From 3c768e1c59971475c0265d209939f6ebfa0f50d2 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sun, 4 Jan 2009 01:27:24 +0000
Subject: Require CSRF for any non-"get" action.

---
 core/controllers/rest.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'core/controllers/rest.php')
diff --git a/core/controllers/rest.php b/core/controllers/rest.php
index ceca321e..b91bb0d0 100644
--- a/core/controllers/rest.php
+++ b/core/controllers/rest.php
@@ -86,6 +86,10 @@ class REST_Controller extends Controller {
 return Kohana::show_404();
 }
 
+ if ($request_method != "get") {
+ access::verify_csrf();
+ }
+
 switch ($request_method) {
 case "get":
 return $this->_show($resource);
-- 
cgit v1.2.3
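Review bot: The new guard at `if ($request_method != "get")` discards the result of `access::verify_csrf()`, so it only protects the write branches of the switch below if that helper itself aborts the request on a missing or invalid token; its definition is not in this hunk, so that should be confirmed and stated in a comment such as `// verify_csrf() must halt the request on failure; its return value is not checked here`. The exemption also assumes that the `"get"` branch (`_show`) never changes state and that `$request_method` is always a lower-cased string, both of which are established outside the lines shown. A strict comparison, `if ($request_method !== "get") {`, would keep the check fail-closed without depending on PHP's loose comparison rules if a non-string value ever reached it. The enclosing method starts and ends outside the hunk.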