diff options
| author | andyst <andy.st@gmail.com> | 2009-06-01 23:45:37 -0700 |
|---|---|---|
| committer | andyst <andy.st@gmail.com> | 2009-06-01 23:45:37 -0700 |
| commit | 02a840c84cada5a1c0cc0768f350424460310e5d (patch) | |
| tree | 6a35d4afddcf291327a4ff42245bca17328084ae /modules/gallery/controllers/rest.php | |
| parent | d0845aadc629cf10b8eee490a651c039750a1430 (diff) | |
| parent | 3b6567f38c206f1302c7b22d94d5eae4b458311a (diff) | |
Merge branch 'master' of git@github.com:gallery/gallery3
Diffstat (limited to 'modules/gallery/controllers/rest.php')
| -rw-r--r-- | modules/gallery/controllers/rest.php | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/modules/gallery/controllers/rest.php b/modules/gallery/controllers/rest.php index 11a6bbac..2edf079f 100644 --- a/modules/gallery/controllers/rest.php +++ b/modules/gallery/controllers/rest.php @@ -86,21 +86,20 @@ class REST_Controller extends Controller { return Kohana::show_404(); } - if ($request_method != "get") { - access::verify_csrf(); - } - switch ($request_method) { case "get": return $this->_show($resource); case "put": + access::verify_csrf(); return $this->_update($resource); case "delete": + access::verify_csrf(); return $this->_delete($resource); case "post": + access::verify_csrf(); return $this->_create($resource); } } @@ -111,17 +110,18 @@ class REST_Controller extends Controller { throw new Exception("@todo ERROR_MISSING_RESOURCE_TYPE"); } - // @todo this needs security checks $resource = ORM::factory($this->resource_type, $resource_id); if (!$resource->loaded) { return Kohana::show_404(); } + // Security checks must be performed in _form_edit return $this->_form_edit($resource); } /* We're adding a new item, pass along any additional parameters. */ public function form_add($parameters) { + // Security checks must be performed in _form_add return $this->_form_add($parameters); } |