From aea87c78e17f8e8f817852532e3498577f97f405 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 8 Sep 2007 16:23:00 +0200
Subject: Small fix for CSRF check in config and ACL plugins

darcs-hash:20070908142300-7ad00-ecb0aa5d77f6451b33988e6008e0297bd4425948.gz
---
 lib/plugins/acl/admin.php    | 6 +++---
 lib/plugins/config/admin.php | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'lib/plugins')

diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index dd50bfb39..190ead761 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -79,12 +79,12 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
       $perm  = (int) $perm;
       if($perm > AUTH_DELETE) $perm = AUTH_DELETE;
 
-      // check token
-      if(!checkSecurityToken()) return;
-
       //nothing to do?
       if(empty($cmd) || empty($scope) || empty($user)) return;
 
+      // check token
+      if(!checkSecurityToken()) return;
+
 
       if($cmd == 'save'){
         $this->admin_acl_del($scope, $user);
diff --git a/lib/plugins/config/admin.php b/lib/plugins/config/admin.php
index f251eac7d..90b249202 100644
--- a/lib/plugins/config/admin.php
+++ b/lib/plugins/config/admin.php
@@ -58,8 +58,8 @@ class admin_plugin_config extends DokuWiki_Admin_Plugin {
       global $ID;
 
       if (!$this->_restore_session()) return $this->_close_session();
-      if (!checkSecurityToken()) return $this->_close_session();
       if (!isset($_REQUEST['save']) || ($_REQUEST['save'] != 1)) return $this->_close_session();
+      if (!checkSecurityToken()) return $this->_close_session();
 
       if (is_null($this->_config)) { $this->_config = new configuration($this->_file); }
 
-- 
cgit v1.2.3