(bug 4408) Partial work on automatic form auth checking. #173

Merged
merged 1 commit into from

2 participants

@anall
Collaborator

Add automatic form auth checking when requested,
with future plans to make the automatic check the default.

[ I really would like this out of the way so I don't have to juggle a mess of merges on my OAuth branch, so I made this part less "scary" by making the automatic check non-default ]

@anall anall (bug 4408) Partial work on automatic form auth checking.
Add automatic form auth checking when requested,
with future plans to make the automatic check the default.
99dabe2
@afuna afuna merged commit a1e06e9 into from
@afuna
Owner

Thank you!

Commits on Dec 4, 2012
  1. @anall

    (bug 4408) Partial work on automatic form auth checking.

    anall authored
    Add automatic form auth checking when requested,
    with future plans to make the automatic check the default.
12 cgi-bin/DW/Controller.pm
@@ -72,6 +72,11 @@ sub success_ml {
# login cookie
# - skip_domsess => 0 -- (for user domains) do redirect for the user domain
# cookie (default)
+# - form_auth => 0 -- Do not automatically check form auth ( current default )
+# - form_auth => 1 -- Automatically check form auth ( planned to be future default )
+# On any new controller, please try and pass "form_auth => 0" if you are checking
+# the form auth yourself, or if the automatic check will cause problems.
+# Thank you.
#
# Returns one of:
# - 0, $error_text (if there's an error)
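Review bot: The new `form_auth` entries in the option comment do not say what the automatic check requires or what it returns on failure. Going by the later hunk in this file, it runs only on POST, reads `lj_form_auth` from the post args, and fails with `error.invalidform`. Stating that here would tell controller authors that their form templates must emit that field before they opt in. A reference to bug 4408 next to "planned to be future default" would also make the default flip easier to track.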
@@ -97,6 +102,8 @@ sub controller {
( $args{authas} && $args{anonymous} ) ||
( $args{privcheck} && $args{anonymous} );
+ $args{form_auth} //= 0;
+
# 'anonymous' pages must declare themselves, else we assume that a remote is
# necessary as most pages require a user
$vars->{u} = $vars->{remote} = LJ::get_remote();
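Review bot: `$args{form_auth} //= 0;` makes the check opt-in, so any controller that omits the argument still accepts POSTs with no form auth check from controller(), and an explicit `form_auth => undef` is silently treated as off as well. That matches the documented "current default", but since the plan is to flip it, consider having callers that handle POST pass an explicit 0 or 1 now, so that changing this one line later does not alter behaviour for handlers nobody has reviewed.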
@@ -169,6 +176,11 @@ sub controller {
unless $has_one;
}
+ if ( $r->did_post && $args{form_auth} ) {
+ my $post_args = $r->post_args || {};
+ return $fail->( error_ml( 'error.invalidform' ) ) unless LJ::check_form_auth( $post_args->{lj_form_auth} );
+ }
+
# everything good... let the caller know they can continue
return $ok->();
}
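Review bot: The condition `$r->did_post && $args{form_auth}` covers POST requests only, so a handler passing `form_auth => 1` gets no check for any state change it performs on a non-POST request. The option docs should say that opting in assumes all state-changing actions go through POST. When the field is absent, `$post_args->{lj_form_auth}` is undef, and this code relies on `LJ::check_form_auth` rejecting that. The `return $fail->( ... ) unless ...` line is also long enough that splitting it into a block would read better.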
2  cgi-bin/DW/Controller/Manage/Logins.pm
@@ -27,7 +27,7 @@ DW::Routing->register_string( "/manage/logins", \&login_handler, app => 1 );
sub login_handler {
my ( $opts ) = @_;
- my ( $ok, $rv ) = controller();
+ my ( $ok, $rv ) = controller( form_auth => 1 );
return $rv unless $ok;
my $r = DW::Request->get;
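Review bot: With `controller( form_auth => 1 )` an invalid POST is rejected before the rest of login_handler runs, but the remainder of the handler is not visible in this hunk. If it still makes its own `LJ::check_form_auth` call on POST, that call is now redundant and should be dropped so the check lives in one place. The template for /manage/logins must also emit the `lj_form_auth` field, otherwise every POST will fail with `error.invalidform`.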