Provide a framework for CSRF protection, with tests.

Add CSRF protection to Asset editSave, AssetManager, VersionTags and Group operations.
Colin Kuskie 2009-07-06 16:58:57 +00:00
parent 4664ab7035
commit 5e4db3adb4
19 changed files with 362 additions and 62 deletions


@ -1020,8 +1020,10 @@ sub www_setRank {
=head2 www_setRanks ( )
Utility method for the AssetManager. Reorders 1 pagefull of assets via rank.
AssetIds are passed in via the C<assetId> form variable.
If the current user cannot edit the current asset, it returns the insufficient privileges page.
If the current user cannot edit the current asset, or if a valid CSRF token
is not submitted with the form, it returns the insufficient privileges page.
Returns the user to the manage assets screen.
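Review bot: the POD change is the right companion to the code change, but the hunk shows both the old sentence ("If the current user cannot edit the current asset, it returns the insufficient privileges page.") and the new two-line version, and the rendered view carries no +/- markers; confirm the old sentence is the removed line and not left in place, or the documentation will describe the precondition twice. While touching this block, it would help callers to state that the token must arrive with the same form that carries C<assetId>, since that is the request the new check gates.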
@ -1030,7 +1032,7 @@ Returns the user to the manage assets screen.
sub www_setRanks {
my $self = shift;
my $session = $self->session;
return $session->privilege->insufficient() unless $session->asset->canEdit;
return $session->privilege->insufficient() unless $session->asset->canEdit && $session->form->validToken;
my $i18n = WebGUI::International->new($session, 'Asset');
my $pb = WebGUI::ProgressBar->new($session);
my $form = $session->form;
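Review bot: folding the CSRF check into the existing authorization guard (`return $session->privilege->insufficient() unless $session->asset->canEdit && $session->form->validToken;`) is the correct shape for a state-changing handler, and evaluating `canEdit` first means no token work is done for users who could not act anyway. Two follow-ups worth considering: a failed token check on a user who does have edit rights is a different event from a plain authorization failure and is the one defenders want to see in logs, so splitting the two `unless` conditions (same insufficient-privileges response, distinct log line) would make the new protection observable; and since this is a framework-wide helper, the commit should document whether `validToken` accepts the token only from the submitted form body or also from query parameters, as that determines whether a crafted link can satisfy the check.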