
(bug 4408) Partial work on automatic form auth checking.

Add automatic form auth checking when requested,
with future plans to make the automatic check the default.
1 parent 5f94be1 commit 99dabe24e30a9e990ffc1e6f584e0fb79856e924 @anall committed Dec 4, 2012
Showing with 13 additions and 1 deletion.
  1. +12 −0 cgi-bin/DW/Controller.pm
  2. +1 −1 cgi-bin/DW/Controller/Manage/Logins.pm
@@ -72,6 +72,11 @@ sub success_ml {
# login cookie
# - skip_domsess => 0 -- (for user domains) do redirect for the user domain
# cookie (default)
+# - form_auth => 0 -- Do not automatically check form auth ( current default )
+# - form_auth => 1 -- Automatically check form auth ( planned to be future default )
+# On any new controller, please try and pass "form_auth => 0" if you are checking
+# the form auth yourself, or if the automatic check will cause problems.
+# Thank you.
#
# Returns one of:
# - 0, $error_text (if there's an error)
@@ -97,6 +102,8 @@ sub controller {
( $args{authas} && $args{anonymous} ) ||
( $args{privcheck} && $args{anonymous} );
+ $args{form_auth} //= 0;
+
# 'anonymous' pages must declare themselves, else we assume that a remote is
# necessary as most pages require a user
$vars->{u} = $vars->{remote} = LJ::get_remote();
@@ -169,6 +176,11 @@ sub controller {
unless $has_one;
}
+ if ( $r->did_post && $args{form_auth} ) {
+ my $post_args = $r->post_args || {};
+ return $fail->( error_ml( 'error.invalidform' ) ) unless LJ::check_form_auth( $post_args->{lj_form_auth} );
+ }
+
# everything good... let the caller know they can continue
return $ok->();
}
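Review bot: The form-auth check added near the end of controller() is fail-open: `$args{form_auth} //= 0` leaves every caller that omits the flag without token validation, and the check is skipped unless `$r->did_post` is true. The header comment describes the flag but not these two limits or the failure result, so I would add a comment above the `if` block such as `# CSRF guard: runs only on POST and only when the caller passed form_auth => 1; a missing or bad token returns the error.invalidform page`. Until the default is flipped, controllers that change state on POST without passing the flag still need their own `LJ::check_form_auth` call. controller() starts and continues outside these hunks, so I cannot confirm that no earlier success return bypasses the new check.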
@@ -27,7 +27,7 @@ DW::Routing->register_string( "/manage/logins", \&login_handler, app => 1 );
sub login_handler {
my ( $opts ) = @_;
- my ( $ok, $rv ) = controller();
+ my ( $ok, $rv ) = controller( form_auth => 1 );
return $rv unless $ok;
my $r = DW::Request->get;
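Review bot: login_handler continues below this hunk, so it is not visible whether the handler still validates `lj_form_auth` itself on POST. If it does, that manual check is now redundant and should be removed so the only failure path is the `return $rv unless $ok` right after the call. If it does not, this line is the page's only CSRF guard and deserves a short comment, e.g. `# form_auth => 1: controller() rejects POSTs with a missing or invalid lj_form_auth token`.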
