From 2be6d35ccf42826f177db7751502bfe59dfbbb5c Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sun, 17 Jan 2010 10:52:59 +0100
Subject: Added CRSF security token checks in ACL plugin
---
 lib/plugins/acl/ajax.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/plugins/acl/ajax.php')
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index e383f0d35..d3e88d932 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
@@ -19,11 +19,11 @@ require_once(DOKU_INC.'inc/auth.php');
 //close session
 session_write_close();
-if(!auth_isadmin()) die('forbidden');
+if(!auth_isadmin()) die('for admins only');
+if(!checkSecurityToken()) die('CRSF Attack');
 $ID = getID();
-if(!auth_isadmin) die('for admins only');
 require_once(DOKU_INC.'inc/pluginutils.php');
 require_once(DOKU_INC.'inc/html.php');
 $acl = plugin_load('admin','acl');
--
cgit v1.2.3
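Review bot: The new `die('CRSF Attack')` line, like the admin rejection just above it, exits with a normal 200 response whose body is a bare string, so the AJAX caller cannot distinguish a rejected request from a successful one without inspecting the text and will treat the rejection as a valid reply. Send an explicit error status before exiting on both lines, e.g. `header('HTTP/1.1 403 Forbidden'); die('CSRF Attack');`, so the client-side handler fails closed. The message also misspells CSRF as `CRSF` (the commit subject does too); fix it while touching the line. Because `session_write_close()` runs one line earlier, it is worth confirming that `checkSecurityToken()` only reads the already-loaded `$_SESSION` data rather than anything that needs a writable session — its implementation is outside this hunk. The file's top-level statement run continues past both edges of the hunk.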