbacks
Diffstat (limited to 'action.php')
-rw-r--r--action.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/action.php b/action.php
index 8b986d84a6..15bcf5aa7c 100644
--- a/action.php
+++ b/action.php
@@ -41,6 +41,13 @@ require './includes/session.php';
header('Content-type: text/html; charset=UTF-8');
+
+if (!WT_Filter::checkCsrf()) {
+ Zend_Session::writeClose();
+ header('HTTP/1.0 406 Not Acceptable');
+ exit;
+}
+
switch (WT_Filter::post('action')) {
case 'accept-changes':
// Accept all the pending changes for a record
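Review bot: The failure branch of the added `if (!WT_Filter::checkCsrf())` block replies with `HTTP/1.0 406 Not Acceptable`, a status that denotes a content-negotiation failure; a rejected CSRF token is an authorization failure, so `header('HTTP/1.0 403 Forbidden');` would be the conventional reply and is easier to tell apart from real negotiation errors in access logs. The rejection is also silent: nothing is written to the audit log, whereas the `delete-user` branch later in this file records its outcome with `AddToLog(..., 'auth')`, so a line such as `AddToLog('CSRF check failed for action ->' . WT_Filter::post('action') . '<-', 'auth');` before the `exit` would make repeated failures visible to whoever reviews that log. Whether action.php is only ever reached by POST is not visible in this hunk; if any caller submits via GET, the new check will now reject it, which is presumably the intent but worth confirming.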
@@ -157,7 +164,7 @@ case 'delete-source':
case 'delete-user':
$user_id = WT_Filter::post('user_id');
- if (WT_USER_IS_ADMIN && WT_USER_ID != $user_id && WT_Filter::checkCsrf()) {
+ if (WT_USER_IS_ADMIN && WT_USER_ID != $user_id) {
AddToLog('deleted user ->' . get_user_name($user_id) . '<-', 'auth');
delete_user($user_id);
}