From 19ea9ed6209b36cba5cb8f96224d9e3a0c022c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= <fred@kanboard.net>
Date: Wed, 30 Jan 2019 20:21:12 -0800
Subject: [PATCH] Add missing CSRF check in TwoFactorController::deactivate()

---
 app/Controller/BaseController.php      | 9 ++++++++-
 app/Controller/TwoFactorController.php | 1 +
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index c984a702b..637c3db1b 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -33,6 +33,13 @@ abstract class BaseController extends Base
         }
     }
 
+    protected function checkCSRFForm()
+    {
+        if (! $this->token->validateCSRFToken($this->request->getRawValue('csrf_token'))) {
+            throw new AccessForbiddenException();
+        }
+    }
+
     /**
      * Check webhook token
      *
@@ -305,7 +312,7 @@ abstract class BaseController extends Base
 
         return $filter;
     }
-    
+
     /**
      * Redirect the user after the authentication
      *
diff --git a/app/Controller/TwoFactorController.php b/app/Controller/TwoFactorController.php
index 5f60e946c..2038c2691 100644
--- a/app/Controller/TwoFactorController.php
+++ b/app/Controller/TwoFactorController.php
@@ -119,6 +119,7 @@ class TwoFactorController extends UserViewController
      */
     public function deactivate()
     {
+        $this->checkCSRFForm();
         $user = $this->getUser();
         $this->checkCurrentUser($user);