X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=classes%2Fsession.php;h=2cb755ab3aa81bdef7f0c281825dba4abdf73cf2;hb=bd6a5fe3b1ad4c41568bd665bdb0ecfa7c7a5f02;hp=a1e72da3e2e6b8763b9750285cf51ac3c690886a;hpb=2fe96c5414e00fc2af8df38f379a02166a563a7d;p=platal.git
diff --git a/classes/session.php b/classes/session.php
index a1e72da..2cb755a 100644
--- a/classes/session.php
+++ b/classes/session.php
@@ -28,6 +28,7 @@ class Session
 $_SESSION['challenge'] = sha1(uniqid(rand(), true));
 }
 if (empty($_SESSION['xsrf_token'])) {
+ require_once 'xorg.misc.inc.php';
 $_SESSION['xsrf_token'] = rand_url_id();
 }
 if (!isset($_SESSION['perms']) || !($_SESSION['perms'] instanceof FlagSet)) {
@@ -77,11 +78,6 @@ class Session
 return Session::logged() && Session::v('perms')->hasFlag(PERMS_ADMIN);
 }
 
- public static function has_xsrf_token()
- {
- return Session::has('xsrf_token') && Session::v('xsrf_token') == Env::v('token');
- }
-
 public static function logged()
 {
 return Session::v('auth', AUTH_PUBLIC) >= AUTH_COOKIE;
@@ -91,6 +87,22 @@ class Session
 {
 return Session::v('auth', AUTH_PUBLIC) >= AUTH_MDP;
 }
+
+ // Anti-XSRF protections.
+ public static function has_xsrf_token()
+ {
+ return Session::has('xsrf_token') && Session::v('xsrf_token') == Env::v('token');
+ }
+
+ public static function assert_xsrf_token()
+ {
+ if (!Session::has_xsrf_token()) {
+ global $page;
+ if ($page instanceof PlatalPage) {
+ $page->kill("L'opération n'a pas pu aboutir, merci de réessayer.");
+ }
+ }
+ }
 }
 
 // {{{ function check_perms()
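Review bot: In the third hunk, has_xsrf_token() compares the session token with the request token using loose `==`, so PHP type juggling (for instance two numeric-looking strings such as `'1e3'` and `'1000'`) can make different values compare equal; use a strict, constant-time comparison, `return Session::has('xsrf_token') && hash_equals((string) Session::v('xsrf_token'), (string) Env::v('token'));`, or at least `===` if hash_equals() is not available on the project's PHP version. assert_xsrf_token() in the same hunk also fails open: when `$page` is not a PlatalPage a missing or mismatched token is silently ignored and the caller proceeds, so an `else { exit; }` (or a thrown exception) after the instanceof check would keep the protection in force regardless of whether a page object exists. It is not visible here whether `$page->kill()` terminates the request; if it returns, the caller continues as well, so a terminating fallback placed after the whole `if` block covers both cases. A short comment on has_xsrf_token() would also help callers, e.g. `// True when the request's 'token' parameter matches the session's xsrf_token.`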