Add missing CSRF check on avatar upload form

2018-01-29 13:14:33 -08:00 · 2018-01-29 13:14:33 -08:00 · 90984d6bb9
parent 357316cdf9
commit 90984d6bb9
2 changed files with 2 additions and 2 deletions
--- a/app/Controller/AvatarFileController.php
+++ b/app/Controller/AvatarFileController.php
@ -30,6 +30,7 @@ class AvatarFileController extends BaseController
     */
    public function upload()
    {
+        $this->checkCSRFParam();
        $user = $this->getUser();

        if (! $this->avatarFileModel->uploadImageFile($user['id'], $this->request->getFileInfo('avatar'))) {
--- a/app/Template/avatar_file/show.php
+++ b/app/Template/avatar_file/show.php
@ -13,8 +13,7 @@
 <hr>

 <h3><?= t('Upload my avatar image') ?></h3>
-<form method="post" enctype="multipart/form-data" action="<?= $this->url->href('AvatarFileController', 'upload', array('user_id' => $user['id'])) ?>">
-    <?= $this->form->csrf() ?>
+<form method="post" enctype="multipart/form-data" action="<?= $this->url->href('AvatarFileController', 'upload', array('user_id' => $user['id']), true) ?>">
    <?= $this->form->file('avatar') ?>

    <div class="form-actions">