
- Check request tokens also in devel_mode

1 parent de56ea1 commit 2bbc3da52aee81e920e46778d68278bd31f7bb6b @alecpl alecpl committed Aug 8, 2012
Showing with 1 addition and 1 deletion.
  1. +1 −1 index.php
@@ -223,7 +223,7 @@
// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
- if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
+ if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
header('HTTP/1.1 403 Forbidden');
die("Invalid Request");
}
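Review bot: the `+` line still uses PHP's loose `!=` between the `X-Roundcube-Request` header value and `get_request_token()`; make it a strict `!==` (or `hash_equals()`) so a request that carries no header at all fails closed instead of depending on how a null/false header value juggles against the token string. Removing the `devel_mode` exemption is the right call: with it in place, any installation running with `devel_mode` enabled had no CSRF protection on AJAX calls at all, since the header check is the only thing that ties an AJAX request to the authenticated session. It does change developer workflow (AJAX URLs can no longer be opened bare in a browser, even in devel_mode), so a CHANGELOG entry would help.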

2 comments on commit 2bbc3da

@thomascube
Member

Hmm, that way I cannot open an ajax request in a separate tab for debugging. What was the intention of changing that?

@alecpl
Member
alecpl commented on 2bbc3da Aug 9, 2012

We were hit several times in the past by this check. I mean, we didn't get an error because devel_mode was enabled, while other users reported an error in some functionality. The last time it was a non-working spellchecker.
PS: I've never had a need to open an ajax request in a separate tab ;)
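As an added example (not code from the Roundcube project or from either commenter), here is a self-contained version of the header check the commit touches, written the way a reviewer would want it: strict, fail-closed when the header is missing, and constant-time on the comparison. The function name `validate_ajax_request`, the array-of-headers input and the sample values are assumptions for illustration.

```php
<?php
// Added example, not Roundcube code. validate_ajax_request() and its
// inputs are hypothetical; the real code reads the header via
// rcube_utils::request_header() and the token via get_request_token().

function validate_ajax_request(array $headers, string $session_token): bool
{
    // HTTP header names are case-insensitive; normalise before lookup.
    $lookup = array_change_key_case($headers, CASE_LOWER);
    $sent = $lookup['x-roundcube-request'] ?? null;

    // Fail closed on a missing or empty header. A loose `!=` against a
    // null header value is exactly the kind of comparison to avoid here.
    if (!is_string($sent) || $sent === '') {
        return false;
    }

    // Constant-time equality so the token cannot be recovered byte by byte.
    return hash_equals($session_token, $sent);
}

// Constructed sample inputs.
$token = bin2hex(random_bytes(16));

// Legitimate AJAX call from the web client: header present and correct.
var_dump(validate_ajax_request(['X-Roundcube-Request' => $token], $token));

// Request opened bare in a browser tab or sent cross-site: no custom header.
var_dump(validate_ajax_request([], $token));

// Forged header with a guessed value.
var_dump(validate_ajax_request(['X-Roundcube-Request' => 'guess'], $token));
```

A plain browser tab cannot attach a custom request header, which is why the debugging workflow in the thread above stops working once the check is unconditional. The same request can still be reproduced outside the browser by sending the header explicitly, for example with `curl -H 'X-Roundcube-Request: <token>'` together with the session cookie, with the token read from the page or the session that issued it.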
