Diffstat (limited to 'modules/gallery/tests')
-rw-r--r-- | modules/gallery/tests/Controller_Auth_Test.php | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/modules/gallery/tests/Controller_Auth_Test.php b/modules/gallery/tests/Controller_Auth_Test.php
index 50afae8f..c4dc915b 100644
--- a/modules/gallery/tests/Controller_Auth_Test.php
+++ b/modules/gallery/tests/Controller_Auth_Test.php
@@ -18,6 +18,11 @@
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
  */
 class Controller_Auth_Test extends Unit_Test_Case {
+  static $rest_methods = array("_index", "_show", "_form_edit", "_form_add", "_create",
+                               "_update", "_delete");
+
+  static $rest_methods_with_csrf_check = array("_update", "_delete", "_create");
+
   public function find_missing_auth_test() {
     $found = array();
     foreach (glob("*/*/controllers/*.php") as $controller) {
@@ -34,6 +39,7 @@ class Controller_Auth_Test extends Unit_Test_Case {
       }
       $is_admin_controller = false;
+      $is_rest_controller = false;
       $open_braces = 0;
       $function = null;
@@ -50,6 +56,7 @@ class Controller_Auth_Test extends Unit_Test_Case {
             $found[$controller][] = $function;
           } else if ($open_braces == 0) {
             $is_admin_controller = false;
+            $is_rest_controller = false;
           }
           $function = null;
         } else if ($token == "{") {
@@ -61,6 +68,8 @@ class Controller_Auth_Test extends Unit_Test_Case {
           if ($open_braces == 0 && $token[0] == T_EXTENDS) {
             if (self::_token_matches(array(T_STRING, "Admin_Controller"), $tokens, $token_number + 1)) {
               $is_admin_controller = true;
+            } else if (self::_token_matches(array(T_STRING, "REST_Controller"), $tokens, $token_number + 1)) {
+              $is_rest_controller = true;
             }
           } else if ($open_braces == 1 && $token[0] == T_FUNCTION) {
             $line = $token[2];
@@ -82,8 +91,11 @@ class Controller_Auth_Test extends Unit_Test_Case {
         }
       } while ($token_number < count($tokens));
-      if (!$is_private) {
+      if (!$is_private || ($is_rest_controller && in_array($name, self::$rest_methods))) {
         $function = self::_function($name, $line, $is_admin_controller);
+        if ($is_rest_controller && in_array($name, self::$rest_methods_with_csrf_check)) {
+          $function->checks_csrf(true);
+        }
       }
     }
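Review bot: Both new `in_array` lookups in this hunk use loose comparison; since `$name` is a token string and the lists are plain method names, pass the strict flag so only an exact name counts, e.g. `in_array($name, self::$rest_methods, true)` and `in_array($name, self::$rest_methods_with_csrf_check, true)`. The two static lists added in the first hunk also hard-code the REST dispatch surface in the test itself, so if REST_Controller later routes to another underscore-prefixed method this test silently stops checking that method for authentication and CSRF; a comment on those properties such as `// Must mirror the methods REST_Controller dispatches to; _create/_update/_delete change state, so they must also verify the CSRF token` would make the coupling visible. Whether `_form_edit`/`_form_add` only render forms, and therefore need no CSRF check, is not visible here and should be confirmed against REST_Controller. find_missing_auth_test's body starts before and ends after this hunk.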