(bug 4408) Partial work on automatic form auth checking.

Add automatic form auth checking when requested,
with future plans to make the automatic check the default.

cgi-bin/DW/Controller.pm

@@ -72,6 +72,11 @@ sub success_ml {
 #                      login cookie
 # - skip_domsess => 0 -- (for user domains) do redirect for the user domain 
 #                        cookie (default)
+# - form_auth => 0 -- Do not automatically check form auth ( current default )
+# - form_auth => 1 -- Automatically check form auth ( planned to be future default )
+#    On any new controller, please try and pass "form_auth => 0" if you are checking
+#      the form auth yourself, or if the automatic check will cause problems.
+#      Thank you.
 #
 # Returns one of:
 # - 0, $error_text (if there's an error)
@@ -97,6 +102,8 @@ sub controller {
            ( $args{authas} && $args{anonymous} ) ||
            ( $args{privcheck} && $args{anonymous} );
 
+    $args{form_auth} //= 0;
+
     # 'anonymous' pages must declare themselves, else we assume that a remote is
     # necessary as most pages require a user
     $vars->{u} = $vars->{remote} = LJ::get_remote();
@@ -169,6 +176,11 @@ sub controller {
             unless $has_one;
     }
 
+    if ( $r->did_post && $args{form_auth} ) {
+        my $post_args = $r->post_args || {};
+        return $fail->( error_ml( 'error.invalidform' ) ) unless LJ::check_form_auth( $post_args->{lj_form_auth} );
+    }
+
     # everything good... let the caller know they can continue
     return $ok->();
 }

cgi-bin/DW/Controller/Manage/Logins.pm

@@ -27,7 +27,7 @@ DW::Routing->register_string( "/manage/logins", \&login_handler, app => 1 );
 sub login_handler {
     my ( $opts ) = @_;
 
-    my ( $ok, $rv ) = controller();
+    my ( $ok, $rv ) = controller( form_auth => 1 );
     return $rv unless $ok;
 
     my $r = DW::Request->get;