From 9cf2c5792111570fd831abfad9fc7496995d2e8b Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Mon, 22 Dec 2008 04:33:18 +0000
Subject: Normalize CSRF handling into the access helper.  Probably not the
 best place for it, but it'll do for now.

Do CSRF checking in the Admin controller so that we're safe across the
board on the admin side.
---
 core/libraries/MY_Forge.php | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

(limited to 'core/libraries')

diff --git a/core/libraries/MY_Forge.php b/core/libraries/MY_Forge.php
index c3d0ca71..877fe62c 100644
--- a/core/libraries/MY_Forge.php
+++ b/core/libraries/MY_Forge.php
@@ -31,14 +31,7 @@ class Forge extends Forge_Core {
    * Use our own template
    */
   public function render($template="form.html", $custom=false) {
-    $session = Session::instance();
-    $csrf = $session->get("csrf");
-    if (empty($csrf)) {
-      $csrf = md5(rand());
-      $session->set("csrf", $csrf);
-    }
-
-    $this->inputs["csrf"]->value($csrf);
+    $this->inputs["csrf"]->value(access::csrf_token());
     return parent::render($template, $custom);
   }
 
@@ -61,15 +54,7 @@ class Forge extends Forge_Core {
    */
   public function validate() {
     $status = parent::validate();
-
-    $type = $this->type;
-    if (empty($type)) {
-      $csrf_value = $this->csrf->value;
-      if (empty($csrf_value) || $csrf_value !== Session::instance()->get("csrf")) {
-        throw new Exception("@todo SECURITY_INVALID_CSRF_TOKEN");
-      }
-    }
-
+    access::verify_csrf();
     return $status;
   }
 }
\ No newline at end of file
-- 
cgit v1.2.3