authorBharat Mediratta <bharat@menalto.com>2008-12-22 04:33:18 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-22 04:33:18 +0000
commit9cf2c5792111570fd831abfad9fc7496995d2e8b (patch)
treeae386819b6ecba9a9f7f1835db9e543f0ae8ae3b
parent685a5ca1e1b94cc1a817d699f4223d139689f7cb (diff)
Normalize CSRF handling into the access helper. Probably not the best
place for it, but it'll do for now. Do CSRF checking in the Admin controller so that we're safe across the board on the admin side.
-rw-r--r--core/controllers/admin.php4
-rw-r--r--core/controllers/admin_dashboard.php2
-rw-r--r--core/helpers/access.php31
-rw-r--r--core/libraries/MY_Forge.php19
4 files changed, 38 insertions, 18 deletions
diff --git a/core/controllers/admin.php b/core/controllers/admin.php
index 2a6bae7e..6e44c54e 100644
--- a/core/controllers/admin.php
+++ b/core/controllers/admin.php
@@ -33,6 +33,10 @@ class Admin_Controller extends Controller {
}
public function __call($controller_name, $args) {
+ if (request::method() == "post") {
+ access::verify_csrf();
+ }
+
if ($controller_name == "index") {
$controller_name = "dashboard";
}
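Review bot: The new gate `if (request::method() == "post")` only runs verify_csrf() for POST, so any admin action that changes state via a GET link stays unprotected; if such actions exist they should be moved to POST, or the check widened to every method other than GET/HEAD. Use a strict comparison, `if (request::method() === "post") {`, to match the `!==` used inside access::verify_csrf(). A short comment would also help the next reader, e.g. `// All admin POSTs must carry the session CSRF token; forbidden() aborts otherwise.` The body of __call() continues outside the hunk.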
diff --git a/core/controllers/admin_dashboard.php b/core/controllers/admin_dashboard.php
index a29c2167..13ec5d82 100644
--- a/core/controllers/admin_dashboard.php
+++ b/core/controllers/admin_dashboard.php
@@ -19,7 +19,7 @@
*/
class Admin_Dashboard_Controller extends Admin_Controller {
public function index() {
- return $this->theme()->dashboard_blocks();
+ return $this->theme()->admin_dashboard_blocks();
}
}
diff --git a/core/helpers/access.php b/core/helpers/access.php
index 0d44a074..ab113375 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -289,6 +289,37 @@ class access_Core {
}
/**
+ * Verify our Cross Site Request Forgery token is valid, else throw an exception.
+ */
+ public static function verify_csrf() {
+ if (Input::instance()->post("csrf") !== Session::instance()->get("csrf")) {
+ access::forbidden();
+ }
+ }
+
+ /**
+ * Get the Cross Site Request Forgery token for this session.
+ * @return string
+ */
+ public static function csrf_token() {
+ $session = Session::instance();
+ $csrf = $session->get("csrf");
+ if (empty($csrf)) {
+ $csrf = md5(rand());
+ $session->set("csrf", $csrf);
+ }
+ return $csrf;
+ }
+
+ /**
+ * Generate an <input> element containing the Cross Site Request Forgery token for this session.
+ * @return string
+ */
+ public static function csrf_form_field() {
+ return "<input type=\"hidden\" name=\"csrf\" value=\"" . self::csrf_token() . "\"/>";
+ }
+
+ /**
* Internal method to get all available groups.
*
* @return ORM_Iterator
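Review bot: `$csrf = md5(rand());` in csrf_token() builds the anti-forgery token from rand(), which is not a cryptographic source and has a small seed space, so the token is weaker than the check it protects; generate it from a CSPRNG instead, e.g. `$csrf = bin2hex(random_bytes(16));` (random_bytes needs PHP 7 — on older runtimes use the strongest source the deployment actually has, but not rand()/mt_rand()). In verify_csrf(), the `!==` compare is not constant-time and its fail-closed behaviour when neither the session nor the POST carries a token depends on the two libraries' default return values (not visible here); making it explicit is cheap: `$expected = Session::instance()->get("csrf");` followed by `if (empty($expected) || !hash_equals($expected, (string) Input::instance()->post("csrf")))` (hash_equals needs PHP 5.6). The docblock on verify_csrf() says it throws an exception, but the code calls access::forbidden() — reword it to describe that call, e.g. `Verify the session CSRF token matches the POSTed one; calls access::forbidden() on mismatch.` In csrf_form_field() the token is interpolated into an attribute unescaped; it is hex today, but wrapping it in htmlspecialchars() costs nothing and survives a later change of token format.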
diff --git a/core/libraries/MY_Forge.php b/core/libraries/MY_Forge.php
index c3d0ca71..877fe62c 100644
--- a/core/libraries/MY_Forge.php
+++ b/core/libraries/MY_Forge.php
@@ -31,14 +31,7 @@ class Forge extends Forge_Core {
* Use our own template
*/
public function render($template="form.html", $custom=false) {
- $session = Session::instance();
- $csrf = $session->get("csrf");
- if (empty($csrf)) {
- $csrf = md5(rand());
- $session->set("csrf", $csrf);
- }
-
- $this->inputs["csrf"]->value($csrf);
+ $this->inputs["csrf"]->value(access::csrf_token());
return parent::render($template, $custom);
}
@@ -61,15 +54,7 @@ class Forge extends Forge_Core {
*/
public function validate() {
$status = parent::validate();
-
- $type = $this->type;
- if (empty($type)) {
- $csrf_value = $this->csrf->value;
- if (empty($csrf_value) || $csrf_value !== Session::instance()->get("csrf")) {
- throw new Exception("@todo SECURITY_INVALID_CSRF_TOKEN");
- }
- }
-
+ access::verify_csrf();
return $status;
}
} \ No newline at end of file
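Review bot: `access::verify_csrf();` in validate() is now unconditional, whereas the removed code checked the token only when `$this->type` was empty and read it from `$this->csrf->value`; the helper instead reads `Input::instance()->post("csrf")`, so a Forge form with a type set — or one whose validate() is reached on a non-POST request — will be rejected by access::forbidden() unless parent::validate() already short-circuits those cases (not visible in the hunk). If the broader check is intended, say so at the call site, e.g. `// Every Forge form is CSRF-checked regardless of $this->type; forbidden() aborts the request.`; otherwise keep the former guard: `if (empty($this->type)) { access::verify_csrf(); }`. The same POST-vs-form-value difference applies to the render() hunk above, which still assumes `$this->inputs["csrf"]` exists (pre-existing, not introduced here).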