Adds XSRF protection to the Lists module.
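--- a/classes/session.php
+++ b/classes/session.php
@@ -78,19 +78,35 @@ class Session
         return Session::logged() && Session::v('perms')->hasFlag(PERMS_ADMIN);
     }
 
+    public static function logged()
+    {
+        return Session::v('auth', AUTH_PUBLIC) >= AUTH_COOKIE;
+    }
+
+    public static function identified()
+    {
+        return Session::v('auth', AUTH_PUBLIC) >= AUTH_MDP;
+    }
+
+    // Anti-XSRF protections.
     public static function has_xsrf_token()
     {
         return Session::has('xsrf_token') && Session::v('xsrf_token') == Env::v('token');
     }
 
-    public static function logged()
+    public static function assert_xsrf_token()
     {
-        return Session::v('auth', AUTH_PUBLIC) >= AUTH_COOKIE;
+        if (!Session::has_xsrf_token()) {
+            global $page;
+            if ($page instanceof PlatalPage) {
+                $page->kill("L'opération n'a pas pu aboutir, merci de réessayer.");
+            }
+        }
     }
 
-    public static function identified()
+    public static function rssActivated()
     {
-        return Session::v('auth', AUTH_PUBLIC) >= AUTH_MDP;
+        return Session::has('core_rss_hash') && Session::v('core_rss_hash');
     }
 
 }
@@ -107,7 +123,7 @@ function check_perms()
         if ($_SESSION['log']) {
             $_SESSION['log']->log("noperms",$_SERVER['PHP_SELF']);
         }
-        $page->kill("Tu n'as pas les permissions nécessaires pour accéder à cette page.");
+        $page->kill("Tu n'as pas les permissions nécessaires pour accéder à cette page.");
     }
 }
 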
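Review bot: assert_xsrf_token() in the first hunk does not fail closed: when `$page` is not a PlatalPage (the global is unset, or the page object has not been built yet) the inner `if` is skipped and the method returns normally, so the caller continues exactly as if the token had been valid. Presumably `$page->kill()` terminates the request; the method should still guarantee termination on its own by adding `exit;` after the inner `if ($page instanceof PlatalPage) { ... }` block, so a missing or invalid token never lets the request proceed regardless of how the page global is set up. Relatedly, the unchanged has_xsrf_token() that this new method relies on compares the session token to Env::v('token') with loose `==`; a strict `===` (or `hash_equals()` where available) avoids PHP's numeric-string juggling on token values. The second hunk appears to be a whitespace-only change to check_perms(), whose body starts outside the hunk.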