| author | Greg Roach <fisharebest@gmail.com> | 2013-11-08 07:28:21 +0000 |
|---|---|---|
| committer | Greg Roach <fisharebest@gmail.com> | 2013-11-08 07:28:21 +0000 |
| commit | 05d313494e39fa70e0c3c348555c579ecee66df5 (patch) | |
| tree | 9457d8943b0551f390b157c4769231e474a4b7d2 /action.php | |
| parent | b4abd87d4c67bbeb487647eed42b3d8667cff564 (diff) | |
| download | webtrees-05d313494e39fa70e0c3c348555c579ecee66df5.tar.gz webtrees-05d313494e39fa70e0c3c348555c579ecee66df5.tar.bz2 webtrees-05d313494e39fa70e0c3c348555c579ecee66df5.zip | |
Add CSRF checks to action.php callbacks
Diffstat (limited to 'action.php')
| -rw-r--r-- | action.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/action.php b/action.php
index 8b986d84a6..15bcf5aa7c 100644
--- a/action.php
+++ b/action.php
@@ -41,6 +41,13 @@ require './includes/session.php';
 header('Content-type: text/html; charset=UTF-8');
+
+if (!WT_Filter::checkCsrf()) {
+	Zend_Session::writeClose();
+	header('HTTP/1.0 406 Not Acceptable');
+	exit;
+}
+
 switch (WT_Filter::post('action')) {
 case 'accept-changes':
 	// Accept all the pending changes for a record
@@ -157,7 +164,7 @@ case 'delete-source':
 case 'delete-user':
 	$user_id = WT_Filter::post('user_id');
-	if (WT_USER_IS_ADMIN && WT_USER_ID != $user_id && WT_Filter::checkCsrf()) {
+	if (WT_USER_IS_ADMIN && WT_USER_ID != $user_id) {
 		AddToLog('deleted user ->' . get_user_name($user_id) . '<-', 'auth');
 		delete_user($user_id);
 	}
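Review bot: The failed-CSRF path in the new guard answers with `HTTP/1.0 406 Not Acceptable`, a status defined for content negotiation; a rejected request token is an authorization failure, so `header('HTTP/1.0 403 Forbidden');` describes it accurately and lets log analysis and monitoring classify the response correctly. The rejection is also not recorded anywhere, even though this file already logs security-relevant events through AddToLog in the `delete-user` branch; adding `AddToLog('CSRF check failed for action ->' . WT_Filter::post('action') . '<-', 'auth');` before `exit;` would make forged or stale-token requests visible to an administrator. Because the gate now runs before the `switch`, every action dispatched through this file requires a valid token, including any that previously did not check one; that appears intended, but the client forms and AJAX calls that reach these actions are outside the hunk, so each should be verified to send the token.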
