lib/lemon_security.php @@ -35,6 +35,7 @@ dispatch('/:page', 'wikir_page_show'); $page_name = params('page'); if($page = WikirPage::find($page_name)) { + lemon_csrf_unset_token(); set('page_name', $page->name()); set('page_content', $page->content()); return html('show.php'); @@ -55,16 +56,19 @@ dispatch('/:page/new', 'wikir_page_new'); dispatch_post('/:page', 'wikir_page_create'); function wikir_page_create() { - $page_name = $_POST['page_name']; - $page_content = $_POST['page_content']; - $page = new WikirPage(); - $page->name($page_name); - $page->content($page_content); - if($page->save()) + if(lemon_csrf_require_valid_token()) { - redirect_to($page->name()); + $page_name = $_POST['page_name']; + $page_content = $_POST['page_content']; + $page = new WikirPage(); + $page->name($page_name); + $page->content($page_content); + if($page->save()) + { + redirect_to($page->name()); + } + halt('An error occured. Unable to create this page. Please check page/ dir is writable.'); } - halt('An error occured. Unable to create this page. Please check page/ dir is writable.'); } dispatch('/:page/edit', 'wikir_page_edit'); @@ -73,6 +77,7 @@ dispatch('/:page/edit', 'wikir_page_edit'); $page_name = params('page'); if($page = WikirPage::find($page_name)) { + lemon_csrf_unset_token(); set('page_name', $page->name()); set('page_content', $page->content()); return html('edit.php'); @@ -87,13 +92,16 @@ dispatch_put('/:page', 'wikir_page_update'); $page_content = $_POST['page_content']; if($page = WikirPage::find($page_name)) { - $page->name($page_name); - $page->content($page_content); - if($page->save() !== FALSE) + if(lemon_csrf_require_valid_token()) { - redirect($page->name()); + $page->name($page_name); + $page->content($page_content); + if($page->save() !== FALSE) + { + redirect($page->name()); + } + halt('An error occured. Unable to update this page. Please check page/ dir is writable.'); } - halt('An error occured. Unable to update this page. Please check page/ dir is writable.'); } halt(NOT_FOUND); } index.php @@ -1,5 +1,6 @@ <h1>Edit page: <?=h($page_name)?></h1> <form action="<?=url_for($page_name)?>" method="post"> + <?=html_form_token_field();?> <input type="hidden" name="_method" value="PUT" id="_method"> <input type="hidden" name="page_name" value="<?=page_name?>" id="page_name"> <textarea name="page_content" id="page_content" rows="8" cols="40"><?=$page_content;?></textarea> views/edit.php @@ -1,5 +1,6 @@ <h1>Create page: <?=h($page_name)?></h1> <form action="<?=url_for('create')?>" method="post"> + <?=html_form_token_field();?> <input type="hidden" name="page_name" value="<?=$page_name;?>" id="page_name"> <textarea name="page_content" id="page_content" rows="8" cols="40"></textarea> <p><input type="submit" value="Create →"></p> views/new.php 334847920c51b712591820bab565ee0b7b37dcc6 Fabrice Luraine fabrice.luraine@sofa-design.net http://github.com/organicweb/limonade-wiki-example/commit/5ac8b223c4e4a77939aade8ee9fbd8a9e13885c1 5ac8b223c4e4a77939aade8ee9fbd8a9e13885c1

2009-09-19T07:19:46-07:00

Adding Cross Site Request Forgery (CSRF) protection (to avoid spam...) ee12be647b606f67df47a51ea3cc069f974d11bb Fabrice Luraine fabrice.luraine@sofa-design.net