From 5b083c9ad4067c1daede74a9afa2bcd5c699f3e5 Mon Sep 17 00:00:00 2001
From: Shish
Date: Thu, 20 Jun 2024 00:38:19 +0100
Subject: [PATCH] [core] different errors for missing vs invalid CSRF token

---
 core/event.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/core/event.php b/core/event.php
index 814a1bee..72e7b534 100644
--- a/core/event.php
+++ b/core/event.php
@@ -63,7 +63,6 @@ class PageRequestEvent extends Event
      */
     private array $named_args = [];
     public int $page_num;
-    private bool $is_authed;
 
     /**
      * @param string $method The HTTP method used to make the request
@@ -87,10 +86,6 @@ class PageRequestEvent extends Event
         $this->path = $path;
         $this->GET = $get;
         $this->POST = $post;
-        $this->is_authed = (
-            defined("UNITTEST")
-            || (isset($_POST["auth_token"]) && $_POST["auth_token"] == $user->get_auth_token())
-        );
 
         // break the path into parts
         $this->args = explode('/', $path);
@@ -218,8 +213,13 @@ class PageRequestEvent extends Event
 
         // if we matched the method and the path, but the page requires
         // authentication and the user is not authenticated, then complain
-        if($authed && $this->is_authed === false) {
-            throw new PermissionDenied("Permission Denied: Missing CSRF Token");
+        if($authed && !defined("UNITTEST")) {
+            if(!isset($this->POST["auth_token"])) {
+                throw new PermissionDenied("Permission Denied: Missing CSRF Token");
+            }
+            if($this->POST["auth_token"] != $user->get_auth_token()) {
+                throw new PermissionDenied("Permission Denied: Invalid CSRF Token (Go back, refresh the page, and try again?)");
+            }
         }
         if($permission !== null && !$user->can($permission)) {
             throw new PermissionDenied("Permission Denied: {$user->name} lacks permission {$permission}");
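Review bot: The token check in the third hunk, `if($this->POST["auth_token"] != $user->get_auth_token())`, carries over the loose comparison from the removed constructor code, so two numeric-looking strings are compared as numbers rather than byte-for-byte, and the comparison is not constant-time; `get_auth_token()` is outside the hunk so I cannot see the token format, but a CSRF check should not depend on it. Since the submitted value comes straight from POST it may also be an array rather than a string, which `hash_equals()` would reject with a TypeError. Suggested replacement for that line: `if(!is_string($this->POST["auth_token"]) || !hash_equals($user->get_auth_token(), $this->POST["auth_token"])) {`, keeping the "Invalid CSRF Token" exception below it unchanged. The enclosing method begins and ends outside the hunk.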