author | Bharat Mediratta <bharat@menalto.com> | 2008-12-22 04:33:18 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2008-12-22 04:33:18 +0000 |
commit | 9cf2c5792111570fd831abfad9fc7496995d2e8b (patch) | |
tree | ae386819b6ecba9a9f7f1835db9e543f0ae8ae3b /core/libraries | |
parent | 685a5ca1e1b94cc1a817d699f4223d139689f7cb (diff) |
Normalize CSRF handling into the access helper. Probably not the best
place for it, but it'll do for now.
Do CSRF checking in the Admin controller so that we're safe across the
board on the admin side.
Diffstat (limited to 'core/libraries')
-rw-r--r-- | core/libraries/MY_Forge.php | 19 |
1 files changed, 2 insertions, 17 deletions
diff --git a/core/libraries/MY_Forge.php b/core/libraries/MY_Forge.php
index c3d0ca71..877fe62c 100644
--- a/core/libraries/MY_Forge.php
+++ b/core/libraries/MY_Forge.php
@@ -31,14 +31,7 @@ class Forge extends Forge_Core {
    * Use our own template
    */
   public function render($template="form.html", $custom=false) {
-    $session = Session::instance();
-    $csrf = $session->get("csrf");
-    if (empty($csrf)) {
-      $csrf = md5(rand());
-      $session->set("csrf", $csrf);
-    }
-
-    $this->inputs["csrf"]->value($csrf);
+    $this->inputs["csrf"]->value(access::csrf_token());
     return parent::render($template, $custom);
   }
 
@@ -61,15 +54,7 @@ class Forge extends Forge_Core {
    */
   public function validate() {
     $status = parent::validate();
-
-    $type = $this->type;
-    if (empty($type)) {
-      $csrf_value = $this->csrf->value;
-      if (empty($csrf_value) || $csrf_value !== Session::instance()->get("csrf")) {
-        throw new Exception("@todo SECURITY_INVALID_CSRF_TOKEN");
-      }
-    }
-
+    access::verify_csrf();
     return $status;
   }
 }
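Review bot: The new line in validate() drops the `empty($type)` guard, so `access::verify_csrf()` now runs for every form rather than only for forms with no type, and it runs after parent::validate() has already consumed the input; the commit message calls this a normalization but does not say the guard was meant to go. If the widening is intended, a one-line comment would keep the next reader from reinstating it: `// Every form is CSRF-checked here regardless of $this->type; verify_csrf() rejects a missing or mismatched token.` The removed inline check compared the form's own `$this->csrf->value` against the session token, whereas the helper's input source is not visible in this hunk, so it is worth confirming it reads the same submitted "csrf" field that render() populates in the first hunk. That first hunk likewise moves token generation behind access::csrf_token(); the old `md5(rand())` was not a cryptographic source, so the helper should be checked to draw from a stronger one. Both methods and the closing brace of the class are complete within their hunks.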
\ No newline at end of file |