Diffstat (limited to 'modules/user/controllers')
-rw-r--r--modules/user/controllers/admin_users.php6
-rw-r--r--modules/user/controllers/login.php4
-rw-r--r--modules/user/controllers/logout.php2
-rw-r--r--modules/user/controllers/password.php4
4 files changed, 16 insertions, 0 deletions
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index ac17c577..fe8061aa 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -28,6 +28,7 @@ class Admin_Users_Controller extends Controller {
public function add_user() {
access::verify_csrf();
+
$form = user::get_add_form_admin();
$valid = $form->validate();
$name = $form->add_user->inputs["name"]->value;
@@ -63,6 +64,7 @@ class Admin_Users_Controller extends Controller {
public function delete_user($id) {
access::verify_csrf();
+
if ($id == user::active()->id || $id == user::guest()->id) {
access::forbidden();
}
@@ -97,6 +99,7 @@ class Admin_Users_Controller extends Controller {
public function edit_user($id) {
access::verify_csrf();
+
$user = ORM::factory("user", $id);
if (!$user->loaded) {
kohana::show_404();
@@ -182,6 +185,7 @@ class Admin_Users_Controller extends Controller {
public function add_group() {
access::verify_csrf();
+
$form = group::get_add_form_admin();
$valid = $form->validate();
if ($valid) {
@@ -210,6 +214,7 @@ class Admin_Users_Controller extends Controller {
public function delete_group($id) {
access::verify_csrf();
+
$group = ORM::factory("group", $id);
if (!$group->loaded) {
kohana::show_404();
@@ -240,6 +245,7 @@ class Admin_Users_Controller extends Controller {
public function edit_group($id) {
access::verify_csrf();
+
$group = ORM::factory("group", $id);
if (!$group->loaded) {
kohana::show_404();
diff --git a/modules/user/controllers/login.php b/modules/user/controllers/login.php
index 6ee2e69d..54a7905e 100644
--- a/modules/user/controllers/login.php
+++ b/modules/user/controllers/login.php
@@ -26,6 +26,8 @@ class Login_Controller extends Controller {
}
public function auth_ajax() {
+ access::verify_csrf();
+
list ($valid, $form) = $this->_auth("login/auth_ajax");
if ($valid) {
print json_encode(
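Review bot: The new `access::verify_csrf()` call in auth_ajax runs before `_auth()` is reached, so a client that posts credentials without the token the server issued to its (presumably guest) session is rejected before the password is examined; the same placement is used in auth_html in the next hunk. That is only workable if both the HTML login form and the AJAX login path actually send the token — the form markup is not in this diff, so confirm it embeds the token, otherwise every login attempt is refused. A short comment such as `// Token check runs before credentials are examined; the login form must carry the token` would make the ordering intentional for the next reader. Both method bodies and `_auth()` continue outside the hunks.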
@@ -42,6 +44,8 @@ class Login_Controller extends Controller {
}
public function auth_html() {
+ access::verify_csrf();
+
list ($valid, $form) = $this->_auth("login/auth_html");
if ($valid) {
url::redirect("albums/1");
diff --git a/modules/user/controllers/logout.php b/modules/user/controllers/logout.php
index b43680d5..6ceb7192 100644
--- a/modules/user/controllers/logout.php
+++ b/modules/user/controllers/logout.php
@@ -19,6 +19,8 @@
*/
class Logout_Controller extends Controller {
public function index() {
+ access::verify_csrf();
+
$user = user::active();
user::logout();
log::info("user", t("User %name logged out", array("name" => $user->name)),
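Review bot: Adding `access::verify_csrf()` to Logout_Controller::index() changes its contract: a plain logout link with no token in the request will now be rejected, so every template that links to logout has to be updated to pass the token, and none of those templates are in this diff. The check does not restrict the HTTP method, so a token carried in a GET URL still lands in browser history and Referer headers; if the links can become forms, rejecting non-POST requests ahead of the token check, e.g. `if (request::method() != "post") { access::forbidden(); }`, would close that. The method body continues past the hunk.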
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index c3e66634..3b0eac66 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -19,6 +19,8 @@
*/
class Password_Controller extends Controller {
public function reset() {
+ access::verify_csrf();
+
if (request::method() == "post") {
$this->_send_reset();
} else {
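Review bot: In reset(), `access::verify_csrf()` is placed before the `request::method() == "post"` test, so it also governs the GET path that falls through to `else`; if that branch renders the reset form (its body is outside the hunk), a visitor arriving via the plain "forgot password" link holds no token yet and is refused before the form is ever shown. The same ordering appears in do_reset in the next hunk. Moving the check inside the post branch keeps the protection on the state-changing request only: `if (request::method() == "post") {` / `access::verify_csrf();` / `$this->_send_reset();`. The else branch and the rest of reset() continue outside the hunk.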
@@ -27,6 +29,8 @@ class Password_Controller extends Controller {
}
public function do_reset() {
+ access::verify_csrf();
+
if (request::method() == "post") {
$this->_change_password();
} else {