badmanners/shimmie2
badmanners/shimmie2
Archived
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[core] different errors for missing vs invalid CSRF token

Browse source
This commit is contained in:
Shish 2024-06-20 00:38:19 +01:00 committed by Shish
parent be842308d9
commit 5b083c9ad4
1 changed files with 7 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
core/event.php
View file

@ -63,7 +63,6 @@ class PageRequestEvent extends Event
*/ */
private array $named_args = []; private array $named_args = [];
public int $page_num; public int $page_num;
private bool $is_authed;
/** /**
* @param string $method The HTTP method used to make the request * @param string $method The HTTP method used to make the request
@ -87,10 +86,6 @@ class PageRequestEvent extends Event
$this->path = $path; $this->path = $path;
$this->GET = $get; $this->GET = $get;
$this->POST = $post; $this->POST = $post;
$this->is_authed = (
defined("UNITTEST")
|| (isset($_POST["auth_token"]) && $_POST["auth_token"] == $user->get_auth_token())
);
// break the path into parts // break the path into parts
$this->args = explode('/', $path); $this->args = explode('/', $path);
@ -218,8 +213,13 @@ class PageRequestEvent extends Event
// if we matched the method and the path, but the page requires // if we matched the method and the path, but the page requires
// authentication and the user is not authenticated, then complain // authentication and the user is not authenticated, then complain
if($authed && $this->is_authed === false) { if($authed && !defined("UNITTEST")) {
throw new PermissionDenied("Permission Denied: Missing CSRF Token"); if(!isset($this->POST["auth_token"])) {
throw new PermissionDenied("Permission Denied: Missing CSRF Token");
}
if($this->POST["auth_token"] != $user->get_auth_token()) {
throw new PermissionDenied("Permission Denied: Invalid CSRF Token (Go back, refresh the page, and try again?)");
}
} }
if($permission !== null && !$user->can($permission)) { if($permission !== null && !$user->can($permission)) {
throw new PermissionDenied("Permission Denied: {$user->name} lacks permission {$permission}"); throw new PermissionDenied("Permission Denied: {$user->name} lacks permission {$permission}");