Added CRSF security token checks in ACL plugin

author: Andreas Gohr <andi@splitbrain.org> 2010-01-17 10:52:59 +0100
committer: Andreas Gohr <andi@splitbrain.org> 2010-01-17 10:52:59 +0100
commit: d7554c0bb25241c1299af28785878d31ad02dbad (patch)
tree: 7b58bfbc69ef58f93ce9a67c67348560aaecc183 /lib/plugins/acl/ajax.php
parent: 49eb6e38061d744f4a35b78082dce49fa35f79c8 (diff)
download: rpg-d7554c0bb25241c1299af28785878d31ad02dbad.tar.gz
rpg-d7554c0bb25241c1299af28785878d31ad02dbad.tar.bz2
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index e383f0d35..d3e88d932 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
@@ -19,11 +19,11 @@ require_once(DOKU_INC.'inc/auth.php');
 //close session
 session_write_close();
 
-if(!auth_isadmin()) die('forbidden');
+if(!auth_isadmin()) die('for admins only');
+if(!checkSecurityToken()) die('CRSF Attack');
 
 $ID    = getID();
 
-if(!auth_isadmin) die('for admins only');
 require_once(DOKU_INC.'inc/pluginutils.php');
 require_once(DOKU_INC.'inc/html.php');
 $acl = plugin_load('admin','acl');
author	Andreas Gohr <andi@splitbrain.org>	2010-01-17 10:52:59 +0100
committer	Andreas Gohr <andi@splitbrain.org>	2010-01-17 10:52:59 +0100
commit	d7554c0bb25241c1299af28785878d31ad02dbad (patch)
tree	7b58bfbc69ef58f93ce9a67c67348560aaecc183 /lib/plugins/acl/ajax.php
parent	49eb6e38061d744f4a35b78082dce49fa35f79c8 (diff)
download	rpg-d7554c0bb25241c1299af28785878d31ad02dbad.tar.gz rpg-d7554c0bb25241c1299af28785878d31ad02dbad.tar.bz2