Provide a framework for CSRF protection, with tests.

Add CSRF protection to Asset editSave, AssetManager, VersionTags and Group operations.
This commit is contained in:
Colin Kuskie 2009-07-06 16:58:57 +00:00
parent 4664ab7035
commit 5e4db3adb4
19 changed files with 362 additions and 62 deletions

View file

@ -607,6 +607,7 @@ sub www_editSettings {
name => "op",
value => "saveSettings"
});
$tabform->csrfToken();
my $definitions = definition($session, $i18n);
foreach my $definition (@{$definitions}) {
@ -671,7 +672,7 @@ is in group Admin (3). Returns the user to the Edit Settings screen, www_editSe
sub www_saveSettings {
my $session = shift;
return $session->privilege->adminOnly() unless ($session->user->isAdmin);
return $session->privilege->adminOnly() unless ($session->user->isAdmin && $session->form->validToken);
my $i18n = WebGUI::International->new($session, "WebGUI");
my $setting = $session->setting;
my $form = $session->form;