$_SESSION['challenge'] = sha1(uniqid(rand(), true));
}
if (empty($_SESSION['xsrf_token'])) {
+ require_once 'xorg.misc.inc.php';
$_SESSION['xsrf_token'] = rand_url_id();
}
if (!isset($_SESSION['perms']) || !($_SESSION['perms'] instanceof FlagSet)) {
return Session::logged() && Session::v('perms')->hasFlag(PERMS_ADMIN);
}
- public static function has_xsrf_token()
- {
- return Session::has('xsrf_token') && Session::v('xsrf_token') == Env::v('token');
- }
-
public static function logged()
{
return Session::v('auth', AUTH_PUBLIC) >= AUTH_COOKIE;
{
return Session::v('auth', AUTH_PUBLIC) >= AUTH_MDP;
}
+
+ // Anti-XSRF protections.
+ public static function has_xsrf_token()
+ {
+ return Session::has('xsrf_token') && Session::v('xsrf_token') == Env::v('token');
+ }
+
+ public static function assert_xsrf_token()
+ {
+ if (!Session::has_xsrf_token()) {
+ global $page;
+ if ($page instanceof PlatalPage) {
+ $page->kill("L'opération n'a pas pu aboutir, merci de réessayer.");
+ }
+ }
+ }
}
// {{{ function check_perms()
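Review bot: `assert_xsrf_token` does not actually assert anything when `$page` is not a `PlatalPage` — the missing/mismatched token case on the `if (!Session::has_xsrf_token())` branch only kills the request inside the inner `instanceof` check, so a caller invoked without a page object proceeds as if the token were valid; the fallback branch should stop execution too, e.g. `} else { exit; }` (or throw) after the `$page->kill(...)` block. The relocated `has_xsrf_token` still compares the session token to `Env::v('token')` with `==`, which for two numeric-looking strings is a numeric comparison (so tokens that differ only in textual form compare equal) and is not timing-safe; prefer `return Session::has('xsrf_token') && hash_equals((string) Session::v('xsrf_token'), (string) Env::v('token'));` where the deployed PHP provides `hash_equals`, or at least `===`. The class body closes at the `}` two lines above and the surrounding context of this hunk appears to continue past what is shown.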