Add missing CSRF check in TwoFactorController::deactivate()

2019-01-30 20:21:12 -08:00 · 2019-01-30 20:21:12 -08:00 · 19ea9ed620
parent ef1abecee4
commit 19ea9ed620
2 changed files with 9 additions and 1 deletions
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@ -33,6 +33,13 @@ abstract class BaseController extends Base
        }
    }

+    protected function checkCSRFForm()
+    {
+        if (! $this->token->validateCSRFToken($this->request->getRawValue('csrf_token'))) {
+            throw new AccessForbiddenException();
+        }
+    }
+
    /**
     * Check webhook token
     *
@ -305,7 +312,7 @@ abstract class BaseController extends Base

        return $filter;
    }
-    
+
    /**
     * Redirect the user after the authentication
     *
--- a/app/Controller/TwoFactorController.php
+++ b/app/Controller/TwoFactorController.php
@ -119,6 +119,7 @@ class TwoFactorController extends UserViewController
     */
    public function deactivate()
    {
+        $this->checkCSRFForm();
        $user = $this->getUser();
        $this->checkCurrentUser($user);