From 9cf2c5792111570fd831abfad9fc7496995d2e8b Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Mon, 22 Dec 2008 04:33:18 +0000
Subject: Normalize CSRF handling into the access helper.  Probably not the
 best place for it, but it'll do for now.

Do CSRF checking in the Admin controller so that we're safe across the
board on the admin side.
---
 core/helpers/access.php | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'core/helpers')

diff --git a/core/helpers/access.php b/core/helpers/access.php
index 0d44a074..ab113375 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -288,6 +288,37 @@ class access_Core {
     ORM::factory("access_cache")->where("item_id", $item->id)->find()->delete();
   }
 
+  /**
+   * Verify our Cross Site Request Forgery token is valid, else throw an exception.
+   */
+  public static function verify_csrf() {
+    if (Input::instance()->post("csrf") !== Session::instance()->get("csrf")) {
+      access::forbidden();
+    }
+  }
+
+  /**
+   * Get the Cross Site Request Forgery token for this session.
+   * @return string
+   */
+  public static function csrf_token() {
+    $session = Session::instance();
+    $csrf = $session->get("csrf");
+    if (empty($csrf)) {
+      $csrf = md5(rand());
+      $session->set("csrf", $csrf);
+    }
+    return $csrf;
+  }
+
+  /**
+   * Generate an <input> element containing the Cross Site Request Forgery token for this session.
+   * @return string
+   */
+  public static function csrf_form_field() {
+    return "<input type=\"hidden\" name=\"csrf\" value=\"" . self::csrf_token() . "\"/>";
+  }
+
   /**
    * Internal method to get all available groups.
    *
-- 
cgit v1.2.3